[5.3] Upmerge changes from 5.2-dev 2025-01-10

Author: bembelimen

administrator/components/com_newsfeeds/tmpl/newsfeed/modalreturn.php

@@ -2,7 +2,7 @@
 
 /**
  * @package     Joomla.Administrator
- * @subpackage  com_content
+ * @subpackage  com_newsfeeds
  *
  * @copyright   (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
  * @license     GNU General Public License version 2 or later; see LICENSE.txt

administrator/components/com_scheduler/src/Table/TaskTable.php

@@ -172,7 +172,7 @@ protected function _getAssetName(): string
      *
      * @return  string
      *
-     * @since   5.3.0
+     * @since   5.2.3
      */
     protected function _getAssetTitle(): string
     {
@@ -191,7 +191,7 @@ protected function _getAssetTitle(): string
      *
      * @return  integer
      *
-     * @since   5.3.0
+     * @since   5.2.3
      */
     protected function _getAssetParentId(?Table $table = null, $id = null): int
     {

administrator/language/en-GB/plg_system_httpheaders.ini

@@ -11,26 +11,26 @@ PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY="<a href='https://developer.mozilla
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_CLIENT="Client"
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Enable the CSP clickjacking protection frame-ancestors and only allow the origin 'self'. Please use the form below to allow origins other than 'self'."
-PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_NONCE_ENABLED="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src' target='_blank' rel='noopener noreferrer'>Nonce</a>" ; Please only change the URL
+PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_NONCE_ENABLED="<a href='https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce' target='_blank' rel='noopener noreferrer'>Nonce</a>" ; Please only change the URL
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_NONCE_ENABLED_DESC="Enable the whitelist for specific inline scripts using a cryptographic nonce (number used once) for all scripts and styles using the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without nonce support."
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Use the header 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'." ; Do not translate 'Content-Security-Policy' & 'Content-Security-Policy-Report-Only'
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_STRICT_DYNAMIC_ENABLED="strict-dynamic" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_STRICT_DYNAMIC_ENABLED_DESC="The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allowed or source expressions such as 'self' or 'unsafe-inline' will be ignored." ; Do not translate 'strict-dynamic', 'self' and 'unsafe-inline'
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_SCRIPT_HASHES_ENABLED="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src' target='_blank' rel='noopener noreferrer'>Script hashes</a>" ; Please only change the URL
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_SCRIPT_HASHES_ENABLED_DESC="Enable the optional hash based whitelist inline scripts using a cryptographic hash for all scripts using the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without hash support."
-PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_STYLE_HASHES_ENABLED="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src' target='_blank' rel='noopener noreferrer'>Style hashes</a>" ; Please only change the URL
+PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_STYLE_HASHES_ENABLED="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src' target='_blank' rel='noopener noreferrer'>Style hashes</a>" ; Please only change the URL
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_STYLE_HASHES_ENABLED_DESC="Enable the optional hash based whitelist inline styles using a cryptographic hash for all styles using the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without hash support."
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_VALUES="Add Directive"
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_VALUES_DIRECTIVE="Policy Directive"
 PLG_SYSTEM_HTTPHEADERS_CONTENTSECURITYPOLICY_VALUES_VALUE="Value"
 PLG_SYSTEM_HTTPHEADERS_COOP="Cross-Origin-Opener-Policy" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_HEADER_CLIENT="Client"
 PLG_SYSTEM_HTTPHEADERS_HEADER_CLIENT_BOTH="Both"
-PLG_SYSTEM_HTTPHEADERS_HSTS="<a href='https://hstspreload.org' target='_blank' rel='noopener noreferrer'>HTTP Strict Transport Security (HSTS)</a>" ; Do not translate
+PLG_SYSTEM_HTTPHEADERS_HSTS="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security' target='_blank' rel='noopener noreferrer'>HTTP Strict Transport Security (HSTS)</a>" ; Please only change the URL
 PLG_SYSTEM_HTTPHEADERS_HSTS_MAXAGE="max-age" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_HSTS_MAXAGE_DESC="This option sets the time for 'max-age', it is specified in seconds. The default value is 31536000, which corresponds to one year" ; Please do not translate 'max-age'
-PLG_SYSTEM_HTTPHEADERS_HSTS_PRELOAD="Preload" ; Do not translate
+PLG_SYSTEM_HTTPHEADERS_HSTS_PRELOAD="<a href='https://hstspreload.org' target='_blank' rel='noopener noreferrer'>Preload</a>" ; Do not translate
 PLG_SYSTEM_HTTPHEADERS_HSTS_PRELOAD_DESC="This option activates the opt-in for inclusion in so-called browser preload lists."
 PLG_SYSTEM_HTTPHEADERS_HSTS_PRELOAD_NOTE="Important"
 PLG_SYSTEM_HTTPHEADERS_HSTS_PRELOAD_NOTE_DESC="HSTS means that your domain can no longer be called without HTTPS. Once added to the preload list, this is not easy to undo. Domains can be removed, but it takes months for users to make a change with a browser update.<br><strong>This option is very important to prevent 'man-in-the-middle attacks', so it should be activated in any case, but only if you are sure that HTTPS is supported for domain and all subdomains in the long run! The value for 'max-age' must be set to 63072000 (2 years) for recording.</strong>" ; Please do not translate 'max-age'

administrator/modules/mod_quickicon/tmpl/default.php

@@ -22,7 +22,7 @@
 $html = HTMLHelper::_('icons.buttons', $buttons);
 ?>
 <?php if (!empty($html)) : ?>
-    <nav class="quick-icons px-3 pb-3" aria-label="<?php echo Text::_('MOD_QUICKICON_NAV_LABEL') . ' ' . $module->title; ?>">
+    <nav class="quick-icons px-3 pb-3" aria-label="<?php echo Text::_('MOD_QUICKICON_NAV_LABEL') . ' ' . htmlspecialchars($module->title, ENT_QUOTES, 'UTF-8'); ?>">
         <ul class="nav flex-wrap">
             <?php echo $html; ?>
         </ul>

build/build-modules-js/init/common/resolve-package.cjs

@@ -27,7 +27,7 @@ module.exports.resolvePackageFile = (relativePath) => {
  * @returns {[]}
  */
 module.exports.getPackagesUnderScope = (scope) => {
-  const cmModules = [];
+  const cmModules = new Set();
 
   // Get the scope roots
   const roots = [];
@@ -41,9 +41,9 @@ module.exports.getPackagesUnderScope = (scope) => {
   // List of modules
   roots.forEach((rootPath) => {
     readdirSync(rootPath).forEach((subModule) => {
-      cmModules.push(`${scope}/${subModule}`);
+      cmModules.add(`${scope}/${subModule}`);
     });
   });
 
-  return cmModules;
+  return [...cmModules];
 };

components/com_privacy/src/Controller/DisplayController.php

@@ -11,7 +11,6 @@
 namespace Joomla\Component\Privacy\Site\Controller;
 
 use Joomla\CMS\MVC\Controller\BaseController;
-use Joomla\CMS\Router\Route;
 
 // phpcs:disable PSR1.Files.SideEffects
 \defined('_JEXEC') or die;
@@ -39,15 +38,6 @@ public function display($cachable = false, $urlparams = [])
     {
         $view = $this->input->get('view', $this->default_view);
 
-        // Submitting information requests and confirmation through the frontend is restricted to authenticated users at this time
-        if (\in_array($view, ['confirm', 'request']) && $this->app->getIdentity()->guest) {
-            $this->setRedirect(
-                Route::_('index.php?option=com_users&view=login&return=' . base64_encode('index.php?option=com_privacy&view=' . $view), false)
-            );
-
-            return $this;
-        }
-
         // Set a Referrer-Policy header for views which require it
         if (\in_array($view, ['confirm', 'remind'])) {
             $this->app->setHeader('Referrer-Policy', 'no-referrer', true);

components/com_privacy/src/Dispatcher/Dispatcher.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * @package     Joomla.Site
+ * @subpackage  com_privacy
+ *
+ * @copyright   (C) 2024 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Component\Privacy\Site\Dispatcher;
+
+use Joomla\CMS\Dispatcher\ComponentDispatcher;
+use Joomla\CMS\Router\Route;
+
+// phpcs:disable PSR1.Files.SideEffects
+\defined('_JEXEC') or die;
+// phpcs:enable PSR1.Files.SideEffects
+
+/**
+ * ComponentDispatcher class for com_privacy
+ *
+ * @since  5.2.3
+ */
+class Dispatcher extends ComponentDispatcher
+{
+    /**
+     * Method to check component access permission
+     *
+     * @since   5.2.3
+     *
+     * @return  void
+     */
+    protected function checkAccess()
+    {
+        parent::checkAccess();
+
+        $view = $this->input->get('view');
+
+        // Submitting information requests and confirmation through the frontend is restricted to authenticated users at this time
+        if (\in_array($view, ['confirm', 'request']) && $this->app->getIdentity()->guest) {
+            $this->app->redirect(
+                Route::_('index.php?option=com_users&view=login&return=' . base64_encode('index.php?option=com_privacy&view=' . $view), false)
+            );
+        }
+    }
+}

components/com_users/src/Controller/DisplayController.php

@@ -10,9 +10,7 @@
 
 namespace Joomla\Component\Users\Site\Controller;
 
-use Joomla\CMS\Component\ComponentHelper;
 use Joomla\CMS\MVC\Controller\BaseController;
-use Joomla\CMS\Router\Route;
 
 // phpcs:disable PSR1.Files.SideEffects
 \defined('_JEXEC') or die;
@@ -50,61 +48,11 @@ public function display($cachable = false, $urlparams = false)
         if ($view = $this->getView($vName, $vFormat)) {
             // Do any specific processing by view.
             switch ($vName) {
-                case 'registration':
-                    // If the user is already logged in, redirect to the profile page.
-                    $user = $this->app->getIdentity();
-
-                    if ($user->guest != 1) {
-                        // Redirect to profile page.
-                        $this->setRedirect(Route::_('index.php?option=com_users&view=profile', false));
-
-                        return;
-                    }
-
-                    // Check if user registration is enabled
-                    if (ComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0) {
-                        // Registration is disabled - Redirect to login page.
-                        $this->setRedirect(Route::_('index.php?option=com_users&view=login', false));
-
-                        return;
-                    }
-
-                    // The user is a guest, load the registration model and show the registration page.
-                    $model = $this->getModel('Registration');
-                    break;
-
-                case 'profile':
-                    // Handle view specific models.
-                    // If the user is a guest, redirect to the login page.
-                    $user = $this->app->getIdentity();
-
-                    if ($user->guest == 1) {
-                        // Redirect to login page.
-                        $this->setRedirect(Route::_('index.php?option=com_users&view=login', false));
-
-                        return;
-                    }
-
-                    $model = $this->getModel($vName);
-                    break;
-
-                case 'login':
-                    // Handle the default views.
-                    $model = $this->getModel($vName);
-                    break;
-
                 case 'remind':
                 case 'reset':
-                    // If the user is already logged in, redirect to the profile page.
-                    $user = $this->app->getIdentity();
-
-                    if ($user->guest != 1) {
-                        // Redirect to profile page.
-                        $this->setRedirect(Route::_('index.php?option=com_users&view=profile', false));
-
-                        return;
-                    }
-
+                case 'registration':
+                case 'login':
+                case 'profile':
                     $model = $this->getModel($vName);
                     break;
 

components/com_users/src/Dispatcher/Dispatcher.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * @package     Joomla.Site
+ * @subpackage  com_privacy
+ *
+ * @copyright   (C) 2024 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Component\Users\Site\Dispatcher;
+
+use Joomla\CMS\Component\ComponentHelper;
+use Joomla\CMS\Dispatcher\ComponentDispatcher;
+use Joomla\CMS\Router\Route;
+
+// phpcs:disable PSR1.Files.SideEffects
+\defined('_JEXEC') or die;
+// phpcs:enable PSR1.Files.SideEffects
+
+/**
+ * ComponentDispatcher class for com_privacy
+ *
+ * @since  5.2.3
+ */
+class Dispatcher extends ComponentDispatcher
+{
+    /**
+     * Method to check component access permission
+     *
+     * @since   5.2.3
+     *
+     * @return  void
+     */
+    protected function checkAccess()
+    {
+        parent::checkAccess();
+
+        $view = $this->input->get('view');
+        $user = $this->app->getIdentity();
+
+        // Do any specific processing by view.
+        switch ($view) {
+            case 'registration':
+                // If the user is already logged in, redirect to the profile page.
+                if ($user->get('guest') != 1) {
+                    // Redirect to profile page.
+                    $this->app->redirect(Route::_('index.php?option=com_users&view=profile', false));
+                }
+
+                // Check if user registration is enabled
+                if (ComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0) {
+                    // Registration is disabled - Redirect to login page.
+                    $this->app->redirect(Route::_('index.php?option=com_users&view=login', false));
+                }
+                break;
+
+                // Handle view specific models.
+            case 'profile':
+                if ($user->get('guest') == 1) {
+                    // Redirect to login page.
+                    $this->app->redirect(Route::_('index.php?option=com_users&view=login', false));
+                }
+                break;
+
+            case 'remind':
+            case 'reset':
+                if ($user->get('guest') != 1) {
+                    // Redirect to profile page.
+                    $this->app->redirect(Route::_('index.php?option=com_users&view=profile', false));
+                }
+        }
+    }
+}