Tim Otten [Thu, 25 Feb 2021 01:54:42 +0000 (17:54 -0800)]
(security/core#104) CRM_Utils_System::authenticateKey - Use secure equality test
Tim Otten [Thu, 25 Feb 2021 05:01:26 +0000 (21:01 -0800)]
(security/core#97) PHP CLI guard is the opposite of correct
Coleman Watts [Fri, 29 Jan 2021 19:30:38 +0000 (14:30 -0500)]
Escape api params in APIv4 Explorer
Seamus Lee [Wed, 23 Dec 2020 09:04:18 +0000 (20:04 +1100)]
Purify PCP introductory text field
Seamus Lee [Wed, 23 Dec 2020 08:45:56 +0000 (19:45 +1100)]
Escape information supplied by extensions to prevent XSS
Seamus Lee [Mon, 9 Nov 2020 09:11:24 +0000 (20:11 +1100)]
security/core#97 Ensure that php scripts where applicable in sql and tools that should only be run in CLI can be run in CLI
Use more portable check for cli and add in 404 header as per Rich's comments
Seamus Lee [Mon, 16 Nov 2020 08:06:16 +0000 (19:06 +1100)]
security/core#100 Escape uploaded data to prevent Reflected Cross site scripting from uploaded CSVs
Seamus Lee [Wed, 17 Mar 2021 21:50:41 +0000 (08:50 +1100)]
Merge pull request #19814 from eileenmcnaughton/535
avoid error when reserving respondents in a survey.
Jamie McClelland [Mon, 15 Mar 2021 13:54:03 +0000 (09:54 -0400)]
avoid error when reserving respondents in a survey.
The full error is:
Error: Call to a member function getSelectedIDs() on null in CRM_Campaign_Form_Task->preProcess() (line 38 of /var/www/powerbase/sites/all/modules/civicrm/CRM/Campaign/Form/Task.php).
I'm not sure if we should somehow be passing &$form to this function
instead?
Seamus Lee [Wed, 10 Mar 2021 20:26:02 +0000 (07:26 +1100)]
Merge pull request #19776 from demeritcowboy/18830-5.35
dev/core#2137 - Backport of 18830 and its followups to not crash when asset builder can't do its thing
demeritcowboy [Wed, 10 Mar 2021 14:46:29 +0000 (09:46 -0500)]
backport of 18830 and its followups
colemanw [Sun, 7 Mar 2021 22:47:58 +0000 (17:47 -0500)]
Merge pull request #19748 from eileenmcnaughton/535a
dev/translation#58 don't make group title NOT NULL even for a moment
Andrew Hunt [Fri, 5 Mar 2021 22:52:15 +0000 (17:52 -0500)]
dev/translation#58 don't make group title NOT NULL even for a moment
CiviCRM [Thu, 4 Mar 2021 04:57:18 +0000 (04:57 +0000)]
Set version to 5.35.0
Tim Otten [Thu, 4 Mar 2021 04:40:16 +0000 (20:40 -0800)]
Merge pull request #19725 from totten/5.35-avail-perm
dev/drupal#156 - system_get_info() is gone in Drupal 9
Tim Otten [Thu, 4 Mar 2021 04:28:34 +0000 (20:28 -0800)]
(NFC) release-notes/5.35.0 - Last minute update
demeritcowboy [Thu, 11 Feb 2021 18:35:15 +0000 (13:35 -0500)]
system_get_info is deprecated
Seamus Lee [Wed, 3 Mar 2021 23:27:55 +0000 (10:27 +1100)]
Merge pull request #19721 from agh1/5.35.0-releasenotes-final
5.35.0 release notes: added late changes
Andrew Hunt [Wed, 3 Mar 2021 23:25:48 +0000 (18:25 -0500)]
5.35.0 release notes: added late changes
Seamus Lee [Wed, 3 Mar 2021 00:58:11 +0000 (11:58 +1100)]
Merge pull request #19711 from totten/5.35-upg-smtp
Upgrader (5.34) - Handle unsavable characters in decoded SMTP password
colemanw [Tue, 2 Mar 2021 13:43:48 +0000 (08:43 -0500)]
Merge pull request #19694 from eileenmcnaughton/dash
dev/core#2426 Fix regression whereby the dashboard crashes (permission related)
Tim Otten [Tue, 2 Mar 2021 12:10:15 +0000 (04:10 -0800)]
Upgrader (5.34) - Handle unsavable characters
Overview
--------
In php-mysqli with utf8mb4, the escaping rules do not handle 8-bit
characters (`chr(128)`+). ([Demo](https://gist.github.com/totten/4083741b920113ffc569d40053ce849d))
Here's a situation reported by @agileware-justin which provokes this:
> 1. SMTP credentials (mailing_backend) were saved and had been encrypted using mcrypt, prior to PHP 7.1
> 2. SMTP outbound email was NOT enabled, but the SMTP credentials are in the database
> 3. Active PHP version was PHP 7.3, without mcrypt module
> 4. CiviCRM 5.34 upgrade triggers the database error
Before
------
The behavior can be viewed in two variables:
* Depending on whether `CIVICRM_CRED_KEYS` is set, the upgrader may be
writing passwords as plain-text or as `^CTK?` tokens.
* Depending on what value is in `$setting['smtpPassword']`, what value is in
`CIVICRM_SITE_KEY`, and whether `mcrypt` is active, we may or may not get
8-bit characters when reading the password
(`CRM_Utils_Crypt::decrypt($setting['smtpPassword'])`).
The fatal combination arises when using plain-text with 8-bit characters.
But other combinations (encrypted tokens and/or 7-bit plain-text) seem
fine.
After
-----
As before, combinations involving encrypted tokens and/or 7-bit plain-text
are fine.
We don't have a head-on solution for escaping 8-bit plain-text for use with
php-mysqli-utf8mb4. (Which is insane, right?) But now we manage the
symptoms better:
* If you aren't even using SMTP (like in Justin's example),
then this is not legit. We show a warning and simply discard the
unneeded/corrupt value of `smtpPassword`.
* If you are using SMTP, then this might theoretically be legit.
(We haven't confirmed, but it seems plausible in other locales.) We show a
different warning and encourage the sysadmin to setup `CIVICRM_CRED_KEYS`
(which will enable the more permissive `^CTK?` format.)
eileen [Sun, 28 Feb 2021 22:34:11 +0000 (11:34 +1300)]
dev/core#2426 Fix regression whereby the dashboard crashes for contacts unable to view their own contact record.
As noted in the code comments this was not my preferred technical fix but I do lean
towards using this in the rc & reconsidering the other approaches in master.
Also, in master I got a different error that I think is related to new work
Coleman Watts [Wed, 10 Feb 2021 01:21:57 +0000 (20:21 -0500)]
Fix angular error when user is not logged in.
Seamus Lee [Mon, 1 Mar 2021 21:57:34 +0000 (08:57 +1100)]
Merge pull request #19705 from seamuslee001/update_schema_handler_test
[NFC] Update Schema Handler to use the standard create table syntax o…
Seamus Lee [Mon, 1 Mar 2021 20:27:32 +0000 (07:27 +1100)]
[NFC] Update Schema Handler to use the standard create table syntax of using ROW_FORMAT=dynamic
colemanw [Mon, 1 Mar 2021 19:40:05 +0000 (14:40 -0500)]
Merge pull request #19698 from eileenmcnaughton/custom
dev/core#2423 Fix quasi-regression around serialized custom fields
eileen [Mon, 1 Mar 2021 06:21:34 +0000 (19:21 +1300)]
Bring back some madness
eileen [Mon, 1 Mar 2021 03:18:48 +0000 (16:18 +1300)]
dev/core#2423 Fix quasi-regression around serialized custom fields
https://lab.civicrm.org/dev/core/-/issues/2423
Seamus Lee [Mon, 1 Mar 2021 06:10:35 +0000 (17:10 +1100)]
Merge pull request #19692 from demeritcowboy/case-custom-money-5.35
dev/core#2394 - Don't crash when saving custom case fields of type money
Seamus Lee [Mon, 1 Mar 2021 02:24:10 +0000 (13:24 +1100)]
Merge pull request #19680 from eileenmcnaughton/money
dev/financial#166 Fix for inconsistency around currency symbol
Eileen McNaughton [Mon, 1 Mar 2021 02:15:44 +0000 (15:15 +1300)]
Merge pull request #19696 from eileenmcnaughton/user
dev/core#2427 Fix user creation regression
eileen [Mon, 1 Mar 2021 00:42:51 +0000 (13:42 +1300)]
dev/core#2427 Fix user creation regression
eileen [Fri, 26 Feb 2021 05:05:14 +0000 (18:05 +1300)]
dev/financial#166 Fix for inconsistency around currency symbol
From https://lab.civicrm.org/dev/financial/-/issues/166 we learn that the existing code
(tested via testFormatLocaleNumericRoundedByCurrency) is not consistent across
all platforms. I think this may be
colemanw [Mon, 1 Mar 2021 00:01:55 +0000 (19:01 -0500)]
Merge pull request #19685 from eileenmcnaughton/535
dev/core:2394 Fix for number formatting regression
demeritcowboy [Sun, 28 Feb 2021 15:02:48 +0000 (10:02 -0500)]
don't crash when saving custom fields of type money
eileen [Fri, 26 Feb 2021 23:50:23 +0000 (12:50 +1300)]
dev/core:2394 Fix for number formatting regression
This function has been picking up the formatting for the locale
meaning that the currency separator replacement is already done and
is swapped back by formatLocaleNumericRoundedByPrecision
Doing it via brickmoney is better than our custom
separator replacement - but we need a quick fix for the rc
colemanw [Thu, 25 Feb 2021 13:13:20 +0000 (08:13 -0500)]
Merge pull request #19670 from eileenmcnaughton/aff
Switch afform back to '=' to unbreak deduper
eileen [Thu, 25 Feb 2021 07:03:25 +0000 (20:03 +1300)]
Switch afform back to '=' to unbreak deduper
https://github.com/eileenmcnaughton/deduper/pull/9
Eileen McNaughton [Tue, 23 Feb 2021 19:49:47 +0000 (08:49 +1300)]
Merge pull request #19659 from demeritcowboy/revert-18782
revert 18782
demeritcowboy [Tue, 23 Feb 2021 12:11:59 +0000 (07:11 -0500)]
revert 18782
Eileen McNaughton [Mon, 22 Feb 2021 21:51:07 +0000 (10:51 +1300)]
Merge pull request #19653 from eileenmcnaughton/535
dev/core#2360 - Escape the word `rows` in sql query
Coleman Watts [Thu, 4 Feb 2021 23:10:42 +0000 (18:10 -0500)]
dev/core#2360 - Escape the word `rows` in sql query
Seamus Lee [Mon, 15 Feb 2021 20:18:08 +0000 (07:18 +1100)]
Merge pull request #19593 from eileenmcnaughton/535
Fix Redis deprecated warning
Seamus Lee [Mon, 15 Feb 2021 08:06:36 +0000 (19:06 +1100)]
Merge pull request #19594 from eileenmcnaughton/535m
dev/mail#89 Fix unreleased regression where civimember is not permitted/enabled
eileen [Sun, 14 Feb 2021 23:23:58 +0000 (12:23 +1300)]
dev/mail#89 Fix unreleased regression where civimember is not permitted/enabled
Fixes a bug where a person with no access to CiviMember will get an exception thrown (and
not caught) rather than receive a result of 0 when checking the memberships
that a contact has access to
eileen [Fri, 12 Feb 2021 22:05:44 +0000 (11:05 +1300)]
Fix Redis deprecated warning
It's not obvious why we would pass trapException here. I believe the issue is that
some custom searches result in 'acceptable' bad sql here but
https://github.com/civicrm/civicrm-core/commit/6dc40f3250ede0f38ce2aed7c3fabd3f1f667c1b
already fixed to catch any exception so we don't
need to convert. There is one other place that calls fillWithSql but there
is no evidence it is subject to the random issue on custom searches / needs
any attention at the moment
Eileen McNaughton [Sat, 13 Feb 2021 22:38:21 +0000 (11:38 +1300)]
Merge pull request #19586 from alifrumin/5.35-releasenotes
[NFC] First Pass at 5.35 release notes
Alice Frumin [Wed, 10 Feb 2021 18:20:18 +0000 (13:20 -0500)]
5.35 Release Notes - First Pass
Eileen McNaughton [Wed, 10 Feb 2021 01:07:55 +0000 (14:07 +1300)]
Merge pull request #19573 from totten/5.35-rand37
dev/core#2370 - Installer - Bump up entropy for autogenerated cred keys
Tim Otten [Tue, 9 Feb 2021 10:51:05 +0000 (02:51 -0800)]
dev/core#2370 - Installer - Bump up entropy for autogenerated cred keys
This slightly expands the amount of entropy for certain auto-generated values.
Before
-----
~99% of generated values have >=232 bits
After
-----
~99% of generated values have >=260 bits
Technical details
--------
https://lab.civicrm.org/dev/core/-/issues/2370#note_53832
Seamus Lee [Tue, 9 Feb 2021 08:55:41 +0000 (19:55 +1100)]
Merge pull request #19563 from eileenmcnaughton/5.35
Fix unreleased regression from mistake extracting function
eileen [Tue, 9 Feb 2021 04:00:11 +0000 (17:00 +1300)]
Fix unreleased regression from mistake extracting function
Ports this line (merged to master) to 5.35 as the mistake turns out to affect 5.35
https://github.com/civicrm/civicrm-core/pull/19551/files#diff-447cfa0a0ec021e7cf54c6f207d94c3e3343eec930130a995355fec37a590a22R597
Eileen McNaughton [Fri, 5 Feb 2021 23:42:45 +0000 (12:42 +1300)]
Merge pull request #19546 from colemanw/labelField
APIv4 - Fix label_field to use underscore instead of camelCase
Coleman Watts [Fri, 5 Feb 2021 20:36:26 +0000 (15:36 -0500)]
APIv4 - Fix label_field to use underscore instead of camelCase
Seamus Lee [Thu, 4 Feb 2021 21:55:06 +0000 (08:55 +1100)]
Merge pull request #19529 from agh1/5.35.0-releasenotes-initial
5.35.0 release notes - initial run
Andrew Hunt [Thu, 4 Feb 2021 16:26:40 +0000 (11:26 -0500)]
5.35.0 release notes: added boilerplate
Andrew Hunt [Thu, 4 Feb 2021 16:23:48 +0000 (11:23 -0500)]
5.35.0 release notes: raw from script
CiviCRM [Thu, 4 Feb 2021 07:00:42 +0000 (07:00 +0000)]
Set version to 5.35.beta1
Seamus Lee [Thu, 4 Feb 2021 01:49:34 +0000 (12:49 +1100)]
Merge pull request #19521 from civicrm/5.34
5.34
Seamus Lee [Thu, 4 Feb 2021 01:42:31 +0000 (12:42 +1100)]
Merge pull request #19519 from colemanw/afformGuiFixBlocks
Afform GUI - Fix errors when creating & saving blocks
Seamus Lee [Thu, 4 Feb 2021 00:17:39 +0000 (11:17 +1100)]
Merge pull request #19520 from agh1/5.34.0-releasenotes-final
5.34.0 release notes: final edits and late changes
Andrew Hunt [Thu, 4 Feb 2021 00:09:24 +0000 (19:09 -0500)]
5.34.0 release notes: final edits and late changes
Coleman Watts [Wed, 3 Feb 2021 23:55:02 +0000 (18:55 -0500)]
Afform Gui - Exclude self from list of available blocks when editing a block
colemanw [Wed, 3 Feb 2021 23:46:26 +0000 (18:46 -0500)]
Merge pull request #19464 from eileenmcnaughton/menu
dev/core#2340 Skip rather than fail on bad menu item
Eileen McNaughton [Wed, 3 Feb 2021 23:30:23 +0000 (12:30 +1300)]
Merge pull request #19514 from colemanw/apiRelativeDateFix
APIv4 - Fix bug when using relative date filters in ON clause of a join
Coleman Watts [Wed, 3 Feb 2021 22:58:38 +0000 (17:58 -0500)]
Afform GUI - Fix errors when creating & saving blocks
Eileen McNaughton [Wed, 3 Feb 2021 22:42:42 +0000 (11:42 +1300)]
Merge pull request #19517 from seamuslee001/fix_user_load_deprecation
Override the DrupalBase getUserObject function with a Drupal8/9 compa…
Eileen McNaughton [Wed, 3 Feb 2021 21:57:16 +0000 (10:57 +1300)]
Merge pull request #19516 from colemanw/apiGetFkFields
APIv4 - Enable getFields to find fields across implicit FK joins
Matthew Wire [Wed, 3 Feb 2021 21:04:54 +0000 (21:04 +0000)]
Merge pull request #19510 from eileenmcnaughton/msg_tpl
[REF] Extract logical functions from sendTemplate
Seamus Lee [Wed, 3 Feb 2021 20:41:07 +0000 (07:41 +1100)]
Override the DrupalBase getUserObject function with a Drupal8/9 compatible version
Matthew Wire [Wed, 3 Feb 2021 20:58:45 +0000 (20:58 +0000)]
Merge pull request #19443 from eileenmcnaughton/ipn
[REF] Move sendNotification out of recur, remove unused related_contact
Matthew Wire [Wed, 3 Feb 2021 20:57:13 +0000 (20:57 +0000)]
Merge pull request #19511 from eileenmcnaughton/mem_clean
[REF] Remove invalid attempt to load contribution id from invoiceID
Seamus Lee [Wed, 3 Feb 2021 20:21:57 +0000 (07:21 +1100)]
Merge pull request #19498 from eileenmcnaughton/complete_order_test
[REF] Stop passing contributionPageID to isEmailReceipt
Eileen McNaughton [Wed, 3 Feb 2021 20:11:32 +0000 (09:11 +1300)]
Merge pull request #19515 from demeritcowboy/amtg-notice
dev/core#2355 - E_NOTICE on Manage Contribution and Manage Event listings
Coleman Watts [Wed, 3 Feb 2021 16:48:26 +0000 (11:48 -0500)]
APIv4 - Enable getFields to find fields across implicit FK joins
Now it is possible to retrieve field metadata for a joined entity
demeritcowboy [Wed, 3 Feb 2021 14:24:46 +0000 (09:24 -0500)]
E_NOTICE on contribution pages
Coleman Watts [Wed, 3 Feb 2021 13:18:36 +0000 (08:18 -0500)]
APIv4 - Fix bug when using relative date filters in ON clause of a join
Eileen McNaughton [Wed, 3 Feb 2021 11:26:33 +0000 (00:26 +1300)]
Merge pull request #19496 from colemanw/afformBugFixes
Afform - Misc tweaks, validation & bug fixes
Eileen McNaughton [Wed, 3 Feb 2021 09:24:54 +0000 (22:24 +1300)]
Merge pull request #19513 from eileenmcnaughton/kernel_error
Move require once in api kernel to support edge cases
Seamus Lee [Wed, 3 Feb 2021 09:17:23 +0000 (20:17 +1100)]
Merge pull request #19492 from demeritcowboy/fatalerrorhandler
dev/core#2350 - Oauth extension - Setting a fatalErrorHandler might override the redirect url because typo
Tim Otten [Wed, 3 Feb 2021 08:35:14 +0000 (00:35 -0800)]
config-form.html - Fix rendering of client-side validation error for "server_route"
eileen [Wed, 3 Feb 2021 07:23:35 +0000 (20:23 +1300)]
Move require once in api kernel to support edge cases
The function 'createError' on the kernel class calls 3 functions that are in the api v3 utils file.
It is possible to reach this from apiv4 using drush (I realise we
don't really know much about how to support api v4 with drush but it DOES work with a simple
api with this patch in my testing). We could go with only including utils.php in
v4 api AND the createError function. I think it's more readable this way.
To test this try `drush cvapi Contribution.get version=4`;
it will legitimately fail without checkPermissions=0 but it will fail with a
require_once error without this patch
Coleman Watts [Wed, 3 Feb 2021 01:57:03 +0000 (20:57 -0500)]
Search Kit - Improve display of afforms in search list
eileen [Wed, 3 Feb 2021 01:42:29 +0000 (14:42 +1300)]
Remove defunct reference to skilCleanMoney
The BAO used to handle this param but it no longer does. The api does respond to it - but defaults to
true (we don't call the api here but anything other than setting it to false will always do nothing)
eileen [Wed, 3 Feb 2021 01:38:49 +0000 (14:38 +1300)]
Remove attempt to load contribution id from invoiceID
This might make sense (maybe) on the front end code this was previously shared with but on the
backoffice form id would be specifically set in the url
eileen [Tue, 2 Feb 2021 22:51:44 +0000 (11:51 +1300)]
[REF] Extract logical functions from sendTemplate
This simply makes it clear what the main chunks of code are doing
eileen [Tue, 2 Feb 2021 01:15:25 +0000 (14:15 +1300)]
[REF] Stop passing contributionPageID to isEmailReceipt
By switching to passing in contributionID instead we can significantly simplify this.
It could cause an extra query in some cases but the query would be very quick based
on my previous query reduction efforts and this will help us
remove a bunch of other code
Monish Deb [Tue, 2 Feb 2021 23:24:23 +0000 (04:54 +0530)]
Merge pull request #19417 from eileenmcnaughton/test
[REF] Standardise methods of determining isTest
Seamus Lee [Tue, 2 Feb 2021 22:28:05 +0000 (09:28 +1100)]
Merge pull request #19505 from mattwire/remotememrelated
Remove another use of loadRelatedObjects() function
Seamus Lee [Tue, 2 Feb 2021 22:16:58 +0000 (09:16 +1100)]
Merge pull request #19500 from eileenmcnaughton/cancel
dev/core#2206 Unhide contributioncancelactions core extension
Matthew Wire [Tue, 2 Feb 2021 21:24:03 +0000 (21:24 +0000)]
Merge pull request #19507 from eileenmcnaughton/trans
Comment intent to remove call to transition components
eileen [Tue, 2 Feb 2021 20:55:16 +0000 (09:55 +1300)]
Comment intent to remove call to transition components
The other usages have been migrated to contributioncancelactions so only update-to-completed remains
Eileen McNaughton [Tue, 2 Feb 2021 20:48:58 +0000 (09:48 +1300)]
Merge pull request #19502 from mattwire/sendReminder
CRM_Core_BAO_MessageTemplate::sendReminder() is not used anywhere
Eileen McNaughton [Tue, 2 Feb 2021 20:47:01 +0000 (09:47 +1300)]
Merge pull request #19504 from colemanw/labelField
Add "labelField" metadata to entities
eileen [Tue, 2 Feb 2021 07:45:00 +0000 (20:45 +1300)]
Unhide contributioncancelactions
With https://github.com/civicrm/civicrm-core/pull/19289 merged we
can now unhide this extension & people can disable it if they wish (as a
supported option)
Matthew Wire [Tue, 2 Feb 2021 19:30:39 +0000 (19:30 +0000)]
Remove another use of loadRelatedObjects() as we call it again before using
Seamus Lee [Tue, 2 Feb 2021 20:00:23 +0000 (07:00 +1100)]
Merge pull request #19503 from mattwire/casecomponentignoreexception
Use exceptions when enabling case component / checking for 'CREATE VIEW' permissions
Coleman Watts [Tue, 2 Feb 2021 19:24:51 +0000 (14:24 -0500)]
Add "labelField" metadata to entities
This determines which field will be shown when displaying a single record
e.g. when viewing a Contact, show the display_name.
Coleman Watts [Tue, 2 Feb 2021 18:31:22 +0000 (13:31 -0500)]
Afform - Fix repeatable blocks in GUI