CHANGELOG-1.3.md

CHANGELOG FOR 1.3.X

v1.3.16 (2020-01-27)

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

v1.3.14, v1.3.15 (2019-12-03, 2019-12-05)

CVE-2019-16768: Internal exception message exposure in login action.

Details:

Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer.

A validation message with the exception details will be presented to the user when one will try to log into the shop.

Solution:

This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.

v1.3.13 (2019-05-29)

Details

• #10228 Improve taxon UI (@kulczy, @Zales0123)
• #10290 [Docs] Update "Customizing Repositories" (@AdamKasp)
• #10299 [Docs] Update "Customizing Models" (@Tomanhez)
• #10314 [Docs] Update "Customizing Forms" (@Tomanhez)
• #10315 [Docs] Update "Customizing Factories" (@Tomanhez)
• #10330 [Docs] Update "Customizing Controllers" (@Tomanhez)
• #10344 [Docs] Update "Customizing Templates" (@Tomanhez)
• #10348 [Docs] Update "customizing menus" (@AdamKasp)
• #10349 [Docs] Update "Customizing Validation" (@AdamKasp)
• #10351 [Docs] Update "Customizing translations" (@AdamKasp)
• #10353 [Docs] Update "Customization flashes " (@AdamKasp)
• #10359 [Docs] Update "Customizing Grids" (@Tomanhez)
• #10363 [Behat][Shop] Wait for province form loading (@Zales0123)
• #10364 As an Administrator, I want always to have proper option values selected while editing a product variant (@Tomanhez, @monro93)
• #10365 [Admin][Promotion] Fix removing taxon used in promotion rule (@GSadee)
• #10372 Image display in edit form (@AdamKasp)
• #10375 [Docs] Update "Customizing State Machine" (@AdamKasp)
• #10386 [Build Fix][Behat] Change scenarios to @javascript due to taxon tree changes (@Zales0123)
• #10394 Fix error caused by the taxon tree (@kulczy)
• #10407 Bump the Sylius release versions in docs (@teohhanhui)
• #10414 Use HTTPS links when possible (@javiereguiluz)

v1.3.12 (2019-05-07)

TL;DR

• Extracted packages from the core (#10325, #10326, #10327)

Details

• #10304 [Docs] Update contributing guide (@Tomanhez)
• #10308 Fix base locale (@igormukhingmailcom)
• #10309 Do not depend on transient dependencies for "symfony/intl" package (@pamil)
• #10320 fix OrderBundle depends on Core component #10319 ()
• #10324 Add a workaround for GridBundle & Symfony 4.2.7 to make tests passing (@pamil)
• #10325 Extract Mailer component & bundle (@pamil)
• #10326 [WIP] Extract Grid component & bundle (@pamil)
• #10327 [WIP] Extract Resource component & bundle (@pamil)
• #10328 Remove dead configuration related to pre-stable Sylius RBAC (@pamil)
• #10331 [Shop] Update grid action and filter keys to decouple shop from admin (@GSadee)
• #10335 Bring back "pay" grid action for backwards compatibility (@pamil)
• #10338 Removing unused service (@loevgaard)
• #10340 Fix #9646 by removing lambdas in JS file (@tchapi)
• #10341 Revert "Fix base locale" (@pamil)
• #10350 fix default repository for variant and association type resources (@loic425)
• #10352 Update documentation products.rst (@tom-schmitz)
• #10356 Quick fix product variants api invalid json (@shql)
• #10357 Fix wrong use statement in example (@teohhanhui)
• #10358 [Maintenance] Upgrade minimal jquery version (@lchrusciel)
• #10360 Revert "fix default repository for variant and association type resources" (@lchrusciel)
• #10362 Update release process with dates for 1.5 - 1.7 releases (@pamil)

v1.3.11 (2019-04-15)

Details

• #10178 Wrong regular expression for locale (@superbull)
• #10279 [Documentation] [ResourceBundle] 7.1. Overriding the Template and Criteria invalid config (@kboduch)
• #10283 [UserBundle] Fix user comparaison on user delete listener (@loic425)
• #10289 Fix re-authenticating for impersonated users (@semin-lev, @lchrusciel)
• #10294 [Docs] Fix presentation of "How to configure mailer" cookbook (@theyoux)
• #10298 [DOC] [Installation] Fix minor typo (@MatthieuCutin)

v1.3.10 (2019-04-01)

Details

• #9902 [cs] remove unnecesary variables and if conditions (@TomasVotruba, @lchrusciel)
• #10205 [Docs] Remove misleading channel context docs (@Zales0123)
• #10211 [Docs] Plugins section update (@CoderMaggie)
• #10213 Fix product form submit (@kulczy)
• #10214 Add behat/transliterator library (@mkalkowski83)
• #10215 Fix Sylius Grid on smaller screens (@kulczy)
• #10221 [Docs] Refresh "Installation" section of the book (@pamil)
• #10222 [Docs] Refresh "Contributing code" section (@pamil, @CoderMaggie)
• #10230 [Docs] Roadmap Link (@CoderMaggie)
• #10231 [Docs] Core Team (@CoderMaggie)
• #10232 Make PR template great again (@Zales0123)
• #10237 Fixing incorrect location in documentation for turning off admin norifications (@officialbalazs)
• #10239 [Resource] [Grid] deprecation warning fixed for deprecated Resource drivers (@doctorx32)
• #10242 Fix variant without options values generation (@Tomanhez)
• #10243 Taxonomy tree modified - 'go level up' moved to the end of tree (@AdamKasp)
• #10246 [Phpspec] Add missing specs on customer core model (@loic425)
• #10247 Non consistent file names (@AdamKasp)
• #10254 Fix assertion's message for ProductOptionValueCollectionType (@diimpp)
• #10255 [HotFix] Conflict with Twig 2.7.3 that breaks themes bundle (@Zales0123)
• #10256 Revert "[HotFix] Conflict with Twig 2.7.3 that breaks themes bundle" (@pamil)
• #10259 [BuildFix] Ignore psalm annotations (@Zales0123)
• #10263 Fix a grammar mistake (@romankosiuh)
• #10264 Added a missing word (@romankosiuh)
• #10265 Add plugin-feature docs style (@kulczy)
• #10270 Update installation.rst (@GCalmels)
• #10278 Travis with mySQL 5.7 + product sorting fix (@Zales0123, @laSyntez)
• #10280 [Travis] Update mysql version to speed up builds (@Zales0123)

v1.3.9 (2019-03-05)

TL;DR

• Extracted some packages from Sylius core (#10182, #10184, #10188)

Details

• #10126 [Docs] Change base dir for override config resources (@oallain)
• #10147 Remove flush() call, its done in the remover itself (@stefandoorn)
• #10156 Fix recent Composer deprecations (@pamil)
• #10157 Update to PHPUnit ^7.0 (@pamil)
• #10162 Change branches in Sylius PR template to supported ones (@Zales0123)
• #10164 Scaling text input field to keep enough room for the buttons (@4c0n)
• #10167 Cart flow documented (@bartoszpietrzak1994)
• #10169 Don't fail on billing or shipping address not set ver.2 (@DmitriyTrt, @Zales0123)
• #10171 Improve release process docs (@pamil)
• #10175 [Docs] Reverse parts in Custom Translatable Model (@xElysioN)
• #10182 Extract FixturesBundle (@pamil)
• #10184 Extract ThemeBundle (@pamil)
• #10185 Add Sylius demo link (@kulczy)
• #10188 Extract Registry component (@pamil)

v1.3.8 (2019-02-04)

TL;DR

• PHP 7.3 support (#9914)

Details

• #9914 Include PHP 7.3 in the build (@pamil)
• #10112 [Documentation] Update Sylius config path (@jelen07)
• #10118 [Product Review] fixed review validation when edited by admin (@kboduch)
• #10119 Using channel code in shipping method configuration (@nedac-sorbo)
• #10128 Syntax error in documentation (@hatem20)
• #10132 Add missing Length constraint on product translation slug (@venyii)
• #10135 Move bundle registration from Kernel class to "bundles.php" (@pamil)
• #10136 [HotFix] 500 on taxons list error fix (, @Zales0123)
• #10140 Use phpspec 5.0 in packages (@pamil)
• #10141 [1.1] Fix select attributes according to recent Symfony form changes (@Zales0123)
• #10145 Make build passing for TaxonomyBundle (@pamil)

v1.3.7 (2019-01-17)

TL;DR

• Added support for overriding templates from plugins (#10082, #10083)
• Fixed pagination on product list page (#10070)

Details

• #9988 Fix when trying to delete shop user having same ID than logged … (@laurent35240)
• #10002 Avoid deprecated notice when using symfony/config > 4.2 (@odolbeau)
• #10021 [Behat] Test for assigning main taxon on new product (@stefandoorn, @Zales0123, @pamil)
• #10026 External command informing about GUS existence (@bartoszpietrzak1994)
• #10039 Removed unused use statement (@stefandoorn)
• #10040 [Fixtures] StreetAddress instead of StreetName (@stefandoorn)
• #10043 Behat JS scenarios war vol.1 (@Zales0123)
• #10044 [Docs] Fix docs with page object extension usage (@loic425)
• #10045 Add scalar types in Behat/Page/Admin directory (@Zales0123)
• #10053 Fixed sorting path while sorting by position (@filipcro)
• #10054 [Admin] Taxon order : fix element(data) always returns 0 (@pierre-H, @pamil)
• #10059 Cover specs with PHPStan (@pamil)
• #10061 GUS existence mentioned in Sylius installation guide (@bartoszpietrzak1994)
• #10063 Do not require clearing cache when changing ResourceBundle drivers or metadata classes (@pamil)
• #10064 Make Sylius tests not fail on PHP 7.3 (@Zales0123)
• #10065 Remove unused Behat method (@Zales0123)
• #10070 #9699 Fix for viewing products when they belong to a taxon and to one… (@laurent35240)
• #10072 It's 2019! (@bartoszpietrzak1994)
• #10076 [Docs] Remove vagrant references (@lchrusciel)
• #10077 Fix select attributes according to recent Symfony form changes (@Zales0123)
• #10081 [CoreBundle] Fix Type in Construct for ChannelDeletionListener (@Donjohn)
• #10082 [Theme] Allow overriding templates from plugins (1.2.*) (@Zales0123, @pamil)
• #10083 [Theme] Allow overriding templates from plugins (^1.3) (@Zales0123)
• #10086 Remove container cleanup in test environment (1.2) (@Zales0123)
• #10088 Fix GridBundle build (@Zales0123)
• #10093 Typo (@OskarStark)
• #10094 Overriding plugin templates in themes tests (@Zales0123)
• #10095 Fix build failing due to newest twig version (@Zales0123)
• #10096 fix link (@OskarStark)
• #10097 less noise (@OskarStark)
• #10100 [Documentation] Visually mark most of the component&bundle docs outdated (@kulczy, @CoderMaggie)
• #10101 Fix build (1.3) (@Zales0123)

v1.3.6 (2018-12-17)

TL;DR

• Fixed compatibility issues with Symfony 4.1.18 and 4.1.19 (#10020, #10038)

Details

• #9837 Repaired shipping method fixture (@JakobTolkemit)
• #9893 Correcting the documentation about how to customise forms templates (@Konafets)
• #9919 #9858 Fix for promotion of 100 percent with coupon (@laurent35240)
• #9975 Ignore locale request restriction for profiler and it's toolbar (@Peteck)
• #9979 Update book/installation docs with correct config folder (@dakorpar)
• #9985 Add missing code and calculator mandatory field on tax rate documenation (@Soullivaneuh)
• #9995 Remove AppBundle from docs. (@Konafets)
• #9997 Fix typo cookbook about emails (@Konafets)
• #9998 Improve the ShippingBundle doc (@Konafets)
• #10004 [Console] Add command for showing available Sylius plugins (@GSadee)
• #10011 [Kernel] Move WebServerBundle to dev/test environment (@GSadee)
• #10012 Fixed incorrect Behat MinkExtension key in the docs (@jzawadzki)
• #10016 Column 'position' cannot be null (@zspine)
• #10018 [docs] fix config directory path and added info for orm mappings in customization/model (@dakorpar)
• #10020 [HotFix][BuildFix] Use old PhpMatcherDumper to avoid trailing slash problems (@Zales0123)
• #10023 Remove billingAddress and shippingAddress (@Konafets)
• #10025 [Console] Fix RBAC url (@GSadee)
• #10029 Fix type annotation for $addToCartCommand (@daniellienert)
• #10038 Fix the build on 1.3 by more flexible router overriding (@pamil)

v1.3.5 (2018-11-28)

TL;DR

• Security fixes according to problems with dominictarr/event-stream library
• Hot-fix preventing installation of symfony/symfony:4.1.8 due to Behat tests problems

Details

• #9860 [Behat] Viewing errors (@loic425)
• #9932 [Phpspec] add a missing scenario on customer context spec (@loic425)
• #9934 Use correct path for view overriding (@kaszim)
• #9937 [Payum] Add missing model interfaces (@GSadee)
• #9945 Fix for 9942 (@igormukhingmailcom)
• #9949 Fix sylius:theme:assets:install command (@alekseyp)
• #9950 [Docs][Book] Promotion priorities (@CoderMaggie)
• #9955 Remove inline css (@Prometee)
• #9956 Update disabling-localised-urls.rst (@alekseyp)
• #9961 Fixed: 9959 (added public/media/image/.gitkeep to repo) (@igormukhingmailcom)
• #9963 [Docs][OrderBundle] Remove old, incorrect docs (@CoderMaggie)
• #9970 [Hot-fix] Make build great again (@Zales0123)
• #9971 Make build great again (one more time) (@Zales0123)
• #9972 Update gulp-livereload (@kulczy)

v.1.3.4 (2018-11-16)

Details

• #9885 fixed ad blocking issue (@loevgaard)
• #9887 use behat page object extension (@loic425)
• #9898 #9862 Number of items in order summary page (@laurent35240)
• #9906 Product images deletion fix (@Zales0123)
• #9908 [Documentation] Add new styles (@kulczy)
• #9910 [Composer] Update ApiTestCase (@lchrusciel)
• #9918 Make use of sylius_core.public_dir in ThemeBundle (@alekseyp)
• #9922 Apply coding standard fixes from SyliusLabs/CodingStandard ^3.0@dev (@pamil)
• #9923 Use oneline phpdocs for property type info (@pamil)
• #9926 Fix plugin naming convention documentation (@Zales0123)
• #9927 Fix version widget and add better quality logo (@kulczy)
• #9929 Update SyliusLabs/CodingStandard to ^3.0 (@pamil)

v1.3.3 (2018-11-07)

TL;DR

• Fixed configuration files overriding in app/Resources/ (#9889)

  You need to update your application by following UPGRADE instructions in order to make use of it.

Details

• #9836 [Core] Bad reverting of ShippingPercentageDiscount promotion (@fendrychl)
• #9854 Update installation.rst (@zghosts)
• #9856 #9694 Do not show bulk sections and checkboxes if bulk actions are di… (@laurent35240)
• #9866 [Order] Changing function typing (@Roshyo)
• #9868 [Fix] Indentation error .platform.app.yml in docs (@jatempa)
• #9878 Fix select attribute values accordion (@Zales0123)
• #9883 Hydrate promotion_rules directly on loading active promotions for a channel (1n) (@stefandoorn)
• #9889 Allow to overwrite a specific config file (@pamil)
• #9892 [Order] Removing after SM callback (@Roshyo)
• #9900 Fix typos in BDD Transformers docs (@sarjon)

v1.3.2 (2018-10-24)

Details

• #9796 Improve product attributes JS (@Zales0123)
• #9815 remove web server bundle on prod environment (@loic425)
• #9817 Upgrade security checker (@pamil)
• #9827 Custom homepage controller as public service (@davidroberto)
• #9829 Wrong usage of returned data (@Prometee)
• #9830 SensioGeneratorBundle vs SymfonyMakerBundle (@davidroberto)
• #9832 Fix gulp uglify error with arrow functions (@magentix)
• #9839 [Docs] How to disable admin notifications (@stefandoorn)
• #9841 [Documentation] Make bundle templates extension part correct (@pamil)

v1.3.1 (2018-10-11)

TL;DR

• Fixed templates overriding (#9726, #9804)

Details

• #8093 [Order] Fixed sylius:remove-expired-carts help (@sweoggy)
• #8494 set gender u as default value - resolves #8493 (@pamil, @kochen)
• #9627 Narrow down selectors to prevent unexpected bugs (@teohhanhui)
• #9646 [Admin][Product edit] Change the value of the taxons individually when checked/unchecked. (@sbarbat)
• #9685 Update gulpfile.babel.js (@mihaimitrut)
• #9726 Use native Twig references for templates (@wadjeroudi)
• #9739 [Documentation] Change parameters to env variables (@Zales0123)
• #9740 Change command examples according to new Symfony recommendations (@Zales0123)
• #9742 [Behat] Changing my account password with token I received scenario (@loic425)
• #9743 Update shipments.rst (@hmonglee)
• #9746 [Documentation] v1.3 Update (@CoderMaggie)
• #9751 Update PR template (@CoderMaggie)
• #9752 Update installation.rst for Flex (@dunglas)
• #9754 Fix the "REST APIs" link in the documentation (@dunglas)
• #9755 [Documentation] Fix API example for creating a taxon (@pamil)
• #9756 Allow for null hostname in ChannelFixture (@pamil)
• #9757 Make ArrayGridProvider more performant & suitable for PHP-PM (@pamil)
• #9758 [ThemeBundle] Fix risky tests (@pamil)
• #9759 [GridBundle] Do not put unnecessary "andWhere" in ExpressionBuilder (@pamil)
• #9760 [CoreBundle] Make sure promotion action/rule amount is an integer (@pamil)
• #9761 [ThemeBundle] Replace "symfony/symfony" dependency with specific Symfony packages (@pamil)
• #9762 [Grid] Fix getting enabled grid items (@pamil)
• #9763 Update "Configuring taxation" docs (@pamil)
• #9764 [ShippingBundle] Add validation for ShippingMethod calculator (@pamil)
• #9765 Keep the existing pagination when changing sorting on product list page (@pamil)
• #9766 Update Composer's branch-alias for 1.3 (@pamil)
• #9769 [Behat] Add scenarios on resetting password validation feature (@loic425)
• #9771 Trigger deprecation when deprecated image fixture definition is used (@pamil)
• #9772 Fix doubled province id on checkout addressing page (@pamil)
• #9774 Ask for confirmation when cancelling an order (@pamil)
• #9775 Limit products shown in associated products autocomplete field (@pamil)
• #9776 [Core] Make implicit dependency explicit (@pamil)
• #9779 Fix error templates path (@pamil)
• #9783 Correct grammar mistake in README (@pamil)
• #9788 Update installation.rst (@hmonglee)
• #9790 Update disabling-localised-urls.rst (@hmonglee)
• #9791 [Docs] Update year in copyright (@CoderMaggie)
• #9800 Removed leftover Symfony3 references (@ping-localhost)
• #9801 Update template.rst (@bitbager)
• #9803 purge_mode has been rename to mode (@Prometee)
• #9804 [ThemeBundle] Add support for Twig namespaced paths and "templates/" top-level directory (@pamil)
• #9805 [Shop] Fix password request & contact pages with a mobile view. (@versgui)

v1.3.0, v1.3.0-BETA (2018-09-27, 2018-09-24)

TL;DR

• Bumped minimal PHP version to 7.2 (#9498)
• Changed to Symfony 4 directory structure (#9643)
• Introduced Symfony Flex support (#9665)
• Added possibility of searching products in nested taxons (#9621)
• Deprecated MongoDB and PHPCR drivers (#9551)
• Started using Rollup to bundle JS code (#9494)
• Added support for authorized state in payments (#9437)
• Added registration after checkout (#9656)
• Fixed promotion rules application (#9596)

Details

• #9437 [Payment] Support for authorized state (@pamil, @JakobTolkemit)
• #9492 Update Sylius issue templates (@CoderMaggie)
• #9494 Use rollup to bundle JS (ES6 modules) (@teohhanhui)
• #9498 Require PHP ^7.2 in Sylius ^1.3 (@pamil)
• #9551 Deprecate MongoDB and PHPCR drivers in ResourceBundle and GridBundle (@pamil)
• #9557 Use generic names for data-* properties in sylius-lazy-choice-tree.js (@teohhanhui)
• #9567 Add a template for security issues (@pamil)
• #9583 Remove Symfony Version from README.md (@psren)
• #9596 Take unitTotal of order item to check if taxon rule can be applied (@jdeveloper)
• #9615 Simplify code of sylius-product-images-preview module (@nenadalm)
• #9616 Added account verification option to fixture parser (@mamazu)
• #9621 Taxon with children taxons behavior in listing (@bartoszpietrzak1994)
• #9643 Symfony 4 directory structure (@pamil)
• #9656 [Shop] Registration after checkout (@GSadee)
• #9663 Theme translation : Add support of Windows OS (@pierre-H)
• #9665 Introduce Symfony Flex (@pamil)
• #9666 Bring back incenteev/composer-parameter-handler package to keep backwards compatibility better (@pamil)
• #9671 Add backwards compatibility layer for Behat configuration referenced in Sylius-Standard (@pamil)
• #9672 Provide a BC layer for files in "app/config/" referenced by PluginSkeleton (@pamil)
• #9676 Fix routing BC layer (@pamil)
• #9682 Remove unused parameters.yml.dist file (@pamil)
• #9695 Fix resolving environment variables (@Zales0123)