Direct links to the login pages for public instances could lead to a
redirect back to an external page upon login.
This adds a check to ensure the URL is a URL expected from the current
bookstack instance, or at least under the same domain.
Fixes#2073
- Added testing to cover.
- Linked logging into Laravel's monolog logging system and made log
channel configurable.
- Updated env var names to be specific to login access.
- Added extra locations as to where failed logins would be captured.
Related to #1881 and #728
- Intended to prevent enumeration to check if a user exists.
- Updated messages on both the reqest-reset and set-password elements.
- Also updated notification auto-hide to be dynamic based upon the
amount of words within the notification.
- Added tests to cover.
For #2016
- Updated logic to take url from referrer rather than pass as a query parameter.
- Added tests to cover functionality.
- Updated 404 page with login action button if not signed in.
- Updated 404 page with text to indicate permissions may be affecting visibility.
Related to #1817 and #1706
- Included tests to cover for LDAP and SAML
- Updated wording for external auth id option.
- Updated 'assertPermissionError' test case to be usable in BrowserKitTests
- Removed LDAP specific logic from login controller, placed in Guard.
- Created safer base user provider for ldap login, to be used for SAML
soon.
- Moved LDAP auth work from user provider to guard.
- Was only used to disable registration when LDAP was enabled.
- Caused saved option not to show on settings page causing confusion.
- Extended setting logic where used to take ldap into account instead of
global override.
- Added warning on setting page to show registration enable setting is
not used while ldap is active.
For #1541
- Aligned and formatted config options.
- Provided way to override onelogin lib options if required.
- Added endpoints in core bookstack routes.
- Provided way to debug details provided by idp and formatted by
bookstack.
- Started on test work
- Handled case of email address already in use.
* Started mass-refactoring of the current entity repos
* Rewrote book tree logic
- Now does two simple queries instead of one really complex one.
- Extracted logic into its own class.
- Remove model-level akward union field listing.
- Logic now more readable than being large separate query and
compilation functions.
* Extracted and split book sort logic
* Finished up Book controller/repo organisation
* Refactored bookshelves controllers and repo parts
* Fixed issues found via phpunit
* Refactored Chapter controller
* Updated Chapter export controller
* Started Page controller/repo refactor
* Refactored another chunk of PageController
* Completed initial pagecontroller refactor pass
* Fixed tests and continued reduction of old repos
* Removed old page remove and further reduced entity repo
* Removed old entity repo, split out page controller
* Ran phpcbf and split out some page content methods
* Tidied up some EntityProvider elements
* Fixed issued caused by viewservice change
- Added {$service}_AUTO_REGISTER and {$service}_AUTO_CONFIRM_EMAIL env
options for each social auth system.
- Auto-register will allow registration from login, even if registration
is disabled.
- Auto-confirm-email indicates trust and will mark new registrants as
'email_confirmed' and skip 'confirmation email' flow.
- Also added covering tests.
LDAP group sync was trying to find users based on the external_auth_id
which is not garunteed to match the username entered so somtimes
the search for a user would fail.
This passes the username to the group sync.
Picked up by @yoyokko in #959.
* Started move to laravel 5.3
* Started updating login & registration flows for laravel 5.3 update
* Updated app emails to notification system
* Fixed registations bugs and removed email confirmation model
* Fixed large portion of laravel post-upgrade issues
* Fixed and tested LDAP process
The email_confirmed user field now actually indicates if an email is confirmed rather than defaulting to true if not checked.
This ensures toggleing the 'Require email confirmation' setting actually makes all currently unconfirmed users confirm thier emails.
