Merge branch '5.2' into edit-entity-twice-5.x

Author: escopecz

.github/workflows/transifex.yml

@@ -1,35 +1,39 @@
 name: Push translations to Transifex
 
 on:
-  pull_request:
-    types: [closed]
+  push:
+    branches:
+      - '[0-9].*'
     paths:
       - '**/Translations/en_US/*.ini'
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 jobs:
   push-to-transifex:
+    # Run only in the 'mautic/mautic' repository and on the default branch (or manually triggered via UI)
+    if: github.repository == 'mautic/mautic' && (github.ref_name == github.event.repository.default_branch || github.event_name == 'workflow_dispatch')
     name: Push translations to Transifex
     runs-on: ubuntu-latest
-    if: github.event.pull_request.merged == true
 
     steps:
-    - uses: actions/checkout@v4
+    - name: Checkout
+      uses: actions/checkout@v4
 
-    - name: Setup PHP, with composer and extensions
+    - name: Setup PHP with extensions
       uses: shivammathur/setup-php@v2
       with:
         php-version: 8.3
         extensions: mbstring, xml, ctype, iconv, intl, pdo_sqlite, mysql, pdo_mysql
 
-    - name: Install dependencies
+    - name: Install Composer dependencies
       uses: "ramsey/composer-install@v3"
 
     - name: Push translations to Transifex
       env:
-        MAUTIC_CONFIG_PARAMETERS: '{"transifex_api_token": "${{ secrets.TRANSIFEX_API_TOKEN }}" }'  
+        MAUTIC_CONFIG_PARAMETERS: '{"transifex_api_token": "${{ secrets.TRANSIFEX_API_TOKEN }}"}'
       run: |
         echo "MAUTIC_CONFIG_PARAMETERS=${MAUTIC_CONFIG_PARAMETERS}" >> $GITHUB_ENV
         php bin/console mautic:transifex:push

.htaccess

@@ -99,6 +99,11 @@
 
 # Apache 2.4+
 <IfModule authz_core_module>
+    # Deny access via HTTP requests to all .env files.
+    <FilesMatch "^\.env.*$">
+        Require all denied
+    </FilesMatch>
+
     # Deny access via HTTP requests to all PHP files.
     <FilesMatch "\.php$">
         Require all denied
@@ -117,6 +122,12 @@
 
 # Fallback for Apache < 2.4
 <IfModule !authz_core_module>
+    # Deny access via HTTP requests to all .env files.
+    <FilesMatch "^\.env.*$">
+        Order deny,allow
+        Deny from all
+    </FilesMatch>
+
     # Deny access via HTTP requests to all PHP files.
     <FilesMatch "\.php$">
         Order deny,allow

app/assets/scaffold/files/htaccess

@@ -99,6 +99,11 @@
 
 # Apache 2.4+
 <IfModule authz_core_module>
+    # Deny access via HTTP requests to all .env files.
+    <FilesMatch "^\.env.*$">
+        Require all denied
+    </FilesMatch>
+
     # Deny access via HTTP requests to all PHP files.
     <FilesMatch "\.php$">
         Require all denied
@@ -117,6 +122,12 @@
 
 # Fallback for Apache < 2.4
 <IfModule !authz_core_module>
+    # Deny access via HTTP requests to all .env files.
+    <FilesMatch "^\.env.*$">
+        Order deny,allow
+        Deny from all
+    </FilesMatch>
+
     # Deny access via HTTP requests to all PHP files.
     <FilesMatch "\.php$">
         Order deny,allow

app/bundles/AssetBundle/Entity/DownloadRepository.php

@@ -56,11 +56,13 @@ public function getLeadDownloads($leadId = null, array $options = [])
             ->leftJoin('d', MAUTIC_TABLE_PREFIX.'assets', 'a', 'd.asset_id = a.id');
 
         if ($leadId) {
-            $query->where('d.lead_id = '.(int) $leadId);
+            $query->where('d.lead_id = :leadId')
+                ->setParameter('leadId', $leadId);
         }
 
         if (isset($options['search']) && $options['search']) {
-            $query->andWhere($query->expr()->like('a.title', $query->expr()->literal('%'.$options['search'].'%')));
+            $query->andWhere('a.title LIKE :search')
+                  ->setParameter('search', '%'.$options['search'].'%');
         }
 
         return $this->getTimelineResults($query, $options, 'a.title', 'd.date_download', [], ['date_download'], null, 'd.id');

app/bundles/CampaignBundle/Entity/LeadEventLogRepository.php

@@ -95,7 +95,8 @@ public function getLeadLogs($leadId = null, array $options = [])
                         ->setParameter('eventType', 'decision');
 
         if ($leadId) {
-            $query->where('ll.lead_id = '.(int) $leadId);
+            $query->where('ll.lead_id = :leadId')
+                ->setParameter('leadId', $leadId);
         }
 
         if (isset($options['scheduledState'])) {
@@ -121,12 +122,12 @@ public function getLeadLogs($leadId = null, array $options = [])
         if (isset($options['search']) && $options['search']) {
             $query->andWhere(
                 $query->expr()->or(
-                    $query->expr()->like('e.name', $query->expr()->literal('%'.$options['search'].'%')),
-                    $query->expr()->like('e.description', $query->expr()->literal('%'.$options['search'].'%')),
-                    $query->expr()->like('c.name', $query->expr()->literal('%'.$options['search'].'%')),
-                    $query->expr()->like('c.description', $query->expr()->literal('%'.$options['search'].'%'))
+                    $query->expr()->like('e.name', ':search'),
+                    $query->expr()->like('e.description', ':search'),
+                    $query->expr()->like('c.name', ':search'),
+                    $query->expr()->like('c.description', ':search')
                 )
-            );
+            )->setParameter('search', '%'.$options['search'].'%');
         }
 
         return $this->getTimelineResults($query, $options, 'e.name', 'll.date_triggered', ['metadata'], ['dateTriggered', 'triggerDate'], null, 'll.id');
@@ -363,30 +364,27 @@ public function getChartQuery($options): array
             ->join('ll', MAUTIC_TABLE_PREFIX.'campaign_events', 'e', 'e.id = ll.event_id');
 
         if (isset($options['channel'])) {
-            $query->andwhere("e.channel = '".$options['channel']."'");
+            $query->andWhere('e.channel = '.$query->expr()->literal($options['channel']));
         }
 
         if (isset($options['channelId'])) {
-            $query->andwhere('e.channel_id = '.(int) $options['channelId']);
+            $query->andWhere('e.channel_id = '.(int) $options['channelId']);
         }
 
         if (isset($options['type'])) {
-            $query->andwhere("e.type = '".$options['type']."'");
+            $query->andWhere('e.type = '.$query->expr()->literal($options['type']));
         }
 
         if (isset($options['logChannel'])) {
-            $query->andwhere("ll.channel = '".$options['logChannel']."'");
+            $query->andWhere('ll.channel = '.$query->expr()->literal($options['logChannel']));
         }
 
         if (isset($options['logChannelId'])) {
-            $query->andwhere('ll.channel_id = '.(int) $options['logChannelId']);
+            $query->andWhere('ll.channel_id = '.(int) $options['logChannelId']);
         }
 
-        if (!isset($options['is_scheduled'])) {
-            $query->andWhere($query->expr()->eq('ll.is_scheduled', 0));
-        } else {
-            $query->andWhere($query->expr()->eq('ll.is_scheduled', 1));
-        }
+        $isScheduled = isset($options['is_scheduled']) ? 1 : 0;
+        $query->andWhere('ll.is_scheduled = '.$isScheduled);
 
         return $chartQuery->fetchTimeData('('.$query.')', 'date_triggered');
     }

app/bundles/CampaignBundle/Tests/Functional/Campaign/CampaignDecisionTest.php

@@ -15,17 +15,17 @@
 use Mautic\LeadBundle\Entity\CompanyLead;
 use Mautic\LeadBundle\Entity\CompanyRepository;
 use Mautic\LeadBundle\Entity\Lead;
-use Mautic\LeadBundle\Entity\LeadField;
 use Mautic\LeadBundle\Entity\LeadList;
 use Mautic\LeadBundle\Entity\LeadRepository;
 use Mautic\LeadBundle\Entity\ListLead;
 use Mautic\LeadBundle\Model\CompanyModel;
-use Mautic\LeadBundle\Model\FieldModel;
 use Mautic\LeadBundle\Model\LeadModel;
+use Mautic\LeadBundle\Tests\Traits\LeadFieldTestTrait;
 use PHPUnit\Framework\Assert;
 
 class CampaignDecisionTest extends MauticMysqlTestCase
 {
+    use LeadFieldTestTrait;
     protected $useCleanupRollback = false;
 
     /**
@@ -58,7 +58,7 @@ public function testCampaignContactFieldValueDecision(
                 ],
             ],
         ];
-        $this->makeField($fieldDetails);
+        $this->createField($fieldDetails);
 
         $segment  = $this->createSegment('seg1', []);
         $lead1    = $this->createLeadData($segment, $object, $fieldDetails, $additionalValue, 1);
@@ -164,24 +164,6 @@ private function getLeadIds(array $campaignEventLogs): array
         return $leadIds;
     }
 
-    /**
-     * @param array<mixed> $fieldDetails
-     */
-    private function makeField(array $fieldDetails): void
-    {
-        $field = new LeadField();
-        $field->setLabel($fieldDetails['alias']);
-        $field->setType($fieldDetails['type']);
-        $field->setObject($fieldDetails['object'] ?? 'lead');
-        $field->setGroup($fieldDetails['group'] ?? 'core');
-        $field->setAlias($fieldDetails['alias']);
-        $field->setProperties($fieldDetails['properties']);
-
-        $fieldModel = self::$container->get('mautic.lead.model.field');
-        \assert($fieldModel instanceof FieldModel);
-        $fieldModel->saveEntity($field);
-    }
-
     /**
      * @param array<mixed> $filters
      *

app/bundles/CategoryBundle/Controller/CategoryController.php

@@ -219,7 +219,6 @@ public function newAction(Request $request, $bundle)
         $cancelled  = $valid  = false;
         $method     = $request->getMethod();
         $inForm     = $this->getInFormValue($request, $method);
-        $showSelect = $request->get('show_bundle_select', false);
 
         // not found
         if (!$this->security->isGranted($model->getPermissionBase($bundle).':create')) {
@@ -230,7 +229,7 @@ public function newAction(Request $request, $bundle)
             'objectAction' => 'new',
             'bundle'       => $bundle,
         ]);
-        $form = $model->createForm($entity, $this->formFactory, $action, ['bundle' => $bundle, 'show_bundle_select' => $showSelect]);
+        $form = $model->createForm($entity, $this->formFactory, $action, ['bundle' => $bundle, 'show_bundle_select' => 'category' === $bundle]);
         $form['inForm']->setData($inForm);
         // /Check for a submitted form and process it
         if (Request::METHOD_POST === $method) {

app/bundles/CategoryBundle/Tests/Controller/CategoryControllerFunctionalTest.php

@@ -78,7 +78,7 @@ public function testNewActionWithInForm(): void
         $crawler->addHtmlContent($html);
         $saveButton = $crawler->selectButton('category_form[buttons][save]');
         $form       = $saveButton->form();
-        $form['category_form[bundle]']->setValue('category');
+        $form['category_form[bundle]']->setValue('global');
         $form['category_form[title]']->setValue('Test');
         $form['category_form[isPublished]']->setValue('1');
         $form['category_form[inForm]']->setValue('1');
@@ -110,4 +110,24 @@ public function testEditLockCategory(): void
         $this->client->request(Request::METHOD_GET, 's/categories/category/edit/'.$category->getId());
         $this->assertStringContainsString('is currently checked out by', $this->client->getResponse()->getContent());
     }
+
+    public function testTypeFieldPersistsAfterValidationFailure(): void
+    {
+        $crawler                = $this->client->request(Request::METHOD_GET, 's/categories/category/new');
+        $clientResponse         = json_decode($this->client->getResponse()->getContent(), true);
+        $html                   = $clientResponse['newContent'];
+        $crawler->addHtmlContent($html);
+        $saveButton = $crawler->selectButton('category_form[buttons][save]');
+        $form       = $saveButton->form();
+        $form['category_form[bundle]']->setValue('global');
+        $form['category_form[title]']->setValue('');
+        $form['category_form[isPublished]']->setValue('1');
+        $form['category_form[inForm]']->setValue('1');
+
+        $this->client->submit($form);
+        Assert::assertTrue($this->client->getResponse()->isOk());
+        $clientResponse = $this->client->getResponse();
+        $body           = json_decode($clientResponse->getContent(), true);
+        $this->assertNotEmpty($crawler->filter('select#category_form_bundle')->count(), 'The "Type" (bundle) field should remain visible after validation failure.');
+    }
 }

app/bundles/ChannelBundle/Entity/MessageQueueRepository.php

@@ -102,13 +102,14 @@ public function getLeadTimelineEvents($leadId = null, array $options = [])
             mq.scheduled_date as scheduledDate, mq.last_attempt as lastAttempt, mq.date_sent as dateSent');
 
         if ($leadId) {
-            $query->where('mq.lead_id = '.(int) $leadId);
+            $query->where('mq.lead_id = :leadId')
+                ->setParameter('leadId', $leadId);
         }
 
         if (isset($options['search']) && $options['search']) {
-            $query->andWhere($query->expr()->or(
-                $query->expr()->like('mq.channel', $query->expr()->literal('%'.$options['search'].'%'))
-            ));
+            $query->andWhere(
+                $query->expr()->like('mq.channel', ':search')
+            )->setParameter('search', '%'.$options['search'].'%');
         }
 
         return $this->getTimelineResults($query, $options, 'mq.channel', 'mq.date_published', [], ['dateAdded'], null, 'mq.id');

app/bundles/CoreBundle/Controller/AbstractFormController.php

@@ -6,6 +6,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Form\FormError;
 use Symfony\Component\Form\FormInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 
 abstract class AbstractFormController extends CommonController
@@ -25,15 +26,25 @@ public function unlockAction(Request $request, $objectId, $objectModel)
             if (null !== $entity && null !== $entity->getCheckedOutBy()) {
                 $model->unlockEntity($entity);
             }
-            $returnUrl = urldecode($request->get('returnUrl'));
-            if (empty($returnUrl)) {
+
+            $currentUrl = $request->getUri();
+            $returnUrl  = urldecode($request->get('returnUrl'));
+
+            if (!filter_var($returnUrl, FILTER_VALIDATE_URL)) {
                 $returnUrl = $this->generateUrl('mautic_dashboard_index');
+            } else {
+                $currentHost = parse_url($currentUrl, PHP_URL_HOST);
+                $returnHost  = parse_url($returnUrl, PHP_URL_HOST);
+
+                if ($currentHost !== $returnHost) {
+                    $returnUrl = $this->generateUrl('mautic_dashboard_index');
+                }
             }
 
             $this->addFlashMessage(
                 'mautic.core.action.entity.unlocked',
                 [
-                    '%name%' => urldecode($request->get('name')),
+                    '%name%' => htmlspecialchars(urldecode($request->get('name')), ENT_QUOTES, 'UTF-8'),
                 ]
             );
 
@@ -51,7 +62,7 @@ public function unlockAction(Request $request, $objectId, $objectModel)
      * @param string $model
      * @param bool   $batch          Flag if a batch action is being performed
      *
-     * @return \Symfony\Component\HttpFoundation\JsonResponse|\Symfony\Component\HttpFoundation\RedirectResponse|array
+     * @return \Symfony\Component\HttpFoundation\JsonResponse|RedirectResponse|array
      */
     protected function isLocked($postActionVars, $entity, $model, $batch = false)
     {