Alice Frumin [Wed, 6 Mar 2019 21:49:48 +0000 (16:49 -0500)]
5.11.0 release notes: bulk of work from Alice
* moving things to misc
* organizing prs
* linking to gitlab issues
* first stab
* more release notes
* more release notes progress
* annotating
* cleaning up
* updating contributors
Andrew Hunt [Thu, 14 Feb 2019 15:48:50 +0000 (10:48 -0500)]
5.11.0 release notes: added boilerplate
Andrew Hunt [Thu, 14 Feb 2019 15:46:36 +0000 (10:46 -0500)]
5.11.0 release notes: raw from script
Seamus Lee [Wed, 6 Mar 2019 03:32:48 +0000 (14:32 +1100)]
Merge pull request #13754 from eileenmcnaughton/5.11-
dev/core#745 do not filter on 'on_hold' if it is an empty string
Seamus Lee [Mon, 4 Mar 2019 05:19:00 +0000 (16:19 +1100)]
Merge pull request #13755 from eileenmcnaughton/event_fix
dev/core#766 fix loss of custom fields when creating an event from template
eileen [Mon, 4 Mar 2019 01:32:07 +0000 (14:32 +1300)]
dev/core#766 fix loss of custom fields when creating an event from template
eileen [Mon, 4 Mar 2019 01:11:10 +0000 (14:11 +1300)]
dev/core#745 do not filter on 'on_hold' if it is an empty string
Although I couldn't replicate this, apparently in groups created in an earlier version it could
be. We only care about numbers (0 or 1) or arrays (from the select widget),
so add an extra check
Eileen McNaughton [Sat, 2 Mar 2019 06:20:28 +0000 (19:20 +1300)]
Merge pull request #13731 from eileenmcnaughton/5.11
dev/core#731 Add upgrade routine to convert on_hold to an array for sites with
Eileen McNaughton [Sat, 2 Mar 2019 01:07:50 +0000 (14:07 +1300)]
Merge pull request #13743 from greenpeace-cee/fix-tag-search
CRM/Contact - Fix fatal error on tag search
Patrick Figel [Fri, 1 Mar 2019 18:28:27 +0000 (19:28 +0100)]
CRM/Contact - Fix fatal error on tag search
This fixes a fatal error caused by the CommaSeparatedIntegers not
accepting empty strings. This can be triggered by performing a
search with "Tag(s) IS NULL" using the search builder.
Eileen McNaughton [Fri, 1 Mar 2019 06:50:26 +0000 (19:50 +1300)]
Merge pull request #13734 from eileenmcnaughton/mem
dev/membership#10 fix incorrect validation error saying Start date must be the same or later than Member since
Seamus Lee [Fri, 1 Mar 2019 04:03:01 +0000 (15:03 +1100)]
Merge pull request #13738 from jitendrapurohit/core-768-rc
dev/core#768 - Fix fatal error on group search
Eileen McNaughton [Fri, 1 Mar 2019 03:43:21 +0000 (16:43 +1300)]
Merge pull request #13737 from seamuslee001/pdf_receipts_fix_enotice
Fix up e-notice error when using a user from email address same issue…
Jitendra Purohit [Fri, 1 Mar 2019 02:39:31 +0000 (08:09 +0530)]
dev/core#768 - Fix fatal error on group search
Seamus Lee [Fri, 1 Mar 2019 00:28:00 +0000 (11:28 +1100)]
Fix up e-notice error when using a user from email address same issue as dev/core#644
eileen [Thu, 28 Feb 2019 21:44:22 +0000 (10:44 +1300)]
Add upgrade routine to convert on_hold to an array for sites with
civimail_multiple_bulk_emails set.
with that set we get a select box which needs an array rather than a checkbox.
Note from my testing there is a problem loading the defaults due to the field name being
wrong - this aligns groups created before & after the 5.9 upgrade but does not resolve that.
// preferred communication method
if (Civi::settings()->get('civimail_multiple_bulk_emails')) {
  $form->addSelect('email_on_hold',
    array('entity' => 'email', 'multiple' => 'multiple', 'label' => ts('Email On Hold'), 'options' => CRM_Core_PseudoConstant::emailOnHoldOptions()));
}
else {
  $form->add('advcheckbox', 'email_on_hold', ts('Email On Hold'));
}
eileen [Thu, 28 Feb 2019 22:33:13 +0000 (11:33 +1300)]
dev/membership#10 fix incorrect validation error saying Start date must be the same or later than Member since
This problem is because both dates exclude time but the default setting includes it - leading to a
comparison of a datetime with a date+midnight time
Eileen McNaughton [Thu, 28 Feb 2019 20:59:46 +0000 (09:59 +1300)]
Merge pull request #13723 from eileenmcnaughton/5.11
financial#46 - clean money format at form layer - Fix mistreatment of event fees > 1000 when saving
Eileen McNaughton [Thu, 28 Feb 2019 19:47:11 +0000 (08:47 +1300)]
Merge pull request #13725 from JMAConsulting/CRM-21754-rc
Don't break loop if address fields not found while formatting rows in Reports
Monish Deb [Thu, 28 Feb 2019 09:49:29 +0000 (15:19 +0530)]
Don't break loop if address fields not found while formatting rows in Reports
eileen [Thu, 28 Feb 2019 06:01:39 +0000 (19:01 +1300)]
Fix mistreatment of event fees > 1000 when saving
Eileen McNaughton [Thu, 28 Feb 2019 05:33:35 +0000 (18:33 +1300)]
Merge pull request #13721 from MegaphoneJon/5.11
financial#46 - clean money format at form layer
Eileen McNaughton [Thu, 28 Feb 2019 05:23:20 +0000 (18:23 +1300)]
Merge pull request #13711 from greenpeace-cee/fix-multi-currency-soft-credit
dev/core#756 - CRM/Contribute - Fix multi-currency soft credit summary
Jon Goldberg [Thu, 28 Feb 2019 03:24:40 +0000 (22:24 -0500)]
financial#46 - clean money format at form layer
Patrick Figel [Tue, 26 Feb 2019 20:06:13 +0000 (21:06 +0100)]
dev/core#756 - CRM/Contribute - Fix multi-currency soft credit summary
This fixes an exception caused by multiple currencies being passed to
CRM_Utils_Money::format. It also resolves some inconsistencies in how
the summary table is rendered for soft credits.
colemanw [Tue, 26 Feb 2019 17:44:48 +0000 (12:44 -0500)]
Merge pull request #13709 from JMAConsulting/dev-core#757-rc
Viewing Contact Note comments is broken in 5.10.4.
Ken West [Tue, 26 Feb 2019 11:33:52 +0000 (22:33 +1100)]
Viewing Contact Note comments is broken in 5.10.4.
Update Javascript to use Note-NNNNN rather than cnote_NNNN as the ID of Note rows.
Completes change started in commit
57abcbbf5cf85b1266377e0ad9af4fb5865d5bc0.
Seamus Lee [Sat, 23 Feb 2019 04:41:59 +0000 (15:41 +1100)]
Merge pull request #13683 from seamuslee001/5_11_5_10_4_Release_Notes
Add in 5.10.4 Release notes
Seamus Lee [Fri, 22 Feb 2019 23:02:29 +0000 (10:02 +1100)]
Add in 5.10.4 Release notes
Eileen McNaughton [Sat, 23 Feb 2019 01:08:31 +0000 (14:08 +1300)]
Merge pull request #13673 from eileenmcnaughton/511geocode
Remove tests that no longer work due to dead service
Seamus Lee [Fri, 22 Feb 2019 23:18:25 +0000 (10:18 +1100)]
Merge pull request #13663 from seamuslee001/lab_core_747
Hotfix for dev/core#747 To fix generation of contact image urls
Seamus Lee [Fri, 22 Feb 2019 21:00:43 +0000 (08:00 +1100)]
Extract checking of filename into own function and add tests
Eileen McNaughton [Fri, 22 Feb 2019 20:23:28 +0000 (09:23 +1300)]
Merge pull request #13670 from MegaphoneJon/reporting-10-rc
reporting#10 - fix pagination on Contribution Detail report
eileen [Sun, 17 Feb 2019 01:42:47 +0000 (14:42 +1300)]
Remove tests that no longer work due to dead service
Jon Goldberg [Fri, 22 Feb 2019 02:06:13 +0000 (21:06 -0500)]
reporting#10 - fix pagination on Contribution Detail report
Tim Otten [Fri, 22 Feb 2019 08:24:49 +0000 (00:24 -0800)]
CRM_Core_Page_File - Only delivers directly under the customFileUploadDir
Tim Otten [Fri, 22 Feb 2019 08:22:03 +0000 (00:22 -0800)]
CRM_Core_Page_File - Fix warning when using filename mode
The idea here is that `id+eid+fcs` and `filename` are two separate modes.
In `filename` mode, you don't need warnings about the missing `fcs`.
Tim Otten [Fri, 22 Feb 2019 06:45:45 +0000 (22:45 -0800)]
CRM_Core_Page_File - More consistent capitalization/prose
Seamus Lee [Fri, 22 Feb 2019 05:38:57 +0000 (16:38 +1100)]
Merge pull request #13662 from seamuslee001/hotfix_746
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Seamus Lee [Fri, 22 Feb 2019 01:11:53 +0000 (12:11 +1100)]
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Fix GroupContactCacheTest
Seamus Lee [Fri, 22 Feb 2019 01:25:38 +0000 (12:25 +1100)]
Hotfix for dev/core#747 To fix generation of contact image urls
Eileen McNaughton [Fri, 22 Feb 2019 00:42:32 +0000 (13:42 +1300)]
Merge pull request #13660 from seamuslee001/5.11
5.11 - merge in security
Tim Otten [Thu, 21 Feb 2019 06:38:50 +0000 (22:38 -0800)]
release-notes/5.10.3.md - Update "Feedback" to be... closer to reality wrt SA's
Tim Otten [Thu, 21 Feb 2019 06:27:09 +0000 (22:27 -0800)]
release-notes/5.10.3.md - TOC should match actual headings
Seamus Lee [Sat, 16 Feb 2019 03:59:52 +0000 (14:59 +1100)]
Add in 5.10.3 Security Release Notes
Seamus Lee [Tue, 19 Feb 2019 01:39:50 +0000 (12:39 +1100)]
Fix file e-notice by using the correct url variables
Seamus Lee [Wed, 13 Feb 2019 23:33:45 +0000 (10:33 +1100)]
Fix variables to match image file hash generation
Tim Otten [Wed, 13 Feb 2019 22:34:33 +0000 (14:34 -0800)]
CRM_Profile_Form - Add fcs for download link on custom field
Tim Otten [Wed, 13 Feb 2019 20:58:33 +0000 (12:58 -0800)]
(REF) Clearer docblocks and file names
Tim Otten [Wed, 13 Feb 2019 20:50:02 +0000 (12:50 -0800)]
Fix multiple issues with file URLs. Use clearer variables and docblocks to reduce confusion.
Seamus Lee [Wed, 13 Feb 2019 20:09:26 +0000 (07:09 +1100)]
Try and use the correct variable for file id in custom field uploads and use the standard checksum timout as well
Tim Otten [Tue, 12 Feb 2019 23:58:57 +0000 (15:58 -0800)]
generateFileHash() - If we can't generate a secure one, then don't generate any token
Falling back to a constant negates any security benefit of using a hash.
IMHO, the edge-case where `CIVICRM_SITE_KEY` is missing should be
obscure/rare and signifies broader problems for the deployment. It needs to
be corrected. If you're worried that having an error-symptom here is too
obscure, then let's add a more prominent error-message via
`CRM_Utils_Check`.
NOTE: There is one pre-existing case in core where (in absence of a key) it
proceeds with a constant in lieu of a `CIVICRM_SITE_KEY`. Specifically,
`CRM_Core_Error::generateLogFileHash()`. That is not a good example to
follow because it is qualitatively different:
* In `generateLogFileHash()`, `CIVICRM_SITE_KEY` functions as one of
multiple redundant security mechanisms -- e.g. even if
`CIVICRM_SITE_KEY` is missing, the log file remains hard-to-access because
(1) the DSN is part of the hash and (2) the httpd protects `ConfigAndLog`.
(Contrast: The file-hash-code is not *redundant* in the same way.)
* In the context of logging, raising any error (even if it's a real error
condition) can provoke a weird loop (because then that error needs to be
logged). The log needs to avoid such loops. (Contrast:
`generateFileHash()` is part of the normal post-boot application logic, so
it's free to register errors normally.)
Tim Otten [Tue, 12 Feb 2019 23:50:40 +0000 (15:50 -0800)]
generateFileHash() and validateFileHash() should be colocated
The two functions (`generateFileHash()` and `validateFileHash()`) are
tightly-coupled. Most changes to one would require a matching change in the
other. So they should be parallel.
It'd be OK to say "the hash formula is a general utility for any party using
file APIs" (so put `generateFileHash()` and `validateFileHash()` in `CRM_Core_BAO_File`).
It'd be OK to say "the hash formula is specific to the end-point/page which
serves files" (so put `generateFileHash()` and `validateFileHash()` in
`CRM_Core_Page_File`).
The former feels a bit more accurate, so I pushed it toward that.
Seamus Lee [Mon, 4 Feb 2019 21:48:25 +0000 (08:48 +1100)]
Switch to Sha256 and add in a ttl
Further WIP fixing hmac implementation, now need to get it generating consistent hashes
Remove debugging
Seamus Lee [Tue, 22 Jan 2019 19:11:45 +0000 (06:11 +1100)]
Block access if no Hash is supplied
Seamus Lee [Fri, 18 Jan 2019 22:01:17 +0000 (09:01 +1100)]
security/core#26 Add in a generated Hash to download files so that URLs can't just be tested by anon users
Seamus Lee [Fri, 8 Feb 2019 03:46:36 +0000 (14:46 +1100)]
prevent timing attacks on the contact checksum validation
eileen [Mon, 14 Jan 2019 04:03:28 +0000 (17:03 +1300)]
Remove support for passing a filename into civicrm/file.
I can find no evidence this is used & it feels like a security risk, albeit they still need
the path
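The file-access token scheme the commits above describe (an HMAC-SHA256 over the entity and file ids, a TTL, no token at all when the site key is missing rather than a constant fallback, a constant-time comparison on validation, a hard deny when no hash is supplied) together with the CRM_Core_Page_File rule of only delivering files under the upload directory and looking them up by id rather than by a caller-supplied filename, as an added Python example. This is not CiviCRM's code: SITE_KEY, UPLOAD_DIR, FILE_TABLE, the token layout and every function name are assumptions made for the example, and the secret and file table are constructed stand-ins for a deployment's CIVICRM_SITE_KEY and file records.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example only. A real deployment supplies its own
# (CiviCRM reads CIVICRM_SITE_KEY); it must never be a constant in the code.
SITE_KEY = b"constructed-example-site-key-do-not-reuse"
UPLOAD_DIR = "/srv/example/custom/upload"   # assumed upload directory
DEFAULT_TTL = 7 * 24 * 3600                 # assumed lifetime: seven days
# Constructed file table: (entity_id, file_id) -> stored file name.
FILE_TABLE = {(42, 7): "report-2019.pdf", (42, 8): "subdir/photo.jpg"}


class MissingSiteKey(Exception):
    """No signing key is configured: refuse to issue a token rather than fall
    back to a constant, which would let anyone forge tokens."""


def _mac(site_key, entity_id, file_id, issued, ttl):
    msg = f"entity={entity_id}&file={file_id}&issued={issued}&ttl={ttl}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()


def generate_file_token(entity_id, file_id, *, site_key=SITE_KEY,
                        issued=None, ttl=DEFAULT_TTL):
    """Return 'mac_issued_ttl'. The issue time and lifetime are covered by the
    MAC, so the holder cannot edit them to extend access."""
    if not site_key:
        raise MissingSiteKey("no site key configured; not issuing a token")
    issued = int(time.time()) if issued is None else int(issued)
    return f"{_mac(site_key, entity_id, file_id, issued, ttl)}_{issued}_{ttl}"


def validate_file_token(token, entity_id, file_id, *, site_key=SITE_KEY, now=None):
    """True only for a well-formed, unexpired token whose MAC matches."""
    if not site_key or not token:
        return False          # missing key or missing hash: deny, never skip
    parts = token.split("_")
    if len(parts) != 3:
        return False
    mac, issued, ttl = parts
    if not (issued.isdigit() and ttl.isdigit()):
        return False
    expected = _mac(site_key, entity_id, file_id, int(issued), int(ttl))
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False
    now = int(time.time()) if now is None else int(now)
    return now <= int(issued) + int(ttl)


def resolve_upload_path(name, upload_dir=UPLOAD_DIR):
    """Map a stored file name to a path, refusing anything that escapes
    upload_dir (e.g. '../settings.php' or an absolute path)."""
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_file(entity_id, file_id, token, *, site_key=SITE_KEY, now=None):
    """Check the token, look the file up by ids only (no filename parameter),
    then confine the resolved path. Returns the path to deliver, or None."""
    if not validate_file_token(token, entity_id, file_id, site_key=site_key, now=now):
        return None
    name = FILE_TABLE.get((entity_id, file_id))
    if name is None:
        return None
    return resolve_upload_path(name)


if __name__ == "__main__":
    tok = generate_file_token(42, 7)
    print("token:", tok)
    print("served:", serve_file(42, 7, tok))
    print("other file id with same token:", serve_file(42, 8, tok))
    print("no token:", serve_file(42, 7, ""))
```

Two design points worth noting: the issue time and TTL are inside the MAC input, so a holder who rewrites the trailing fields of the token only produces a MAC mismatch; and the path check is defence in depth, since the endpoint never accepts a filename from the request, only an (entity, file) pair that it resolves itself.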
eileen [Mon, 14 Jan 2019 01:25:29 +0000 (14:25 +1300)]
Remove unused file parameters
Coleman Watts [Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)]
security/core#33 - Patch jQuery for CVE-2015-9251
See https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
This will no longer be needed after upgrading to jQuery 3.x.
Tim Otten [Tue, 15 Jan 2019 00:01:26 +0000 (16:01 -0800)]
(NFC) Cleanup new docblocks
Tim Otten [Mon, 14 Jan 2019 23:58:53 +0000 (15:58 -0800)]
Follow-up security/core#25 - Consistently change interface
The previous commit
4c1e702f96403bdc84b6900027d1be61ea601321 expanded the
signature of `fillWithSql()` to accept a third argument, but it wasn't
consistent about whether the third argument was optional or required.
This makes it consistently optional (default `[]`).
Seamus Lee [Sat, 27 Oct 2018 21:44:08 +0000 (08:44 +1100)]
Resolve security/core#25 Escape use of cacheKey to prevent SQLI when populating the prevNextCache
Security #25 Update Redis implementation to match function sig of interface function
Patrick Figel [Sun, 6 Jan 2019 17:30:30 +0000 (18:30 +0100)]
security/core#16 - Smarty - Fix XSS in crmMoney plugin
This fixes an XSS in the crmMoney smarty plugin by checking the
currency against the currency list and adds some basic tests.
Fixes security/core#16
Patrick Figel [Sun, 6 Jan 2019 21:16:40 +0000 (22:16 +0100)]
security/core#28 - CRM_Contact - Use uniqid() for table alias
Patrick Figel [Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)]
security/core#28 - CRM_Contact - Fix SQL injection in group/tag search
This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.
For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).
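The input validation the commit above describes for the group/tag search, and the empty-string case from the earlier "CRM/Contact - Fix fatal error on tag search" commit (CommaSeparatedIntegers rejecting "" when the search builder sends "Tag(s) IS NULL"), as an added Python example that is not CiviCRM's code. It parses a tag value into integers while tolerating the "1, 2" API syntax, maps an empty value to an IS NULL clause instead of failing, rejects anything else before it reaches SQL, and binds the ids as parameters rather than interpolating them. The contact and entity_tag tables, their sample rows, and all function names are constructed for the example.

```python
import re
import sqlite3

# Whole string must be integers separated by commas, optional whitespace around each.
_INT_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


class InvalidIdList(ValueError):
    """Raised for any value that is not a plain list of integer ids."""


def parse_id_list(value):
    """Accept an int, a list/tuple of ints (or digit strings), or a string
    like '1, 2,3'. Returns a list of ints; an empty value (None, '', [])
    returns [] so the caller can emit IS NULL. Anything else raises."""
    if value is None or value == "" or value == []:
        return []
    if isinstance(value, bool):          # bool is an int subclass; not an id
        raise InvalidIdList(repr(value))
    if isinstance(value, int):
        return [value]
    if isinstance(value, (list, tuple, set)):
        ids = []
        for item in value:
            if isinstance(item, int) and not isinstance(item, bool):
                ids.append(item)
            elif isinstance(item, str) and item.strip().isdigit():
                ids.append(int(item))
            else:
                raise InvalidIdList(repr(item))
        return ids
    if isinstance(value, str):
        if not _INT_LIST.match(value):
            raise InvalidIdList(value)   # e.g. "1) OR 1=1 --" stops here
        return [int(part) for part in value.split(",")]
    raise InvalidIdList(repr(value))


def tag_where_clause(tag_value):
    """Return (sql_fragment, params). Only '?' placeholders reach the SQL text."""
    ids = parse_id_list(tag_value)
    if not ids:
        return "et.tag_id IS NULL", []
    placeholders = ",".join("?" * len(ids))
    return f"et.tag_id IN ({placeholders})", ids


def find_contacts(conn, tag_value):
    """Contacts carrying any of the given tags, or untagged contacts for an
    empty value. Ids are bound parameters, never string-interpolated."""
    where, params = tag_where_clause(tag_value)
    sql = ("SELECT DISTINCT c.id FROM contact c "
           "LEFT JOIN entity_tag et ON et.entity_id = c.id "
           f"WHERE {where} ORDER BY c.id")
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory schema and rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE entity_tag (entity_id INTEGER, tag_id INTEGER);
        INSERT INTO contact VALUES (1, 'Ada'), (2, 'Bob'), (3, 'Cy');
        INSERT INTO entity_tag VALUES (1, 1), (2, 2), (2, 3);
    """)
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print('tag="1, 2":', find_contacts(conn, "1, 2"))
    print('tag="" (IS NULL):', find_contacts(conn, ""))
    try:
        find_contacts(conn, "1) OR 1=1 --")
    except InvalidIdList as exc:
        print("rejected:", exc)
```

The regex accepts exactly the comma-separated-with-spaces form the commit wants to keep working for Contact.get, and the placeholder list is built from the count of validated integers, so the only text that ever enters the query is "?" characters.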
Seamus Lee [Sun, 30 Dec 2018 01:09:45 +0000 (12:09 +1100)]
security/core#32 Fix Reflected XSS in Logging Detail report
Seamus Lee [Sat, 27 Oct 2018 04:08:25 +0000 (15:08 +1100)]
Also Purify the output of the frozen entity reference and that of a select2 output as well
Seamus Lee [Tue, 3 Jul 2018 23:49:35 +0000 (09:49 +1000)]
Resolve #9 by purifying label of entity reference values
Seamus Lee [Tue, 19 Feb 2019 05:44:08 +0000 (16:44 +1100)]
Merge pull request #13637 from jitendrapurohit/core737
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on…
Jitendra Purohit [Tue, 19 Feb 2019 04:02:20 +0000 (09:32 +0530)]
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on the last screen
Eileen McNaughton [Sat, 16 Feb 2019 23:33:06 +0000 (12:33 +1300)]
Merge pull request #13613 from colemanw/openCampaignWidget
Auto-open campaign widget and sort by start date
Coleman Watts [Sat, 16 Feb 2019 21:25:18 +0000 (16:25 -0500)]
Auto-open campaign widget and sort by start date
Seamus Lee [Thu, 14 Feb 2019 22:26:45 +0000 (09:26 +1100)]
Merge pull request #13599 from seamuslee001/5.11
Add in release notes for 5.10.2
Tim Otten [Thu, 14 Feb 2019 22:14:38 +0000 (14:14 -0800)]
Update 5.10.2.md
Tim Otten [Thu, 14 Feb 2019 22:14:19 +0000 (14:14 -0800)]
Update 5.10.2.md
Minor copy-edits:
* Punctuation to match other point-release docs
* Use consistent reverse-alpha in credits
* Add some more authors+reviewers from Github
Seamus Lee [Thu, 14 Feb 2019 21:45:19 +0000 (08:45 +1100)]
Merge pull request #13593 from eileenmcnaughton/acl_regression
dev/core#721 Fix regression on refreshing group_contact cache before checking acls
Seamus Lee [Thu, 14 Feb 2019 20:34:43 +0000 (07:34 +1100)]
Add in release notes for 5.10.2
Update release notes as per Eileen's comment
Add in notes on merge of dev/core#715 fix
eileen [Thu, 14 Feb 2019 05:37:14 +0000 (18:37 +1300)]
Fix regression on refreshing group_contact cache before checking acls
We seem to be checking if the cache needs a rebuild and IF SO doing 2 actions
1) rebuilding it
2) permitting access to contacts related to it
When really it should do only 1) above - this patch changes as such
This seems to be whack-a-mole off https://github.com/civicrm/civicrm-core/pull/12344
going too far one way & https://github.com/civicrm/civicrm-core/pull/13448
fixing but adding this new variant
Eileen McNaughton [Wed, 13 Feb 2019 01:46:07 +0000 (14:46 +1300)]
Merge pull request #13581 from colemanw/dev/core#715
dev/core#715 - Fix delete action on RelationshipType form
Coleman Watts [Tue, 12 Feb 2019 17:08:48 +0000 (12:08 -0500)]
dev/core#715 - Fix delete action on RelationshipType form
Eileen McNaughton [Tue, 12 Feb 2019 02:23:03 +0000 (15:23 +1300)]
Merge pull request #13575 from seamuslee001/5_10_1_release_notes_11
Release notes for 5.10.1 release
Seamus Lee [Mon, 11 Feb 2019 22:46:38 +0000 (09:46 +1100)]
Merge pull request #13572 from eileenmcnaughton/cc_511
Fix regression whereby making receive_date required breaks back offic…
Seamus Lee [Mon, 11 Feb 2019 21:09:03 +0000 (08:09 +1100)]
Release notes for 5.10.1 release
eileen [Mon, 11 Feb 2019 20:16:22 +0000 (09:16 +1300)]
Fix regression whereby making receive_date required breaks back office cc
Regression from https://lab.civicrm.org/dev/core/issues/680
led to https://civicrm.stackexchange.com/questions/28410/unable-to-take-credit-card-payment-after-civi-update
CiviCRM [Thu, 7 Feb 2019 01:44:56 +0000 (01:44 +0000)]
Set version to 5.11.beta1
Tim Otten [Thu, 7 Feb 2019 01:40:32 +0000 (20:40 -0500)]
Merge pull request #13552 from seamuslee001/master
Update 5.10.0.md
Tim Otten [Thu, 7 Feb 2019 00:30:09 +0000 (19:30 -0500)]
Update 5.10.0.md
Seamus Lee [Wed, 6 Feb 2019 22:10:40 +0000 (09:10 +1100)]
Merge pull request #13550 from civicrm/5.10
5.10
Seamus Lee [Wed, 6 Feb 2019 20:47:11 +0000 (12:47 -0800)]
Merge pull request #13494 from agh1/5.10.0-releasenotes
5.10.0 release notes
colemanw [Wed, 6 Feb 2019 18:01:47 +0000 (13:01 -0500)]
Merge pull request #13544 from pradpnayak/ContactImage
core/issues/698, send correct MIME type for .jpg files
Andrew Hunt [Wed, 6 Feb 2019 14:49:40 +0000 (09:49 -0500)]
5.10.0 release notes: late changes, credits, and last-minute fixes
Tim Otten [Wed, 16 Jan 2019 22:12:16 +0000 (14:12 -0800)]
Add release-notes/5.9.1.md
Alice Frumin [Wed, 6 Feb 2019 14:29:08 +0000 (09:29 -0500)]
5.10.0 release notes: bulk of edits
* pulling out misc and organizing lines with gitlab issue numbers
* linking to gitlab issues
* update lines with gitlab issues to have the gitlab titles
* progress
* second pass
* finished first pass of notes
* deleting rows related to merge
* reorganizing sections
Andrew Hunt [Tue, 22 Jan 2019 19:05:14 +0000 (14:05 -0500)]
5.10.0 release notes: added boilerplate
Andrew Hunt [Tue, 22 Jan 2019 19:01:53 +0000 (14:01 -0500)]
5.10.0 release notes: raw from script
Eileen McNaughton [Wed, 6 Feb 2019 04:19:03 +0000 (17:19 +1300)]
Merge pull request #13548 from civicrm/5.10
5.10 to master
Monish Deb [Wed, 6 Feb 2019 04:16:32 +0000 (09:46 +0530)]
Merge pull request #13536 from eileenmcnaughton/export_sc
dev/core#651 Fix group by on export soft credits (possible recent regression, clearly wrong).
Eileen McNaughton [Wed, 6 Feb 2019 02:19:44 +0000 (15:19 +1300)]
Merge pull request #13547 from eileenmcnaughton/master
Re-run gencode for fix on PriceField DAO
eileen [Tue, 5 Feb 2019 22:22:03 +0000 (11:22 +1300)]
Re-run gencode for fix on PriceField DAO