diff --git a/.scripts/release.php b/.scripts/release.php
index 929c893bd0..2feedc2b9a 100755
--- a/.scripts/release.php
+++ b/.scripts/release.php
@@ -34,10 +34,8 @@ function run_commands($commands) {
 $branch = "release-$version";
- // Setup. Version checks are here so we fail early if any deps are missing
 run_commands([
- "tx --version",
 "git --version",
 "npm --version",
 "node --version",
@@ -47,25 +45,6 @@ function run_commands($commands) {
 "git checkout -B $branch",
 ]);
-// Update translations
-run_commands([
- "tx pull -af --minimum-perc=95",
-]);
-
-// Clean translations
-$cleaner = new Elgg\I18n\ReleaseCleaner();
-$cleaner->cleanInstallation(dirname(__DIR__));
-foreach ($cleaner->log as $msg) {
- echo "ReleaseCleaner: $msg\n";
-}
-
-run_commands([
- "sphinx-build -b gettext docs docs/locale/pot",
- "sphinx-intl build --locale-dir=docs/locale/",
- "git add .",
- "git commit -am \"chore(i18n): update translations\"",
-]);
-
 // Update version in composer.json
 $encoding = new \Elgg\Json\EmptyKeyEncoding();
@@ -77,6 +56,8 @@ function run_commands($commands) {
 // Generate changelog
 run_commands(array(
+ "sphinx-build -b gettext docs docs/locale/pot",
+ "sphinx-intl build --locale-dir=docs/locale/",
 "npm install && npm update",
 "node .scripts/write-changelog.js",
 "git add .",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 582dcab9ec..0ddfca0cd1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
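Review bot: The fail-early dependency check in the first hunk no longer covers the tools the release still depends on: the third hunk moves `sphinx-build` and `sphinx-intl` into the changelog step, but neither is probed alongside `git --version`, so a missing Sphinx only surfaces after the release branch has been created and composer.json rewritten. Add `"sphinx-build --version",` and `"sphinx-intl --version",` to the `run_commands([...])` list in the first hunk. Dropping the `// Setup. Version checks are here so we fail early if any deps are missing` comment also removes the only explanation of why that block exists; keep it, minus the tx reference. Separately, `$branch` is built from `$version`, which is assigned outside these hunks and is interpolated unescaped into `git checkout -B $branch`; if `$version` is taken from `$argv`, pass it through `escapeshellarg()` before it reaches a shell command.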
@@ -1,3 +1,36 @@ + +### 1.12.13 (2016-10-02) + +#### Contributors + +* Jerôme Bakker (3) +* Steve Clay (2) +* Sébastien Lemay (1) + +#### Bug Fixes + +* **core:** page owner entity only returns users/groups user can see ([0d333100](https://github.com/Elgg/Elgg/commit/0d33310031024aa8940f9d3bbe5cdd80f2a4da57)) +* **docs:** Fixed link to 'our supporters page' ([fe144644](https://github.com/Elgg/Elgg/commit/fe144644faa84f9849604abfd4c34efb2df0d165)) +* **notifications:** only prefetch subscribers for ElggEntities ([65be05c5](https://github.com/Elgg/Elgg/commit/65be05c567692694e052ae4711450b7c19f2d571)) +* **profile:** use correct default access for profile fields ([63a01b6f](https://github.com/Elgg/Elgg/commit/63a01b6f8c9314ddae5819e8194938c988871a60)) + + + +### 1.12.12 (2016-08-05) + +#### Contributors + +* Steve Clay (11) +* Ismayil Khayredinov (2) + +#### Bug Fixes + +* **blog:** pass entity to the object/elements/full ([134c5b83](https://github.com/Elgg/Elgg/commit/134c5b837c476f36ff52ecbe4e1e5b213833df31)) +* **groups:** unfeaturing a group no longer leaves useless metadata ([2f3cf28a](https://github.com/Elgg/Elgg/commit/2f3cf28ac0d879fa13a874e99227faad6ef5bb4c)) +* **logging:** make clearer exception numbers are timestamps ([9c70596e](https://github.com/Elgg/Elgg/commit/9c70596e591198a72a713218ecdaf780f33539c2), closes [#9924](https://github.com/Elgg/Elgg/issues/9924)) +* **plugins:** now checks plugin instances before parsing priorities ([26d21f88](https://github.com/Elgg/Elgg/commit/26d21f886c809517890e8264ee4a6181293cad50)) + + ### 1.12.11 (2016-06-13) diff --git a/COPYRIGHT.txt b/COPYRIGHT.txt index 2625153864..8e94dbed0b 100644 --- a/COPYRIGHT.txt +++ b/COPYRIGHT.txt 
@@ -1,14 +1,15 @@ The follow individuals, companies, or entities have contributed significant code to the Elgg project and share the copyright. (In alphabetical order.) -Organizations: -The MITRE Corportation (jricher@mitre.org) -Curverider Ltd (info@elgg.com) - -Individuals: Steve Clay (steve@mrclay.org) Cash Costello (cash.costello@gmail.com) Brett Profitt (brett.profitt@gmail.com) Dave Tosh (davidgtosh@gmail.com) Ben Werdmuller (ben@benwerd.com) Evan Winslow (evan.b.winslow@gmail.com) + +Organizations: +The MITRE Corportation (jricher@mitre.org) +Curverider Ltd (info@elgg.com) + +When adding to this list, update the list of copyright owners in LICENSE.txt. diff --git a/ChangeLog b/ChangeLog index faa0e9b0ac..10d0930be0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,108 @@ +2016-10-02 Steve Clay + + * CHANGELOG.md, composer.json, docs/locale/pot/about.pot, + docs/locale/pot/admin.pot, docs/locale/pot/appendix.pot, + docs/locale/pot/contribute.pot, docs/locale/pot/design.pot, + docs/locale/pot/guides.pot, docs/locale/pot/index.pot, + docs/locale/pot/intro.pot, docs/locale/pot/plugins.pot, + docs/locale/pot/tutorials.pot: chore(release): v1.12.13 + +2016-09-28 Steve Clay + + * engine/classes/Elgg/Forms/StickyForms.php, engine/lib/input.php: + security(forms): passwords no longer stored with sticky form data Also makes + clearer the documentation for the sticky functions. + +2016-08-29 Steve Clay + + * engine/classes/Elgg/Database/AccessCollections.php, + engine/tests/ElggCoreAccessSQLTest.php: chore(tests): test entity + accessibility in the notifications flow Adds tests to verify that entities + with ACCESS_LOGGED_IN and ACCESS_PUBLIC are treated as accessible with + ignored access + +2016-09-06 iionly + + * mod/bookmarks/actions/bookmarks/save.php, mod/bookmarks/languages/en.php, + mod/bookmarks/lib/bookmarks.php, mod/bookmarks/start.php, + mod/bookmarks/views/default/forms/bookmarks/save.php: chore(bookmarks): + Removal of unused 'shares' code and unused language strings from bookmarks + +2016-09-06 Steve Clay + + * mod/pages/actions/pages/delete.php, mod/pages/actions/pages/edit.php, + mod/pages/lib/pages.php: fix(pages): operations keep track of more than 10 + child pages Sets `0` limit on queries for child queries, converts to + batches, some small refactoring for clarity. 
+ +2016-08-29 Steve Clay + + * mod/htmlawed/vendors/htmLawed/htmLawed.php, + mod/htmlawed/vendors/htmLawed/htmLawedTest.php, + mod/htmlawed/vendors/htmLawed/htmLawed_README.htm, + mod/htmlawed/vendors/htmLawed/htmLawed_README.txt, + .../vendors/htmLawed/htmLawed_TESTCASE.txt: security(htmlawed): upgrades + htmLawed to latest, currently 1.1.22 Fixes #10126 + +2016-08-17 Steve Clay + + * COPYRIGHT.txt, LICENSE.txt: docs(license): clarifies dual licensing in + LICENSE.txt + +2016-08-05 Steve Clay + + * CHANGELOG.md, composer.json, docs/locale/pot/about.pot, + docs/locale/pot/admin.pot, docs/locale/pot/appendix.pot, + docs/locale/pot/contribute.pot, docs/locale/pot/design.pot, + docs/locale/pot/guides.pot, docs/locale/pot/index.pot, + docs/locale/pot/intro.pot, docs/locale/pot/plugins.pot, + docs/locale/pot/tutorials.pot: chore(release): v1.12.12 + +2016-07-21 Steve Clay + + * .scripts/languages.php, .scripts/release.php: chore(project): separate + i18n updates from releases Language updates are super slow and ruin the DX + of cutting releases. Also, pairing them with releases puts a large amount of + pressure on core devs to rubber stamp language changes without any public + review. This allows language files (code, not docs) to be updated + independently of releases. The follow up to this would be to update the docs + in 2.x to recommend running the language intake separately and sending in + standard pull requests independently of releases. + +2016-06-10 Steve Clay + + * docs/guides/routing.rst, engine/lib/elgglib.php: chore(routing): reject + requests for unknown walled garden views Existing code passed arbitrary + input (URL segment) into HTML attributes. Although URL segments are now HTML + escaped, we should not invite risk or present bad examples to devs. 
+ +2016-07-18 Steve Clay + + * js/tests/ElggSpinnerTest.js, views/default/js/elgg/spinner.js: + chore(tests): eliminates setTimeout race in ElggSpinnerTest Even though the + class should be added at 20ms, with a wait of 100ms tests were still failing. + Apparently there's no way to reliably test that a timeout of a particular + period is used, so now the module fires a test event, allowing the test to + directly listen instead of guessing how long to wait. This still at least + tests that there is *some* delay. + +2016-07-08 Steve Clay + + * mod/web_services/lib/api_user.php, mod/web_services/lib/tokens.php: + security(web_services): increase entropy of API keys + +2016-06-11 Steve Clay + + * engine/classes/Elgg/Http/Request.php, + engine/tests/phpunit/Elgg/Http/RequestTest.php: security(routing): HTML + escapes URL segments Just in case a developer unwisely injects URL content + directly into HTML, we escape `&"'<>` with HTML entities. + +2016-07-02 Steve Clay + + * engine/lib/elgglib.php, views/failsafe/messages/exceptions/exception.php: + fix(logging): make clearer exception numbers are timestamps Fixes #9924 + 2016-06-13 Steve Clay * CHANGELOG.md, composer.json: chore(release): v1.12.11 diff --git a/LICENSE.txt b/LICENSE.txt index f833d881e5..304da45729 100644 --- a/LICENSE.txt +++ b/LICENSE.txt 
@@ -1,3 +1,48 @@ +Bundled plugins (the contents of the "/mod" directory) are available +only under the GPLv2 license. + +The remainder of the project is available under either MIT or GPLv2. + +Both licenses can be found below. + +More info: http://learn.elgg.org/en/latest/intro/license.html + +------------------------------------------------------------------------ + +The MIT License (MIT) +Copyright (c) 2016 The following parties: + + Steve Clay (steve@mrclay.org) + Cash Costello (cash.costello@gmail.com) + Brett Profitt (brett.profitt@gmail.com) + Dave Tosh (davidgtosh@gmail.com) + Ben Werdmuller (ben@benwerd.com) + Evan Winslow (evan.b.winslow@gmail.com) + + The MITRE Corportation (jricher@mitre.org) + Curverider Ltd (info@elgg.com) + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to permit +persons to whom the Software is furnished to do so, subject to the +following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +------------------------------------------------------------------------ + GNU GENERAL PUBLIC LICENSE Version 2, June 1991 
diff --git a/actions/profile/edit.php b/actions/profile/edit.php
index 34f2b5fb6b..e75306047a 100755
--- a/actions/profile/edit.php
+++ b/actions/profile/edit.php
@@ -82,6 +82,10 @@ function profile_array_decoder(&$v) {
 // go through custom fields
 if (sizeof($input) > 0) {
+
+ // fetch default access level for the user for use in fallback cases
+ $user_default_access = get_default_access($owner);
+
 foreach ($input as $shortname => $value) {
 $options = array(
 'guid' => $owner->guid,
@@ -98,7 +102,7 @@ function profile_array_decoder(&$v) {
 $access_id = (int) $accesslevel[$shortname];
 } else {
 // this should never be executed since the access level should always be set
- $access_id = ACCESS_DEFAULT;
+ $access_id = $user_default_access;
 }
 if (is_array($value)) {
 $i = 0;
diff --git a/composer.json b/composer.json
index 8439222243..a47ef32e26 100644
--- a/composer.json
+++ b/composer.json
@@ -1,6 +1,6 @@
 {
 "name": "elgg/elgg",
- "version": "1.12.11",
+ "version": "1.12.13",
 "description": "Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications.",
 "license": "GPL-2.0",
 "minimum-stability": "dev",
diff --git a/composer.lock b/composer.lock
index f15af611b3..66b7057de0 100644
--- a/composer.lock
+++ b/composer.lock
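Review bot: The fallback in the second hunk now resolves to the owner's default access, but the branch that reads the submitted value, `$access_id = (int) $accesslevel[$shortname];`, still accepts any integer, so as far as this hunk shows a client could attach a profile field to an access collection the owner is not a member of; the `if` condition and the origin of `$accesslevel` sit above the hunk, so this is inferred from the cast alone. If `$accesslevel` is request input, validate it against the owner's writable access levels and reuse the same fallback: `if (!array_key_exists($access_id, get_write_access_array($owner->guid))) { $access_id = $user_default_access; }`. Hoisting `get_default_access($owner)` above the `foreach` is the right call since the default does not change per field, and the added comment explains the fallback role clearly. The enclosing `if (sizeof($input) > 0)` block and the `foreach` continue past the end of the hunk.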
@@ -4,21 +4,21 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "580a06f0ab2af0c709271191a58fca41", - "content-hash": "9fb38151c8596ccf451a07e1bacde460", + "hash": "678141e74d7009affbb6848093c0e408", + "content-hash": "9dbae73e24cdb140503437f67b627bfa", "packages": [ { "name": "composer/installers", - "version": "v1.0.25", + "version": "v1.2.0", "source": { "type": "git", "url": "https://github.com/composer/installers.git", - "reference": "36e5b5843203d7f1cf6ffb0305a97e014387bd8e" + "reference": "d78064c68299743e0161004f2de3a0204e33b804" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/installers/zipball/36e5b5843203d7f1cf6ffb0305a97e014387bd8e", - "reference": "36e5b5843203d7f1cf6ffb0305a97e014387bd8e", + "url": "https://api.github.com/repos/composer/installers/zipball/d78064c68299743e0161004f2de3a0204e33b804", + "reference": "d78064c68299743e0161004f2de3a0204e33b804", "shasum": "" }, "require": { @@ -65,21 +65,26 @@ "MODX Evo", "Mautic", "OXID", + "Plentymarkets", + "RadPHP", "SMF", "Thelia", "WolfCMS", "agl", "aimeos", "annotatecms", + "attogram", "bitrix", "cakephp", "chef", + "cockpit", "codeigniter", "concrete5", "croogo", "dokuwiki", "drupal", "elgg", + "expressionengine", "fuelphp", "grav", "installer", @@ -96,16 +101,18 @@ "piwik", "ppi", "puppet", + "reindex", "roundcube", "shopware", "silverstripe", "symfony", "typo3", "wordpress", + "yawik", "zend", "zikula" ], - "time": "2016-04-13 19:46:30" + "time": "2016-08-13 20:53:52" }, { "name": "elgg/login_as", 
@@ -315,16 +322,16 @@ }, { "name": "psr/cache", - "version": "1.0.0", + "version": "1.0.1", "source": { "type": "git", "url": "https://github.com/php-fig/cache.git", - "reference": "9e66031f41fbbdda45ee11e93c45d480ccba3eb3" + "reference": "d11b50ad223250cf17b86e38383413f5a6764bf8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/cache/zipball/9e66031f41fbbdda45ee11e93c45d480ccba3eb3", - "reference": "9e66031f41fbbdda45ee11e93c45d480ccba3eb3", + "url": "https://api.github.com/repos/php-fig/cache/zipball/d11b50ad223250cf17b86e38383413f5a6764bf8", + "reference": "d11b50ad223250cf17b86e38383413f5a6764bf8", "shasum": "" }, "require": { @@ -357,7 +364,7 @@ "psr", "psr-6" ], - "time": "2015-12-11 02:52:07" + "time": "2016-08-06 20:24:11" }, { "name": "roave/security-advisories", 
@@ -365,20 +372,24 @@ "source": { "type": "git", "url": "https://github.com/Roave/SecurityAdvisories.git", - "reference": "96f1ef760845211c8acbb15970e706db1e4b2c5e" + "reference": "47cd1dcac8df83b6f8a5fe85e3b743d079160643" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Roave/SecurityAdvisories/zipball/96f1ef760845211c8acbb15970e706db1e4b2c5e", - "reference": "96f1ef760845211c8acbb15970e706db1e4b2c5e", + "url": "https://api.github.com/repos/Roave/SecurityAdvisories/zipball/47cd1dcac8df83b6f8a5fe85e3b743d079160643", + "reference": "47cd1dcac8df83b6f8a5fe85e3b743d079160643", "shasum": "" }, "conflict": { + "amphp/artax": ">=2,<2.0.4|>0.7.1,<1.0.4", "aws/aws-sdk-php": ">=3,<3.2.1", - "cakephp/cakephp": ">=3,<3.0.15|>=2,<2.4.99|>=2.5,<2.5.90|>=2.6,<2.6.12|>=1.3,<1.3.18|>=2.7,<2.7.6|>=3.1,<3.1.3", - "codeigniter/framework": "<3.0.3", + "bugsnag/bugsnag-laravel": ">=2,<2.0.2", + "cakephp/cakephp": ">=3,<3.0.15|>=2,<2.4.99|>=2.5,<2.5.99|>=2.6,<2.6.12|>=1.3,<1.3.18|>=2.7,<2.7.6|>=3.1,<3.1.4", + "cartalyst/sentry": "<2.1", + "codeigniter/framework": "<=3.0.6", "composer/composer": "<=1.0.0-alpha11", - "contao/core": ">=2.11,<3|>=3,<3.1|>=3.1,<3.2|>=3.2,<3.2.19|>=3.3,<3.4|>=3.4,<3.4.4", + "contao-components/mediaelement": ">=2.14.2,<2.21.1", + "contao/core": ">=2.11,<3.5.15", "doctrine/annotations": ">=1,<1.2.7", "doctrine/cache": ">=1,<1.3.2|>=1.4,<1.4.2", "doctrine/common": ">=2,<2.4.3|>=2.5,<2.5.1", 
@@ -389,14 +400,18 @@ "doctrine/mongodb-odm-bundle": ">=2,<3.0.1", "doctrine/orm": ">=2,<2.4.8|>=2.5,<2.5.1", "dompdf/dompdf": ">=0.6,<0.6.2", + "drupal/core": ">=8,<8.1.10", + "drupal/drupal": ">=8,<8.1.10", "firebase/php-jwt": "<2", "friendsofsymfony/rest-bundle": ">=1.2,<1.2.2", - "friendsofsymfony/user-bundle": ">=1.2,<1.3|>=1.3,<1.3.5", + "friendsofsymfony/user-bundle": ">=1.2,<1.3.5", + "guzzlehttp/guzzle": ">=6,<6.2.1|>=4.0.0-rc2,<4.2.4|>=5,<5.3.1", "illuminate/auth": ">=4,<4.0.99|>=4.1,<4.1.26", "illuminate/database": ">=4,<4.0.99|>=4.1,<4.1.29", "joomla/session": "<1.3.1", "laravel/framework": ">=4,<4.0.99|>=4.1,<4.1.29", "laravel/socialite": ">=1,<1.0.99|>=2,<2.0.10", + "magento/magento2ce": ">=2,<2.2", "monolog/monolog": ">=1.8,<1.12", "namshi/jose": "<2.2", "oro/crm": ">=1.7,<1.7.4", 
@@ -404,33 +419,33 @@ "phpmailer/phpmailer": ">=5,<5.2.14", "pusher/pusher-php-server": "<2.2.1", "sabre/dav": ">=1.6,<1.6.99|>=1.7,<1.7.11|>=1.8,<1.8.9", - "shopware/shopware": "<4.3.7|>=5,<5.1|>=5.1,<5.1.5", + "shopware/shopware": "<4.3.7|>=5,<5.1.5", "silverstripe/cms": ">=3.1,<3.1.11|>=3,<=3.0.11", "silverstripe/forum": "<=0.6.1|>=0.7,<=0.7.3", - "silverstripe/framework": ">=3,<3.1|>=3.1,<3.2|>=3.2,<3.3", + "silverstripe/framework": ">=3,<3.3", "silverstripe/userforms": "<3", - "simplesamlphp/simplesamlphp": "<=1.14.1", + "simplesamlphp/simplesamlphp": "<1.14.4", "socalnick/scn-social-auth": "<1.15.2", "swiftmailer/swiftmailer": ">=4,<4.99.99|>=5,<5.2.1", "symfony/dependency-injection": ">=2,<2.0.17", - "symfony/form": ">=2.3,<2.3.35|>=2.4,<2.5|>=2.5,<2.6|>=2.6,<2.6.12|>=2.7,<2.7.7", - "symfony/framework-bundle": ">=2,<2.1|>=2.1,<2.2|>=2.2,<2.3|>=2.3,<2.3.18|>=2.4,<2.4.8|>=2.5,<2.5.2", - "symfony/http-foundation": ">=2,<2.1|>=2.1,<2.2|>=2.2,<2.3|>=2.3,<2.3.27|>=2.4,<2.5|>=2.5,<2.5.11|>=2.6,<2.6.6", - "symfony/http-kernel": ">=2,<2.1|>=2.1,<2.2|>=2.2,<2.3|>=2.3,<2.3.29|>=2.4,<2.5|>=2.5,<2.5.12|>=2.6,<2.6.8", + "symfony/form": ">=2.3,<2.3.35|>=2.4,<2.6.12|>=2.7,<2.7.7", + "symfony/framework-bundle": ">=2,<2.3.18|>=2.4,<2.4.8|>=2.5,<2.5.2", + "symfony/http-foundation": ">=2,<2.3.27|>=2.4,<2.5.11|>=2.6,<2.6.6", + "symfony/http-kernel": ">=2,<2.3.29|>=2.4,<2.5.12|>=2.6,<2.6.8", "symfony/routing": ">=2,<2.0.19", - "symfony/security": ">=2.3,<2.3.37|>=2.4,<2.5|>=2.5,<2.6|>=2.6,<2.6.13|>=2.7,<2.7.9|>=2,<2.0.25|>=2.1,<2.1.13|>=2.2,<2.2.9", - "symfony/security-core": ">=2.8,<2.8.6|>=3,<3.0.6|>=2.4,<2.5|>=2.5,<2.6|>=2.6,<2.6.13|>=2.7,<2.7.9", - "symfony/security-http": ">=2.4,<2.5|>=2.5,<2.6|>=2.6,<2.7|>=2.7,<2.7.13|>=2.3,<2.3.41|>=2.8,<2.8.6|>=3,<3.0.6", + "symfony/security": ">=2.3,<2.3.37|>=2.4,<2.6.13|>=2.7,<2.7.9|>=2,<2.0.25|>=2.1,<2.1.13|>=2.2,<2.2.9", + "symfony/security-core": ">=2.8,<2.8.6|>=3,<3.0.6|>=2.4,<2.6.13|>=2.7,<2.7.9", + "symfony/security-http": 
">=2.4,<2.7.13|>=2.3,<2.3.41|>=2.8,<2.8.6|>=3,<3.0.6", "symfony/serializer": ">=2,<2.0.11", - "symfony/symfony": ">=2,<2.1|>=2.1,<2.2|>=2.2,<2.3|>=2.3,<2.3.41|>=2.4,<2.5|>=2.5,<2.6|>=2.6,<2.7|>=2.7,<2.7.13|>=2.8,<2.8.6|>=3,<3.0.6", + "symfony/symfony": ">=2,<2.3.41|>=2.4,<2.7.13|>=2.8,<2.8.6|>=3,<3.0.6", "symfony/translation": ">=2,<2.0.17", "symfony/validator": ">=2,<2.0.24|>=2.1,<2.1.12|>=2.2,<2.2.5|>=2.3,<2.3.3", - "symfony/web-profiler-bundle": ">=2,<2.1|>=2.1,<2.2|>=2.2,<2.3|>=2.3,<2.3.19|>=2.4,<2.4.9|>=2.5,<2.5.4", + "symfony/web-profiler-bundle": ">=2,<2.3.19|>=2.4,<2.4.9|>=2.5,<2.5.4", "symfony/yaml": ">=2,<2.0.22|>=2.1,<2.1.7", "thelia/backoffice-default-template": ">=2.1,<2.1.2", "thelia/thelia": ">=2.1.0-beta1,<2.1.3|>=2.1,<2.1.2", "twig/twig": "<1.20", - "typo3/cms": ">=6.2,<6.2.25|>=7,<7.1|>=7.1,<7.2|>=7.2,<7.3|>=7.3,<7.4|>=7.4,<7.5|>=7.5,<7.6|>=7.6,<7.6.8|>=8,<8.1.1", + "typo3/cms": ">=6.2,<6.2.27|>=8,<8.3.1|>=7,<7.6.11", "typo3/flow": ">=1,<1.0.4|>=1.1,<1.1.1|>=2,<2.0.1|>=2.3,<2.3.7|>=3,<3.0.1", "typo3/neos": ">=1.1,<1.1.3|>=1.2,<1.2.13|>=2,<2.0.4", "willdurand/js-translation-bundle": "<2.1.1", @@ -456,7 +471,7 @@ "zendframework/zend-view": ">=2,<2.2.7|>=2.3,<2.3.1", "zendframework/zend-xmlrpc": ">=2.1,<2.1.6|>=2.2,<2.2.6", "zendframework/zendframework": ">=2,<2.4.9|>=2.5,<2.5.1", - "zendframework/zendframework1": ">=1,<1.11.15|>=1.12,<1.12.18", + "zendframework/zendframework1": "<1.12.20", "zendframework/zendopenid": ">=2,<2.0.2", "zendframework/zendxml": ">=1,<1.0.1", "zf-commons/zfc-user": "<1.2.2", 
@@ -476,20 +491,20 @@ } ], "description": "Prevents installation of composer packages with known security vulnerabilities: no API, simply require it", - "time": "2016-05-25 05:33:34" + "time": "2016-09-30 13:56:41" }, { "name": "symfony/http-foundation", - "version": "v2.8.7", + "version": "v2.8.11", "source": { "type": "git", "url": "https://github.com/symfony/http-foundation.git", - "reference": "744dae663ffcfa21d8a111fb63541954199acbb2" + "reference": "1d4ab8de2215e44e57fddc1e6b5d122546769e7d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/http-foundation/zipball/744dae663ffcfa21d8a111fb63541954199acbb2", - "reference": "744dae663ffcfa21d8a111fb63541954199acbb2", + "url": "https://api.github.com/repos/symfony/http-foundation/zipball/1d4ab8de2215e44e57fddc1e6b5d122546769e7d", + "reference": "1d4ab8de2215e44e57fddc1e6b5d122546769e7d", "shasum": "" }, "require": { @@ -531,7 +546,7 @@ ], "description": "Symfony HttpFoundation Component", "homepage": "https://symfony.com", - "time": "2016-06-06 11:11:27" + "time": "2016-09-06 10:55:00" }, { "name": "symfony/polyfill-mbstring", @@ -905,16 +920,16 @@ }, { "name": "phpdocumentor/reflection-docblock", - "version": "3.1.0", + "version": "3.1.1", "source": { "type": "git", "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git", - "reference": "9270140b940ff02e58ec577c237274e92cd40cdd" + "reference": "8331b5efe816ae05461b7ca1e721c01b46bafb3e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/9270140b940ff02e58ec577c237274e92cd40cdd", - "reference": "9270140b940ff02e58ec577c237274e92cd40cdd", + "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/8331b5efe816ae05461b7ca1e721c01b46bafb3e", + "reference": "8331b5efe816ae05461b7ca1e721c01b46bafb3e", "shasum": "" }, "require": { 
@@ -946,7 +961,7 @@ } ], "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.", - "time": "2016-06-10 09:48:41" + "time": "2016-09-30 07:12:33" }, { "name": "phpdocumentor/type-resolver", @@ -1302,16 +1317,16 @@ }, { "name": "phpunit/phpunit", - "version": "4.8.26", + "version": "4.8.27", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "fc1d8cd5b5de11625979125c5639347896ac2c74" + "reference": "c062dddcb68e44b563f66ee319ddae2b5a322a90" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/fc1d8cd5b5de11625979125c5639347896ac2c74", - "reference": "fc1d8cd5b5de11625979125c5639347896ac2c74", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/c062dddcb68e44b563f66ee319ddae2b5a322a90", + "reference": "c062dddcb68e44b563f66ee319ddae2b5a322a90", "shasum": "" }, "require": { @@ -1370,7 +1385,7 @@ "testing", "xunit" ], - "time": "2016-05-17 03:09:28" + "time": "2016-07-21 06:48:14" }, { "name": "phpunit/phpunit-mock-objects", 
@@ -1546,23 +1561,23 @@ }, { "name": "sebastian/environment", - "version": "1.3.7", + "version": "1.3.8", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/environment.git", - "reference": "4e8f0da10ac5802913afc151413bc8c53b6c2716" + "reference": "be2c607e43ce4c89ecd60e75c6a85c126e754aea" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/4e8f0da10ac5802913afc151413bc8c53b6c2716", - "reference": "4e8f0da10ac5802913afc151413bc8c53b6c2716", + "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/be2c607e43ce4c89ecd60e75c6a85c126e754aea", + "reference": "be2c607e43ce4c89ecd60e75c6a85c126e754aea", "shasum": "" }, "require": { - "php": ">=5.3.3" + "php": "^5.3.3 || ^7.0" }, "require-dev": { - "phpunit/phpunit": "~4.4" + "phpunit/phpunit": "^4.8 || ^5.0" }, "type": "library", "extra": { @@ -1592,7 +1607,7 @@ "environment", "hhvm" ], - "time": "2016-05-17 03:18:57" + "time": "2016-08-18 05:49:44" }, { "name": "sebastian/exporter", @@ -1950,16 +1965,16 @@ }, { "name": "symfony/yaml", - "version": "v3.1.1", + "version": "v3.1.4", "source": { "type": "git", "url": "https://github.com/symfony/yaml.git", - "reference": "c5a7e7fc273c758b92b85dcb9c46149ccda89623" + "reference": "f291ed25eb1435bddbe8a96caaef16469c2a092d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/yaml/zipball/c5a7e7fc273c758b92b85dcb9c46149ccda89623", - "reference": "c5a7e7fc273c758b92b85dcb9c46149ccda89623", + "url": "https://api.github.com/repos/symfony/yaml/zipball/f291ed25eb1435bddbe8a96caaef16469c2a092d", + "reference": "f291ed25eb1435bddbe8a96caaef16469c2a092d", "shasum": "" }, "require": { 
@@ -1995,32 +2010,33 @@ ], "description": "Symfony Yaml Component", "homepage": "https://symfony.com", - "time": "2016-06-14 11:18:07" + "time": "2016-09-02 02:12:52" }, { "name": "webmozart/assert", - "version": "1.0.2", + "version": "1.1.0", "source": { "type": "git", "url": "https://github.com/webmozart/assert.git", - "reference": "30eed06dd6bc88410a4ff7f77b6d22f3ce13dbde" + "reference": "bb2d123231c095735130cc8f6d31385a44c7b308" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozart/assert/zipball/30eed06dd6bc88410a4ff7f77b6d22f3ce13dbde", - "reference": "30eed06dd6bc88410a4ff7f77b6d22f3ce13dbde", + "url": "https://api.github.com/repos/webmozart/assert/zipball/bb2d123231c095735130cc8f6d31385a44c7b308", + "reference": "bb2d123231c095735130cc8f6d31385a44c7b308", "shasum": "" }, "require": { - "php": ">=5.3.3" + "php": "^5.3.3|^7.0" }, "require-dev": { - "phpunit/phpunit": "^4.6" + "phpunit/phpunit": "^4.6", + "sebastian/version": "^1.0.1" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "1.0-dev" + "dev-master": "1.2-dev" } }, "autoload": { @@ -2044,7 +2060,7 @@ "check", "validate" ], - "time": "2015-08-24 13:29:44" + "time": "2016-08-09 15:02:57" } ], "aliases": [], diff --git a/docs/contribute/money.rst b/docs/contribute/money.rst index 292a3674f9..7e0e9a7e92 100755 --- a/docs/contribute/money.rst +++ b/docs/contribute/money.rst @@ -13,7 +13,7 @@ For only $50 per year for individuals or $150 per year for organizations, you can get listed as a supporter on `our supporters page`_. Elgg supporters are listed there unless they request not to be. -.. _our supporters page: http://elgg.org/supporters.php +.. _our supporters page: http://elgg.org/supporter.php Supporters are able to put this official logo on their site if they wish: diff --git a/docs/guides/routing.rst b/docs/guides/routing.rst index a95d5d83b9..c19b928aed 100755 --- a/docs/guides/routing.rst +++ b/docs/guides/routing.rst 
@@ -18,6 +18,7 @@ available via ``get_input()``) The site URL (home page) is a special case that produces an empty string identifier and an empty segments array. +.. warning:: URL identifier/segments should be considered potentially dangerous user input. Elgg uses ``htmlspecialchars`` to escapes HTML entities in them. Page Handler ============ diff --git a/docs/locale/pot/about.pot b/docs/locale/pot/about.pot index b526835f8e..f7879b256a 100755 --- a/docs/locale/pot/about.pot +++ b/docs/locale/pot/about.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/admin.pot b/docs/locale/pot/admin.pot index 639b54a382..07b62bcbd5 100755 --- a/docs/locale/pot/admin.pot +++ b/docs/locale/pot/admin.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/appendix.pot b/docs/locale/pot/appendix.pot index ab004c059a..478a362659 100755 --- a/docs/locale/pot/appendix.pot +++ b/docs/locale/pot/appendix.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/contribute.pot b/docs/locale/pot/contribute.pot index 5fb1cebf31..2ac0eb7e9d 100755 --- a/docs/locale/pot/contribute.pot +++ b/docs/locale/pot/contribute.pot 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/design.pot b/docs/locale/pot/design.pot index 50046a56a4..8cfca0e9bd 100755 --- a/docs/locale/pot/design.pot +++ b/docs/locale/pot/design.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/guides.pot b/docs/locale/pot/guides.pot index 4ecf558792..9a3b062413 100755 --- a/docs/locale/pot/guides.pot +++ b/docs/locale/pot/guides.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -4887,87 +4887,91 @@ msgstr "" msgid "The site URL (home page) is a special case that produces an empty string identifier and an empty segments array." msgstr "" -#: ../../guides/routing.rst:23 +#: ../../guides/routing.rst:21 +msgid "URL identifier/segments should be considered potentially dangerous user input. Elgg uses ``htmlspecialchars`` to escapes HTML entities in them." +msgstr "" + +#: ../../guides/routing.rst:24 msgid "Page Handler" msgstr "" -#: ../../guides/routing.rst:25 +#: ../../guides/routing.rst:26 msgid "To handle all URLs that begin with a particular identifier, you can register a function to act as a :doc:`/guides/pagehandler`. When the handler is called, the segments array is passed in as the first argument." msgstr "" -#: ../../guides/routing.rst:29 +#: ../../guides/routing.rst:30 msgid "The following code registers a page handler for \"blog\" URLs and shows how one might route the request to a resource view." msgstr "" -#: ../../guides/routing.rst:56 +#: ../../guides/routing.rst:57 msgid "The ``route`` Plugin Hook" msgstr "" -#: ../../guides/routing.rst:58 +#: ../../guides/routing.rst:59 msgid "The ``route`` plugin hook is triggered earlier, before page handlers are called. The URL identifier is given as the type of the hook. This hook can be used to modify the identifier or segments, to take over page rendering completely, or just to add some logic before the request is handled elsewhere." msgstr "" -#: ../../guides/routing.rst:63 +#: ../../guides/routing.rst:64 msgid "Generally devs should use a page handler unless they need to affect a single page or a wider variety of URLs." msgstr "" -#: ../../guides/routing.rst:65 +#: ../../guides/routing.rst:66 msgid "The following code intercepts requests to the page handler for ``customblog`` and internally redirects them to the ``blog`` page handler." 
msgstr "" -#: ../../guides/routing.rst:78 +#: ../../guides/routing.rst:79 msgid "The following code results in ``/blog/all`` requests being completely handled by the plugin hook handler. For these requests the ``blog`` page handler is never called." msgstr "" -#: ../../guides/routing.rst:103 +#: ../../guides/routing.rst:104 msgid "Routing overview" msgstr "" -#: ../../guides/routing.rst:105 +#: ../../guides/routing.rst:106 msgid "For regular pages, Elgg's program flow is something like this:" msgstr "" -#: ../../guides/routing.rst:107 +#: ../../guides/routing.rst:108 msgid "A user requests ``http://example.com/blog/owner/jane``." msgstr "" -#: ../../guides/routing.rst:108 +#: ../../guides/routing.rst:109 msgid "Plugins are initialized." msgstr "" -#: ../../guides/routing.rst:109 +#: ../../guides/routing.rst:110 msgid "Elgg parses the URL to identifier ``blog`` and segments ``['owner', 'jane']``." msgstr "" -#: ../../guides/routing.rst:110 +#: ../../guides/routing.rst:111 msgid "Elgg triggers the plugin hook ``route, blog`` (see above)." msgstr "" -#: ../../guides/routing.rst:111 +#: ../../guides/routing.rst:112 msgid "Elgg finds a registered page handler (see above) for ``blog``, and calls the function, passing in the segments." msgstr "" -#: ../../guides/routing.rst:113 +#: ../../guides/routing.rst:114 msgid "The page handler function determines it needs to render a single user's blog. It stores the username via ``set_input()`` and calls the view ``resources/blog/owner``." msgstr "" -#: ../../guides/routing.rst:115 +#: ../../guides/routing.rst:116 msgid "The ``resources/blog/owner`` view gets the username via ``get_input()``, and uses many other views and formatting functions like ``elgg_view_layout()`` and ``elgg_view_page()`` to create the entire HTML page." msgstr "" -#: ../../guides/routing.rst:117 +#: ../../guides/routing.rst:118 msgid "The page handler echos the view HTML and returns ``true`` to indicate it handled the request." 
msgstr "" -#: ../../guides/routing.rst:118 +#: ../../guides/routing.rst:119 msgid "PHP invokes Elgg's shutdown sequence." msgstr "" -#: ../../guides/routing.rst:119 +#: ../../guides/routing.rst:120 msgid "The user receives a fully rendered page." msgstr "" -#: ../../guides/routing.rst:121 +#: ../../guides/routing.rst:122 msgid "Elgg's coding standards suggest a particular URL layout, but there is no syntax enforced." msgstr "" diff --git a/docs/locale/pot/index.pot b/docs/locale/pot/index.pot index 7cd17f72d0..decaf7c1fd 100755 --- a/docs/locale/pot/index.pot +++ b/docs/locale/pot/index.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/intro.pot b/docs/locale/pot/intro.pot index eea80b42be..42b967e53c 100755 --- a/docs/locale/pot/intro.pot +++ b/docs/locale/pot/intro.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/plugins.pot b/docs/locale/pot/plugins.pot index 8a3a5365ed..639fce4c59 100755 --- a/docs/locale/pot/plugins.pot +++ b/docs/locale/pot/plugins.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Elgg 1.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-06-13 21:32-0400\n" +"POT-Creation-Date: 2016-10-02 15:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" diff --git a/docs/locale/pot/tutorials.pot b/docs/locale/pot/tutorials.pot index b6a5da70c4..4b629769d8 100755 --- a/docs/locale/pot/tutorials.pot 
+++ b/docs/locale/pot/tutorials.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Elgg 1.12\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-06-13 21:32-0400\n"
+"POT-Creation-Date: 2016-10-02 15:25-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff --git a/engine/classes/Elgg/Database/AccessCollections.php b/engine/classes/Elgg/Database/AccessCollections.php
index ad6c4268ed..30e82d173c 100755
--- a/engine/classes/Elgg/Database/AccessCollections.php
+++ b/engine/classes/Elgg/Database/AccessCollections.php
@@ -317,8 +317,10 @@ function getWhereSql(array $options = array()) {
 * @return bool
 */
 function hasAccessToEntity($entity, $user = null) {
-
-
+ if (!$entity instanceof \ElggEntity) {
+ return false;
+ }
+
 // See #7159. Must not allow ignore access to affect query
 $ia = elgg_set_ignore_access(false);
diff --git a/engine/classes/Elgg/Forms/StickyForms.php b/engine/classes/Elgg/Forms/StickyForms.php
index 848daa1e3c..13eec3fd29 100755
--- a/engine/classes/Elgg/Forms/StickyForms.php
+++ b/engine/classes/Elgg/Forms/StickyForms.php
@@ -13,7 +13,7 @@ class StickyForms {
 /**
- * Load all the GET and POST variables into the sticky form cache
+ * Save form submission data (all GET and POST vars) into a session cache
 *
 * Call this from an action when you want all your submitted variables
 * available if the submission fails validation and is sent back to the form
@@ -23,7 +23,13 @@ class StickyForms {
 * @return void
 */
 public function makeStickyForm($form_name) {
-
+
+ $banned_keys = [];
+ // TODO make $banned_keys an argument
+ if (in_array($form_name, ['register', 'useradd', 'usersettings'])) {
+ $banned_keys = ['password', 'password2'];
+ }
+
 elgg_clear_sticky_form($form_name);
 $session = _elgg_services()->session;
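Review bot: The new guard at the top of hasAccessToEntity denies access for any non-entity argument but does not say that this is the intended fail-closed default, and the `@param` line for `$entity` is above the hunk so it cannot be checked here that it now describes this behaviour. A one-line comment on the guard keeps the intent with the code: `// Fail closed: anything that is not an entity has no access to check`. The rest of the method body, including the matching restore of the ignore-access flag, is outside the hunk.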
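Review bot: `in_array($form_name, ['register', 'useradd', 'usersettings'])` in makeStickyForm is a loose comparison; pass `true` as the third argument so only an exact string match selects the password-stripping list: `if (in_array($form_name, ['register', 'useradd', 'usersettings'], true)) {`. The stripping itself happens in the next hunk's `foreach ($banned_keys as $key) { unset($vars[$key]); }`, which removes only those exact key names from the merged GET/POST data, so any other form that submits a secret under a different field name still has it written into the session cache; the `// TODO make $banned_keys an argument` is therefore the real fix rather than a nicety and deserves a tracking reference. The method body continues into the next hunk.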
@@ -32,13 +38,16 @@ public function makeStickyForm($form_name) {
 // will go through XSS filtering in elgg_get_sticky_value()
 $vars = array_merge($req->query->all(), $req->request->all());
+ foreach ($banned_keys as $key) {
+ unset($vars[$key]);
+ }
 $data[$form_name] = $vars;
 $session->set('sticky_forms', $data);
 }
 /**
- * Clear the sticky form cache
+ * Remove form submission data from the session
 *
 * Call this if validation is successful in the action handler or
 * when they sticky values have been used to repopulate the form
@@ -56,7 +65,7 @@ function clearStickyForm($form_name) {
 }
 /**
- * Has this form been made sticky?
+ * Does form submission data exist for this form?
 *
 * @param string $form_name Form namespace
 *
@@ -69,7 +78,7 @@ function isStickyForm($form_name) {
 }
 /**
- * Get a specific sticky variable
+ * Get a specific value from cached form submission data
 *
 * @param string $form_name The name of the form
 * @param string $variable The name of the variable
@@ -95,7 +104,7 @@ function getStickyValue($form_name, $variable = '', $default = null, $filter_res
 }
 /**
- * Get all the values in a sticky form in an array
+ * Get all submission data cached for a form
 *
 * @param string $form_name The name of the form
 * @param bool $filter_result Filter for bad input if true
@@ -120,7 +129,7 @@ function getStickyValues($form_name, $filter_result = true) {
 }
 /**
- * Clear a specific sticky variable
+ * Remove one value of form submission data from the session
 *
 * @param string $form_name The name of the form
 * @param string $variable The name of the variable to clear
diff --git a/engine/classes/Elgg/Http/Request.php b/engine/classes/Elgg/Http/Request.php
index d5936f23f9..01723e01c7 100755
--- a/engine/classes/Elgg/Http/Request.php
+++ b/engine/classes/Elgg/Http/Request.php
@@ -71,10 +71,15 @@ public function initialize(array $query = array(), array $request = array(), arr
 *
 * @see \Elgg\Http\Request::getPathInfo()
 *
- * @return array
+ * @param bool $raw If true, the segments will not be HTML escaped
+ *
+ * @return string[]
 */
- public function getUrlSegments() {
+ public function getUrlSegments($raw = false) {
 $path = trim($this->query->get('__elgg_uri'), '/');
+ if (!$raw) {
+ $path = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
+ }
 if (!$path) {
 return array();
 }
diff --git a/engine/classes/Elgg/Notifications/SubscriptionsService.php b/engine/classes/Elgg/Notifications/SubscriptionsService.php
index 2b00bc892a..93a60b1858 100755
--- a/engine/classes/Elgg/Notifications/SubscriptionsService.php
+++ b/engine/classes/Elgg/Notifications/SubscriptionsService.php
@@ -61,12 +61,14 @@ public function getSubscriptions(\Elgg\Notifications\Event $event) {
 if (!$object) {
 return $subscriptions;
 }
-
- $prefixLength = strlen(self::RELATIONSHIP_PREFIX);
- $records = $this->getSubscriptionRecords($object->getContainerGUID());
- foreach ($records as $record) {
- $deliveryMethods = explode(',', $record->methods);
- $subscriptions[$record->guid] = substr_replace($deliveryMethods, '', 0, $prefixLength);
+
+ if ($object instanceof \ElggEntity) {
+ $prefixLength = strlen(self::RELATIONSHIP_PREFIX);
+ $records = $this->getSubscriptionRecords($object->getContainerGUID());
+ foreach ($records as $record) {
+ $deliveryMethods = explode(',', $record->methods);
+ $subscriptions[$record->guid] = substr_replace($deliveryMethods, '', 0, $prefixLength);
+ }
 }
 $params = array('event' => $event);
diff --git a/engine/classes/ElggPluginPackage.php b/engine/classes/ElggPluginPackage.php
index e6c9136024..489bb2a016 100755
--- a/engine/classes/ElggPluginPackage.php
+++ b/engine/classes/ElggPluginPackage.php
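Review bot: `htmlspecialchars($path, ENT_QUOTES, 'UTF-8')` in getUrlSegments returns an empty string when `$path` is not valid UTF-8 (PHP 5.4+ without `ENT_SUBSTITUTE`), and the `if (!$path)` check that follows then treats such a request as the site root with no segments instead of as a malformed path. Passing `ENT_QUOTES | ENT_SUBSTITUTE` keeps the segments with the invalid bytes replaced so routing sees the real request; if rejecting malformed input is preferred, that should be an explicit branch rather than a side effect of the escaping. Because the escaping runs before the split, page handlers that compare segments against literal route names now see `&amp;` for `&` unless they ask for `$raw`; that is presumably intended and is worth a sentence on the `@param bool $raw` line, e.g. that callers taking raw segments must escape them before output. The split and return of the segments is below the hunk.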
@@ -503,18 +503,25 @@ private function checkDepPlugin(array $dep, array $plugins, $inverse = false) {
 private function checkDepPriority(array $dep, array $plugins, $inverse = false) {
 // grab the \ElggPlugin using this package.
 $plugin_package = elgg_get_plugin_from_id($this->getID());
- $plugin_priority = $plugin_package->getPriority();
+ if (!$plugin_package) {
+ return array(
+ 'status' => true,
+ 'value' => 'uninstalled'
+ );
+ }
+
 $test_plugin = elgg_get_plugin_from_id($dep['plugin']);
 // If this isn't a plugin or the plugin isn't installed or active
 // priority doesn't matter. Use requires to check if a plugin is active.
- if (!$plugin_package || !$test_plugin || !$test_plugin->isActive()) {
+ if (!$test_plugin || !$test_plugin->isActive()) {
 return array(
 'status' => true,
 'value' => 'uninstalled'
 );
 }
+ $plugin_priority = $plugin_package->getPriority();
 $test_plugin_priority = $test_plugin->getPriority();
 switch ($dep['priority']) {
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index b23bfd7337..e138359138 100755
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -796,7 +796,7 @@ function elgg_trigger_plugin_hook($hook, $type, $params = null, $returnvalue = n
 */
 function _elgg_php_exception_handler($exception) {
 $timestamp = time();
- error_log("Exception #$timestamp: $exception");
+ error_log("Exception at time $timestamp: $exception");
 // Wipe any existing output buffer
 ob_end_clean();
@@ -852,8 +852,8 @@ function _elgg_php_exception_handler($exception) {
 $timestamp = time();
 $message = $e->getMessage();
 http_response_code(500);
- echo "Fatal error in exception handler. Check log for Exception #$timestamp";
- error_log("Exception #$timestamp : fatal error in exception handler : $message");
+ echo "Fatal error in exception handler. Check log for Exception at time $timestamp";
+ error_log("Exception at time $timestamp : fatal error in exception handler : $message");
 }
 }
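Review bot: checkDepPriority now carries two early returns with the identical `array('status' => true, 'value' => 'uninstalled')` payload, and the comment "If this isn't a plugin or the plugin isn't installed or active" still reads as though it covers `$plugin_package`, which the new code checks separately above it. The fix itself (not calling getPriority() on a null package) survives a simpler shape: fetch `$test_plugin` first, keep the original combined condition `if (!$plugin_package || !$test_plugin || !$test_plugin->isActive()) {` as the single guard, and leave `$plugin_priority = $plugin_package->getPriority();` after it exactly where the hunk now places it. The `switch` body continues outside the hunk.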
@@ -1254,7 +1254,7 @@ function elgg_http_url_is_identical($url1, $url2, $ignore_params = array('offset
 * @return mixed
 * @since 1.8.0
 */
-function elgg_extract($key, array $array, $default = null, $strict = true) {
+function elgg_extract($key, $array, $default = null, $strict = true) {
 if (!is_array($array)) {
 return $default;
 }
@@ -1790,6 +1790,9 @@ function _elgg_walled_garden_index() {
 */
 function _elgg_walled_garden_ajax_handler($page) {
 $view = $page[0];
+ if (!elgg_view_exists("core/walled_garden/$view")) {
+ return false;
+ }
 $params = array(
 'content' => elgg_view("core/walled_garden/$view"),
 'class' => 'elgg-walledgarden-single hidden',
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 9de0137161..9d5b850139 100755
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -90,7 +90,7 @@ function is_email_address($address) {
 }
 /**
- * Load all the GET and POST variables into the sticky form cache
+ * Save form submission data (all GET and POST vars) into a session cache
 *
 * Call this from an action when you want all your submitted variables
 * available if the submission fails validation and is sent back to the form
@@ -105,7 +105,7 @@ function elgg_make_sticky_form($form_name) {
 }
 /**
- * Clear the sticky form cache
+ * Remove form submission data from the session
 *
 * Call this if validation is successful in the action handler or
 * when they sticky values have been used to repopulate the form
@@ -121,7 +121,7 @@ function elgg_clear_sticky_form($form_name) {
 }
 /**
- * Has this form been made sticky?
+ * Does form submission data exist for this form?
 *
 * @param string $form_name Form namespace
 *
@@ -133,7 +133,7 @@ function elgg_is_sticky_form($form_name) {
 }
 /**
- * Get a specific sticky variable
+ * Get a specific value from cached form submission data
 *
 * @param string $form_name The name of the form
 * @param string $variable The name of the variable
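Review bot: Dropping the `array` type from `$array` in elgg_extract finally makes the existing `is_array` guard reachable for non-array callers, but the docblock's `@param` for `$array` sits above the hunk and cannot be checked here; it should now state the relaxed contract, e.g. `@param mixed $array The array to read from; anything that is not an array yields $default`, so the loosened signature is documented rather than silent. The body of elgg_extract continues below the hunk.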
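Review bot: `$view = $page[0]` in _elgg_walled_garden_ajax_handler takes a URL segment straight into a view name, and when the handler is invoked with no segments that index raises an undefined-offset notice before the new `elgg_view_exists` check returns false. Reading it defensively keeps the new guard as the single rejection point: `$view = elgg_extract(0, $page, '');` (elgg_extract lives in this same file, see the hunk above). A short comment on the guard also records why it exists: `// $view is user-controlled; only render views that really exist under core/walled_garden/`. The rest of the handler is outside the hunk.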
@@ -147,11 +147,10 @@ function elgg_is_sticky_form($form_name) {
 */
 function elgg_get_sticky_value($form_name, $variable = '', $default = null, $filter_result = true) {
 return _elgg_services()->stickyForms->getStickyValue($form_name, $variable, $default, $filter_result);
-
 }
 /**
- * Get all the values in a sticky form in an array
+ * Get all submission data cached for a form
 *
 * @param string $form_name The name of the form
 * @param bool $filter_result Filter for bad input if true
@@ -164,7 +163,7 @@ function elgg_get_sticky_values($form_name, $filter_result = true) {
 }
 /**
- * Clear a specific sticky variable
+ * Remove one value of form submission data from the session
 *
 * @param string $form_name The name of the form
 * @param string $variable The name of the variable to clear
diff --git a/engine/lib/pageowner.php b/engine/lib/pageowner.php
index 0d63d5b83c..f43bde1d71 100755
--- a/engine/lib/pageowner.php
+++ b/engine/lib/pageowner.php
@@ -44,19 +44,18 @@ function elgg_get_page_owner_guid($guid = 0) {
 /**
 * Gets the owner entity for the current page.
 *
- * @note Access is disabled when getting the page owner entity.
- *
 * @return \ElggUser|\ElggGroup|false The current page owner or false if none.
 *
 * @since 1.8.0
 */
 function elgg_get_page_owner_entity() {
 $guid = elgg_get_page_owner_guid();
- if ($guid > 0) {
- $ia = elgg_set_ignore_access(true);
- $owner = get_entity($guid);
- elgg_set_ignore_access($ia);
+ if (!$guid) {
+ return false;
+ }
+ $owner = get_entity($guid);
+ if ($owner instanceof ElggUser || $owner instanceof ElggGroup) {
 return $owner;
 }
diff --git a/engine/tests/ElggCoreAccessSQLTest.php b/engine/tests/ElggCoreAccessSQLTest.php
index 6ea7ff4155..541d5eb3c0 100755
--- a/engine/tests/ElggCoreAccessSQLTest.php
+++ b/engine/tests/ElggCoreAccessSQLTest.php
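Review bot: The rewritten elgg_get_page_owner_entity drops the ignore-access override around `get_entity($guid)` without a comment saying that this is deliberate, and the removed `@note` was the only place the old behaviour was recorded, so a later reader may "restore" the override as a bug fix. A one-line comment on the call keeps the intent with the code: `// Deliberately honours the current user's access: a page owner the viewer cannot see is not returned`. The `false` return for the non-user/non-group case is below the hunk and is assumed, not seen here.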
@@ -33,7 +33,7 @@ public function __construct() {
 public function setUp() {
 // Replace current hook service with new instance for each test
 $this->original_hooks = _elgg_services()->hooks;
- _elgg_services()->hooks = new \Elgg\PluginHooksService();
+ _elgg_services()->setValue('hooks', new \Elgg\PluginHooksService());
 }
 /**
@@ -41,7 +41,7 @@ public function setUp() {
 */
 public function tearDown() {
 // Restore original hook service
- _elgg_services()->hooks = $this->original_hooks;
+ _elgg_services()->setValue('hooks', $this->original_hooks);
 }
 /**
@@ -175,6 +175,49 @@ public function testAccessPluginHookAddAnd() {
 $this->assertTrue($this->assertSqlEqual($ans, $sql), "$sql does not match $ans");
 }
+ public function testHasAccessToEntity() {
+ $session = elgg_get_session();
+ $test_user = $session->getLoggedInUser();
+
+ $object = new ElggObject();
+ $object->access_id = ACCESS_PRIVATE;
+ $object->save();
+
+ $session->removeLoggedInUser();
+ $this->assertFalse(has_access_to_entity($object));
+ $this->assertFalse(has_access_to_entity($object, $this->user));
+ $session->setLoggedInUser($test_user);
+
+ $object->access_id = ACCESS_PUBLIC;
+ $object->save();
+
+ $session->removeLoggedInUser();
+ $this->assertTrue(has_access_to_entity($object));
+ $this->assertTrue(has_access_to_entity($object, $this->user));
+ $session->setLoggedInUser($test_user);
+
+ $object->access_id = ACCESS_LOGGED_IN;
+ $object->save();
+
+ $session->removeLoggedInUser();
+ $this->assertFalse(has_access_to_entity($object));
+ $this->assertTrue(has_access_to_entity($object, $this->user));
+ $session->setLoggedInUser($test_user);
+
+ $test_user->addFriend($this->user->guid);
+
+ $object->access_id = ACCESS_FRIENDS;
+ $object->save();
+
+ $session->removeLoggedInUser();
+ $this->assertFalse(has_access_to_entity($object));
+ $this->assertTrue(has_access_to_entity($object, $this->user));
+ $session->setLoggedInUser($test_user);
+
+ $test_user->removeFriend($this->user->guid);
+ $object->delete();
+ }
+
 public function addAndCallback($hook, $type, $clauses, $params) {
 $clauses['ands'][] = '57 > 32';
 return $clauses;
diff --git a/engine/tests/phpunit/Elgg/Http/RequestTest.php b/engine/tests/phpunit/Elgg/Http/RequestTest.php
index 63be02a609..d3a799bf9a 100644
--- a/engine/tests/phpunit/Elgg/Http/RequestTest.php
+++ b/engine/tests/phpunit/Elgg/Http/RequestTest.php
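Review bot: testHasAccessToEntity restores the logged-in user, removes the friend relationship and deletes `$object` only on the success path, so a failing assertion part-way through leaves the session logged out and the fixture object and friendship behind for every test that runs afterwards. Wrapping everything after the `$object->save()` setup in a `try` whose `finally` does `$session->setLoggedInUser($test_user); $test_user->removeFriend($this->user->guid); $object->delete();` makes the cleanup unconditional, and the per-block `setLoggedInUser` calls can then stay as they are. `$this->user` is a fixture defined outside the hunk.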
@@ -12,6 +12,20 @@ public function testCanDetectElggPath() {
 $this->assertEquals(['foo', 'bar'], $req->getUrlSegments());
 }
+ public function testUrlSegmentsAutoHtmlEscaped() {
+ $req = new Request([
+ '__elgg_uri' => '/fo