Eileen McNaughton [Sun, 20 Dec 2020 23:23:48 +0000 (12:23 +1300)]
Merge pull request #19237 from colemanw/stripTagsFromOptionDescription
APIv4: Normalize option list descriptions as plain text
Eileen McNaughton [Sun, 20 Dec 2020 23:23:02 +0000 (12:23 +1300)]
Merge pull request #19229 from colemanw/searchKitInput
Search kit: Rewrite input widget to support IN sets, relative dates, BETWEEN groups, etc.
Eileen McNaughton [Sun, 20 Dec 2020 21:36:16 +0000 (10:36 +1300)]
Merge pull request #19209 from mattwire/daoeventid
Add a unique event ID so we can match pre/post Insert/Update
Seamus Lee [Sun, 20 Dec 2020 19:28:51 +0000 (06:28 +1100)]
Merge pull request #19235 from colemanw/flex
Add min-width to flex columns for responsive layout on small screens
Tim Otten [Sat, 19 Dec 2020 20:24:04 +0000 (12:24 -0800)]
Merge pull request #19240 from MikeyMJCO/patch-6
(NFC) Fix issue reporting link to go to the corresponding `core` project.
Mikey O'Toole [Sat, 19 Dec 2020 19:20:02 +0000 (19:20 +0000)]
Fix issue reporting link to go to the corresponding `core` project.
Seamus Lee [Fri, 18 Dec 2020 06:51:00 +0000 (17:51 +1100)]
Merge pull request #19214 from eileenmcnaughton/dep2
Remove functions from EmailCommon that were moved to the trait
Seamus Lee [Fri, 18 Dec 2020 06:43:32 +0000 (17:43 +1100)]
Merge pull request #19228 from eileenmcnaughton/inv_assign
Remove duplicated tax assignments from copied code
Coleman Watts [Thu, 17 Dec 2020 21:15:11 +0000 (16:15 -0500)]
APIv4: Normalize option list descriptions as plain text
Our schema is inconsistent about whether `description` fields allow html,
but it's usually assumed to be plain text, so we strip_tags() to standardize it.
Seamus Lee [Thu, 17 Dec 2020 19:44:28 +0000 (06:44 +1100)]
Merge pull request #19224 from artfulrobot/artfulrobot-fix-bulkmail
Fix lab issue 2254 is_bulkmail cannot be set through UI
Coleman Watts [Wed, 16 Dec 2020 22:27:58 +0000 (17:27 -0500)]
Add min-width to flex columns for responsive layout on small screens
The .crm-flex-box class is new and only used in 2 places: Search Kit & the Dashboard.
This sets a min-width on those layouts so the 2 columns collapse to 1 on small screens.
Coleman Watts [Wed, 16 Dec 2020 00:37:31 +0000 (19:37 -0500)]
Search kit: Rewrite input widget to support IN sets, relative dates, BETWEEN groups, etc.
This deletes the crmSearchValue widget (and the now-empty crmSearchKit module),
which had originally been copied from the API Explorer, and replaces it with a more flexible
set of components with separate templates for each data type.
Seamus Lee [Wed, 16 Dec 2020 21:43:19 +0000 (08:43 +1100)]
Merge pull request #19231 from eileenmcnaughton/processConfirm
Convert previously shared function from static to non-static
Seamus Lee [Wed, 16 Dec 2020 21:42:33 +0000 (08:42 +1100)]
Merge pull request #19234 from eileenmcnaughton/cms
Only do cms account create from the one relevant place
colemanw [Wed, 16 Dec 2020 12:00:49 +0000 (07:00 -0500)]
Merge pull request #19226 from eileenmcnaughton/odd
Remove unused tpl assigns
Seamus Lee [Wed, 16 Dec 2020 07:46:15 +0000 (18:46 +1100)]
Merge pull request #19233 from civicrm/5.33
5.33
eileen [Wed, 16 Dec 2020 05:38:37 +0000 (18:38 +1300)]
Only do cms account create from the one relevant place
This function is called from 3 places - create CMS user is not applicable
to the back office form and the other place actually blocks it...
eileen [Wed, 16 Dec 2020 04:03:40 +0000 (17:03 +1300)]
Convert previously shared function from static to non-static
This no longer needs to be static as it is no longer shared with other forms
(although it needs to be public to support the test class)
Eileen McNaughton [Wed, 16 Dec 2020 05:24:36 +0000 (18:24 +1300)]
Merge pull request #19230 from totten/master-phpseclib-cxnrpc
composer.json - Update civicrm-cxn-rpc and phpseclib
Tim Otten [Wed, 16 Dec 2020 03:15:55 +0000 (19:15 -0800)]
composer.json - Update civicrm-cxn-rpc and phpseclib
Before
------
Require `civicrm-cxn-rpc` v0.19 (with `phpseclib` v1.x)
After
-----
Require either of:
* `civicrm-cxn-rpc` v0.20 (with `phpseclib` v2.x)
* `civicrm-cxn-rpc` v0.19 (with `phpseclib` v1.x)
Technical Details
-----------------
* The public interfaces from civicrm-cxn-rpc are the same in 0.19+0.20.
They only differ in which version of `phpseclib` is used.
* As pointed out in https://github.com/civicrm/civicrm-cxn-rpc/issues/9, we're not
the only folks using phpseclib, so some flexibility on that seems good.
* The primary change in phpseclib 2.x is the use of PHP namespaces
(e.g. `Crypt_AES` => `\phpseclib\Crypt\AES`).
* There are newer versions of both v0.19 and v0.20 which bundle an updated certificate.
eileen [Wed, 16 Dec 2020 01:10:48 +0000 (14:10 +1300)]
Remove duplicated tax assignments from copied code
The assignment of tax data is happening twice on the form - once in generic
code and once in code only reached for recurring contributions that
was in previously-shared code. We can be fairly comfortable that
in this latter case we don't need it as this is a marginal flow
on this form whereas the main flow is being used 90% of the time
& is doing the assignment
Rich Lott / Artful Robot [Tue, 15 Dec 2020 21:06:00 +0000 (21:06 +0000)]
Fix lab issue 2254: cannot set is_bulkmail from UI
eileen [Tue, 15 Dec 2020 20:48:11 +0000 (09:48 +1300)]
Remove legacy tpl assigns
These really look like they were copied over from participant forms -
they are not used in the membership tpl receipts
Seamus Lee [Tue, 15 Dec 2020 19:08:36 +0000 (06:08 +1100)]
Merge pull request #19216 from laryn/patch-3
dev/core#2211 Make sure addressee field fits column
Laryn - CEDC.org [Mon, 14 Dec 2020 21:36:10 +0000 (15:36 -0600)]
dev/core#2211 Make sure addressee field fits column
Truncate if addressee field goes beyond the available 255 characters in an export that merges contacts by shared address.
Seamus Lee [Tue, 15 Dec 2020 07:21:48 +0000 (18:21 +1100)]
Merge pull request #19223 from civicrm/5.33
5.33
Seamus Lee [Tue, 15 Dec 2020 05:25:39 +0000 (16:25 +1100)]
Merge pull request #19220 from eileenmcnaughton/nfc
Minor code cleanup
Seamus Lee [Tue, 15 Dec 2020 05:25:10 +0000 (16:25 +1100)]
Merge pull request #19222 from eileenmcnaughton/mem_form
Remove all handling related to pledge, cms user from newly separated function
Seamus Lee [Tue, 15 Dec 2020 05:24:37 +0000 (16:24 +1100)]
Merge pull request #19219 from colemanw/targetTableFix
Fix Invalid argument PHP warning
Eileen McNaughton [Tue, 15 Dec 2020 03:52:37 +0000 (16:52 +1300)]
Merge pull request #19221 from civicrm/5.33
5.33
eileen [Tue, 15 Dec 2020 02:21:34 +0000 (15:21 +1300)]
Remove all handling related to pledge, cms user from newly separated function
Seamus Lee [Tue, 15 Dec 2020 01:58:15 +0000 (12:58 +1100)]
Merge pull request #19217 from totten/master-assert-perm
DispatchPolicy - Actively report any upgrade problems with hook_civicrm_permission
Seamus Lee [Tue, 15 Dec 2020 00:59:45 +0000 (11:59 +1100)]
Merge pull request #19211 from eileenmcnaughton/form_move
Duplicate processFormContribution only Membership form
eileen [Tue, 15 Dec 2020 00:54:17 +0000 (13:54 +1300)]
Minor code cleanup
Coleman Watts [Tue, 15 Dec 2020 00:37:41 +0000 (19:37 -0500)]
Fix Invalid argument PHP warning
Tim Otten [Mon, 14 Dec 2020 21:13:21 +0000 (13:13 -0800)]
DispatchPolicy - Actively report any upgrade problems with hook_civicrm_permission
Overview
--------
This is a preventive/diagnostic revision which would bring to light potential
problems with firing `cleanupPermissions()`/`hook_civicrm_permission` at the
wrong moment during an upgrade.
Before
------
If `cleanupPermissions()` (and its `hook_civicrm_permission`) are fired too
early during an upgrade, then the cleanup runs quietly but omits important
results (because the hook is dropped). On several UF's, the
`cleanupPermissions()` **revokes access** for any omitted permissions. The
sysadmin would have to manually re-grant access.
After
-----
If `cleanupPermissions()` (and its `hook_civicrm_permission`) are fired too
early during an upgrade, then it raises an error during the upgrade.
Surely, it's better to report the error rather than silently drop the data.
Comments
--------
* This revision is preventive/diagnostic/speculative. It's based on rumor that
somebody had a problem with permissions in an upgrade. I don't actually have
steps to reproduce a problematic case.
* To see this preventive mechanism in action, I provoked a trivial violation:
* Setup a DB with 5.32
* Checkout the code for 5.34.
* Add a local hack https://gist.github.com/totten/e1448b343f94ff9c3d971402a1b3db3d
which has the effect of running `cleanupPermissions()` prematurely.
* Observe: `cv upgrade:db` fails (cv v0.3.5+)
* It's tempting to think of `hook_civicrm_permission` as returning a static list of
strings -- in which case, there's no real harm to firing during the defensive
phase. The problem is that `hook_civicrm_permission` can also be used for
dynamic scenarios. (The power of hooks!) That's useful for any site-building
extension (e.g. bespoke forms/views/APIs/dashlets) where you generate new
permissions based on site configuration. That will depend on the
correct-functioning of the extension+configuration... which cannot be
ensured during the defensive upgrade-phase... and which creates a parallel
choice between incorrect-results (data-loss) or fatal-error. This is the
real reason why one shouldn't run `cleanupPermissions()` during the defensive
phase. (Of course, we should run it... during the liberal phase...)
eileen [Mon, 14 Dec 2020 19:40:50 +0000 (08:40 +1300)]
Remove functions from EmailCommon that were moved to the trait
Seamus Lee [Mon, 14 Dec 2020 23:31:53 +0000 (10:31 +1100)]
Merge pull request #19019 from eileenmcnaughton/total_fail
dev/core#927 Fully remove cancel & fail from Contribution BAO
Seamus Lee [Mon, 14 Dec 2020 23:28:29 +0000 (10:28 +1100)]
Merge pull request #19207 from eileenmcnaughton/member_ids
[REF] Clean up on $ids['contribution']
eileen [Mon, 14 Dec 2020 19:11:12 +0000 (08:11 +1300)]
Duplicate processFormContribution only Membership form
Seamus Lee [Mon, 14 Dec 2020 22:48:45 +0000 (09:48 +1100)]
Merge pull request #19212 from eileenmcnaughton/form_move2
Move processConfirm function from Utils file back to form class
Tim Otten [Mon, 14 Dec 2020 22:36:49 +0000 (14:36 -0800)]
Merge pull request #19215 from totten/master-dispatch-doc
(NFC) DispatchPolicy - Add comments to docblock
Seamus Lee [Mon, 14 Dec 2020 22:04:49 +0000 (09:04 +1100)]
Merge pull request #19213 from eileenmcnaughton/dep
Remove deprecated function
Tim Otten [Mon, 14 Dec 2020 21:06:24 +0000 (13:06 -0800)]
(NFC) DispatchPolicy - Add comments to docblock
This updates some of the docblocks to reflect https://github.com/civicrm/civicrm-core/pull/17126
eileen [Mon, 14 Dec 2020 19:31:25 +0000 (08:31 +1300)]
Remove deprecated function
eileen [Mon, 14 Dec 2020 19:26:42 +0000 (08:26 +1300)]
Move processConfirm function from Utils file back to only form still using it
This function is really part of the Confirm form. People thought sharing it would
be good once. They were wrong. More specifically sharing large blocks of
code that attempt to service many different needs is not helpful
Seamus Lee [Mon, 14 Dec 2020 19:17:30 +0000 (06:17 +1100)]
Merge pull request #19208 from eileenmcnaughton/mem_deb
Remove some more variable variables + some test cleanup
Eileen McNaughton [Mon, 14 Dec 2020 19:00:11 +0000 (08:00 +1300)]
Merge pull request #19181 from colemanw/api4DateRange
APIv4: Support relative date range input
Matthew Wire [Mon, 14 Dec 2020 11:13:54 +0000 (11:13 +0000)]
Add an eventID to the pre/post Insert/Update events so they can be matched together
Seamus Lee [Mon, 14 Dec 2020 08:14:06 +0000 (19:14 +1100)]
Merge pull request #19206 from seamuslee001/migrate_print_array
#REF Migrate the print_array smarty plugin from in packages into core…
eileen [Mon, 14 Dec 2020 06:25:08 +0000 (19:25 +1300)]
Cleanup on test classes to support more flexible use of price set work
eileen [Mon, 14 Dec 2020 06:09:42 +0000 (19:09 +1300)]
Remove some more variable variables
Seamus Lee [Mon, 14 Dec 2020 06:09:24 +0000 (17:09 +1100)]
Merge pull request #19205 from eileenmcnaughton/mem_forms
[REF] Move function to shared parent so MemberForm can use it too
Seamus Lee [Mon, 14 Dec 2020 04:42:55 +0000 (15:42 +1100)]
REF Migrate the print_array smarty plugin from in packages into core as it seems to not be supplied by the upstream package
eileen [Mon, 14 Dec 2020 05:35:51 +0000 (18:35 +1300)]
[REF] Clean up on ids['contribution']
This removes ids['contribution'] and uses the simpler variable contributionID
In addition 2 if clauses are wrapped in if (contributionID) to make it clear
that both are only reachable when there is no contributionID
Seamus Lee [Mon, 14 Dec 2020 05:33:09 +0000 (16:33 +1100)]
Merge pull request #19068 from eileenmcnaughton/actsched
Add column created_date to action_schedule
Seamus Lee [Mon, 14 Dec 2020 05:08:48 +0000 (16:08 +1100)]
Merge pull request #19204 from eileenmcnaughton/ref
Stop passing ids as reference
Eileen McNaughton [Mon, 14 Dec 2020 05:08:32 +0000 (18:08 +1300)]
Merge pull request #19203 from eileenmcnaughton/import
Remove unreachable code.
eileen [Mon, 14 Dec 2020 04:16:25 +0000 (17:16 +1300)]
[REF] Move function to shared parent so MemberForm can use it too
Seamus Lee [Mon, 14 Dec 2020 03:37:53 +0000 (14:37 +1100)]
Merge pull request #19201 from eileenmcnaughton/notice
Enotice fix
eileen [Mon, 14 Dec 2020 03:28:41 +0000 (16:28 +1300)]
Stop passing ids as reference
There are 3 remaining places in the code that call Membership::create with
the ids variable. From my digging none of them use ids afterwards
so there is no need to pass by reference
eileen [Mon, 14 Dec 2020 03:08:35 +0000 (16:08 +1300)]
Remove unreachable code.
The addressee() function doesn't exist so we can be pretty sure it's not being reached
eileen [Mon, 14 Dec 2020 02:35:32 +0000 (15:35 +1300)]
Don't run singleValueAlter on modified_date or create_date
Since we expect these to be managed by mysql to some extent they seem best ignored
eileen [Fri, 11 Dec 2020 05:54:15 +0000 (18:54 +1300)]
Add effective start and end date plus created & modified date to action schedule table
eileen [Mon, 14 Dec 2020 01:27:34 +0000 (14:27 +1300)]
Enotice fix
colemanw [Sun, 13 Dec 2020 23:11:58 +0000 (18:11 -0500)]
Merge pull request #19196 from seamuslee001/apiv4_blob_fields
REF Allow for fields of type Blob or Mediumblob in Apiv4
Eileen McNaughton [Sun, 13 Dec 2020 19:53:48 +0000 (08:53 +1300)]
Merge pull request #19198 from seamuslee001/xdebug_singlevalue
NFC When printing out the result of the correctly update in single va…
Seamus Lee [Sun, 13 Dec 2020 06:13:31 +0000 (17:13 +1100)]
NFC When printing out the result of the correctly update in single value alter ensure that xdebug isn't printed
Seamus Lee [Sun, 13 Dec 2020 03:14:11 +0000 (14:14 +1100)]
Merge pull request #19190 from eileenmcnaughton/import22
Squash 2 if clauses into 1
Seamus Lee [Sun, 13 Dec 2020 02:47:51 +0000 (13:47 +1100)]
Merge pull request #19197 from demeritcowboy/key-comments
[NFC] Update comments in CRM/Core/Key
demeritcowboy [Sat, 12 Dec 2020 22:56:01 +0000 (17:56 -0500)]
update comments
Seamus Lee [Sat, 12 Dec 2020 21:33:01 +0000 (08:33 +1100)]
REF Allow for fields of type Blob or Mediumblob in Apiv4
Seamus Lee [Sat, 12 Dec 2020 20:02:52 +0000 (07:02 +1100)]
Merge pull request #19187 from civicrm/5.33
5.33
Seamus Lee [Sat, 12 Dec 2020 20:01:58 +0000 (07:01 +1100)]
Merge pull request #19145 from totten/master-qfkey
CRM_Core_Key - Provide more debugging hints about mismatched `qfKey`s
Seamus Lee [Sat, 12 Dec 2020 09:49:31 +0000 (20:49 +1100)]
Merge pull request #19193 from eileenmcnaughton/ref
[REF] Extract determination of subscription status information
Seamus Lee [Sat, 12 Dec 2020 09:45:52 +0000 (20:45 +1100)]
Merge pull request #19192 from totten/5.33-upgrade
dev/core#2232 - Upgrade UI contaminates cache via l10n-js. Consolidate isUpgradeMode().
Seamus Lee [Sat, 12 Dec 2020 08:40:21 +0000 (19:40 +1100)]
Merge pull request #19160 from eileenmcnaughton/import
Clean up error handling in legacy functions in import parser
Seamus Lee [Sat, 12 Dec 2020 08:39:58 +0000 (19:39 +1100)]
Merge pull request #19191 from eileenmcnaughton/deprecated
Remove some deprecated code chunks
Seamus Lee [Sat, 12 Dec 2020 08:08:28 +0000 (19:08 +1100)]
Merge pull request #19195 from seamuslee001/5322_rn
Add release-notes/5.32.2.md
Tim Otten [Sat, 12 Dec 2020 06:24:03 +0000 (22:24 -0800)]
Add release-notes/5.32.2.md
eileen [Sat, 12 Dec 2020 06:01:42 +0000 (19:01 +1300)]
[REF] Extract determination of subscription status information
This gets us away from it being buried in a switch
eileen [Sat, 12 Dec 2020 05:37:25 +0000 (18:37 +1300)]
Remove some deprecated code chunks
eileen [Thu, 10 Dec 2020 19:42:27 +0000 (08:42 +1300)]
Clean up error handling in legacy functions in import parser
This makes the handling of errors cleaner & makes it easier for us to unravel what is going on here.
Seamus Lee [Sat, 12 Dec 2020 05:27:49 +0000 (16:27 +1100)]
Merge pull request #19189 from eileenmcnaughton/533q1
Fix failure to assign view tpl variables to view page if context=search is in the url
Tim Otten [Sat, 12 Dec 2020 05:08:20 +0000 (21:08 -0800)]
Partial revert "dev/core#2232 Permit hook_civicrm_container and some other prebootish hooks to run during upgrade and clear out the asset builder cache post upgrade"
This reverts commit 756d9e0dbbe4ff66d2568f02a8ee1f152bd9c5e5.
Tim Otten [Sat, 12 Dec 2020 03:33:23 +0000 (19:33 -0800)]
dev/core#2232 - Upgrade UI contaminates cache via l10n-js. Consolidate isUpgradeMode().
This patch fixes an upgrade bug where `CachedCiviContainer` has stale data after an upgrade.
To do this, it removes an edge-case where two overlapping functions disagree.
Steps to Reproduce
------------------
1. Create a new/empty WP build
2. Install CiviCRM 5.30.1 from zipball
3. Install Mosaico 2.5
4. Download+extract new 5.32.1 zipball
5. Navigate to the GUI upgrade screen. Execute upgrade
6. Click to go back to the CiviCRM dashboard.
7. Receive error about the service 'mosaico_graphics'
Discussion
----------
The problem is created while running the upgrade GUI (step 5). The GUI sends several HTTP
requests (`civicrm/upgrade`, `civicrm/upgrade/queue/ajax/runNext`, etc). At the end, there is
an HTTP request for `civicrm/ajax/l10n-js/en_US`. The `l10n-js` request creates a flawed copy
of `CachedCiviContainer` which is responsible for subsequent errors.
This shouldn't happen - there are defensive mechanisms which prevent it from happening (e.g.
during `civicrm/upgrade`). What makes `civicrm/ajax/l10n-js/en_US` different? It turns on
the implementation of `isUpgradeMode()` which activates the defensive mechanisms.
Before
------
There are two implementations of `isUpgradeMode()` (via `CRM_Core_Config` and
`CRM_Utils_System`). They often agree, but not always.
Some defensive measures trigger on `CRM_Core_Config::isUpgradeMode()` and others trigger on
`CRM_Utils_System::isUpgradeMode()`. They often trigger together, but not always.
Let's see how these can play out in a few HTTP requests:
1. `civicrm/dashboard`: The functions agree -- it's a regular page, not an upgrade. Therefore:
* (a) It allows extensions to run fully.
* (b) It enables `CachedCiviContainer` (read or write automatically).
* (a+b) It puts good/full information in the cache.
2. `civicrm/upgrade`: The functions agree -- it's an upgrade. Therefore:
* (a) It runs in paranoid mode (suspended extensions).
* (b) It disables `CachedCiviContainer`.
* (a+b) It puts no information in the cache.
3. `civicrm/ajax/l10n-js/en_US`: The functions *disagree*. In this case:
* (a) It runs in paranoid mode (suspended extensions).
* (b) It enables `CachedCiviContainer` (read or write automatically).
* (a+b) It puts bad/incomplete information in the cache.
After
-----
There is one implementation of `isUpgradeMode()`. It may be called through
either class (`CRM_Core_Config` or `CRM_Utils_System`), but the results will
always agree.
This produces the same appropriate outcome for cases of agreement (1) (2), and it fixes the
wonky/mismatched behavior in (3).
eileen [Sat, 12 Dec 2020 03:34:28 +0000 (16:34 +1300)]
Squash 2 if clauses into 1
The action is the same for both criteria so in_array rather than 2 * if =
makes it more readable
Seamus Lee [Sat, 12 Dec 2020 02:41:20 +0000 (13:41 +1100)]
Merge pull request #19185 from eileenmcnaughton/533q
dev/core#1019 Fix currency formatting of Total Amount on Event and Contribution pages (with multi-currency form support)
eileen [Sat, 12 Dec 2020 02:37:43 +0000 (15:37 +1300)]
Fix failure to assign view tpl variables to view page if context=search is in the url
Whack-a-mole round 10
Seamus Lee [Sat, 12 Dec 2020 01:49:42 +0000 (12:49 +1100)]
Merge pull request #19183 from eileenmcnaughton/533e
dev/core#2248 Ensure variables are assigned to tpl for urls
Mathieu Lutfy [Wed, 9 Dec 2020 14:28:25 +0000 (09:28 -0500)]
dev/core#1019 Fix currency formatting of Total Amount on Event and Contribution pages (with multi-currency form support)
eileen [Fri, 11 Dec 2020 23:44:06 +0000 (12:44 +1300)]
dev/core#2248 Ensure variables are assigned to tpl for urls
Seamus Lee [Fri, 11 Dec 2020 23:34:48 +0000 (10:34 +1100)]
Merge pull request #19182 from eileenmcnaughton/else
Remove extraneous elses
Seamus Lee [Fri, 11 Dec 2020 23:34:05 +0000 (10:34 +1100)]
Merge pull request #19085 from eileenmcnaughton/words
dev/financial#158 change UI parts of contribution soft schema to soft credit
Tim Otten [Fri, 11 Dec 2020 22:08:46 +0000 (14:08 -0800)]
CRM_Core_Key - Add some basic unit tests
Tim Otten [Tue, 8 Dec 2020 23:15:45 +0000 (15:15 -0800)]
CRM_Core_Key - Provide more debugging hints about `qfKey`s
Overview
--------
The `qfKey` parameter is a security mechanism (CSRF). The content of `qfKey` is also inscrutable - so when there's a problem
with `qfKey`, it can be difficult to determine the origin/nature of the problem.
Before
------
The `qfKey` provides a digital signature based on (1) session ID, (2) the
form being processed, (3) a random private-key (unique to the user/session).
In some cases, the `qfKey` also has a random nonce appended to distinguish
between concurrent tabs that work with the same form.
* Ex: `2abc4b7f23d9ae4dfcdbb0c692cc666e5f11256fe84ace7662b0e075834b81958` (w/o nonce)
* Ex: `2abc4b7f23d9ae4dfcdbb0c692cc666e5f11256fe84ace7662b0e075834b81958_9527` (w/nonce)
If there is a logic problem where the `qfKey` of form A gets mixed-up with
form B, then it's extremely hard to understand the mismatch. All you see are
two long random codes.
* Inputted qfKey: `2abc4b7f23d9ae4dfcdbb0c692cc666e5f11256fe84ace7662b0e075834b81958`
* Expected qfKey: `89874b7a23192e4d6aab10c622ca369e5e11226f784a5c7652b95075536b81a5e`
After
-----
The `qfKey` has a prefix to indicate the token's intended usage (as well as a digital signature).
* Ex: `CRMContactControllerSearch154eitbf74v3ko0sw94k08gogo8448asdfw4goggkkwgkww08c` (w/o nonce)
* Ex: `CRMContactControllerSearch154eitbf74v3ko0sw94k08gogo8448asdfw4goggkkwgkww08c_9355` (w/ nonce)
If there is a logic problem where the `qfKey` of form A gets mixed-up with
form B, then the prefix can help you understand. Compare:
* Inputted qfKey: `CRMContactControllerSearch154eitbf74v3ko0sw94k08gogo8448asdfw4goggkkwgkww08c`
* Expected qfKey: `CRMContributeFormContribution5o2due205mp0384080sgc8omw8kwggoksw47sswchs80gw0kgs`
This tells you that there's a logical mismatch - it's trying to render the contribution
screen using the key for the contact-search screen.
Comments
--------
* The identity of the `formname` is not sensitive information.
* The `qfKey` might look prettier with more delimiters (`{formname}_{signature}_{nonce}`). However, I believe there are random bits of existing code
which use `explode('_')` to split apart the signature and the nonce. This formula seems to be drop-in/interoperable.
* I switched the encoding of the signature from hex (0-9a-f) to base-36 (0-9a-z) to make it a bit shorter.
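The token layout described in the commit message above, as an added example that is not CiviCRM's `CRM_Core_Key` code: a form-bound CSRF key with a readable form-name prefix, a base-36 signature and an optional `_nonce` suffix that still splits with `explode('_')`. The function names, the HMAC-SHA256 construction, the chunked base-36 encoding and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not CiviCRM's implementation. All names are hypothetical.

const SIG_LEN = 56; // 8 chunks x 7 base-36 characters

/** Encode a hex digest as base-36 in 32-bit chunks, so base_convert() loses no precision. */
function toBase36(string $hex): string {
  $out = '';
  foreach (str_split($hex, 8) as $chunk) {
    $out .= str_pad(base_convert($chunk, 16, 36), 7, '0', STR_PAD_LEFT);
  }
  return $out;
}

/** Build "{formname}{signature}", optionally followed by "_{nonce}". */
function makeKey(string $form, string $sessionId, string $privateKey, ?int $nonce = NULL): string {
  // Dropping underscores from the prefix keeps '_' reserved for the nonce,
  // so legacy explode('_') callers still get [key, nonce].
  $prefix = preg_replace('/[^A-Za-z0-9]/', '', $form);
  // The signature covers session ID and form name, keyed by the per-session private key.
  $sig = toBase36(hash_hmac('sha256', $sessionId . "\0" . $form, $privateKey));
  return $prefix . $sig . ($nonce === NULL ? '' : '_' . $nonce);
}

/** Return NULL when the key is valid for $form, otherwise a diagnostic message. */
function checkKey(string $input, string $form, string $sessionId, string $privateKey): ?string {
  [$body] = explode('_', $input, 2);
  $expected = makeKey($form, $sessionId, $privateKey);
  // Constant-time comparison of the full prefix + signature.
  if (hash_equals($expected, $body)) {
    return NULL;
  }
  // The prefix is untrusted input: keep only alphanumerics before reporting it.
  $got = substr($body, 0, max(0, strlen($body) - SIG_LEN));
  $got = preg_replace('/[^A-Za-z0-9]/', '', $got);
  $want = substr($expected, 0, -SIG_LEN);
  if ($got === $want) {
    return "signature mismatch for $want";
  }
  return "key was issued for '$got' but '$want' was expected";
}

// Constructed sample values.
$sid = 'constructed-session-id';
$priv = 'constructed-private-key';
$searchKey = makeKey('CRM_Contact_Controller_Search', $sid, $priv, 9355);

echo $searchKey, "\n";
var_dump(checkKey($searchKey, 'CRM_Contact_Controller_Search', $sid, $priv));
echo checkKey($searchKey, 'CRM_Contribute_Form_Contribution', $sid, $priv), "\n";
```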
eileen [Fri, 11 Dec 2020 20:26:45 +0000 (09:26 +1300)]
Remove extraneous elses
eileen [Tue, 1 Dec 2020 03:51:48 +0000 (16:51 +1300)]
dev/financial#158 change UI parts of contribution soft schema to soft credit
Coleman Watts [Fri, 11 Dec 2020 17:33:14 +0000 (12:33 -0500)]
APIv4: Support relative date range input
Supports relative date range expressions with most operators and adds test coverage
Seamus Lee [Fri, 11 Dec 2020 09:05:56 +0000 (20:05 +1100)]
Merge pull request #19180 from civicrm/5.33
5.33