Eileen McNaughton [Mon, 20 Apr 2020 22:11:35 +0000 (10:11 +1200)]
Merge pull request #17106 from pradpnayak/statepro1
Update Colmbra state/province to Coimbra
Eileen McNaughton [Mon, 20 Apr 2020 22:09:48 +0000 (10:09 +1200)]
Merge pull request #17109 from colemanw/noAlias
APIv4 - Prevent field alias conflicts.
colemanw [Mon, 20 Apr 2020 17:29:33 +0000 (13:29 -0400)]
Merge pull request #17113 from colemanw/restoreApiSql
Restore #16947 - APIv4 support for sql functions and grouping
Coleman Watts [Mon, 20 Apr 2020 15:43:18 +0000 (11:43 -0400)]
Restore #16947 - APIv4 support for sql functions and grouping
Seamus Lee [Mon, 20 Apr 2020 09:17:44 +0000 (19:17 +1000)]
Merge pull request #17111 from seamuslee001/master
5.25
Seamus Lee [Mon, 20 Apr 2020 09:16:14 +0000 (19:16 +1000)]
Merge in 5.25
Seamus Lee [Mon, 20 Apr 2020 09:11:39 +0000 (19:11 +1000)]
Merge pull request #17093 from eileenmcnaughton/cont
[NFC] Remove calculation of unused parameter
Seamus Lee [Mon, 20 Apr 2020 08:54:32 +0000 (18:54 +1000)]
Merge pull request #17108 from colemanw/revertSqlFn
Revert #16947 from 5.25RC
Coleman Watts [Mon, 20 Apr 2020 00:55:19 +0000 (20:55 -0400)]
APIv4 - Prevent field alias conflicts.
Do not allow regular fields to be aliased - only expressions.
Prevent an alias from using the same name as an existing field.
colemanw [Mon, 20 Apr 2020 00:50:55 +0000 (20:50 -0400)]
Merge pull request #17069 from colemanw/removeUselessChecks
[REF] Remove duplicate checks for an array key existing
Coleman Watts [Sun, 19 Apr 2020 23:56:26 +0000 (19:56 -0400)]
Revert "APIv4 - Add rudimentary support for groupBy"
This reverts commit fba513f62ec8815e08fa838e0d0501279bf34501.
Coleman Watts [Sun, 19 Apr 2020 23:56:25 +0000 (19:56 -0400)]
Revert "Api4SelectQuery - add more metadata to apiFieldSpec"
This reverts commit 9b06167d3c8dc54bb51e22e3583b18799a46c930.
Coleman Watts [Sun, 19 Apr 2020 23:56:20 +0000 (19:56 -0400)]
Revert "APIv4 - Add SQL expression handling and aggregate functions"
This reverts commit 3176b04cb62b0e8f94454e367736f50454f89de8.
Pradeep Nayak [Sun, 19 Apr 2020 19:58:58 +0000 (20:58 +0100)]
updated civicrm_generated.mysql file
Pradeep Nayak [Sun, 19 Apr 2020 17:39:50 +0000 (18:39 +0100)]
Update Colmbra state/province to Coimbra
colemanw [Sun, 19 Apr 2020 01:33:06 +0000 (21:33 -0400)]
Merge pull request #17080 from colemanw/importExtract
[REF] Import - extract duplicate code to function
colemanw [Sat, 18 Apr 2020 15:50:56 +0000 (11:50 -0400)]
Merge pull request #17101 from totten/master-gitlab-tpl
(NFC) Gitlab Template - Request more detail about upgrade problems
colemanw [Sat, 18 Apr 2020 15:14:09 +0000 (11:14 -0400)]
Merge pull request #17100 from artfulrobot/artfulrobot-lab-1917
Replace CaseType's own XML encoding function
Rich Lott / Artful Robot [Sat, 18 Apr 2020 07:55:51 +0000 (08:55 +0100)]
dev-core/1719: replace xml encoding function in CaseType
colemanw [Fri, 17 Apr 2020 23:32:06 +0000 (19:32 -0400)]
Merge pull request #17098 from mattwire/removeunusedparameterjob
Remove unused parameter from function
Seamus Lee [Fri, 17 Apr 2020 21:49:07 +0000 (07:49 +1000)]
Merge pull request #17051 from eileenmcnaughton/ex
Remove outputHeader as a param for writeCSVFile as it is always true
Seamus Lee [Fri, 17 Apr 2020 21:48:22 +0000 (07:48 +1000)]
Merge pull request #17102 from mattwire/removevar
Remove var that is defined on parent
Matthew Wire [Fri, 17 Apr 2020 19:47:51 +0000 (20:47 +0100)]
Remove var that is defined on parent
Tim Otten [Fri, 17 Apr 2020 19:25:27 +0000 (12:25 -0700)]
(NFC) Gitlab Template - Request more detail about upgrades
Matthew Wire [Fri, 17 Apr 2020 14:40:34 +0000 (15:40 +0100)]
Merge pull request #17087 from eileenmcnaughton/ids
[REF] Stop passing ids to membership::create from createRelatedMemberships
Matthew Wire [Fri, 17 Apr 2020 14:39:46 +0000 (15:39 +0100)]
Merge pull request #17086 from eileenmcnaughton/memview
Don't pass empty ids parameter, fix fatal
Matthew Wire [Fri, 17 Jan 2020 19:02:32 +0000 (19:02 +0000)]
Remove unused parameter from function
colemanw [Fri, 17 Apr 2020 12:40:59 +0000 (08:40 -0400)]
Merge pull request #17089 from eileenmcnaughton/memdate
[REF] get rid of variable variable structure
Matthew Wire [Fri, 17 Apr 2020 10:53:22 +0000 (11:53 +0100)]
Merge pull request #16714 from christianwach/lab-1638
Introduce "civi.dao.preUpdate" and "civi.dao.preInsert" events
Seamus Lee [Fri, 17 Apr 2020 09:44:14 +0000 (19:44 +1000)]
Merge pull request #17095 from civicrm/5.25
5.25
Seamus Lee [Fri, 17 Apr 2020 09:43:20 +0000 (19:43 +1000)]
Merge pull request #17097 from seamuslee001/5.25
Add release-notes/5.24.4.md
Tim Otten [Fri, 17 Apr 2020 09:30:06 +0000 (02:30 -0700)]
Add release-notes/5.24.4.md
Tim Otten [Fri, 17 Apr 2020 03:56:19 +0000 (20:56 -0700)]
Merge pull request #17085 from seamuslee001/typo3_drupal8
Generalise typo3/phar-stream-wrapper so CiviCRM can be installed on d…
eileen [Thu, 16 Apr 2020 06:23:26 +0000 (18:23 +1200)]
[REF] get rid of variable variable structure
Readability improvement
eileen [Fri, 17 Apr 2020 02:57:34 +0000 (14:57 +1200)]
[NFC] Remove calculation of unused parameter
Eileen McNaughton [Fri, 17 Apr 2020 02:27:53 +0000 (14:27 +1200)]
Merge pull request #17092 from civicrm/5.25
5.25
Eileen McNaughton [Fri, 17 Apr 2020 02:22:49 +0000 (14:22 +1200)]
Merge pull request #17090 from colemanw/ssCleanup
[REF] SavedSearch - additional cleanup & bugfixes
Seamus Lee [Fri, 17 Apr 2020 02:04:38 +0000 (12:04 +1000)]
Merge pull request #17081 from eileenmcnaughton/session
Fix unsubscribe regression
Seamus Lee [Fri, 17 Apr 2020 02:01:36 +0000 (12:01 +1000)]
Merge pull request #17088 from eileenmcnaughton/ids2
[NFC] Remove all the places where tests unnecessarily pass to Membership::create
Seamus Lee [Fri, 17 Apr 2020 02:00:12 +0000 (12:00 +1000)]
Merge pull request #17073 from eileenmcnaughton/msg_template
Add MessageTemplate api to v4
Eileen McNaughton [Fri, 17 Apr 2020 01:39:11 +0000 (13:39 +1200)]
Merge pull request #17074 from joshgowans/patch-4
Archive text
Coleman Watts [Thu, 9 Apr 2020 15:31:23 +0000 (11:31 -0400)]
SavedSearch - additional cleanup & bugfixes
colemanw [Thu, 16 Apr 2020 14:38:54 +0000 (10:38 -0400)]
Merge pull request #17062 from colemanw/apiExpPerf
[REF] APIv4 Explorer - improve performance
joshgowans [Thu, 16 Apr 2020 12:45:30 +0000 (13:45 +0100)]
Correct spelling
Correct spelling of word 'recognition'.
colemanw [Thu, 16 Apr 2020 11:56:19 +0000 (07:56 -0400)]
Merge pull request #17003 from colemanw/smartererGroups
Allow other base tables for api4-based smart groups
Coleman Watts [Tue, 7 Apr 2020 00:56:43 +0000 (20:56 -0400)]
Allow other base tables for api4-based smart groups
eileen [Thu, 16 Apr 2020 06:04:27 +0000 (18:04 +1200)]
[NFC] Remove all the places where tests unnecessarily pass to Membership::create
The param is deprecated - no reason to pass in the tests
eileen [Thu, 16 Apr 2020 05:54:24 +0000 (17:54 +1200)]
Stop passing ids to membership::create from createRelatedMemberships
We are passing in an empty array. Per the code comments there was concern that the array might NOT be empty after calling
create & that needed to be checked out. However, I just went through it & concluded that values in the ids var would
only ever be set if ids['membership'] was passed in - so if it goes in empty it will come out empty
eileen [Thu, 16 Apr 2020 05:33:28 +0000 (17:33 +1200)]
Don't pass empty ids parameter, fix fatal
Seamus Lee [Thu, 16 Apr 2020 04:45:16 +0000 (14:45 +1000)]
Generalise typo3/phar-stream-wrapper so CiviCRM can be installed on drupal8
Seamus Lee [Thu, 16 Apr 2020 02:12:23 +0000 (12:12 +1000)]
Merge pull request #17083 from seamuslee001/master
5.25
Seamus Lee [Thu, 16 Apr 2020 02:11:08 +0000 (12:11 +1000)]
Merge 5.25
eileen [Thu, 16 Apr 2020 01:37:00 +0000 (13:37 +1200)]
Fix issue with form values not being available on submit
Possible fix for https://civicrm.stackexchange.com/questions/35323/missing-parameters-error-in-unsubscribe-confirmation
The theory is that not having committed the transaction is causing the session not to be saved
CiviCRM [Thu, 16 Apr 2020 02:04:24 +0000 (02:04 +0000)]
Set version to 5.25.beta2
Tim Otten [Thu, 16 Apr 2020 01:28:50 +0000 (18:28 -0700)]
release-notes - Small copy edits
Seamus Lee [Thu, 16 Apr 2020 01:02:23 +0000 (11:02 +1000)]
Add in release notes for 5.24.3
Tim Otten [Fri, 3 Apr 2020 02:45:21 +0000 (19:45 -0700)]
Update composer.lock (`composer update --lock`)
Tim Otten [Fri, 3 Apr 2020 02:34:00 +0000 (19:34 -0700)]
[MOSS] CIV-01-001 - Display sensible error if someone tries to use "qunit" when it's missing
Tim Otten [Fri, 3 Apr 2020 02:23:03 +0000 (19:23 -0700)]
[MOSS] CIV-01-001 - Remove more unnecessary files from google-code-prettifier
Seamus Lee [Wed, 18 Mar 2020 01:25:01 +0000 (12:25 +1100)]
[MOSS] CIV-01-001 Remove Qunit and google-code-prettifier demo html file
Seamus Lee [Thu, 12 Dec 2019 20:08:34 +0000 (07:08 +1100)]
Include the job name and job details on the popup notice and also on the form asking if you're sure about executing it
Allow disabled jobs to be executed and fix copy
Seamus Lee [Tue, 10 Dec 2019 20:07:57 +0000 (07:07 +1100)]
security/core#10 Ensure there is CSRF Protection when running Scheduled Jobs from the Admin scheduled jobs UI
Seamus Lee [Sun, 29 Mar 2020 21:23:33 +0000 (08:23 +1100)]
Remove code handling for profile search listing
Seamus Lee [Sun, 29 Mar 2020 20:55:14 +0000 (07:55 +1100)]
Also escape when value starts with a [ and validate the negative operation as well
Seamus Lee [Tue, 3 Mar 2020 20:48:35 +0000 (07:48 +1100)]
[MOSS] CIV-01-020 Validate value in the query building logic for privacy flag fields
Seamus Lee [Sat, 29 Feb 2020 22:32:21 +0000 (09:32 +1100)]
[MOSS] CIV-01-014 Validate status_id and campaign_type_id for camapginSummary function and the source_record_id and activity_type_id for Activity delete function
Seamus Lee [Sun, 9 Feb 2020 08:32:48 +0000 (19:32 +1100)]
security/core#40 Purify activity details when viewing case activities and case reports
Patrick Figel [Tue, 18 Feb 2020 19:44:11 +0000 (20:44 +0100)]
security/core#60 - Fix PHP Object Injection via Phar Deserialization
This mitigates Phar deserialization vulnerabilities by registering an
alternative Phar stream wrapper that filters out insecure Phar files.
PHP makes it possible to trigger Object Injection vulnerabilities by using
a side-effect of the phar:// stream wrapper that unserializes Phar
metadata. To mitigate this vulnerability, projects such as TYPO3 and Drupal
have implemented an alternative Phar stream wrapper that disallows
inclusion of phar files based on certain parameters. This change implements
a similar approach for Civi in environments where the vulnerability isn't
mitigated by the CMS.
Fixes security/core#60
Tim Otten [Wed, 4 Mar 2020 02:54:50 +0000 (18:54 -0800)]
CIV-01-021 - Improve entity name sanitization
Before
------
* There exist two functions which purport to take an API entity name and sanitize it,
producing a canonical API entity name. (`\Civi\API\Request::normalizeEntityName`
and `_civicrm_api_get_camel_name`)
* The two functions are identical for typical inputs. Both call `convertStringToCamel()`.
* The difference relates to unusual/unspecified input characters like `/` or `.` or `+`.
* `_civicrm_api_get_camel_name()` allows/returns unusual characters.
* `normalizeEntityName()` filters them out via `\CRM_Utils_String::munge()`
After
-----
* `_civicrm_api_get_camel_name()` just calls `normalizeEntityName()`
* A unit-test provides some comparison/contrast between the old+new behaviors.
Comments
--------
I came into this because CIV-01-021 pointed out that `_civicrm_api_get_camel_name()` had
insufficient sanitization of wonky inputs and could potentially lead to unexpected file-reads.
You can potentially address those wonky inputs by filtering them out or by throwing an exception.
I initially started doing an exception... but it turned out that `normalizeEntityName()` was already
filtering out and didn't really need a change. Also, regardless of the policy, the functions should be
brought into alignment.
Anyway, it seemed like this was the simpler change - it keeps `normalizeEntityName()` working exactly
as before, and only changes `_civicrm_api_get_camel_name()` to match.
Patrick Figel [Tue, 18 Feb 2020 20:54:05 +0000 (21:54 +0100)]
security/core#73 - Fix Contact.getquick API key exposure
This fixes an issue where API keys can be exposed via the field_name
parameter of the Contact.getquick API. Since there is no valid use-case
for requesting API keys via getquick, the fix simply triggers an API
error if the API key is requested.
Eileen McNaughton [Wed, 15 Apr 2020 21:10:52 +0000 (09:10 +1200)]
Merge pull request #17066 from mattwire/fixselectedchild
Fix 'selectedChild' parameter for pages with tabs
Coleman Watts [Wed, 15 Apr 2020 20:50:01 +0000 (16:50 -0400)]
Import - extract duplicate code to function
FIXME: Extracting this was a first step, but there's also still lots of inconsistency
and duplication with how the various import classes handle custom data.
colemanw [Wed, 15 Apr 2020 20:41:34 +0000 (16:41 -0400)]
Merge pull request #17055 from mattwire/customgroupfield_id
Add ID to custom group/field admin forms
Matthew Wire [Wed, 15 Apr 2020 09:28:45 +0000 (10:28 +0100)]
Merge pull request #17076 from agh1/cancelnotban
Export: use X icon `fa-times` for closing things
Eileen McNaughton [Wed, 15 Apr 2020 02:16:35 +0000 (14:16 +1200)]
Merge pull request #16756 from eileenmcnaughton/memtest
[NFC] Improve cleanup on membershipStatus to cope with undeleted memberships
eileen [Wed, 15 Apr 2020 00:35:38 +0000 (12:35 +1200)]
Use apiv4 on save
colemanw [Wed, 15 Apr 2020 00:30:01 +0000 (20:30 -0400)]
Merge pull request #17077 from eileenmcnaughton/dedup
Follow up fix on change to merge sqls
eileen [Wed, 15 Apr 2020 00:17:33 +0000 (12:17 +1200)]
[REF] MessageTemplate form code level improvements
I'm looking to clean up this form to use the apiv4 (I'd rather go the extra step & switch it to an afform but
that seems like too big a leap).
This switches the loading to use apiv4. Note that
1) I decided that it doesn't make sense to setCheckPermissions = FALSE - I think the form should not
be available to non-permissioned users (& perhaps a hook might like to play a role here).
2) I removed the inheritance from the parent which seemed to do 3 things
- added admin.css - none of the classes seemed to apply
- added iconpicker - didn't seem to apply
- loaded the defaults - which this change does on the form more succinctly
eileen [Tue, 14 Apr 2020 01:44:23 +0000 (13:44 +1200)]
Add MsgTemplate api to v4
eileen [Tue, 14 Apr 2020 21:43:48 +0000 (09:43 +1200)]
Follow up fix on change to merge sqls
This turns out to have been a missing piece from
https://github.com/civicrm/civicrm-core/pull/17060 as revealed from
https://github.com/civicrm/civicrm-core/pull/17072
Andrew Hunt [Tue, 14 Apr 2020 21:36:45 +0000 (17:36 -0400)]
Export: use X icon `fa-times` for closing things
See https://docs.civicrm.org/dev/en/latest/framework/ui/#icon-meaning-and-consistency
colemanw [Tue, 14 Apr 2020 15:06:55 +0000 (11:06 -0400)]
Merge pull request #16998 from lcdservices/dev-core-1693
dev/core#1693 inline text title override
joshgowans [Tue, 14 Apr 2020 05:02:49 +0000 (06:02 +0100)]
Archive text
Update intro text to archive contrib.txt in favor of recognizing contributors via the release notes.
Eileen McNaughton [Tue, 14 Apr 2020 01:04:38 +0000 (13:04 +1200)]
Merge pull request #17070 from eileenmcnaughton/msg_template
[NFC] Remove a handful of legacy svn notations
colemanw [Mon, 13 Apr 2020 23:55:56 +0000 (19:55 -0400)]
Merge pull request #17060 from eileenmcnaughton/dupefix
Dupe improve custom data handling
eileen [Mon, 13 Apr 2020 23:16:59 +0000 (11:16 +1200)]
[NFC] Remove a handful of legacy svn notations
eileen [Thu, 9 Apr 2020 05:58:31 +0000 (17:58 +1200)]
Dupe improve custom data handling
The current custom data handling code does the following
1) For normal single rows it first inserts a row. This has the impact of rendering the
update that follows meaningless (this was an intentional change). It then deletes the row.
Hence the upshot is simply that it deletes the row. A separate process transfers the custom
data for the row. In other words we are engaging in 3 queries with a fairly high chance of
causing deadlocks in order to just delete the row.
2) For single rows where the entity reference refers to the merged contact the row is
updated to refer to the merged contact (without the insert this works) and a further unnecessary delete follows
3) For custom groups supporting multiple rows the rows are updated to have the new entity id. An unnecessary delete follows.
This change only affects the first of these. I would like to, in a future PR, change UPDATE IGNORE to just UPDATE &
remove the unnecessary delete - with more testing.
Note that this does include a slight change of behaviour. Currently if ANY fields in a custom group
are transferred from one contact to another during merge the row is deleted (with all the custom fields in it).
However, if no fields in a set are deleted then the row is not deleted.
This felt like it was a bit short on consistency. It has a potential advantage from a DB size point of view (any
deleting is better than none) but it also increases the number of locking queries in a process that is fairly
prone to cause DB locks. Based on these considerations I didn't think it worth re-adding code complexity to
retain inconsistent deletion.
A note on tests - I pre-added a bunch of tests into _api3_ContactTest to cover the 3 scenarios above.
Coleman Watts [Mon, 13 Apr 2020 21:00:59 +0000 (17:00 -0400)]
[REF] Remove duplicate checks for an array key existing
Eileen McNaughton [Mon, 13 Apr 2020 20:03:48 +0000 (08:03 +1200)]
Merge pull request #17063 from colemanw/api4limit
APIv4 - Fix setting offset with no limit
Coleman Watts [Mon, 13 Apr 2020 02:09:16 +0000 (22:09 -0400)]
APIv4 Explorer - performance boost with less intensive loops
Coleman Watts [Sun, 12 Apr 2020 23:56:41 +0000 (19:56 -0400)]
APIv4 Explorer - performance boost with fewer watch expressions
Matthew Wire [Mon, 13 Apr 2020 14:42:55 +0000 (15:42 +0100)]
Fix 'selectedChild' parameter for pages with tabs
Coleman Watts [Sun, 12 Apr 2020 18:36:29 +0000 (14:36 -0400)]
APIv4 Explorer - performance boost with one-time-binding expressions
Coleman Watts [Mon, 13 Apr 2020 02:34:32 +0000 (22:34 -0400)]
APIv4 - Fix setting offset with no limit
The API treats 0 as "no limit" but mysql does not.
This allows setting an offset with no limit but applying the maximum possible row count, as mysql does not allow LIMIT NULL.
See https://stackoverflow.com/questions/255517/mysql-offset-infinite-rows
Eileen McNaughton [Mon, 13 Apr 2020 00:36:27 +0000 (12:36 +1200)]
Merge pull request #17057 from eileenmcnaughton/email3
[REF] move all functions associated with the submit function onto the Trait
eileen [Wed, 1 Apr 2020 03:52:20 +0000 (16:52 +1300)]
[REF] move all functions associated with the submit function onto the Trait
colemanw [Sat, 11 Apr 2020 23:22:53 +0000 (19:22 -0400)]
Merge pull request #17058 from eileenmcnaughton/mem
[NFC] Code cleanup around comments, strict comparison, formatting
colemanw [Sat, 11 Apr 2020 17:56:33 +0000 (13:56 -0400)]
Merge pull request #17050 from colemanw/one-time-binding
Improve AngularJS performance with one-time binding for static strings
eileen [Sat, 11 Apr 2020 03:15:34 +0000 (15:15 +1200)]
[NFC] Code cleanup around comments, strict comparison, formatting
Coleman Watts [Fri, 10 Apr 2020 01:47:43 +0000 (21:47 -0400)]
Improve AngularJS performance with one-time binding for static strings
Use one-time binding for all static strings being passed through ts().
This prevents unnecessary $watch expressions, making the digest loop faster.
See https://docs.angularjs.org/guide/expression#one-time-binding