Commit 629ea603 authored by djahnie's avatar djahnie

Merge remote-tracking branch 'origin/master' into 265-djahnie-memberlist-for-districts

parents e9e22eb2 caf265d9
......@@ -11,12 +11,6 @@ $finder = PhpCsFixer\Finder::create()
->exclude('js')
->exclude('vendor')
->notPath('tmp')
->notPath('lib/fpdi')
->notPath('lib/makefont')
->notPath('lib/flourish/f')
->notPath('lib/phpqrcode')
->notPath('lib/Mobile_Detect.php')
->notPath('lib/minify')
->notPath('lib/font')
->notPath('tests/_support/_generated')
->notPath('src/Lib/Flourish')
......
......@@ -2,33 +2,75 @@
## Features
- On dashboard there now is a symbol indicating the confirmation status of a pickup !661 @jofranz
- Pre fill end date of pickuphistory with todays date for comfort reasons !660 @jofranz
- Pre-fill end date of pickup history with today's date for comfort reasons !660 @jofranz
- Conversation API returns name (or null) !658 @nicksellen
- Added the amount of events conditionally to the dashboard event headline in case there is more than one event !650 @jofranz
- Added a new button to the contextmenu which appears by clicking the profilepic in shops #302 !671 @peter.reutlingen
- Make date in event a mandatory field #436 !669 @tihar
- Added API endpoints for basket pictures !671 @alex.simm
- Allow use of markdown in fairteiler description !690 @NerdyProjects
- Allow use of markdown in Fair-Teiler description !690 @NerdyProjects
- Joining regions REST API !696 @NerdyProjects
- Added member list for districts and work groups !697 @djahnie
- Prevent group admins to be able to access the passport generation page !706 #392 @jofranz
- Start page content over content manager #470 !701 @k.miklobusec
- Added profile status infos for store and pickup entries for ambassadors !705 @jofranz
- Scale down font size on passports for long names !685 @NerdyProjects
- CSRF protection for API requests !715 @alangecker
- Refactored loop for avatar placement in event view. Added amount as a parameter !718 @jofranz
- Disabled caching searchindex for uptodate results !727 @NerdyProjects
## Bugfixes
- Searchindex is now shared between deployments so we avoid a lot of javascript errors regarding failed requests !657 @NerdyProjects
- Search index is now shared between deployments so we avoid a lot of javascript errors regarding failed requests !657 @NerdyProjects
- Fixup conversation header display !658 @nicksellen
- Fixed bug in #302 goto_profile_from_teamsite !671 with !675 @peter.reutlingen
- Fixed an SQL injection in an FoodsaverGateway method @alangecker
- Properly escape Fairteiler names in all occurences !690 @NerdyProjects
- Properly escape Fair-Teiler names in all occurrences !690 @NerdyProjects
- Avoid strip_tags on bell data !691 @NerdyProjects
- Permission checks when joining regions !696 @NerdyProjects
- Fixed the bug that the number of pickups in the team list isn't shown when the name is too long. #381 !688 @peter.reutlingen
- Fix mass mail sender and email output formatting !707 @NerdyProjects
- Only foodsavers add themselves to working groups !713 @NerdyProjects
- Only allow edting regions as an orga user !714 @NerdyProjects
- higher entropy for security & privacy related tokens !709 @alangecker
- Fix recently broken quiz session storage !730 @NerdyProjects
- Fix broken permission checks in foodsaver module @NerdyProjects
- Fix broken permission checks in foodsaver xhr module @NerdyProjects
- Fix broken permission checks in geoclean xhr module @NerdyProjects
- Fix broken permission checks in mailbox xhr module @NerdyProjects
- Fix broken permission checks in foodsaver xhr module !731 @NerdyProjects
- Fix broken permission checks in geoclean xhr module !731 @NerdyProjects
- Fix broken permission checks in mailbox xhr module !731 @NerdyProjects
## Refactoring
- replaced many outdated jquery functions !655 @peter.toennies
- remove unused methods in XhrMethods !694 @NerdyProjects
- trigger Fair-Teiler wallpost notifications in backend !700 @NerdyProjects
- removed the old qr code library and chaged the current qr on the fs-passes to show the fs profile !685 #144 @peter.toennies
- trigger fairteiler wallpost notifications in backend !700 @NerdyProjects
- use API endpoint to delete users to avoid CSRF problems !717 @NerdyProjects
- use API endpoint to delete regions/workgroups to avoid CSRF problems !719 @NerdyProjects
- removed unused php,js and css code !720 @alangecker
- user normalisation in conversations API endpoint
## Dev/Test/CI stuff
- better webpack splitting !681 @nicksellen
- disable backup_globals for PHPUnit to have unit tests working in dev again !696 @NerdyProjects
- fix xdebug by enabling x-forwarded-for header in webpack devserver !725 @NerdyProjects
# 2019-02-19 Hotfix
- Backport some changes that were needed for yesterdays hotfix
- Conversation API returns name (or null) !658 @nicksellen
- Fixup conversation header display !658 @nicksellen
# 2019-02-18 Hotfix
- fix for 9 SQL injection vulnerabilities #472 @alangecker
- Fix mass mail sender and email output formatting !707 @NerdyProjects
# 2019-02-16 Hotfix
- Fixed an SQL injection in a FoodsaverGateway method @alangecker
# 2019-02-02 Hotfix
- readded adresspicker functionality to Fair-Teiler creation page !668 @peter.toennies
# 2019-01-25
Matthias: "Are there any concerns about merging the addresspicker / map / geolocation to production?"
......
......@@ -21,7 +21,7 @@
"url": "^0.11.0"
},
"devDependencies": {
"eslint": "^5.13.0",
"eslint": "^5.14.1",
"eslint-config-standard": "^12.0.0",
"eslint-plugin-import": "^2.16.0",
"eslint-plugin-node": "^8.0.1",
......@@ -30,7 +30,7 @@
"request": "^2.88.0",
"socket.io-client": "^2.2.0",
"tap-spec": "^5.0.0",
"tape": "^4.10.0",
"tape": "^4.10.1",
"tape-watch": "^2.3.0"
},
"eslintConfig": {
......
......@@ -54,7 +54,7 @@
"babel-loader": "^8.0.5",
"css-loader": "^2.1.0",
"dotenv": "^6.2.0",
"eslint": "^5.13.0",
"eslint": "^5.14.1",
"eslint-config-standard": "^12.0.0",
"eslint-plugin-html": "^5.0.3",
"eslint-plugin-import": "^2.16.0",
......@@ -79,13 +79,13 @@
"null-loader": "^0.1.1",
"sass-loader": "^7.1.0",
"shx": "^0.3.2",
"sinon": "^7.2.3",
"sinon": "^7.2.4",
"style-loader": "^0.23.1",
"url-loader": "^1.1.2",
"vue-eslint-parser": "<6.0.0",
"vue-loader": "^15.6.2",
"vue-template-compiler": "^2.6.6",
"webpack": "^4.29.3",
"webpack": "^4.29.5",
"webpack-bundle-analyzer": "^3.0.4",
"webpack-cli": "^3.2.3",
"webpack-dev-server": "^3.1.14",
......
......@@ -16,6 +16,7 @@ module.exports = {
'!/sockjs-node/**': {
target,
changeOrigin: true,
xfwd: true,
ws: true
}
}
......
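Review bot: `xfwd: true` makes the dev proxy stamp X-Forwarded-For/-Proto/-Host onto every forwarded request, so whatever on the PHP side now reads X-Forwarded-For (the changelog says this is for the xdebug trigger) must only honour that header when the request really arrived through a proxy, because on production a client can send X-Forwarded-For itself. If the backend uses a trusted-proxy list (e.g. Symfony's Request::setTrustedProxies), keep it limited to the dev-server/ingress addresses rather than accepting the header from anyone. A short comment would record that intent: `xfwd: true, // adds X-Forwarded-* so the backend sees the client IP (dev only; backend must not trust these headers from arbitrary clients)`. The enclosing proxy object starts before this hunk.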
......@@ -2,10 +2,18 @@ const BASE_URL = '/api'
const DEFAULT_OPTIONS = {
method: 'GET',
credentials: 'same-origin',
mode: 'cors'
mode: 'cors',
headers: {}
}
if (window.fetch) window.fetch.activeFetchCalls = 0
export function getCsrfToken () {
if (!document.cookie) return null
const match = document.cookie.match(/CSRF_TOKEN=([0-9a-f]+)/)
if (!match) return null
return match[1]
}
export class HTTPError extends Error {
constructor (code, text, method, url) {
super(`HTTP Error ${code}: ${text} during ${method} ${url}`)
......@@ -17,7 +25,10 @@ export class HTTPError extends Error {
export async function request (path, options = {}) {
try {
window.fetch.activeFetchCalls++
const request = new window.Request(BASE_URL + path, Object.assign({}, DEFAULT_OPTIONS, options))
const o = Object.assign({}, DEFAULT_OPTIONS, options)
const csrfToken = getCsrfToken()
if (csrfToken) o.headers['X-CSRF-Token'] = csrfToken
const request = new window.Request(BASE_URL + path, o)
const res = await window.fetch(request)
if (!res.ok) {
throw new HTTPError(res.status, res.statusText, request.method, request.url)
......
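Review bot: `Object.assign({}, DEFAULT_OPTIONS, options)` is a shallow copy, so whenever the caller passes no `headers` the `o.headers` written on the next line is `DEFAULT_OPTIONS.headers` itself, and the token leaks into module state: a request made after the cookie disappears (logout, expiry) still carries the last token, and a caller-supplied `headers` object is mutated as a side effect. Build a fresh headers object per request: `const o = Object.assign({}, DEFAULT_OPTIONS, options, { headers: Object.assign({}, DEFAULT_OPTIONS.headers, options.headers) })`. Separately, `getCsrfToken` matches `CSRF_TOKEN=` anywhere in `document.cookie`, so a cookie whose name merely ends in that string would satisfy it; anchoring with `/(?:^|;\s*)CSRF_TOKEN=([0-9a-f]+)/` makes the lookup exact. The body of `request` continues past the end of this hunk.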
import { remove } from './base'
export function deleteGroup (id) {
return remove(`/groups/${id}`)
}
......@@ -43,6 +43,6 @@ export async function instantSearch (query) {
return mapOldResponseToNewFormat((await get(`/../xhrapp.php?app=search&m=search&s=${encodeURIComponent(query)}`)).data)
}
export async function instantSearchIndex (token) {
return mapOldResponseToNewFormat(await get(`/../cache/searchindex/${encodeURIComponent(token)}.json`))
export async function instantSearchIndex () {
return mapOldResponseToNewFormat(await get(`/search/legacyindex`))
}
import { post } from './base'
import { post, remove } from './base'
export function login (email, password) {
return post(`/user/login`, { email, password })
}
export function deleteUser (id) {
return remove(`/user/${id}`)
}
import { get, post, remove } from './base'
export function getWallPosts (target, targetId) {
return get(`/api/wall/${target}/${targetId}`)
}
export function addPost (target, targetId, body) {
return post(`/api/wall/${target}/${targetId}`, body)
}
export function deletePost (target, targetId, postId) {
return remove(`/api/wall/${target}/${targetId}/${postId}`)
}
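Review bot: The paths here begin with `/api/wall/…`, but `request` in base.js prefixes every path with `BASE_URL = '/api'` (search.js relies on that with `/../xhrapp.php`, user.js with `/user/login`), so these calls would resolve to `/api/api/wall/…` unless the backend also routes that prefix; if it does not, the three paths should read `/wall/${target}/${targetId}` (and `…/${postId}`). `target` and `targetId` are also interpolated raw; wrapping them in `encodeURIComponent`, as search.js does for its query, keeps a stray `/` or `?` in an id from changing the route. This section appears to be shown in full, so nothing is cut off.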
......@@ -103,4 +103,7 @@ export function u_printChildBezirke (element) {
})
}
u_printChildBezirke({ value: '0:0' })
$(() => {
// run later, otherwise CSRF-Header for $.ajax are not set yet
u_printChildBezirke({ value: '0:0' })
})
......@@ -56,7 +56,6 @@
<script>
import SearchResults from './SearchResults'
import { instantSearch, instantSearchIndex } from '@/api/search'
import { user } from '@/server-data'
import clickoutMixin from '@b/mixins/clickout'
import listenOnRootMixin from '@b/mixins/listen-on-root'
......@@ -143,7 +142,7 @@ export default {
this.isLoading = false
},
async fetchIndex () {
this.index = await instantSearchIndex(user.token)
this.index = await instantSearchIndex()
},
clickOutListener () {
this.isOpen = false
......
......@@ -28,6 +28,7 @@ import '@/becomeBezirk'
import serverData from '@/server-data'
import socket from '@/socket'
import { getCsrfToken } from '@/api/base'
initialize()
......@@ -62,3 +63,16 @@ if (serverData.user.may) {
} else {
clearInterval(window.g_interval_newBasket)
}
// add CSRF-Token to all jquery requests
$.ajaxPrefilter(function (options) {
if (!options.beforeSend) {
options.beforeSend = function (xhr, settings) {
if (settings.url.startsWith('/') && !settings.url.startsWith('//')) {
xhr.setRequestHeader('X-CSRF-Token', getCsrfToken())
} else {
// don't send for external domains (must be a relative url)
}
}
}
})
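Review bot: The prefilter skips any request that already defines `beforeSend`, so those calls go out without the token and will fail once the server enforces it, and when `getCsrfToken()` returns null the header is still sent with the literal string "null". The same-origin test is also narrower than intended: a URL such as `xhrapp.php?…` (no leading slash) is same-origin but gets no token, while jQuery already computes `options.crossDomain` from the URL before prefilters run. Using the prefilter's third argument (the jqXHR) sets the header without touching `beforeSend` at all, so the rewrite below replaces the whole callback.

```javascript
// add CSRF-Token to all same-origin jquery requests
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
  // jQuery resolves crossDomain from the URL before prefilters run; never send the token off-site
  if (options.crossDomain) return
  const csrfToken = getCsrfToken()
  if (csrfToken) jqXHR.setRequestHeader('X-CSRF-Token', csrfToken)
})
```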
......@@ -189,7 +189,6 @@ export function initialize () {
})
// $('.button').button();
$('.dialog').dialog()
$('.v-switch').buttonset()
$('ul.toolbar li').on('mouseenter', function () {
$(this).addClass('ui-state-hover')
......
......@@ -10,14 +10,14 @@
},
"require-dev": {
"codeception/c3": "2.4.1",
"codeception/codeception": "2.5.2",
"codeception/codeception": "2.5.3",
"filp/whoops": "2.3.1",
"friendsofphp/php-cs-fixer": "2.14.0",
"friendsofphp/php-cs-fixer": "2.14.2",
"mashape/unirest-php": "3.0.4",
"phpstan/phpstan": "0.11.1",
"phpstan/phpstan": "0.11.2",
"roave/security-advisories": "dev-master",
"sebastian/diff": "3.0.1",
"symfony/debug": "4.2.2"
"sebastian/diff": "3.0.2",
"symfony/debug": "4.2.3"
},
"require": {
"ext-dom": "*",
......@@ -47,19 +47,19 @@
"mobiledetect/mobiledetectlib": "2.8.33",
"sensio/framework-extra-bundle": "5.2.4",
"sentry/sentry": "1.10.0",
"setasign/fpdi-fpdf": "2.2.0",
"symfony/config": "4.2.2",
"symfony/console": "4.2.2",
"symfony/dependency-injection": "<4.2.0",
"symfony/expression-language": "4.2.2",
"symfony/form": "4.2.2",
"symfony/framework-bundle": "<4.2.0",
"symfony/http-foundation": "4.2.2",
"symfony/http-kernel": "<4.2.0",
"symfony/translation": "4.2.2",
"symfony/twig-bridge": "4.2.2",
"symfony/validator": "4.2.2",
"symfony/yaml": "4.2.2",
"setasign/fpdi-tcpdf": "2.2.0",
"symfony/config": "4.2.3",
"symfony/console": "4.2.3",
"symfony/dependency-injection": "4.2.3",
"symfony/expression-language": "4.2.3",
"symfony/form": "4.2.3",
"symfony/framework-bundle": "4.2.3",
"symfony/http-foundation": "4.2.3",
"symfony/http-kernel": "4.2.3",
"symfony/translation": "4.2.3",
"symfony/twig-bridge": "4.2.3",
"symfony/validator": "4.2.3",
"symfony/yaml": "4.2.3",
"twig/extensions": "1.5.4",
"twig/twig": "2.6.2",
"voku/bounce-mail-handler": "6.0.0"
......
......@@ -50,3 +50,5 @@ define('BOUNCE_IMAP_PORT', null);
if (!defined('ROOT_DIR')) {
define('ROOT_DIR', './');
}
define('CSRF_TEST_TOKEN', '__TESTTOKEN__');
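Review bot: `CSRF_TEST_TOKEN` is a fixed, publicly known value defined unconditionally, so if `CsrfListener` accepts it whenever the constant is defined, every deployment that ships this config file carries a known CSRF bypass token. It should live only in the test configuration (or be guarded by the environment), and the listener should compare it with `hash_equals` like the real token. A comment above the define would record the intent: `// accepted by CsrfListener in place of a real token ONLY in the test environment — must never be defined in a production config`. I cannot see the listener from here, so treat the bypass as a question to confirm rather than a proven defect.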
......@@ -155,3 +155,9 @@ services:
serviceOption: 'tls'
boxname: 'INBOX'
maxMessages: 10000
Foodsharing\EventListener\CsrfListener:
tags:
- { name: kernel.event_listener, event: kernel.controller }
arguments:
- "@annotation_reader"
\ No newline at end of file
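Review bot: The listener is registered on `kernel.controller`, so it only guards requests that reach a Symfony controller; the legacy entry points this same commit still calls (`/../xhrapp.php` in search.js, and the jQuery requests the prefilter was added for) are outside that event and need their own token check unless they are routed through the kernel. The file also ends without a trailing newline. I cannot see CsrfListener itself, so this is a point to confirm rather than a defect in the new lines.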
......@@ -132,14 +132,6 @@ input[type=number] {
border-radius: 6px;
}
input.hasDatepicker {
background-image: url(/img/cal.png);
background-position: 175px 3px;
background-repeat: no-repeat;
cursor: pointer !important;
width: 189px !important;
}
select {
border: 1px solid #c9bcaf;
border-radius: 6px;
......@@ -169,24 +161,6 @@ textarea {
width: 254px;
}
.input_hsnr {
width: 47px;
margin-left: 5px;
}
.input_str {
width: 149px;
}
.input_plz {
width: 57px;
}
.input_ort {
width: 139px;
margin-left: 5px;
}
.focus {
background-color: #f5f5b5;
border: 1px solid #3f942f;
......@@ -221,18 +195,6 @@ a.linkrow span.item {
float: left;
}
div.titlebar a.linkrow {
float: left;
}
select.v-switch {
float: right;
position: relative;
right: -11px;
top: -3px;
width: 120px;
}
.hidden {
display: none;
}
......
......@@ -178,20 +178,11 @@ body {
background-color: #f1e7c9;
}
.float_left {
float: left;
display: block;
}
.float_right {
float: right;
display: block;
}
.pageblock {
margin-bottom: 10px;
}
.v-form {
padding: 15px;
background-color: unset;
......