- Added workaround for new 'srcdoc' usage that's breaking content in
Firefox, added new 'custom-changes.md' file to document for future.
- Updated old usages of 'new' when creating nodes.
- Tested and changed logic, where required, where 'editor.dom.select'
has been used to replace the old '$' usages.
- Fixed bad boolean value being passed to 'setActive' in task list
logic.
Cleaned up PermissionApplicator to remove old cache system which was
hardly ever actually caching anything since it was reset after each
public method run.
Changed the scope of 'userCanOnAny' to just check entity permissions,
and added protections of action scope creep, in case a role permission
action was passed by mistake.
Updated ajax search and entity selector usage to display and handle
items that the user does not have permission to interact with.
Started logic changes to not allow permission type to be passed around,
with views instead being the fixed sole permission.
Ran a quick app run-through in Firefox & Chrome. No secondary effects
immediately noticed but possible this could cause changes elsewhere due
to wide-spread grid item child targeting.
For #3523
For PR #3406
- Updated naming from 'redirect' to 'initiate/initiation'.
- Updated phpunit.xml and .env.example.complete files with the new
option.
- Cleaned up controller logic a bit.
- Added content and design to the new initiation view to not leave user
on a blank view for a while.
- Added non-JS button to initiation view as fallback option for
progression.
- Moved new test to its own Test class and expanded with additional
scenario tests for better functionality coverage.
TinyMCE was adding attributes to <br> elements within code blocks which
would then not be converted to newlines by our code regex match.
This changes the conversion to use dom querying instead.
Fixes #3507
- Also extracted shelf to book view elements to own partial.
- Fixed some existing logic including image param handling in update
request and activity logging against correct element.
Moved export templates elements into their own folder for better
grouping of logical usage.
Within the base export template, added some body classes to allow easier
targeted customisation via custom head css.
Split content of export templates into smaller partials for easier
future customization.
Closes #3443
Uses vdom system to diff and update the current markdown preview view
instead of requiring a full HTML replace change.
This should provide better performance, especially where dynamically
loaded content such as iframes were in use.
Closes #3454
Now uses the previously-generated timestamp name as a backup to the original
name. Aligns with the image manager upload which uses the original name
where given.
Closes #3470
- Allows easier accessibility of inline attachments.
- Introduces a new split-icon-list-item thingy to support such cases
where only part of the button is actually linked.
- Now has a hover state to match other items.
- Now spans the full sidebar width like other items.
- Also updated chapter-toggle to a chapter-contents component, following
the newer component system.
- Improves animation smoothness
- Changed slide-up/down animations to use max-height instead of height
to better avoid judder at the end.
- Cleaned spacing to match page items in books listing.
Specifically updates dropdown search and user-search implementation,
although does affect all inputs.
Decouples breadcrumb and select-style dropdown search toggles.
Addresses #2678
Would cause effect where scroll area would be cut off by spacing which
looked a bit strange. This retains the same padding sizes but cuts the
content at the header or top of viewport.
Animates the height on breadcrumb dropdown menus to transition to the
loaded animations quicker. Includes a new animation helper for doing
similar tasks in future.
Loading animation would show in an unready state due to animation-delay
on components. Updated to a negative delay to ensure elements were in
correct positions right away upon show.
- Removed harsh theme color border between search and content.
- Prevented intermediate focus on list container to align arrow & tab
behaviour, and to get to content quicker.
- Removed border and rounded list item styles to make hover states have
less edge detail and to align with other UI elements.
- In expanded-detail view, removed space used for entity description if
there is no description content.
- Removed background track line since it would darken entity item bars.
- Updated item spacing to be a bit tighter.
- Updated action hover styles to be a bit lighter, and visible on dark
mode, to fit rest of system.
- Tweaked styling to add a little extra shadow and be more rounded to
match other UI areas.
- Added slight horizontal inset when in right sidebar to prevent shadow
being cut-off in most cases.
- Added logic to "drop upwards" if dropping down would take the menu
offscreen.
- Updated all dropdown list item actions into three specific styles:
icon-item, text-item & label-item. Allows a stronger structure while
prevents mixing of styles as we were getting for header dropdown in
dark mode.
- Extracted out page editor top toolbar to its own view file & split
editor switch options to different markdown options.
Extracted page editor view data gathering to its own class for
alignment. Updated the data used in views as part of the process to use
view-specific variables instead of custom attributes added to models.
Also moved tinymce library loading so it's not loaded when not using the
wysiwyg editor.
- Added testing check to buffer stop/clear on streaming output due to
interference during tests.
- Made content-disposition header a little safer in download responses.
- Also aligned how we check for testing environment.
- Fixed issue where redirect for `/settings` view would not be run
through base url generator so would not create a correct path in some
cases. Now routed through controller with normal redirect.
- Fixed custom head content being active on settings pages due to route
name changes, for when viewing settings, in last release.
Fixes #3356 and #3355
- Updated PhpStan PHP version option to match project.
- Applied StyleCI changes.
- Updated static to self in WebhookFormatter, following static analysis
guidance.
- Fixed mis-matched header tags.
- Split settings out to new views using a core shared layout.
- Extracted added language text to translation files.
- Updated settings routes to be dynamic to category.
- Added redirect for old primary settings route.
- Updated existing tests to cover settings route changes.
- Added tests to cover settings view.
- Improved contrast of settings links for dark mode.
Creates a new organised formatting system for webhook data, with
interfaces for extending with custom model formatting rules.
Allows easy usage & extension of the default BookStack formatting
behaviour when customizing webhook events via theme system, and keeps
default data customizations organised.
This also makes the following webhook data changes:
- owned_by/created_by/updated_by user details are loaded for events with
Entity details. (POTENTIALLY BREAKING CHANGE).
- current_revision details are loaded for page update/create events.
Added testing to cover added model formatting rules.
For #3279 and #3218
Sets sizes on WYSIWYG code block sections based on content lines
as an early pre-codemirror height prediction to avoid excessive
jumping in the editor.
For #3326
This filters out <br> elements within code blocks and replaces them with
newlines. The editor started using <br>'s more harshly after some
configuration changes upon upgrading tinymce, in which we standardised
on forced br tags to avoid empty elements.
For #3327
- Updated styles to better align checkboxes within page content.
- Updated functionality to use a cross-compatible property on checkbox
click within the editor.
- Configurable via 'ALLOWED_IFRAME_SOURCES' .env option.
- Also updated how CSP rules are set, with a single header being used
instead of many.
- Also applied CSP rules to HTML export outputs.
- Updated tests to cover.
For #3314
- For some reason, TinyMCE would handle empty paragraphs with a ' '
by default but this would be removed when the paragraph had an
attribute. This was fine in the old editor.
- This changes the approach to use '<br>' tags within elements
for "spaced emptiness".
- For compatibility with any existing empty paragraphs, I updated the
styles to show default height for empty paragraph sections.
- This also makes changes to help preserve encoded html tags
since they were getting converted along the journey.
Related to #3302
- Allows for easy unlinking, link preview or link editing.
- Created custom one to limit actions available.
- Performed refactoring of non-plugin toolbar editor code to extract into
its own file.
Related to #3276
- Fixed issues with new code blocks breaking or acting odd due to
misnamed contenteditable attribute.
- Helped fix issue where code blocks may show in a strange blank state
due to timing within shadow dom loading.
- Fixed some function timing issues where some functions required their
async predecessor to have finished.
Tested rather heavily in Firefox and Brave.
Fixes #3292
Code blocks in tinymce could sometimes end up exploded into the sub
elements of the codemirror display.
This changes the strategy to render codemirror within the shadow dom of
a custom element while preserving the normal pre/code DOM structure.
Still a little instability when moving/adding code blocks within details
blocks but much harder to break things now.
- Ensures padding works across FF & Chrome, was only working on FF
before.
- Fixes sketchy editor positioning focus on FF, since tinyMCE would
add a hidden element to the bottom of the body which would remove/add
our body padding causing unstable positioning.
* New translations activities.php (Hebrew)
* New translations auth.php (Hebrew)
* New translations common.php (Hebrew)
* New translations activities.php (Hebrew)
* New translations common.php (Hebrew)
* New translations entities.php (Hebrew)
* New translations errors.php (Hebrew)
* New translations validation.php (Spanish)
- Removed old 'editor-*-update' commands to instead use the aligned
'editor::replace' command that we already have.
- Changed the way custom styles are loaded for the WYSIWYG editor so we
don't need an API call but instead scape content from the parent page
header using comments as identifiers. Added tests to ensure comments
exist and align.
- To display license info along with shortcuts.
- Extracted out plain layout from 503 error page.
- Added tests to ensure license references are as expected.
- Updated code content to get specific text selection instead of using
node-based handling which could return the whole document when
multiple top-level nodes were in selection.
- Simplified how code gets applied into the page to not be node based
but use native editor methods to replace the selection. Allows
creation from half-way through a block.
Tested on Chrome + Firefox on Fedora 35.
Builds upon changes in #3246.
For #3200.
- Split everything into specific plugin/concern files to make things
more manageable. Means original component file is now simple and much
of the core config is focused in one place.
- Required changing the docs generator to handle more complex
object-style rules. Bit of a hack for some types (password).
- Extracted core update logic to repo for sharing with API.
- Moved user update language string to align with activity/logging
system.
- Added tests to cover.
Intended to fix positioning quirks caused by changing codemirror
instance size when you have lines that wrap and cause line height
changes. Often caused by editor toolbox expand/collapse.
This adds a debounced resize observer to refresh editor layout on size
change.
Also tweaks toolbox expand/collapse to more consistently set aria
attribute.
For #3186
Quick patch to clear the gallery display when getting the first page.
Duplication of the gallery was occurring due to the multiple upload events
loading the gallery multiple times while only clearing the existing
gallery at the start of all refreshes.
A bit flashy in terms of user experience, as there will still be
multiple load/clear events but fixes the duplication. Could be done more
elegantly in future by communicating up image upload counts.
For #3160
Further fixes for #3120. Adds DOMPDF specific adjustments to prevent
full width linked images being cut-off as per last tweak.
This does not fix usage in smaller cases (tables) but tested on
master DOMPDF branch shows that will likely be fixed in next DOMPDF
upstream release.
DOMPDF fixes would break WKHTMLTOPDF presentation so system updated
to conditionally apply styles.
Language parsing of code blocks could falter on pasted code blocks due
to the language being parsed with a space which would throw an error when
used as a css class.
This adds more extensive language parsing to be safer.
Fixes #3133
- Added a user-configurable timeout option to webhooks.
- Added webhook fields for last-call/error datetime, in addition to last
error string, which are shown on webhook edit view.
Related to #3122
Was caused by max-width: 100% causing confusion when images were
inside an anchor. This change resets that property on PDF
exports allowing full width images to be shown as so
without affecting smaller sizes.
Fixes #3120
- Copies via loading in model on create view.
- Updated role views while editing to bring up to similar format as
that used for more modern app areas.
- Added tests to cover.
Related to #1123
Updated all password validation to use central password defaults
system while updating length requirements to now all match
at 8 characters minimum.
Some language text was technically correct (More than 7 characters)
but this has been updated for clarity and to prompt other translations
to be updated.
Closes #2237
Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
by hunting via search queries.
- Required the user to be logged in and have permission to manage users
or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
permission to manage users.
For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron
Used upon areas we usually fade-out to provide a focused user
experience. If the user desires more contrast, we prevent this
behaviour using the prefers-contrast media query.
Related to #2634
Adding tabindex=0 means when pressing tab the focus goes right to the TOTP input field. When using a password manager this makes it easier than having to hit tab 3x to get the right focus.
Updated the back button to be a proper link instead of a reference to
the last viewed URL since it could break if the last page was the
current one (On validation for example).
Includes test to cover.
Also applied some StyleCI changes.
Fixes #2834
Was done for convenience but could potentially be exploited by an
attacker signing up via one of these routes, then forwarding
an email confirmation to another user so they unknowingly utilise
an account someone else controls.
Tweaks the flow of confirming email, and the user invite flow.
For #3050
Replaces the old suggestion of setting JS head 'window.uploadLimit'
variable. This new env option will be used by back-end validation and
front-end libs/logic too.
Limits already likely exist within prod environments at a PHP and
webserver level but this allows an app-level limit and centralises the
option on the BookStack side into the .env
Closes #3033
As per #3047.
Also made some SAML specific fixes:
- IDP initiated login was broken due to forced default session value.
Double checked against OneLogin lib docs that this reverted logic was fine.
- Changed how the saml login flow works to use 'withoutMiddleware' on
the route instead of hacking out the session driver. This was due to
the array driver (previously used for the hack) no longer being
considered non-persistent.
Is a little awkward, emulates a 'list' API endpoint but has unstable
paging and does not support filters/sort. This is detailed on the
endpoint though.
Made some updates to the docs system to better support parameters
and examples on GET requests.
Includes tests to cover.
For #909
Updating filters via sidebar would wipe the created_by/update_by filters
since these were not part of the sidebar filter form.
This adds them, if existing, as hidden inputs.
Includes tests to cover.
Closes #2736
Created a new class to manage formatting of content for search results.
Turned out to be quite a complex task. This only does the preview text
so far, not titles or tags.
Not yet tested.
Relations now loaded during back-end query phase instead of being lazy
loaded one-by-one within views.
Reduced queries in testing from ~60 to ~20.
Need to check other areas where list-item.php's "showPath" option is used to
ensure relations are properly loaded for those listings.