joomla
diff --git a/‎administrator/components/com_actionlogs/src/Helper/ActionlogsHelper.php‎
Lines changed: 3 additions & 2 deletions b/‎administrator/components/com_actionlogs/src/Helper/ActionlogsHelper.php‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎administrator/components/com_admin/script.php‎
Lines changed: 20 additions & 2 deletions b/‎administrator/components/com_admin/script.php‎
Lines changed: 20 additions & 2 deletions
diff --git a/‎administrator/components/com_admin/src/Controller/DisplayController.php‎
Lines changed: 23 additions & 0 deletions b/‎administrator/components/com_admin/src/Controller/DisplayController.php‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎administrator/components/com_admin/src/View/Sysinfo/HtmlView.php‎
Lines changed: 3 additions & 2 deletions b/‎administrator/components/com_admin/src/View/Sysinfo/HtmlView.php‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎administrator/components/com_banners/forms/banner.xml‎
Lines changed: 1 addition & 1 deletion b/‎administrator/components/com_banners/forms/banner.xml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎administrator/components/com_banners/src/Controller/TracksController.php‎
Lines changed: 3 additions & 0 deletions b/‎administrator/components/com_banners/src/Controller/TracksController.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎administrator/components/com_banners/src/Model/BannerModel.php‎
Lines changed: 6 additions & 27 deletions b/‎administrator/components/com_banners/src/Model/BannerModel.php‎
Lines changed: 6 additions & 27 deletions
diff --git a/‎administrator/components/com_banners/tmpl/download/default.php‎
Lines changed: 2 additions & 1 deletion b/‎administrator/components/com_banners/tmpl/download/default.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎administrator/components/com_categories/forms/category.xml‎
Lines changed: 2 additions & 2 deletions b/‎administrator/components/com_categories/forms/category.xml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎administrator/components/com_categories/src/Model/CategoryModel.php‎
Lines changed: 6 additions & 9 deletions b/‎administrator/components/com_categories/src/Model/CategoryModel.php‎
Lines changed: 6 additions & 9 deletions
@@ -237,12 +237,13 @@ public static function getHumanReadableLogMessage($log, $generateLinks = true)
 	 * @param   string   $contentType
 	 * @param   integer  $id
 	 * @param   string   $urlVar
+	 * @param   JObject  $object
 	 *
 	 * @return  string  Link to the content item
 	 *
 	 * @since   3.9.0
 	 */
-	public static function getContentTypeLink($component, $contentType, $id, $urlVar = 'id')
+	public static function getContentTypeLink($component, $contentType, $id, $urlVar = 'id', $object = null)
 	{
 		// Try to find the component helper.
 		$eName = str_replace('com_', '', $component);
@@ -257,7 +258,7 @@ public static function getContentTypeLink($component, $contentType, $id, $urlVar
 
 			if (class_exists($cName) && is_callable(array($cName, 'getContentTypeLink')))
 			{
-				return $cName::getContentTypeLink($contentType, $id);
+				return $cName::getContentTypeLink($contentType, $id, $object);
 			}
 		}
 
 
@@ -1460,7 +1460,6 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/administrator/components/com_media/controllers/file.json.php',
 			'/administrator/components/com_media/controllers/file.php',
 			'/administrator/components/com_media/controllers/folder.php',
-			'/administrator/components/com_media/helpers/media.php',
 			'/administrator/components/com_media/layouts/toolbar/deletemedia.php',
 			'/administrator/components/com_media/layouts/toolbar/newfolder.php',
 			'/administrator/components/com_media/layouts/toolbar/uploadmedia.php',
@@ -3874,9 +3873,11 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/libraries/vendor/leafo/lessphp/lessify',
 			'/libraries/vendor/leafo/lessphp/lessify.inc.php',
 			'/libraries/vendor/leafo/lessphp/plessc',
+			'/libraries/vendor/paragonie/random_compat/LICENSE',
 			'/libraries/vendor/paragonie/random_compat/lib/byte_safe_strings.php',
 			'/libraries/vendor/paragonie/random_compat/lib/cast_to_int.php',
 			'/libraries/vendor/paragonie/random_compat/lib/error_polyfill.php',
+			'/libraries/vendor/paragonie/random_compat/lib/random.php',
 			'/libraries/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php',
 			'/libraries/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php',
 			'/libraries/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php',
@@ -5423,6 +5424,8 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/libraries/vendor/ozdemirburak/iris/src/Traits/HsTrait.php',
 			'/libraries/vendor/ozdemirburak/iris/src/Traits/HslTrait.php',
 			'/libraries/vendor/ozdemirburak/iris/src/Traits/RgbTrait.php',
+			'/libraries/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey',
+			'/libraries/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc',
 			'/libraries/vendor/psr/http-factory/.pullapprove.yml',
 			'/libraries/vendor/spomky-labs/cbor-php/.php_cs.dist',
 			'/libraries/vendor/spomky-labs/cbor-php/CODE_OF_CONDUCT.md',
@@ -5843,6 +5846,19 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/templates/cassiopeia/scss/tools/mixins/_margin.scss',
 			'/templates/cassiopeia/scss/tools/mixins/_visually-hidden.scss',
 			'/templates/system/js/error-locales.js',
+			// 4.0 from RC 1 to RC 2
+			'/administrator/components/com_fields/tmpl/field/modal.php',
+			'/administrator/templates/atum/scss/pages/_com_admin.scss',
+			'/administrator/templates/atum/scss/pages/_com_finder.scss',
+			'/administrator/templates/atum/scss/pages/_com_joomlaupdate.scss',
+			'/libraries/src/Error/JsonApi/InstallLanguageExceptionHandler.php',
+			'/libraries/src/MVC/Controller/Exception/InstallLanguage.php',
+			'/media/com_fields/js/admin-field-edit-modal-es5.js',
+			'/media/com_fields/js/admin-field-edit-modal-es5.min.js',
+			'/media/com_fields/js/admin-field-edit-modal-es5.min.js.gz',
+			'/media/com_fields/js/admin-field-edit-modal.js',
+			'/media/com_fields/js/admin-field-edit-modal.min.js',
+			'/media/com_fields/js/admin-field-edit-modal.min.js.gz',
 		);
 
 		$folders = array(
@@ -6167,6 +6183,7 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/libraries/vendor/simplepie/simplepie',
 			'/libraries/vendor/simplepie',
 			'/libraries/vendor/phpmailer/phpmailer/extras',
+			'/libraries/vendor/paragonie/random_compat/lib',
 			'/libraries/vendor/leafo/lessphp',
 			'/libraries/vendor/leafo',
 			'/libraries/vendor/joomla/session/Joomla/Session/Storage',
@@ -6797,7 +6814,6 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/administrator/components/com_media/views/images',
 			'/administrator/components/com_media/views',
 			'/administrator/components/com_media/models',
-			'/administrator/components/com_media/helpers',
 			'/administrator/components/com_media/controllers',
 			'/administrator/components/com_login/views/login/tmpl',
 			'/administrator/components/com_login/views/login',
@@ -7051,6 +7067,8 @@ public function deleteUnexistingFiles($dryRun = false, $suppressOutput = false)
 			'/media/vendor/punycode/js',
 			'/media/templates/atum/js',
 			'/media/templates/atum',
+			'/libraries/vendor/paragonie/random_compat/dist',
+			'/libraries/vendor/paragonie/random_compat',
 			'/libraries/vendor/ozdemirburak/iris/src/Traits',
 			'/libraries/vendor/ozdemirburak/iris/src/Helpers',
 			'/libraries/vendor/ozdemirburak/iris/src/Exceptions',
 
@@ -20,5 +20,28 @@
  */
 class DisplayController extends BaseController
 {
+	/**
+	 * View method
+	 *
+	 * @param   boolean  $cachable   If true, the view output will be cached
+	 * @param   array    $urlparams  An array of safe URL parameters and their variable types, for valid values see {@link \JFilterInput::clean()}.
+	 *
+	 * @return  static  Supports chaining.
+	 *
+	 * @since   3.9
+	 */
+	public function display($cachable = false, $urlparams = array())
+	{
+		$viewName = $this->input->get('view', $this->default_view);
+		$format   = $this->input->get('format', 'html');
 
+		// Check CSRF token for sysinfo export views
+		if ($viewName === 'sysinfo' && ($format === 'text' || $format === 'json'))
+		{
+			// Check for request forgeries.
+			$this->checkToken('GET');
+		}
+
+		return parent::display($cachable, $urlparams);
+	}
 }
@@ -17,6 +17,7 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\MVC\View\HtmlView as BaseHtmlView;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
 use Joomla\CMS\Toolbar\ToolbarHelper;
 use Joomla\Component\Admin\Administrator\Model\SysinfoModel;
 
@@ -110,12 +111,12 @@ protected function addToolbar(): void
 	{
 		ToolbarHelper::title(Text::_('COM_ADMIN_SYSTEM_INFORMATION'), 'info-circle systeminfo');
 		ToolbarHelper::link(
-			Route::_('index.php?option=com_admin&view=sysinfo&format=text'),
+			Route::_('index.php?option=com_admin&view=sysinfo&format=text&' . Session::getFormToken() . '=1'),
 			'COM_ADMIN_DOWNLOAD_SYSTEM_INFORMATION_TEXT',
 			'download'
 		);
 		ToolbarHelper::link(
-			Route::_('index.php?option=com_admin&view=sysinfo&format=json'),
+			Route::_('index.php?option=com_admin&view=sysinfo&format=json&' . Session::getFormToken() . '=1'),
 			'COM_ADMIN_DOWNLOAD_SYSTEM_INFORMATION_JSON',
 			'download'
 		);
 
@@ -4,7 +4,7 @@
 
 		<field
 			name="id"
-			type="number"
+			type="text"
 			label="JGLOBAL_FIELD_ID_LABEL"
 			default="0"
 			readonly="true"
 
@@ -109,6 +109,9 @@ public function display($cachable = false, $urlparams = array())
 		// Get and render the view.
 		if ($view = $this->getView($vName, 'raw'))
 		{
+			// Check for request forgeries.
+			$this->checkToken('GET');
+
 			// Get the model for the view.
 			/** @var \Joomla\Component\Banners\Administrator\Model\TracksModel $model */
 			$model = $this->getModel($vName);
 
@@ -210,6 +210,12 @@ public function getForm($data = array(), $loadData = true)
 			$form->setFieldAttribute('sticky', 'filter', 'unset');
 		}
 
+		// Don't allow to change the created_by user if not allowed to access com_users.
+		if (!Factory::getUser()->authorise('core.manage', 'com_users'))
+		{
+			$form->setFieldAttribute('created_by', 'filter', 'unset');
+		}
+
 		return $form;
 	}
 
@@ -460,31 +466,4 @@ private function canCreateCategory()
 	{
 		return Factory::getUser()->authorise('core.create', 'com_banners');
 	}
-
-	/**
-	 * Method to validate the form data.
-	 *
-	 * @param   Form    $form   The form to validate against.
-	 * @param   array   $data   The data to validate.
-	 * @param   string  $group  The name of the field group to validate.
-	 *
-	 * @return  array|boolean  Array of filtered data if valid, false otherwise.
-	 *
-	 * @see     JFormRule
-	 * @see     JFilterInput
-	 * @since   3.9.25
-	 */
-	public function validate($form, $data, $group = null)
-	{
-		// Don't allow to change the users if not allowed to access com_users.
-		if (!Factory::getUser()->authorise('core.manage', 'com_users'))
-		{
-			if (isset($data['created_by']))
-			{
-				unset($data['created_by']);
-			}
-		}
-
-		return parent::validate($form, $data, $group);
-	}
 }
@@ -11,6 +11,7 @@
 
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Router\Route;
+use \Joomla\CMS\Session\Session;
 
 /** @var \Joomla\Component\Banners\Administrator\View\Download\HtmlView $this */
 
@@ -22,7 +23,7 @@
 		class="form-horizontal form-validate"
 		id="download-form"
 		name="adminForm"
-		action="<?php echo Route::_('index.php?option=com_banners&task=tracks.display&format=raw'); ?>"
+		action="<?php echo Route::_('index.php?option=com_banners&task=tracks.display&format=raw&' . Session::getFormToken() . '=1'); ?>"
 		method="post">
 
 		<?php foreach ($this->form->getFieldset() as $field) : ?>
 
@@ -3,7 +3,7 @@
 
 	<field
 		name="id"
-		type="number"
+		type="text"
 		label="JGLOBAL_FIELD_ID_LABEL"
 		default="0"
 		class="readonly"
@@ -12,7 +12,7 @@
 
 	<field
 		name="hits"
-		type="number"
+		type="text"
 		label="JGLOBAL_HITS"
 		default="0"
 		class="readonly"
 
@@ -289,6 +289,12 @@ public function getForm($data = array(), $loadData = true)
 			$form->setFieldAttribute('published', 'filter', 'unset');
 		}
 
+		// Don't allow to change the created_user_id user if not allowed to access com_users.
+		if (!Factory::getUser()->authorise('core.manage', 'com_users'))
+		{
+			$form->setFieldAttribute('created_user_id', 'filter', 'unset');
+		}
+
 		return $form;
 	}
 
@@ -368,15 +374,6 @@ protected function loadFormData()
 	 */
 	public function validate($form, $data, $group = null)
 	{
-		// Don't allow to change the users if not allowed to access com_users.
-		if (!Factory::getUser()->authorise('core.manage', 'com_users'))
-		{
-			if (isset($data['created_user_id']))
-			{
-				unset($data['created_user_id']);
-			}
-		}
-
 		if (!Factory::getUser()->authorise('core.admin', $data['extension']))
 		{
 			if (isset($data['rules']))
Original file line number	Diff line number	Diff line change
`@@ -237,12 +237,13 @@ public static function getHumanReadableLogMessage($log, $generateLinks = true)`
`237`	`237`	`* @param string $contentType`
`238`	`238`	`* @param integer $id`
`239`	`239`	`* @param string $urlVar`
	`240`	`+ * @param JObject $object`
`240`	`241`	`*`
`241`	`242`	`* @return string Link to the content item`
`242`	`243`	`*`
`243`	`244`	`* @since 3.9.0`
`244`	`245`	`*/`
`245`		`- public static function getContentTypeLink($component, $contentType, $id, $urlVar = 'id')`
	`246`	`+ public static function getContentTypeLink($component, $contentType, $id, $urlVar = 'id', $object = null)`
`246`	`247`	`{`
`247`	`248`	`// Try to find the component helper.`
`248`	`249`	`$eName = str_replace('com_', '', $component);`
`@@ -257,7 +258,7 @@ public static function getContentTypeLink($component, $contentType, $id, $urlVar`
`257`	`258`
`258`	`259`	`if (class_exists($cName) && is_callable(array($cName, 'getContentTypeLink')))`
`259`	`260`	`{`
`260`		`- return $cName::getContentTypeLink($contentType, $id);`
	`261`	`+ return $cName::getContentTypeLink($contentType, $id, $object);`
`261`	`262`	`}`
`262`	`263`	`}`
`263`	`264`