Skip to content
Projects
Groups
Snippets
Help
Sign in / Register
Toggle navigation
Minds Backend - Engine
Project overview
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Locked Files
Issues
276
Merge Requests
35
CI / CD
Security & Compliance
Packages
Analytics
Wiki
Snippets
Members
Collapse sidebar
Close sidebar
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Minds
Minds Backend - Engine
Commits
f2c0a7b1
Commit
f2c0a7b1
authored
53 minutes ago
by
Marcelo Rivera
Browse files
Options
Download
Merge remote-tracking branch 'upstream/master' into feat/hide-share-buttons
parents
ba4346cb
5c9218c9
feat/hide-share-buttons
1 merge request
!463
Allow users to permanently hide "share" buttons in settings
Pipeline
#117989663
passed with stages
in 7 minutes and 24 seconds
Changes
8
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
44 additions
and
11 deletions
+44
-11
.gitlab-ci.yml
View file @
f2c0a7b1
...
...
@@ -48,6 +48,11 @@ prepare:fpm:
--build-arg SENTRY_DSN=$SENTRY_DSN \
.
-
docker push $CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID
-
>
if [ $CI_COMMIT_BRANCH == "master" ]; then
docker tag $CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID $CI_REGISTRY_IMAGE/fpm:latest &&
docker push $CI_REGISTRY_IMAGE/fpm:latest
fi
prepare:runners:
stage
:
prepare
...
...
@@ -64,6 +69,11 @@ prepare:runners:
--build-arg SENTRY_DSN=$SENTRY_DSN \
.
-
docker push $CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID
-
>
if [ $CI_COMMIT_BRANCH == "master" ]; then
docker tag $CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID $CI_REGISTRY_IMAGE/runners:latest &&
docker push $CI_REGISTRY_IMAGE/runners:latest
fi
prepare:all:sentry:
stage
:
prepare
...
...
This diff is collapsed.
Controllers/api/v1/channel.php
View file @
f2c0a7b1
...
...
@@ -70,7 +70,6 @@ class channel implements Interfaces\Api
$response
[
'channel'
][
'briefdescription'
]
=
$response
[
'channel'
][
'briefdescription'
]
?:
''
;
$response
[
'channel'
][
'city'
]
=
$response
[
'channel'
][
'city'
]
?:
""
;
$response
[
'channel'
][
'gender'
]
=
$response
[
'channel'
][
'gender'
]
?:
""
;
$response
[
'channel'
][
'dob'
]
=
$response
[
'channel'
][
'dob'
]
?:
""
;
if
(
!
$user
->
merchant
||
!
$supporters_count
)
{
$db
=
new
Core\Data\Call
(
'entities_by_time'
);
...
...
@@ -234,7 +233,7 @@ class channel implements Interfaces\Api
$update
=
[];
foreach
([
'name'
,
'website'
,
'briefdescription'
,
'gender'
,
'dob'
,
'city'
,
'coordinates'
,
'monetized'
]
as
$field
)
{
'city'
,
'coordinates'
,
'monetized'
]
as
$field
)
{
if
(
isset
(
$_POST
[
$field
]))
{
$update
[
$field
]
=
$_POST
[
$field
];
$owner
->
$field
=
$_POST
[
$field
];
...
...
This diff is collapsed.
Core/Config/Exported.php
View file @
f2c0a7b1
...
...
@@ -123,6 +123,9 @@ class Exported
if
(
$pro
=
$this
->
proDomain
->
lookup
(
$_SERVER
[
'HTTP_HOST'
]
??
null
))
{
$exported
[
'pro'
]
=
$pro
;
}
elseif
(
!
$this
->
proDomain
->
isRoot
(
$_SERVER
[
'HTTP_HOST'
]
??
null
))
{
// If not a pro site and not root then tell frontend to redirect
$exported
[
'redirect_to_root_on_init'
]
=
true
;
}
return
$exported
;
...
...
This diff is collapsed.
Core/Security/XSRF.php
View file @
f2c0a7b1
...
...
@@ -17,8 +17,8 @@ class XSRF
public
static
function
validateRequest
()
{
if
(
!
Core\Session
::
isLoggedIn
()
&&
$_SERVER
[
'REQUEST_METHOD'
]
===
'GET'
)
{
return
true
;
//
If logged out and GET request we can accept
if
(
$_SERVER
[
'REQUEST_METHOD'
]
===
'GET'
)
{
return
true
;
//
XSRF only needed for modifiers
}
if
(
!
isset
(
$_SERVER
[
'HTTP_X_XSRF_TOKEN'
]))
{
...
...
This diff is collapsed.
Core/Security/XSS/GenericRule.php
View file @
f2c0a7b1
...
...
@@ -163,7 +163,7 @@ class GenericRule implements Interfaces\XSSRule
//make all urls force open in a new tab/window
if
(
$element
->
nodeName
==
'a'
)
{
$element
->
setAttribute
(
'target'
,
'_blank'
);
$element
->
setAttribute
(
'rel'
,
'noopener noreferrer nofollow'
);
//nofollow hurts spammers
$element
->
setAttribute
(
'rel'
,
'noopener noreferrer nofollow
ugc
'
);
//nofollow hurts spammers
}
}
...
...
This diff is collapsed.
Entities/User.php
View file @
f2c0a7b1
...
...
@@ -1216,7 +1216,6 @@ class User extends \ElggUser
return
array_merge
(
parent
::
getExportableValues
(),
[
'website'
,
'briefdescription'
,
'dob'
,
'gender'
,
'city'
,
'merchant'
,
...
...
@@ -1418,4 +1417,26 @@ class User extends \ElggUser
return
$this
;
}
/**
* Gets the Surge Token of the user for push notifications.
*
* @return string Token.
*/
public
function
getSurgeToken
()
:
string
{
return
(
string
)
$this
->
surge_token
??
''
;
}
/**
* Sets the Surge Token of the user for push notifications.
*
* @param string $token - the token string.
* @return User instance of $this for chaining.
*/
public
function
setSurgeToken
(
string
$token
=
''
)
:
User
{
$this
->
surge_token
=
$token
;
return
$this
;
}
}
This diff is collapsed.
Spec/Core/Security/XSSSpec.php
View file @
f2c0a7b1
...
...
@@ -39,25 +39,25 @@ class XSSSpec extends ObjectBehavior
public
function
it_should_dissallow_onClick_attributes
()
{
$dirty
=
"<a onclick=
\"
console.log('hmmm...')
\"
>click me</a>"
;
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
\"
>click me</a>"
);
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
ugc
\"
>click me</a>"
);
}
public
function
it_should_allow_href_on_anchor_tags
()
{
$dirty
=
"<a href=
\"
https://www.minds.com
\"
>take me home</a>"
;
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
https://www.minds.com
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
\"
>take me home</a>"
);
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
https://www.minds.com
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
ugc
\"
>take me home</a>"
);
}
public
function
it_should_not_allow_bad_url_schemes
()
{
$dirty
=
"<a href=
\"
javascript:alert('HEYHO')
\"
>bad scheme here</a>"
;
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
alert('HEYHO')
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
\"
>bad scheme here</a>"
);
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
alert('HEYHO')
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
ugc
\"
>bad scheme here</a>"
);
}
public
function
it_should_not_allow_bad_url_schemes_with_case_hacks
()
{
$dirty
=
"<a href=
\"
Javascript:alert('HEYHO')
\"
>bad scheme here</a>"
;
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
alert('HEYHO')
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
\"
>bad scheme here</a>"
);
$this
->
clean
(
$dirty
)
->
shouldReturn
(
'<?xml encoding="utf-8" ?>'
.
"<a href=
\"
alert('HEYHO')
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer nofollow
ugc
\"
>bad scheme here</a>"
);
}
public
function
it_should_not_allow_bad_url_schemes_from_multiple_keywords
()
...
...
This diff is collapsed.
containers/php-runners/Dockerfile
View file @
f2c0a7b1
...
...
@@ -6,7 +6,7 @@ ADD --chown=www-data . /var/www/Minds/engine
# Remove the local settings file (if it exists)
RUN
rm
-f
/var/www/Minds/engine/settings.php
#
RUN rm -f /var/www/Minds/engine/settings.php
# Setup our supervisor service
...
...
This diff is collapsed.
Please
register
or
sign in
to comment