Merge branch 'master' into filters-with-untouched-name

Author: tabacitu

SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Supported Versions
+
+Updates are provided according to table below.
+
+| Version | Security Updates   |  Feature Updates   |  Bug Fixes         |
+| ------- | ------------------ | ------------------ | ------------------ |
+| 4.1.x   | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| 4.0.x   | :white_check_mark: | :x:                | :x:                |
+| 3.6.x   | :white_check_mark: | :x:                | :x:                |
+| 3.5.x   | :x:                | :x:                | :x:                |
+| 3.4.x   | :x:                | :x:                | :x:                |
+| < 4.0   | :x:                | :x:                | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover any security related issues, please email [email protected] instead of using the issue tracker.
+
+## Past Vulnerabilities
+
+Since its inception in 2016, Backpack has had zero security breaches or reported security issues. However, its dependencies _have_ had security flaws discovered and fixed - even major ones like Laravel, Bootstrap and jQuery. That's why it's a good idea for any project to be reasonably up-to-date. If we consider a security issue is something that affects our users, we'll email you. 
+
+It's _heavily_ recommended that you **[subscribe to the Backpack Newsletter](http://backpackforlaravel.com/newsletter)** so you can find out about any security updates, breaking changes or major features. We send an email about 1-2 emails per year. Sometimes less.

package-lock.json

@@ -10,34 +10,34 @@
         "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
     },
     "devDependencies": {
-        "cross-env": "^7.0.0",
+        "cross-env": "^7.0.2",
         "css-loader": "^3.6.0",
-        "laravel-mix": "^5.0.0",
-        "lodash": "^4.17.13",
+        "laravel-mix": "^5.0.4",
+        "lodash": "^4.17.20",
         "pace": "0.0.4",
         "resolve-url-loader": "^3.1.1",
-        "sass": "^1.26.9",
-        "sass-loader": "^8.0.2",
+        "sass": "^1.26.10",
+        "sass-loader": "^9.0.3",
         "vue-template-compiler": "^2.6.11"
     },
     "dependencies": {
         "@coreui/coreui": "^2.1.16",
         "@digitallyhappy/backstrap": "^0.3.2",
         "animate.css": "^3.7.2",
-        "bootstrap": "^4.4.1",
+        "bootstrap": "^4.5.2",
         "bootstrap-colorpicker": "^3.2.0",
         "bootstrap-datepicker": "^1.9.0",
         "bootstrap-daterangepicker": "^3.1.0",
         "bootstrap-iconpicker": "^1.8.2",
         "ckeditor": "^4.12.1",
         "cropperjs": "^1.5.7",
-        "datatables.net": "^1.10.20",
-        "datatables.net-bs4": "^1.10.20",
-        "datatables.net-fixedheader": "^3.1.6",
-        "datatables.net-fixedheader-bs4": "^3.1.6",
+        "datatables.net": "^1.10.21",
+        "datatables.net-bs4": "^1.10.21",
+        "datatables.net-fixedheader": "^3.1.7",
+        "datatables.net-fixedheader-bs4": "^3.1.7",
         "datatables.net-responsive": "^2.2.5",
         "datatables.net-responsive-bs4": "^2.2.5",
-        "easymde": "^2.10.1",
+        "easymde": "^2.11.0",
         "jquery": "^3.5.1",
         "jquery-colorbox": "^1.6.4",
         "jquery-cropper": "^1.0.1",
@@ -48,17 +48,17 @@
         "nonblockjs": "^1.0.8",
         "noty": "^3.2.0-beta",
         "pace-js": "^1.0.2",
-        "pc-bootstrap4-datetimepicker": "^4.17.50",
+        "pc-bootstrap4-datetimepicker": "^4.17.51",
         "perfect-scrollbar": "^1.5.0",
         "places.js": "^1.19.0",
         "popper.js": "^1.16.1",
         "select2": "^4.0.13",
         "select2-bootstrap-theme": "0.1.0-beta.10",
-        "simple-line-icons": "^2.4.1",
+        "simple-line-icons": "^2.5.5",
         "simplemde": "^1.11.2",
         "source-sans-pro": "^3.6",
         "summernote": "^0.8.18",
         "sweetalert": "^2.1.2",
-        "tinymce": "^5.4.0"
+        "tinymce": "^5.4.2"
     }
 }

package.json

@@ -46,6 +46,6 @@ private function checkLicenseCodeExists()
      */
     private function validCode($j)
     {
-        $k = str_replace('-', '', $j); $s = substr($k, 0, 8); $c = substr($k, 8, 2); $a = substr($k, 10, 2); $l = substr($k, 12, 2); $p = substr($k, 14, 2); $n = substr($k, 16, 2); $m = substr($k, 18, 2); $z = substr($k, 20, 24); $w = 'ADEFHKLMVWXYZ146'; $x = $s; for ($i = 0; $i < strlen($w); $i++) { $r = $w[$i]; $x = str_replace($r, '-', $x); } $x = str_replace('-', '', $x); if ($x != '') { return false; } if (substr_count($j, '-') != 5) { return false; } $e = substr(crc32(substr($k, 0, 20)), -4); if ($z !== $e) { return false; } $o = strrev(substr(preg_replace('/[0-9]+/', '', strtoupper(sha1($a.'sand('.$s.')'.$n.'tos()'))), 2, 2)); if ($m !== $o) { return false; } return true;
+        $k = str_replace('-', '', $j); $s = substr($k, 0, 8); $c = substr($k, 8, 2); $a = substr($k, 10, 2); $l = substr($k, 12, 2); $p = substr($k, 14, 2); $n = substr($k, 16, 2); $m = substr($k, 18, 2); $z = substr($k, 20, 24); $w = 'ADEFHKLMVWXYZ146'; $x = $s; for ($i = 0; $i < strlen($w); $i++) { $r = $w[$i]; $x = str_replace($r, '-', $x); } $x = str_replace('-', '', $x); if ($x != '') { return false; } if (substr_count($j, '-') != 5) { return false; } $e = substr(hexdec(hash('crc32b', substr($k, 0, 20))), -4); if ($z !== $e) { return false; } $o = strrev(substr(preg_replace('/[0-9]+/', '', strtoupper(sha1($a.'sand('.$s.')'.$n.'tos()'))), 2, 2)); if ($m !== $o) { return false; } $o2 = substr(((int)preg_replace('/[^0-9]/','', $s.$c)==0 ? 8310 : (int)preg_replace('/[^0-9]/','', $s.$c) )*9971, -2);if ($a !== $o2) {return false;} return true; 
     }
 }

src/LicenseCheck.php

@@ -100,7 +100,7 @@ public function search()
                 // clear any past orderBy rules
                 $this->crud->query->getQuery()->orders = null;
                 // apply the current orderBy rules
-                $this->crud->query->orderBy($column['name'], $column_direction);
+                $this->crud->query->orderByRaw($this->crud->model->getTableWithPrefix().'.'.$column['name'].' '.$column_direction);
             }
 
             // check for custom order logic in the column definition
@@ -126,7 +126,7 @@ public function search()
             }
         });
         if (! $hasOrderByPrimaryKey) {
-            $this->crud->query->orderByDesc($this->crud->model->getKeyName());
+            $this->crud->query->orderByRaw($this->crud->model->getTableWithPrefix().'.'.$this->crud->model->getKeyName().' DESC');
         }
 
         $entries = $this->crud->getEntries();

src/app/Http/Controllers/Operations/ListOperation.php

@@ -15,6 +15,6 @@ public function redirectPath()
             return $this->redirectTo();
         }
 
-        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/home';
+        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/dashboard';
     }
 }

src/app/Library/Auth/RedirectsUsers.php

@@ -2,6 +2,7 @@
 
 namespace Backpack\CRUD\app\Library\CrudPanel;
 
+use Closure;
 use Illuminate\Support\Str;
 use Symfony\Component\HttpFoundation\ParameterBag;
 

src/app/Library/CrudPanel/CrudFilter.php

@@ -177,7 +177,7 @@ protected function overwriteFieldNameFromEntity($field)
         }
 
         // only 1-1 relationships are supported, if it's anything else, abort
-        if ($field['relation_type'] != 'BelongsTo') {
+        if ($field['relation_type'] != 'HasOne') {
             return $field;
         }
 

src/app/Library/CrudPanel/Traits/FieldsProtectedMethods.php

@@ -24,18 +24,19 @@ public function getSaveActionDefaultForCurrentOperation()
      */
     public function getFallBackSaveAction()
     {
-        //we get the higher order in save actions array. It will return something only when explicit by developer
+        //we get the higher order in save actions array. By default it would be `save_and_back`
         $higherAction = $this->getSaveActionByOrder(1);
 
-        if (empty($higherAction)) {
-            if ($this->hasOperationSetting('defaultSaveAction')) {
-                return $this->getOperationSetting('defaultSaveAction');
-            }
+        //if there is an higher action and that action is not the backpack default higher one `save_and_back` we return it.
+        if (! empty($higherAction) && key($higherAction) !== 'save_and_back') {
+            return key($higherAction);
+        }
 
-            return $this->getSaveActionDefaultForCurrentOperation();
+        if ($this->hasOperationSetting('defaultSaveAction')) {
+            return $this->getOperationSetting('defaultSaveAction');
         }
 
-        return key($higherAction);
+        return $this->getSaveActionDefaultForCurrentOperation();
     }
 
     /**

src/app/Library/CrudPanel/Traits/SaveActions.php

@@ -4,7 +4,6 @@
 
 use DB;
 use Illuminate\Database\Eloquent\Model;
-use Illuminate\Support\Facades\Config;
 
 /*
 |--------------------------------------------------------------------------
@@ -39,7 +38,7 @@ public function getConnectionWithExtraTypeMappings()
      */
     public function getTableWithPrefix()
     {
-        $prefix = Config::get('database.connections.'.$this->getConnectionName().'.prefix');
+        $prefix = $this->getConnection()->getTablePrefix();
         $tableName = $this->getTable();
 
         return $prefix.$tableName;