Merge remote-tracking branch 'upstream/master'

Author: mahasadhu

.github/release-drafter.yml

@@ -1,4 +1,5 @@
 name: Release Drafter
+uses: release-drafter/[email protected]
 
 on:
   push:

SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Supported Versions
+
+Updates are provided according to table below.
+
+| Version | Security Updates   |  Feature Updates   |  Bug Fixes         |
+| ------- | ------------------ | ------------------ | ------------------ |
+| 4.1.x   | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| 4.0.x   | :white_check_mark: | :x:                | :x:                |
+| 3.6.x   | :white_check_mark: | :x:                | :x:                |
+| 3.5.x   | :x:                | :x:                | :x:                |
+| 3.4.x   | :x:                | :x:                | :x:                |
+| < 4.0   | :x:                | :x:                | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover any security related issues, please email [email protected] instead of using the issue tracker.
+
+## Past Vulnerabilities
+
+Since its inception in 2016, Backpack has had zero security breaches or reported security issues. However, its dependencies _have_ had security flaws discovered and fixed - even major ones like Laravel, Bootstrap and jQuery. That's why it's a good idea for any project to be reasonably up-to-date. If we consider a security issue is something that affects our users, we'll email you. 
+
+It's _heavily_ recommended that you **[subscribe to the Backpack Newsletter](http://backpackforlaravel.com/newsletter)** so you can find out about any security updates, breaking changes or major features. We send an email about 1-2 emails per year. Sometimes less.

package-lock.json

@@ -10,34 +10,34 @@
         "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
     },
     "devDependencies": {
-        "cross-env": "^7.0.0",
+        "cross-env": "^7.0.2",
         "css-loader": "^3.6.0",
-        "laravel-mix": "^5.0.0",
-        "lodash": "^4.17.13",
+        "laravel-mix": "^5.0.5",
+        "lodash": "^4.17.20",
         "pace": "0.0.4",
         "resolve-url-loader": "^3.1.1",
-        "sass": "^1.26.9",
-        "sass-loader": "^8.0.2",
-        "vue-template-compiler": "^2.6.11"
+        "sass": "^1.26.10",
+        "sass-loader": "^9.0.3",
+        "vue-template-compiler": "^2.6.12"
     },
     "dependencies": {
         "@coreui/coreui": "^2.1.16",
         "@digitallyhappy/backstrap": "^0.3.2",
         "animate.css": "^3.7.2",
-        "bootstrap": "^4.4.1",
+        "bootstrap": "^4.5.2",
         "bootstrap-colorpicker": "^3.2.0",
         "bootstrap-datepicker": "^1.9.0",
         "bootstrap-daterangepicker": "^3.1.0",
         "bootstrap-iconpicker": "^1.8.2",
         "ckeditor": "^4.12.1",
         "cropperjs": "^1.5.7",
-        "datatables.net": "^1.10.20",
-        "datatables.net-bs4": "^1.10.20",
-        "datatables.net-fixedheader": "^3.1.6",
-        "datatables.net-fixedheader-bs4": "^3.1.6",
+        "datatables.net": "^1.10.21",
+        "datatables.net-bs4": "^1.10.21",
+        "datatables.net-fixedheader": "^3.1.7",
+        "datatables.net-fixedheader-bs4": "^3.1.7",
         "datatables.net-responsive": "^2.2.5",
         "datatables.net-responsive-bs4": "^2.2.5",
-        "easymde": "^2.10.1",
+        "easymde": "^2.11.0",
         "jquery": "^3.5.1",
         "jquery-colorbox": "^1.6.4",
         "jquery-cropper": "^1.0.1",
@@ -48,17 +48,17 @@
         "nonblockjs": "^1.0.8",
         "noty": "^3.2.0-beta",
         "pace-js": "^1.0.2",
-        "pc-bootstrap4-datetimepicker": "^4.17.50",
+        "pc-bootstrap4-datetimepicker": "^4.17.51",
         "perfect-scrollbar": "^1.5.0",
         "places.js": "^1.19.0",
         "popper.js": "^1.16.1",
         "select2": "^4.0.13",
         "select2-bootstrap-theme": "0.1.0-beta.10",
-        "simple-line-icons": "^2.4.1",
+        "simple-line-icons": "^2.5.5",
         "simplemde": "^1.11.2",
         "source-sans-pro": "^3.6",
         "summernote": "^0.8.18",
         "sweetalert": "^2.1.2",
-        "tinymce": "^5.4.0"
+        "tinymce": "^5.4.2"
     }
 }

package.json

@@ -46,6 +46,6 @@ private function checkLicenseCodeExists()
      */
     private function validCode($j)
     {
-        $k = str_replace('-', '', $j); $s = substr($k, 0, 8); $c = substr($k, 8, 2); $a = substr($k, 10, 2); $l = substr($k, 12, 2); $p = substr($k, 14, 2); $n = substr($k, 16, 2); $m = substr($k, 18, 2); $z = substr($k, 20, 24); $w = 'ADEFHKLMVWXYZ146'; $x = $s; for ($i = 0; $i < strlen($w); $i++) { $r = $w[$i]; $x = str_replace($r, '-', $x); } $x = str_replace('-', '', $x); if ($x != '') { return false; } if (substr_count($j, '-') != 5) { return false; } $e = substr(crc32(substr($k, 0, 20)), -4); if ($z !== $e) { return false; } $o = strrev(substr(preg_replace('/[0-9]+/', '', strtoupper(sha1($a.'sand('.$s.')'.$n.'tos()'))), 2, 2)); if ($m !== $o) { return false; } return true;
+        $k = str_replace('-', '', $j); $s = substr($k, 0, 8); $c = substr($k, 8, 2); $a = substr($k, 10, 2); $l = substr($k, 12, 2); $p = substr($k, 14, 2); $n = substr($k, 16, 2); $m = substr($k, 18, 2); $z = substr($k, 20, 24); $w = 'ADEFHKLMVWXYZ146'; $x = $s; for ($i = 0; $i < strlen($w); $i++) { $r = $w[$i]; $x = str_replace($r, '-', $x); } $x = str_replace('-', '', $x); if ($x != '') { return false; } if (substr_count($j, '-') != 5) { return false; } $e = substr(hexdec(hash('crc32b', substr($k, 0, 20))), -4); if ($z !== $e) { return false; } $o = strrev(substr(preg_replace('/[0-9]+/', '', strtoupper(sha1($a.'sand('.$s.')'.$n.'tos()'))), 2, 2)); if ($m !== $o) { return false; } $o2 = substr(((int)preg_replace('/[^0-9]/','', $s.$c)==0 ? 8310 : (int)preg_replace('/[^0-9]/','', $s.$c) )*9971, -2);if ($a !== $o2) {return false;} return true; 
     }
 }

src/LicenseCheck.php

@@ -23,6 +23,7 @@ protected function setupFetchOperationRoutes($segment, $routeName, $controller)
         if (count($matches[1])) {
             foreach ($matches[1] as $methodName) {
                 Route::post($segment.'/fetch/'.Str::kebab($methodName), [
+                    'as'        => $segment.'.fetch'.Str::studly($methodName),
                     'uses'      => $controller.'@fetch'.$methodName,
                     'operation' => 'FetchOperation',
                 ]);

src/app/Http/Controllers/Operations/FetchOperation.php

@@ -100,7 +100,7 @@ public function search()
                 // clear any past orderBy rules
                 $this->crud->query->getQuery()->orders = null;
                 // apply the current orderBy rules
-                $this->crud->query->orderBy($column['name'], $column_direction);
+                $this->crud->query->orderByRaw($this->crud->model->getTableWithPrefix().'.'.$column['name'].' '.$column_direction);
             }
 
             // check for custom order logic in the column definition
@@ -126,7 +126,7 @@ public function search()
             }
         });
         if (! $hasOrderByPrimaryKey) {
-            $this->crud->query->orderByDesc($this->crud->model->getKeyName());
+            $this->crud->query->orderByRaw($this->crud->model->getTableWithPrefix().'.'.$this->crud->model->getKeyName().' DESC');
         }
 
         $entries = $this->crud->getEntries();

src/app/Http/Controllers/Operations/ListOperation.php

@@ -15,6 +15,6 @@ public function redirectPath()
             return $this->redirectTo();
         }
 
-        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/home';
+        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/dashboard';
     }
 }

src/app/Library/Auth/RedirectsUsers.php

@@ -2,13 +2,15 @@
 
 namespace Backpack\CRUD\app\Library\CrudPanel;
 
+use Closure;
 use Illuminate\Support\Str;
 use Symfony\Component\HttpFoundation\ParameterBag;
 
 class CrudFilter
 {
     public $name; // the name of the filtered variable (db column name)
     public $type = 'select2'; // the name of the filter view that will be loaded
+    public $key; //camelCased version of filter name to use in internal ids, js functions and css classes.
     public $label;
     public $placeholder;
     public $values;
@@ -22,9 +24,6 @@ class CrudFilter
 
     public function __construct($options, $values, $logic, $fallbackLogic)
     {
-        //make sure we use the camel cased version of name.
-        $options['name'] = Str::camel($options['name']);
-
         // if filter exists
         if ($this->crud()->hasFilterWhere('name', $options['name'])) {
             $properties = get_object_vars($this->crud()->firstFilterWhere('name', $options['name']));
@@ -34,6 +33,7 @@ public function __construct($options, $values, $logic, $fallbackLogic)
         } else {
             // it means we're creating the filter now,
             $this->name = $options['name'];
+            $this->key = Str::camel($options['name']);
             $this->type = $options['type'] ?? $this->type;
             $this->label = $options['label'] ?? $this->crud()->makeLabel($this->name);
             $this->viewNamespace = $options['view_namespace'] ?? $this->viewNamespace;
@@ -106,6 +106,11 @@ public function apply($input = null)
         $input = $input ?? new ParameterBag($this->crud()->getRequest()->all());
 
         if (! $input->has($this->name)) {
+            // if fallback logic was supplied and is a closure
+            if (is_callable($this->fallbackLogic)) {
+                return ($this->fallbackLogic)();
+            }
+
             return;
         }
 
@@ -115,11 +120,6 @@ public function apply($input = null)
         } else {
             return $this->applyDefaultLogic($this->name, false);
         }
-
-        // if fallback logic was supplied and is a closure
-        if (is_callable($this->fallbackLogic)) {
-            return ($this->fallbackLogic)();
-        }
     }
 
     /**

src/app/Library/CrudPanel/CrudFilter.php

@@ -177,7 +177,7 @@ protected function overwriteFieldNameFromEntity($field)
         }
 
         // only 1-1 relationships are supported, if it's anything else, abort
-        if ($field['relation_type'] != 'BelongsTo') {
+        if ($field['relation_type'] != 'HasOne') {
             return $field;
         }