Merge branch 'develop' into wip-laravel-11

Dheia · Jul 3, 2024 · 4076d17 · 4076d17
2 parents eb2dc00 + ad46ccc
commit 4076d17
Show file tree

Hide file tree

Showing 16 changed files with 122 additions and 58 deletions.
diff --git a/README.md b/README.md
@@ -9,8 +9,7 @@ No matter how large or small your project is, Winter provides a rich development
 [![Version](https://img.shields.io/github/v/release/wintercms/winter?sort=semver&style=flat-square)](https://github.com/wintercms/winter/releases)
 [![Tests](https://img.shields.io/github/actions/workflow/status/wintercms/winter/tests.yml?branch=develop&label=tests&style=flat-square)](https://github.com/wintercms/winter/actions)
 [![License](https://img.shields.io/github/license/wintercms/winter?label=open%20source&style=flat-square)](https://packagist.org/packages/wintercms/winter)
-[![Discord](https://img.shields.io/discord/816852513684193281?label=discord&style=flat-square)](https://discord.gg/D5MFSPH6Ux)
-[![RINGER](https://www.ringerhq.com/images/get-support-on-ringer.svg)](https://www.ringerhq.com/i/wintercms/winter)
+[![Discord](https://img.shields.io/badge/discord-join-purple?style=flat-square&logo=discord&logoColor=white)](https://discord.gg/D5MFSPH6Ux)
 
 [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/wintercms/winter)
 

diff --git a/composer.json b/composer.json
@@ -24,7 +24,7 @@
     ],
     "support": {
         "issues": "https://github.com/wintercms/winter/issues",
-        "docs": "https://wintercms.github.io/docs/",
+        "docs": "https://wintercms.com/docs/",
         "discord": "https://discord.gg/D5MFSPH6Ux",
         "source": "https://github.com/wintercms/winter"
     },

diff --git a/config/app.php b/config/app.php
@@ -14,6 +14,10 @@
     | You can create a CMS page with route "/error" to set the contents
     | of this page. Otherwise a default error page is shown.
     |
+    | IMPORTANT: Always have debug mode set to false in production environments
+    | as it can reveal sensitive information about your application and
+    | infrastructure to untrusted users through more detailed errors.
+    |
     */
 
     'debug' => env('APP_DEBUG', true),

diff --git a/modules/backend/assets/css/winter.css b/modules/backend/assets/css/winter.css
@@ -304,7 +304,7 @@ html.mobile .control-scrollbar{overflow:auto;-webkit-overflow-scrolling:touch}
 .control-treeview ol>li>div{font-size:14px;font-weight:normal;background:#fff;border-bottom:1px solid #ecf0f1;position:relative}
 .control-treeview ol>li>div>a{color:#2b3e50;padding:11px 45px 10px 61px;display:block;line-height:150%;text-decoration:none;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
 .control-treeview ol>li>div:before{content:' ';background-image:url(../images/treeview-icons.png);background-position:0 -28px;background-repeat:no-repeat;background-size:42px auto;position:absolute;width:21px;height:22px;left:28px;top:15px}
-.control-treeview ol>li>div span.comment{display:block;font-weight:400;color:#95a5a6;font-size:13px;margin-top:2px;overflow:hidden;text-overflow:ellipsis}
+.control-treeview ol>li>div span.comment{display:block;font-weight:400;color:#95a5a6;font-size:13px;margin-top:2px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
 .control-treeview ol>li>div>span.expand{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0;display:none;position:absolute;width:20px;height:20px;top:19px;left:2px;cursor:pointer;color:#bdc3c7;-webkit-transition:transform 0.1s ease;transition:transform 0.1s ease}
 .control-treeview ol>li>div>span.expand:before{font-family:"Font Awesome 6 Free";font-weight:900;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;font-style:normal;font-variant:normal;text-rendering:auto;content:"\f0da";line-height:100%;font-size:15px;position:relative;left:8px;top:2px}
 .control-treeview ol>li>div>span.drag-handle{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0;-webkit-transition:opacity 0.4s;transition:opacity 0.4s;position:absolute;right:9px;bottom:0;width:18px;height:19px;cursor:move;color:#bdc3c7;opacity:0;filter:alpha(opacity=0)}
@@ -358,8 +358,10 @@ html.mobile .control-scrollbar{overflow:auto;-webkit-overflow-scrolling:touch}
 .control-treeview ol>li.has-subitems>div.popover-highlight:before{background-position:0 -52px}
 .control-treeview ol>li.has-subitems>div span.expand{display:block}
 .control-treeview ol>li.placeholder{position:relative;opacity:0.5;filter:alpha(opacity=50)}
+.control-treeview ol>li.placeholder ol{display:none}
 .control-treeview ol>li.dragged{position:absolute;z-index:2000;opacity:0.25;filter:alpha(opacity=25)}
 .control-treeview ol>li.dragged>div{-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px}
+.control-treeview ol>li.dragged ol{display:none}
 .control-treeview ol>li.drop-target>div{background-color:#2581b8 !important}
 .control-treeview ol>li.drop-target>div>a{color:#fff}
 .control-treeview ol>li.drop-target>div>a>span.comment{color:#fff}
@@ -438,7 +440,7 @@ html.mobile .control-scrollbar{overflow:auto;-webkit-overflow-scrolling:touch}
 .control-treeview.treeview-light ol>li>div>ul.submenu li p a{display:table-cell;vertical-align:middle;height:100%;padding:0 20px;font-size:13px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
 .control-treeview.treeview-light ol>li>div>ul.submenu li p a i.control-icon{font-size:22px;margin-right:0}
 body.dragging .control-treeview ol.dragging,
-body.dragging .control-treeview ol.dragging ol{background:#ccc;padding-right:20px;-webkit-transition:padding 1s;transition:padding 1s}
+body.dragging .control-treeview ol.dragging ol{background:#ccc;padding-right:0}
 body.dragging .control-treeview ol.dragging>li>div,
 body.dragging .control-treeview ol.dragging ol>li>div{margin-right:0;-webkit-transition:margin 1s;transition:margin 1s}
 body.dragging .control-treeview ol.dragging>li>div .custom-checkbox,
@@ -1101,4 +1103,4 @@ html.cssanimations .fancy-layout *:not(.nested-form)>.form-widget>.layout-row>.f
 .flyout-toggle i{margin:7px 0 0 6px;display:inline-block}
 .flyout-toggle:hover i{color:#fff}
 body.flyout-visible{overflow:hidden}
-body.flyout-visible .flyout-overlay{background-color:rgba(0,0,0,0.3)}
+body.flyout-visible .flyout-overlay{background-color:rgba(0,0,0,0.3)}
diff --git a/modules/backend/assets/less/controls/treeview.less b/modules/backend/assets/less/controls/treeview.less
@@ -57,6 +57,7 @@
                     margin-top: 2px;
                     overflow: hidden;
                     text-overflow: ellipsis;
+                    white-space: nowrap;
                 }
 
                 > span.expand {
@@ -297,6 +298,10 @@
             &.placeholder {
                 position: relative;
                 .opacity(.5);
+
+                ol {
+                    display: none;
+                }
             }
 
             &.dragged {
@@ -307,6 +312,10 @@
                 > div {
                     .border-radius(3px);
                 }
+
+                ol {
+                    display: none;
+                }
             }
 
             &.drop-target {
@@ -548,8 +557,7 @@
 body.dragging .control-treeview {
     ol.dragging, ol.dragging ol {
         background: #ccc;
-        padding-right: 20px;
-        .transition(padding 1s);
+        padding-right: 0;
 
         > li {
             > div {

diff --git a/modules/backend/controllers/Auth.php b/modules/backend/controllers/Auth.php
@@ -1,18 +1,18 @@
 <?php namespace Backend\Controllers;
 
-use Mail;
-use Flash;
+use ApplicationException;
 use Backend;
-use Request;
-use Validator;
 use BackendAuth;
-use Backend\Models\AccessLog;
 use Backend\Classes\Controller;
+use Backend\Models\AccessLog;
+use Config;
+use Exception;
+use Flash;
+use Mail;
+use Request;
 use System\Classes\UpdateManager;
-use ApplicationException;
 use ValidationException;
-use Exception;
-use Config;
+use Validator;
 use Winter\Storm\Foundation\Http\Middleware\CheckForTrustedHost;
 
 /**
@@ -52,6 +52,10 @@ public function index()
      */
     public function signin()
     {
+        if (BackendAuth::user()) {
+            return Backend::redirect('backend');
+        }
+
         $this->bodyClass = 'signin';
 
         // Clear Cache and any previous data to fix invalid security token issue

diff --git a/modules/backend/formwidgets/RelationManager.php b/modules/backend/formwidgets/RelationManager.php
@@ -4,8 +4,8 @@
 
 use Backend\Classes\FormField;
 use Backend\Classes\FormWidgetBase;
-use Lang;
-use SystemException;
+use Illuminate\Support\Facades\Lang;
+use Winter\Storm\Exception\SystemException;
 
 class RelationManager extends FormWidgetBase
 {
@@ -17,17 +17,17 @@ class RelationManager extends FormWidgetBase
     /**
      * Disables the ability to add, update, delete or create relations.
      */
-    protected bool $readOnly = false;
+    protected ?bool $readOnly = null;
 
     /**
      * Path to controller action to open a record.
      */
-    protected string $recordUrl = '';
+    protected ?string $recordUrl = null;
 
     /**
      * Custom JavaScript code to execute when clicking on a record.
      */
-    protected string $recordOnClick = '';
+    protected ?string $recordOnClick = null;
 
     /**
      * Relation name if different from the field name.
@@ -43,7 +43,7 @@ public function init(): void
             'relation',
         ]);
 
-        if (!isset($this->readOnly)) {
+        if (!isset($this->readOnly) && $this->config->previewMode) {
             $this->readOnly = $this->config->previewMode;
         }
     }
@@ -58,12 +58,17 @@ public function render()
             throw new SystemException($error);
         }
 
-        $options = [
-            'readOnly' => $this->readOnly,
-            'recordUrl' => $this->recordUrl,
-        ];
+        $options = [];
 
-        if ($this->recordOnClick) {
+        if (!is_null($this->readOnly)) {
+            $options['readOnly'] = $this->readOnly;
+        }
+
+        if (!is_null($this->recordUrl)) {
+            $options['recordUrl'] = $this->recordUrl;
+        }
+
+        if (!is_null($this->recordOnClick)) {
             $options['recordOnClick'] = $this->recordOnClick;
         }
 

diff --git a/modules/backend/formwidgets/sensitive/partials/_sensitive.php b/modules/backend/formwidgets/sensitive/partials/_sensitive.php
@@ -15,10 +15,9 @@
                 value="<?= ($hasValue) ? $hiddenPlaceholder : '' ?>"
                 placeholder="<?= e(trans($this->formField->placeholder)) ?>"
                 class="form-control"
-                <?php if ($this->previewMode): ?>
-                    disabled="disabled"
-                <?php endif ?>
-                autocomplete="off"
+                <?= $this->previewMode ? 'disabled="disabled"' : '' ?>
+                <?= $this->formField->hasAttribute('autocomplete') ? '' : 'autocomplete="new-password"' ?>
+                <?= $this->formField->getAttributes() ?>
                 data-input
             />
             <?php if ($allowCopy): ?>

diff --git a/modules/backend/lang/en/lang.php b/modules/backend/lang/en/lang.php
@@ -112,8 +112,8 @@
             'updates_pending' => 'Pending software updates',
             'updates_nil' => 'Software is up to date',
             'updates_link' => 'Update',
-            'warnings_pending' => 'Some issues need attention',
-            'warnings_nil' => 'No warnings to display',
+            'warnings_pending' => 'Some Winter CMS configuration issues need attention',
+            'warnings_nil' => 'Your Winter CMS installation is configured correctly',
             'warnings_link' => 'View',
             'core_build' => 'System build',
             'event_log' => 'Event log',
@@ -369,14 +369,18 @@
         'mass_assignment_failed' => "Mass assignment failed for Model attribute ':attribute'.",
     ],
     'warnings' => [
-        'tips' => 'System configuration tips',
-        'tips_description' => 'There are issues you need to pay attention to in order to configure the system properly.',
-        'permissions' => 'Directory :name or its subdirectories is not writable for PHP. Please set corresponding permissions for the webserver on this directory.',
-        'extension' => 'The PHP extension :name is not installed. Please install this library and activate the extension.',
-        'plugin_missing' => 'The plugin :name is a dependency but is not installed. Please install this plugin.',
-        'debug' => 'Debug mode is enabled. This is not recommended for production installations.',
-        'decompileBackendAssets' => 'Assets in the Backend are currently decompiled. This is not recommended for production installations.',
+        'tips' => 'Winter CMS configuration recommendations',
+        'tips_description' => 'We have detected some issues with your configuration that may compromise the security, functionality or performance of your Winter CMS installation. Please review the issues below.',
+        'how_to_fix' => 'How to fix',
+        'permissions' => 'Directory :name or its subdirectories is not writable for PHP. Please ensure that this directory and all subdirectories are writable by your hosting environment.',
+        'extension' => 'The PHP extension :name is not installed. Please install and activate this PHP extension in your hosting environment.',
+        'plugin_missing' => 'The plugin :name is a dependency of an installed plugin but is not available. Please install this plugin.',
+        'debug' => 'Debug mode is enabled. This is not recommended for production installations as it may reveal sensitive information only intended for developers.',
+        'decompileBackendAssets' => 'Assets in the Backend are currently decompiled. This is not recommended for production installations as it may affect performance.',
         'default_backend_user' => 'A user with the default login details (admin / [email protected]) was found. Change their username and / or email address to help protect the system.',
+        'auth_throttle_disabled' => 'Backend authentication throttling is disabled. This is not recommended for production installations as it may allow malicious users to brute-force user passwords.',
+        'csrf' => 'CSRF protection is disabled. This is not recommended for production installations as it compromises the security of the installations and may allow cross-site scripting attacks.',
+        'restrict_base_dir' => 'The base directory restriction is disabled. This is not recommended for production installations as it may allow themes and configuration files to access files outside of your Winter CMS installation.',
     ],
     'editor' => [
         'menu_label' => 'Editor settings',

diff --git a/modules/backend/lang/fr/lang.php b/modules/backend/lang/fr/lang.php
@@ -55,7 +55,7 @@
         'unsuspend_working' => 'Réactivation...',
         'signed_in_as' => 'Connecté en tant que :full_name',
         'sign_out' => 'Déconnexion',
-        'login' => 'OK',
+        'login' => 'Connexion',
         'reset' => 'Réinitialiser',
         'restore' => 'Restaurer',
         'login_placeholder' => 'identifiant',

diff --git a/modules/backend/widgets/form/partials/_field_password.php b/modules/backend/widgets/form/partials/_field_password.php
@@ -9,7 +9,7 @@
         value=""
         placeholder="<?= e(trans($field->placeholder)) ?>"
         class="form-control"
-        autocomplete="off"
+        <?= $field->hasAttribute('autocomplete') ? '' : 'autocomplete="new-password"' ?>
         <?= $field->hasAttribute('maxlength') ? '' : 'maxlength="255"' ?>
         <?= $field->getAttributes() ?>
     />

diff --git a/modules/cms/classes/Theme.php b/modules/cms/classes/Theme.php
@@ -356,7 +356,7 @@ public function getConfig(): array
             return $this->configCache = [];
         }
 
-        $config = Yaml::parse($data['content']);
+        $config = Yaml::parse($data['content']) ?: [];
 
         /**
          * @event cms.theme.extendConfig

diff --git a/modules/system/behaviors/SettingsModel.php b/modules/system/behaviors/SettingsModel.php
@@ -127,12 +127,12 @@ public function getSettingsRecord()
             $query = $query->remember($this->cacheTtl, $this->getCacheKey());
         }
 
+        $record = null;
         try {
             $record = $query->first();
         } catch (QueryException $ex) {
             // SQLSTATE[42S02]: Base table or view not found - migrations haven't run yet
             if ($ex->getCode() === '42S02') {
-                $record = null;
                 traceLog($ex);
             }
         }

diff --git a/modules/system/classes/ImageResizer.php b/modules/system/classes/ImageResizer.php
@@ -748,7 +748,7 @@ public static function normalizeImage($image): array
             }
         }
 
-        if (!$disk || !$path || !$selectedSource || (!in_array(strtolower(FileHelper::extension($path)), ['jpg', 'jpeg', 'png', 'webp', 'gif']))) {
+        if (!$disk || !$path || !$selectedSource || (!in_array(strtolower(FileHelper::extension($path)), ['jpg', 'jpeg', 'png', 'webp', 'gif', 'avif']))) {
             if (is_object($image)) {
                 $image = get_class($image);
             }

diff --git a/modules/system/reportwidgets/Status.php b/modules/system/reportwidgets/Status.php
@@ -99,19 +99,46 @@ protected function getSystemWarnings()
             $writablePaths[] = themes_path();
         }
 
+        // Warn if debug mode is enabled - this is a security risk
         if (Config::get('app.debug', true)) {
-            $warnings[] = Lang::get('backend::lang.warnings.debug');
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.debug'),
+                'fixUrl' => 'https://wintercms.com/docs/v1.2/docs/setup/configuration#debug-mode',
+            ];
         }
-
-        if (Config::get('develop.decompileBackendAssets', false)) {
-            $warnings[] = Lang::get('backend::lang.warnings.decompileBackendAssets');
+        // Warn if CSRF protection is disabled - this is a security risk
+        if (Config::get('cms.enableCsrfProtection', true) === false) {
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.csrf'),
+                'fixUrl' => 'https://wintercms.com/docs/v1.2/docs/setup/configuration#csrf-protection',
+            ];
         }
-
+        // Warn if backend auth throttling is disabled - this is a security risk
+        if (Config::get('auth.throttle.enabled', true) === false) {
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.auth_throttle_disabled'),
+            ];
+        }
+        // Warn if the user has disabled base directory restriction - this is a security risk
+        if (Config::get('cms.restrictBaseDir', true) === false) {
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.restrict_base_dir'),
+            ];
+        }
+        // Warn if the default backend user is using the default username or email, and has access to manage users
         if (
             BackendAuth::getUser()->hasAccess('backend.manage_users')
             && User::where('login', 'admin')->orWhere('email', '[email protected]')->count()
         ) {
-            $warnings[] = Lang::get('backend::lang.warnings.default_backend_user');
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.default_backend_user'),
+            ];
+        }
+        // Warn if backend assets are being decompiled
+        if (Config::get('develop.decompileBackendAssets', false)) {
+            $warnings[] = [
+                'message' => Lang::get('backend::lang.warnings.decompileBackendAssets'),
+            ];
         }
 
         $requiredExtensions = [
@@ -124,22 +151,29 @@ protected function getSystemWarnings()
 
         foreach ($writablePaths as $path) {
             if (!is_writable($path)) {
-                $warnings[] = Lang::get('backend::lang.warnings.permissions', ['name' => '<strong>'.$path.'</strong>']);
+                $warnings[] = [
+                    'message' => Lang::get('backend::lang.warnings.permissions', ['name' => '<strong>'.$path.'</strong>'])
+                ];
             }
         }
 
         foreach ($requiredExtensions as $extension => $installed) {
             if (!$installed) {
-                $warnings[] = Lang::get('backend::lang.warnings.extension', ['name' => '<strong>'.$extension.'</strong>']);
+                $warnings[] = [
+                    'message' => Lang::get('backend::lang.warnings.extension', ['name' => '<strong>'.$extension.'</strong>']),
+                    'fixUrl' => 'https://wintercms.com/docs/v1.2/docs/setup/installation#minimum-system-requirements',
+                ];
             }
         }
 
         foreach ($missingDependencies as $pluginCode => $plugin) {
             foreach ($plugin as $missingPluginCode) {
-                $warnings[] = Lang::get('system::lang.updates.update_warnings_plugin_missing', [
-                    'code' => '<strong>' . $missingPluginCode . '</strong>',
-                    'parent_code' => '<strong>' . $pluginCode . '</strong>'
-                ]);
+                $warnings[] = [
+                    'message' => Lang::get('system::lang.updates.update_warnings_plugin_missing', [
+                        'code' => '<strong>' . $missingPluginCode . '</strong>',
+                        'parent_code' => '<strong>' . $pluginCode . '</strong>'
+                    ]),
+                ];
             }
         }