Merge pull request #8132 from beck24/master-merge

chore(merge): Merge 1.x up to Master

.travis.yml

@@ -3,7 +3,6 @@ php:
  - 5.4
  - 5.5
  - 5.6
- - 7.0
 
 branches:
   except:
@@ -22,13 +21,10 @@ matrix:
        - phpenv rehash
        - composer self-update
        - composer install
-       - wget https://scrutinizer-ci.com/ocular.phar
       script:
        - bash .scripts/travis/check_commit_msgs.sh
-       - composer lint
-       - phpunit --coverage-clover=coverage.clover
-      after_script:
-       - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+       - vendor/bin/phpcs --standard=vendor/elgg/sniffs/elgg.xml --warning-severity=0 --ignore=*/tests/*,*/upgrades/*,*/deprecated* engine/classes engine/lib
+       - composer validate
 
     # Build and test javascript
     - php: 5.6
@@ -67,6 +63,11 @@ matrix:
        - sleep 3 # give Web server some time to bind to sockets, etc
       script:
        - curl -o - http://localhost:8888/ | grep "<title>Elgg Travis Site</title>"
+       - phpunit --coverage-clover=coverage.clover
+      after_script:
+       # Report unit test coverage metrics to scrutinizer
+       - wget https://scrutinizer-ci.com/ocular.phar
+       - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
 
 services: 
  - mysql
@@ -86,4 +87,7 @@ script:
 notifications:
   email:
     secure: exC/ws07lLOj3Y43C89jiaKpyB8Yt7DPGSCShV4R3Wkw/hVVzjxt1BinPxzsyL5DC7APUMcTHGOhDB2oCE4ynDE6o6L9bH79fc+V8IYAiNaEIGL0AOuHdnRdGN9GMrr2jv78cZ5MctuUTkeYLaoOEyDGHmkMhqa6SufIDAY8b58=
-
+  webhooks:
+    urls:
+     - secure: "Ug81+4Fa2UFZetSCV79OWOgYi4uVgNQ6rVrVn2HElddOMDwuHxo9CYKoA3Q+joPKMtNFCN2qkMyoyUfIMM83uJi1LmaUx/c7lR1pXBFVgc4Xyt114NcY80I4OCWWKg0G1FDlSiaXil922JjeC3MekYoqjsIyUgabGihe6j7DWz0="
+    on_start: true

CHANGELOG.md

@@ -1,3 +1,64 @@
+<a name="1.10.5"></a>
+### 1.10.5  (2015-04-05)
+
+#### Contributors
+
+* Per Jensen (1)
+* Steve Clay (1)
+
+#### Bug Fixes
+
+* **aalborg_theme:** moves unextend/extend view into init ([3c5fb39b](https://github.com/Elgg/Elgg/commit/3c5fb39ba2c65127c5fc57f6e27eef5ac6127c92), closes [#8105](https://github.com/Elgg/Elgg/issues/8105))
+
+
+<a name="1.10.4"></a>
+### 1.10.4  (2015-03-22)
+
+#### Contributors
+
+* Evan Winslow (3)
+* Jerôme Bakker (2)
+* Juho Jaakkola (2)
+* Matt Beckett (1)
+* Paweł Sroka (1)
+
+#### Bug Fixes
+
+* **core:** don't trigger delete event when you can't edit the entity ([83c69c09](https://github.com/Elgg/Elgg/commit/83c69c09c1a163ae30507043a9c4eaaf9e627d89))
+* **groups:**
+  * respect previous modifications to the write access in group context ([11b55041](https://github.com/Elgg/Elgg/commit/11b55041df54f9c2d193427e7c0acf6a7175882b))
+  * Hides group profile fields that don't have a value ([2bb13db8](https://github.com/Elgg/Elgg/commit/2bb13db8d96bd5a2307c009717476a67cc2698cd))
+
+
+<a name="1.10.3"></a>
+### 1.10.3  (2015-03-08)
+
+#### Contributors
+
+* Juho Jaakkola (5)
+* Jeroen Dalsem (4)
+* Ismayil Khayredinov (1)
+* Jerôme Bakker (1)
+* Matt Beckett (1)
+* Cim (1)
+* Rodrigo (1)
+* Evan Winslow (1)
+
+#### Documentation
+
+* **helpers:** Adds missing underscores to elgg_get_loggedin_user_* functions ([02ef5d7b](https://github.com/Elgg/Elgg/commit/02ef5d7bf6aa70153d5ec9fb9aac1340cad87741))
+* **views:** documented the difference between page/elements/foot and footer ([001be7e4](https://github.com/Elgg/Elgg/commit/001be7e4c19a63932abd1740071f17bdd20bc2b4))
+
+
+#### Bug Fixes
+
+* **upgrade:** reset system cache before upgrade ([468d1c40](https://github.com/Elgg/Elgg/commit/468d1c407ed1912bfdc5f059ba42c2d7af77f951), closes [#6249](https://github.com/Elgg/Elgg/issues/6249))
+* **uservalidationbyemail:** only forward to emailsent page if email sent ([7d8cd3b8](https://github.com/Elgg/Elgg/commit/7d8cd3b83bc32648df3702d25f713f8a63bd399d))
+* **views:**
+  * always add the user guid param to the usersettings/save form ([9e1661d4](https://github.com/Elgg/Elgg/commit/9e1661d4189bc089e632b8ed9a30aabd80155730))
+  * always submit element when there are no userpicker values ([61e295c9](https://github.com/Elgg/Elgg/commit/61e295c9c34e5e8a869f14610e32aa958d9a4720))
+
+
 <a name="1.10.2"></a>
 ### 1.10.2  (2015-02-21)
 

actions/admin/site/update_advanced.php

@@ -82,12 +82,16 @@
 
 $regenerate_site_secret = get_input('regenerate_site_secret', false);
 if ($regenerate_site_secret) {
-	init_site_secret();
-	elgg_reset_system_cache();
+	// if you cancel this even you should present a message to the user
+	if (elgg_trigger_before_event('regenerate_site_secret', 'system')) {
+		init_site_secret();
+		elgg_reset_system_cache();
+		elgg_trigger_after_event('regenerate_site_secret', 'system');
 
-	system_message(elgg_echo('admin:site:secret_regenerated'));
+		system_message(elgg_echo('admin:site:secret_regenerated'));
 
-	elgg_delete_admin_notice('weak_site_key');
+		elgg_delete_admin_notice('weak_site_key');
+	}
 }
 
 if ($site->save()) {

actions/admin/upgrades/upgrade_comments_access.php

@@ -0,0 +1,79 @@
+<?php
+
+/**
+ * Convert comment annotations to entities
+ * 
+ * Run for 2 seconds per request as set by $batch_run_time_in_secs. This includes
+ * the engine loading time.
+ */
+// from engine/start.php
+global $START_MICROTIME;
+$batch_run_time_in_secs = 2;
+
+// if upgrade has run correctly, mark it done
+if (get_input('upgrade_completed')) {
+	// set the upgrade as completed
+	$factory = new ElggUpgrade();
+	$upgrade = $factory->getUpgradeFromPath('admin/upgrades/commentaccess');
+	if ($upgrade instanceof ElggUpgrade) {
+		$upgrade->setCompleted();
+	}
+
+	return true;
+}
+
+// Offset is the total amount of errors so far. We skip these
+// comments to prevent them from possibly repeating the same error.
+$offset = get_input('offset', 0);
+$limit = 50;
+
+$access_status = access_get_show_hidden_status();
+access_show_hidden_entities(true);
+
+$success_count = 0;
+$error_count = 0;
+
+do {
+	$dbprefix = elgg_get_config('dbprefix');
+	$options = array(
+		'type' => 'object',
+		'subtype' => 'comment',
+		'joins' => array(
+			"JOIN {$dbprefix}entities e2 ON e.container_guid = e2.guid"
+		),
+		'wheres' => array(
+			"e.access_id != e2.access_id"
+		),
+		'offset' => $offset,
+		'limit' => $limit,
+		'preload_containers' => true
+	);
+
+	$comments = elgg_get_entities($options);
+
+	foreach ($comments as $comment) {
+		$container = $comment->getContainerEntity();
+
+		if (!$container) {
+			$error_count++;
+			continue;
+		}		
+
+		$comment->access_id = $container->access_id;
+
+		if ($comment->save()) {
+			$success_count++;
+		} else {
+			$error_count++;
+		}
+	}
+
+} while ((microtime(true) - $START_MICROTIME) < $batch_run_time_in_secs);
+
+access_show_hidden_entities($access_status);
+
+// Give some feedback for the UI
+echo json_encode(array(
+	'numSuccess' => $success_count,
+	'numErrors' => $error_count,
+));

actions/comment/save.php

@@ -68,7 +68,7 @@
 				$entity->title,
 				$user->name,
 				$comment_text,
-				$entity->getURL(),
+				$comment->getURL(),
 				$user->name,
 				$user->getURL()
 			), $owner->language),

composer.json

@@ -7,7 +7,7 @@
     "prefer-stable": true,
     "type": "project",
     "require": {
-        "php": "~5.4 | ~7.0",
+        "php": "~5.4",
         "ext-mysql": "*",
         "ext-gd": "*",
         "ext-json": "*",

docs/guides/actions.rst

@@ -425,3 +425,34 @@ You can also access the tokens from javascript:
 These are refreshed periodically so should always be up-to-date.
 
 
+Security Tokens
+===============
+On occasion we need to pass data through an untrusted party or generate an "unguessable token" based on some data.
+The industry-standard `HMAC <http://security.stackexchange.com/a/20301/4982>`_ algorithm is the right tool for this.
+It allows us to verify that received data were generated by our site, and were not tampered with. Note that even
+strong hash functions like SHA-2 should *not* be used directly for these tasks.
+
+Elgg provides ``elgg_build_hmac()`` to generate and validate HMAC message authentication codes that are unguessable
+without the site's private key.
+
+.. code:: php
+
+    // generate a querystring such that $a and $b can't be altered
+    $a = 1234;
+    $b = "hello";
+    $query = http_build_query([
+        'a' => $a,
+        'b' => $b,
+        'mac' => elgg_build_hmac([$a, $b])->getToken(),
+    ]);
+    $url = "action/foo?$query";
+
+
+    // validate the querystring
+    $a = get_input('a', '', false);
+    $b = get_input('b', '', false);
+    $mac = get_input('mac', '', false);
+
+    if (elgg_build_hmac([$a, $b])->matchesToken($mac)) {
+        // $a and $b have not been altered
+    }

docs/guides/events-list.rst

@@ -32,6 +32,13 @@ System events
     might not be shown until after the process is completed. This means that any long-running
     processes will still delay the page load.
 
+**regenerate_site_secret:before, system**
+    Return false to cancel regenerating the site secret. You should also provide a message
+    to the user.
+
+**regenerate_site_secret:after, system**
+    Triggered after the site secret has been regenerated.
+
 **log, systemlog**
 	Called for all triggered events. Used internally by ``system_log_default_logger()`` to populate
 	the ``system_log`` table.
@@ -116,7 +123,10 @@ Entity events
     Triggered for user, group, object, and site entities after creation. Return false to delete entity.
 
 **update, <entity type>**
-	Triggered before an update for the user, group, object, and site entities. Return false to prevent update.
+    Triggered before an update for the user, group, object, and site entities. Return false to prevent update.
+
+**update:after, <entity type>**
+    Triggered after an update for the user, group, object, and site entities.
 
 **delete, <entity type>**
     Triggered before entity deletion. Return false to prevent deletion.

docs/guides/hooks-list.rst

@@ -87,6 +87,9 @@ System hooks
 	Triggered in the ajax forward hook that is called for ajax requests. Allows plugins to alter the
 	output returned, including the forward URL, system messages, and errors.
 
+**parameters, menu:<menu_name>**
+	Triggered by ``elgg_view_menu()``. Used to change menu variables (like sort order) before it is generated.
+
 **register, menu:<menu_name>**
 	Triggered by ``elgg_view_menu()``. Used to add dynamic menu items.
 

docs/guides/settings.rst

@@ -35,6 +35,10 @@ User settings
 
 Your plugin might need to store per user settings too, and you would like to have your plugin's options to appear in the user's settings page. This is also easy to do and follows the same pattern as setting up the global plugin configuration explained earlier. The only difference is that instead of using a ``settings`` file you will use ``usersettings``. So, the path to the user edit view for your plugin would be ``plugins/your_plugin/usersettings.php``.
 
+.. note::
+
+   The title of the usersettings form will default to the plugin name. If you want to change this, add a translation for ``plugin_id:usersettings:title``.
+
 Retrieving settings in your code
 --------------------------------
 

docs/guides/upgrading.rst

@@ -39,6 +39,26 @@ Messages will no longer get the metadata 'msg' for newly created messages. This
 From 1.10 to 1.11
 =================
 
+Comment highlighting
+--------------------
+
+If your theme is using the file ``views/default/css/elements/components.php``, you must add the following style definitions in it to enable highlighting for comments and discussion replies:
+
+.. code:: css
+
+	.elgg-comments .elgg-state-highlight {
+		-webkit-animation: comment-highlight 5s;
+		animation: comment-highlight 5s;
+	}
+	@-webkit-keyframes comment-highlight {
+		from {background: #dff2ff;}
+		to {background: white;}
+	}
+	@keyframes comment-highlight {
+		from {background: #dff2ff;}
+		to {background: white;}
+	}
+
 From 1.9 to 1.10
 ================
 

docs/guides/views.rst

@@ -295,6 +295,34 @@ If your entity list will display the entity owners, you can improve performance
 
 See also :doc:`check this page out first </design/database>`.
 
+Since 1.11, you can define an alternative view to render list items using ```'item_view'``` parameter.
+
+In some cases, default entity views may be unsuitable for your needs. Using ```item_view``` allows you to customize the look, while preserving pagination, list's HTML markup etc.
+
+Consider these two examples:
+
+.. code-block:: php
+
+	echo elgg_list_entities_from_relationship(array(
+	    'type' => 'group',
+	    'relationship' => 'member',
+	    'relationship_guid' => elgg_get_logged_in_user_guid(),
+	    'inverse_relationship' => false,
+	    'full_view' => false,
+	));
+
+.. code-block:: php
+
+	echo elgg_list_entities_from_relationship(array(
+	    'type' => 'group',
+	    'relationship' => 'invited',
+	    'relationship_guid' => (int) $user_guid,
+	    'inverse_relationship' => true,
+	    'item_view' => 'group/format/invitationrequest',
+	));
+
+In the first example, we are displaying a list of groups a user is a member of using the default group view. In the second example, we want to display a list of groups the user was invited to. Since invitations are not entities, they do not have their own views and can not be listed using ``elgg_list_*``. We are providing an alternative item view, that will use the group entity to display an invitation that contains a group name and buttons to access or reject the invitation.
+
 Using a different templating system
 ===================================