Merge branch 'sync' into 'develop'

chore: sync mono develop

See merge request 2pisoftware/cosine/core!442

Author: MaddyUnderStars

system/config.php

@@ -95,4 +95,6 @@
     ],
 ]);
 
+Config::set('system.include_frame_options_header', true); // set to false to disable X-Frame-Options header
+
 Config::set('system.use_api', true);

system/modules/auth/models/AuthService.php

@@ -337,11 +337,11 @@ public function allowed($path, $url = null)
         // If I have an authentication header: and it has a token -> else fallthrough to original logic
         // ie: expecting [...curl...etc...] -H "Authorization: Bearer {token}"
         /*
-                Note! If under Apache & HTTP_AUTHORIZATION is dropped, prove site HTPPS and then patch access:
-                RewriteEngine On
-                RewriteCond %{HTTP:Authorization} ^(.+)$
-                RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-                */
+            Note! If under Apache & HTTP_AUTHORIZATION is dropped, prove site HTPPS and then patch access:
+            RewriteEngine On
+            RewriteCond %{HTTP:Authorization} ^(.+)$
+            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+        */
 
         if (empty($this->user()) && (Config::get('system.use_api') === true) && !empty($_SERVER['HTTP_AUTHORIZATION'])) {
             $speculativeToken = TokensService::getInstance($this->w)->getTokenFromAuthorisationHeader($_SERVER['HTTP_AUTHORIZATION']);

system/modules/auth/models/User.php

@@ -408,10 +408,10 @@ public function allowed($path)
     public function encryptPassword($password)
     {
         // If User's password salt is not built into the password hash use SHA1.
-        // Should not be used in Cmfive v5
-        // if (!empty($this->password_salt)) {
-        //     return sha1($this->password_salt . $password);
-        // }
+        // This is actually necessary to prevent issues rehashing SHA1 passwords to the new bcrypt hash
+        if (!empty($this->password_salt)) {
+            return sha1($this->password_salt . $password);
+        }
 
         $hash = false;
         $algorithm = PASSWORD_DEFAULT;
@@ -462,11 +462,16 @@ public function updatePasswordHash($password)
             return false;
         }
 
-        if (!empty($this->password_salt)) {
-            $this->password_salt = null;
+        // This will need to change if we ever want to rehash to another algorithm.
+        if (startsWith($this->password, "$2y$")) {
+            // The password is already using bcrypt.
+            return false;
         }
+        
+        $this->password_salt = null;
 
-        // $this->setPassword($password);
+        // Actually set the password to the new hash.
+        $this->setPassword($password);
         return $this->update(true);
     }
 

system/modules/channels/models/EmailChannelOption.php

@@ -34,7 +34,7 @@ public function __construct($params)
         $host     = isset($params->host)     ? $params->host     : 'localhost';
         $password = isset($params->password) ? $params->password : '';
         $port     = isset($params->port)     ? $params->port     : null;
-        $ssl      = isset($params->ssl)      ? $params->ssl      : false;
+        $ssl      = isset($params->ssl)      ? ($port !== 993 ? "tls" : $params->ssl) : false;
         $options  = isset($params->options)  ? $params->options  : null;
 
         $this->protocol = new ZendMailProtocolImap();
@@ -78,10 +78,10 @@ public function connect($host, $port = null, $ssl = false, $options = [])
         ErrorHandler::start();
 
         // Use stream_context_create instead of fsockopen as it allows us to specify SSL stream options
-        $stream = stream_context_create();
-        if ($ssl !== false && !is_null($options) && is_array($options) && array_key_exists('ssl', $options)) {
-            stream_context_set_option($stream, $options);
-        }
+        $stream = stream_context_create($options);
+        // if ($ssl !== false && !is_null($options) && is_array($options) && array_key_exists('ssl', $options)) {
+        //     stream_context_set_option($stream, $options);
+        // }
 
         $this->socket = stream_socket_client($host . ':' . $port, $errno, $errstr, self::TIMEOUT_CONNECTION, STREAM_CLIENT_CONNECT, $stream);
 

system/modules/file/actions/multipart/ajax_done.php

@@ -21,6 +21,16 @@ function ajax_done_POST(Web $w)
 
     $obj->delete();
 
+    $w->callHook(
+        "file",
+        "multipart_upload_done",
+        $attachment !== true
+            ? [
+                "attachment" => $attachment
+            ]
+            : null
+    );
+
     $w->out(
         (new JsonResponse())
             ->setSuccessfulResponse(

system/modules/file/assets/ts/MultipartUploaderComponent.vue

@@ -59,13 +59,15 @@ const upload = async (e: SubmitEvent) => {
     done.value = true;
 
     // This is kind of awful, sorry
-    //@ts-ignore
-    cmfiveEventBus
-        .dispatchEvent(new CustomEvent("multipart-upload-success", {
-            detail: {
-                files: files.value,
-            }
-        }));
+    if (failed_count.value === 0) {
+        //@ts-ignore
+        cmfiveEventBus
+            .dispatchEvent(new CustomEvent("multipart-upload-success", {
+                detail: {
+                    files: files.value,
+                }
+            }));
+    }
 };
 
 const updateFilePreview = (event: ChangeEvent<HTMLInputElement>) => {

system/modules/file/config.php

@@ -13,7 +13,8 @@
     ],
     'hooks' => [
         'admin',
-        'core_web'
+        'core_web',
+        "file",
     ],
     'adapters' => [
         'local' => [

system/modules/file/install/migrations/20250705120000-FileMultipartDisplaynameMigration.php

@@ -1,11 +1,14 @@
 <?php
 
-class FileMultipartDisplaynameMigration extends CmfiveMigration {
-    public function up() {
+class FileMultipartDisplaynameMigration extends CmfiveMigration
+{
+    public function up()
+    {
         $this->addColumnToTable("file_s3_object", "display_name", "text", ["null" => true]);
     }
 
-    public function down() {
+    public function down()
+    {
         $this->removeColumnFromTable("file_s3_object", "display_name");
     }
-}
+}

system/modules/file/models/FileMultipartUploadService.php

@@ -103,11 +103,14 @@ public function finishMultipart(FileS3Object $obj)
                 return $existing;
             }
 
+            $slash_pos = strpos($obj->key_path, "/");
+            $filename = !$slash_pos ? $obj->key_path : substr($obj->key_path, $slash_pos + 1);
+
             $attachment = new Attachment($this->w);
+            $attachment->title = $obj->display_name;
             $attachment->parent_table = $obj->parent_table;
             $attachment->parent_id = $obj->parent_id;
-            $attachment->filename = substr($obj->key_path, strpos($obj->key_path, "/") + 1);
-            $attachment->title = $obj->display_name;
+            $attachment->filename = $filename;
             $attachment->adapter = "s3";
             $attachment->fullpath = $obj->key_path;
             $attachment->skip_path_prefix = true;

system/modules/report/actions/edit.php

@@ -177,6 +177,9 @@ function edit_POST(Web $w)
 {
     $p = $w->pathMatch("id");
 
+    /**
+     * @var Report $report
+     */
     $report = !empty($p['id']) ? ReportService::getInstance($w)->getReport($p['id']) : new Report($w);
     if (!empty($p['id']) && empty($report->id)) {
         $w->error("Report not found", "/report");
@@ -201,6 +204,9 @@ function edit_POST(Web $w)
 
     // Insert or Update
     $report->fill($_POST);
+    if (isset($_POST['report_code'])) {
+        $report->report_code = json_decode($_POST['report_code']);
+    }
 
     // Force select statements only
     $report->sqltype = "select";