Merge 2.3 into master

CHANGELOG.md

@@ -1,3 +1,95 @@
+<a name="2.3.2"></a>
+### 2.3.2  (2017-03-16)
+
+#### Contributors
+
+* Steve Clay (5)
+* Ismayil Khayredinov (1)
+* Jerôme Bakker (1)
+* Matt Beckett (1)
+
+#### Performance
+
+* **db:** improved performance of disable/delete of an entity ([5adf2ecf](https://github.com/Elgg/Elgg/commit/5adf2ecfcb211cc473beadd06d83dbf7da558f14))
+
+
+#### Documentation
+
+* **security:** explains current password hashing ([d3affbd9](https://github.com/Elgg/Elgg/commit/d3affbd9287c197daba58b26d45bdd086a90f552), closes [#10778](https://github.com/Elgg/Elgg/issues/10778))
+
+
+#### Bug Fixes
+
+* **install:** explicitly allow .well-known in rewrite rules ([bb35cb9c](https://github.com/Elgg/Elgg/commit/bb35cb9c317c1176542b76592c7e70805a91b9d9))
+* **js:** make sure elgg.forward() always reloads the page ([c42b9c9c](https://github.com/Elgg/Elgg/commit/c42b9c9c8fda8508300db347ee6399a75a87eaf7))
+* **output:** elgg_normalize_url() again handles multibyte chars and spaces ([62bf31c0](https://github.com/Elgg/Elgg/commit/62bf31c0ccdaab549a7e585a4412443e09821db3), closes [#10771](https://github.com/Elgg/Elgg/issues/10771))
+* **twitter_api:** do not feed remote URLs to icon resize API ([bad30edc](https://github.com/Elgg/Elgg/commit/bad30edca34f09d5ce1f8a0d95d717c0f369964d))
+
+
+#### Deprecations
+
+* **logging:** removes warnings about metadata/annotation value casting ([97b2b51f](https://github.com/Elgg/Elgg/commit/97b2b51fc7bd049c5c8b66579a1921ae1ff84ee3), closes [#10749](https://github.com/Elgg/Elgg/issues/10749))
+
+
+<a name="2.3.1"></a>
+### 2.3.1  (2017-02-14)
+
+#### Contributors
+
+* Steve Clay (8)
+* Jerôme Bakker (5)
+* Jeroen Dalsem (2)
+* Ismayil Khayredinov (1)
+* Yanwei Jiang (1)
+* iionly (1)
+
+#### Bug Fixes
+
+* **access:** use ignore access only when querying the database ([fb57c02c](https://github.com/Elgg/Elgg/commit/fb57c02c7bc9fed92c848a6ceeac7d9d5a0866fe))
+* **admin:** prevents simultaneous plugin (de)activation/reordering ([907c9b67](https://github.com/Elgg/Elgg/commit/907c9b6714c4457dbb86c2aa6e692d20c9a009ea), closes [#10706](https://github.com/Elgg/Elgg/issues/10706))
+* **ajax:** elgg/Ajax now uses spinner if 2nd fetch occurs in done handler ([afef3c4e](https://github.com/Elgg/Elgg/commit/afef3c4e2f115b2365c9af179d678e2ba74b9318))
+* **comments:** use elgg/Ajax to load inline comment form ([17d93a5b](https://github.com/Elgg/Elgg/commit/17d93a5bd370a325ea21a81680b19b2c0a517437))
+* **discussions:** river entries are once again visible to logged out users ([65e6664d](https://github.com/Elgg/Elgg/commit/65e6664de7c3004e6c59a9ab8c637ef47b549568))
+* **embed:** Inserting medium thumbnail size again instead of small on embedding images ([aea45030](https://github.com/Elgg/Elgg/commit/aea45030e3618b5c449f5294cc8d18ec40fb01a0))
+* **html:** elgg_normalize_url() handles tel: links ([48a51709](https://github.com/Elgg/Elgg/commit/48a51709c956b5a676711a3febb32c65a5df1e0e), closes [#10689](https://github.com/Elgg/Elgg/issues/10689))
+* **icons:**
+  * detect image format for resizing ([dd9af8a9](https://github.com/Elgg/Elgg/commit/dd9af8a9fb72723e8b1e724c37d3e2343e157116))
+  * set correct filename for temp resizing file ([aeed7060](https://github.com/Elgg/Elgg/commit/aeed7060c394284758b899a021a4328c59571fd3))
+* **menus:** return to default of sorting menus by text ([9636790f](https://github.com/Elgg/Elgg/commit/9636790fc84c685e2f0c92fd65ea85d8eb63ea19), closes [#10737](https://github.com/Elgg/Elgg/issues/10737))
+* **security:** random byte generation improved on some systems ([03285ba7](https://github.com/Elgg/Elgg/commit/03285ba7c7090f4881797bb74c14aaf74b48c47e), closes [#10750](https://github.com/Elgg/Elgg/issues/10750))
+* **uservalidationbyemail:** unset emailsent after showing it once ([4e16cc9b](https://github.com/Elgg/Elgg/commit/4e16cc9b093f6f004dc9af426cb9c9acce00aa96))
+* **views:**
+  * elgg_view_field no longer leaves #type in attributes ([e4e316e9](https://github.com/Elgg/Elgg/commit/e4e316e9e699e0083b85559a3e707af0341eb19f), closes [#10699](https://github.com/Elgg/Elgg/issues/10699))
+  * in table lists, rows now have IDs ([e42fa636](https://github.com/Elgg/Elgg/commit/e42fa636ab73102ad55ef60463f1eeb309211f52), closes [#10696](https://github.com/Elgg/Elgg/issues/10696))
+
+
+<a name="2.3.0"></a>
+## 2.3.0  (2016-12-27)
+
+#### Contributors
+
+* Ismayil Khayredinov (4)
+* Steve Clay (3)
+* Jerôme Bakker (2)
+* iionly (2)
+
+#### Documentation
+
+* **core:** Improve docs about creation of cache symlink ([f984a051](https://github.com/Elgg/Elgg/commit/f984a051e3e14cc316f312475396a3222138c2e6))
+
+
+#### Bug Fixes
+
+* **ajax:** elgg/Ajax view() and form() set $vars as expected ([abf8a9ce](https://github.com/Elgg/Elgg/commit/abf8a9ce87117ab24cb62e937805750eca780de1), closes [#10667](https://github.com/Elgg/Elgg/issues/10667))
+* **core:** Check existence of cache symlink without usage of readlink() ([3e4dc6a1](https://github.com/Elgg/Elgg/commit/3e4dc6a1f2e2b20c5e31800e925ca5779a6f40cf))
+* **entities:** entity is now loaded from cache during save operations ([009f74da](https://github.com/Elgg/Elgg/commit/009f74dac2ab5c1834ec672a82e5642dc7c3ab75), closes [#10612](https://github.com/Elgg/Elgg/issues/10612))
+* **files:** mitigate issues with special chars in file names ([4a7b74ea](https://github.com/Elgg/Elgg/commit/4a7b74ea27b31be159fba9fb5c3dda405da15409))
+* **forms:** fieldset with a legend no longer overrides the class ([726cca18](https://github.com/Elgg/Elgg/commit/726cca18e23510ae1b473f3cfd8b408e557a4c83))
+* **http:** elgg/Ajax error responses with 200 status use Ajax wrapper ([1cae50cf](https://github.com/Elgg/Elgg/commit/1cae50cf025a75f32500836f3cd885fedb720b9a))
+* **notifications:** incorrect use statement no longer throws ([2a6d782b](https://github.com/Elgg/Elgg/commit/2a6d782b2978cf670a89f0fd9cb5b0ce2820a37d))
+* **web_services:** handle string params with proper escaping ([702ce46c](https://github.com/Elgg/Elgg/commit/702ce46c44aec2546f953902061166bf3f48a5af))
+
+
 <a name="2.3.0"></a>
 ## 2.3.0  (2016-12-27)
 
@@ -138,6 +230,23 @@
 * **metadata:** metadata access control is deprecated ([a9523d97](https://github.com/Elgg/Elgg/commit/a9523d979431016352a424fd3580ffad717c4d6b))
 
 
+<a name="2.2.4"></a>
+### 2.2.4  (2017-01-27)
+
+#### Contributors
+
+* Steve Clay (2)
+* Ismayil Khayredinov (1)
+* iionly (1)
+
+#### Bug Fixes
+
+* **ajax:** elgg/Ajax view() and form() set $vars as expected ([abf8a9ce](https://github.com/Elgg/Elgg/commit/abf8a9ce87117ab24cb62e937805750eca780de1), closes [#10667](https://github.com/Elgg/Elgg/issues/10667))
+* **core:** Check existence of cache symlink without usage of readlink() ([3e4dc6a1](https://github.com/Elgg/Elgg/commit/3e4dc6a1f2e2b20c5e31800e925ca5779a6f40cf))
+* **files:** mitigate issues with special chars in file names ([4a7b74ea](https://github.com/Elgg/Elgg/commit/4a7b74ea27b31be159fba9fb5c3dda405da15409))
+* **web_services:** handle string params with proper escaping ([702ce46c](https://github.com/Elgg/Elgg/commit/702ce46c44aec2546f953902061166bf3f48a5af))
+
+
 <a name="2.2.3"></a>
 ### 2.2.3  (2016-11-08)
 
@@ -1265,6 +1374,18 @@ change them to external AMD modules and load them with `elgg_require_js`.
 
 Fixes #2718 ([c91f1f3e](https://github.com/Elgg/Elgg/commit/c91f1f3e5b0c825e34feae248a1a3ff5a5e2b640))
 
+<a name="1.12.15"></a>
+### 1.12.15  (2017-01-25)
+
+#### Contributors
+
+* Johnny Mast (1)
+* jdalsem (1)
+
+#### Bug Fixes
+
+* **views:** corrected syntax error in input/date ([a7277f30](https://github.com/Elgg/Elgg/commit/a7277f307596f19dbc3c8415c9048a20a8493287))
+
 <a name="1.12.14"></a>
 ### 1.12.14  (2016-11-08)
 

LICENSE.txt

@@ -10,7 +10,7 @@ More info: http://learn.elgg.org/en/latest/intro/license.html
 ------------------------------------------------------------------------
 
 The MIT License (MIT)
-Copyright (c) 2016 The following parties:
+Copyright (c) 2017 The following parties:
 
 	Steve Clay (steve@mrclay.org)
 	Cash Costello (cash.costello@gmail.com)

actions/admin/plugins/activate.php

@@ -57,10 +57,7 @@
 	$plugin = get_entity($plugin_guids[0]);
 	$id = $css_id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID());
 	$url = "$url#id";
-	$data = [
-		'list' => elgg_view('admin/plugins', ['list_only' => true]),
-	];
-	return elgg_ok_response($data, '', $url);
+	return elgg_ok_response('', '', $url);
 } else {
 	// forward to top of page with a failure so remove any #foo
 	$url = $_SERVER['HTTP_REFERER'];

actions/admin/plugins/deactivate.php

@@ -47,10 +47,7 @@
 	$plugin = get_entity($plugin_guids[0]);
 	$id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID());
 	$url = "$url#$id";
-	$data = [
-		'list' => elgg_view('admin/plugins', ['list_only' => true]),
-	];
-	return elgg_ok_response($data, '', $url);
+	return elgg_ok_response('', '', $url);
 } else {
 	forward(REFERER);
 }

docs/contribute/releases.rst

@@ -18,7 +18,6 @@ Requirements
 * Commit access to http://github.com/Elgg/Elgg
 * Admin access to https://elgg.org/
 * Access to `Twitter account`_
-* Access to `G+ page`_
 * Node.js and NPM installed
 * Sphinx installed (``easy_install sphinx && easy_install sphinx-intl``)
 * Transifex client installed (``easy_install transifex-client``)
@@ -85,6 +84,8 @@ Install the prerequisites:
     easy_install sphinx-intl
     easy_install transifex-client
 
+.. note:: On Windows you need to run these command in a console with admin privileges
+
 Run the ``release.php`` script. For example, to release 1.12.5:
 
 .. code:: sh
@@ -119,6 +120,17 @@ Once approved and merged, tag the release:
     git tag -a ${version} -m'Elgg ${version}'
     git push --tags origin release-${version}
 
+Or create a release on GitHub
+
+* Goto releases
+* Click 'Draft a new release'
+* Enter the version
+* Select the correct branch (eg 1.12 for a 1.12.x release, 2.3 for a 2.3.x release, etc)
+* Set the release title as 'Elgg {version}'
+* Paste the CHANGELOG.md part related to this release in the description
+
+Some final administration
+
 * Mark GitHub release milestones as completed
 * Move unresolved tickets in released milestones to later milestones
 
@@ -133,11 +145,19 @@ Build zip package
 
 Use ``elgg-scripts/build/elgg-starter-project.sh`` to generate the .zip file. Run without arguments to see usage.
 
+.. note::
+
+	If this is your first time on the server building a release run ``composer global require "fxp/composer-asset-plugin:^1.2.0"``.
+	This will make sure you can download bower-assets during the build process.
+
 .. code:: sh
 
+	# login as user deploy
+	sudo -su deploy
+
     # regular release
     ./elgg-starter-project.sh master 2.0.4 /var/www/www.elgg.org/download/
-
+	
     # MIT release
     ./elgg-starter-project.sh master 2.0.4-mit /var/www/www.elgg.org/download/
 
@@ -159,11 +179,23 @@ Use ``elgg-scripts/build/build.sh`` to generate the .zip file. Run without argum
     # MIT release
     ./build.sh 1.12.5 1.12.5-mit /var/www/www.elgg.org/download/
 
+Update elgg.org download page
+-----------------------------
+
+* Clone https://github.com/Elgg/community
+* Add the new version to ``classes/Elgg/Releases.php``
+* Commit and push the changes
+* Update the plugin on www.elgg.org
+
+.. code:: sh
+
+	composer update elgg/community
+
 Update elgg.org
 ---------------
 
 * Clone https://github.com/Elgg/www.elgg.org
-* Add the new versions to ``src/Elgg/Releases.php``
+* Change the required Elgg version in ``composer.json``
 * Update vendors
 
 .. code:: sh
@@ -197,8 +229,5 @@ This should be the very last thing you do.
 #. Copy in the CHANGELOG contents, clear formatting, and manually remove the SVG anchors
 #. Add tags ``release`` and ``elgg2.x`` where x is whatever branch is being released
 #. Tweet from the elgg `Twitter account`_
-#. Post from the `G+ page`_
 
-.. _G+ page: https://plus.google.com/+ElggOrg
 .. _Twitter account: https://twitter.com/elgg
-

docs/design/database.rst

@@ -136,7 +136,6 @@ Beyond the standard ElggEntity properties, ElggUsers also support:
 -  ``name`` The user's plain text name. e.g. "Hugh Jackman"
 -  ``username`` Their login name. E.g. "hjackman"
 -  ``password`` A hashed version of their password
--  ``salt`` The salt that their password has been hashed with
 -  ``email`` Their email address
 -  ``language`` Their default language code.
 -  ``code`` Their session code (moved to a separate table in 1.9).
@@ -310,6 +309,9 @@ Each annotation has:
 -  An access permission distinct from the entity it's attached to
 -  An owner
 
+Like metadata, values are stored as strings unless the value given is a PHP integer (``is_int($value)`` is true),
+or unless the ``$vartype`` is manually specified as ``integer``.
+
 Adding an annotation
 --------------------
 
@@ -388,6 +390,8 @@ reference). What you need to know is:
    to the owner of the entity it's attached to
 -  You can potentially have multiple items of each type of metadata
    attached to a single entity
+-  Like annotations, values are stored as strings unless the value given is a PHP integer (``is_int($value)`` is true),
+   or unless the ``$value_type`` is manually specified as ``integer`` (see below).
 
 .. note:: Metadata's ``access_id`` value will be ignored in Elgg 3.0 and all metadata values will be available in all contexts.
 
@@ -478,7 +482,7 @@ defined as follows:
             $entity_guid,           // The GUID of the parent entity
             $name,                  // The name of the metadata (eg 'tags')
             $value,                 // The metadata value
-            $value_type,            // Currently either 'string' or 'integer'
+            $value_type,            // Currently either 'text' or 'integer'
             $owner_guid,            // The owner of the metadata
             $access_id = 0,         // The access restriction
             $allow_multiple = false // Do we have more than one value?

docs/design/security.rst

@@ -19,22 +19,12 @@ Password validation
 
 The only restriction that Elgg places on a password is that it must be at least 6 characters long by default, though this may be changed in ``/elgg-config/settings.php``. Additional criteria can be added by a plugin by registering for the ``registeruser:validate:password`` plugin hook.
 
-Password salting
-----------------
-
-Elgg salts passwords with a unique 8 character random string. The salt is generated each time the password is set. The main security advantages of the salting are:
- * preventing anyone with access to the database from conducting a precomputed dictionary attack
- * preventing a site administration from noting users with the same password.
-
 Password hashing
 ----------------
 
-The hashed password is computed using md5 from the user's password text and the salt.
-
-Password storage
-----------------
+Passwords are never stored, only salted hashes produced with bcrypt. This is done via the standard ``password_hash()`` function. On older systems, the ``password-compat`` polyfill is used, but the algorithm is identical.
 
-The hashed password and the salt are stored in the users table. Neither are stored in any cookies on a user's computer.
+Elgg installations created before version 1.10 may have residual "legacy" password hashes created using salted MD5. These are migrated to bcrypt as users log in, and will be completely removed when a system is upgraded to Elgg 3.0. In the meantime we're happy to assist site owners to manually remove these legacy hashes, though it would force those users to reset their passwords.
 
 Password throttling
 -------------------

docs/guides/helpers.rst

@@ -27,8 +27,8 @@ Entity and context retrieval
 - ``get_user($user_guid)`` Given a GUID, returns a full ElggUser entity
 - ``elgg_get_page_owner_guid()`` Returns the GUID of the current page owner, if there is one
 - ``elgg_get_page_owner_entity()`` Like elgg_get_page_owner_guid() but returns the full entity
-- ``get_context()`` Returns the current page's context - eg "blog" for the blog plugin, "thewire" for the wire, etc. Returns "main" as default
-- ``set_context($context)`` Forces the context to be a particular value
+- ``elgg_get_context()`` Returns the current page's context - eg "blog" for the blog plugin, "thewire" for the wire, etc. Returns "main" as default
+- ``elgg_set_context($context)`` Forces the context to be a particular value
 - ``elgg_push_context($context)`` Adds a context to the stack
 - ``elgg_pop_context()`` Removes the top context from the stack
 - ``elgg_in_context($context)`` Checks if you're in a context (this checks the complete stack, eg. 'widget' in 'groups')

engine/classes/Elgg/Database/AccessCollections.php

@@ -367,9 +367,6 @@ public function hasAccessToEntity($entity, $user = null) {
 			return true;
 		}
 
-		// See #7159. Must not allow ignore access to affect query
-		$ia = elgg_set_ignore_access(false);
-
 		$user_guid = isset($user) ? (int) $user->guid : elgg_get_logged_in_user_guid();
 
 		if ($user_guid && $user_guid == $entity->owner_guid) {
@@ -382,6 +379,9 @@ public function hasAccessToEntity($entity, $user = null) {
 			return true;
 		}
 
+		// See #7159. Must not allow ignore access to affect query
+		$ia = elgg_set_ignore_access(false);
+
 		$row = $this->entities->getRow($entity->guid, $user_guid);
 
 		elgg_set_ignore_access($ia);
@@ -685,7 +685,7 @@ public function delete($collection_id) {
 	 * Transforms a database row to an instance of ElggAccessCollection
 	 *
 	 * @param \stdClass $row Database row
-	 * @return ElggAccessCollection
+	 * @return \ElggAccessCollection
 	 */
 	public function rowToElggAccessCollection(\stdClass $row) {
 		return new \ElggAccessCollection($row);

engine/classes/Elgg/Database/Annotations.php

@@ -86,8 +86,8 @@ function create($entity_guid, $name, $value, $value_type = '', $owner_guid = 0,
 		$result = false;
 
 		$entity_guid = (int) $entity_guid;
-		$value_type = detect_extender_valuetype($value, $value_type);
-	
+		$value_type = \ElggExtender::detectValueType($value, $value_type);
+
 		$owner_guid = (int) $owner_guid;
 		if ($owner_guid == 0) {
 			$owner_guid = $this->session->getLoggedInUserGuid();
@@ -156,7 +156,7 @@ function update($annotation_id, $name, $value, $value_type, $owner_guid, $access
 		}
 
 		$name = trim($name);
-		$value_type = detect_extender_valuetype($value, $value_type);
+		$value_type = \ElggExtender::detectValueType($value, $value_type);
 
 		$owner_guid = (int) $owner_guid;
 		if ($owner_guid == 0) {