Merge remote-tracking branch 'origin/10.5' into 10.6

README.md

@@ -20,7 +20,7 @@ Pimcore - Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM,
 ## Contribute  
 **Bug fixes:** please create a pull request including a step by step description to reproduce the problem  
 **Contribute features:** contact the core-team on our [Gitter channel](https://gitter.im/pimcore/pimcore) before you start developing   
-**Security vulnerabilities:** please use [this form](https://pimcorehq.wufoo.com/forms/pimcore-security-report/)
+**Security vulnerabilities:** please see our [security policy](https://github.com/pimcore/pimcore/security/policy)
 
 For details, please have a look at our [contributing guide](CONTRIBUTING.md).
 

SECURITY.md

@@ -5,6 +5,7 @@
 If you think that you have found a security issue, 
 don’t use the bug tracker and don’t publish it publicly. 
 Instead, all security issues must be reported via 📫 to [[email protected]](mailto:[email protected]).
+Additionally, we also check issues reported via [huntr.dev](https://huntr.dev/repos/pimcore/pimcore/).
 
 
 ## Resolving Process

bundles/AdminBundle/Controller/Admin/DataObject/DataObjectController.php

@@ -515,7 +515,7 @@ static function (Task $task) {
             }
 
             if ($currentLayoutId === null && count($validLayouts) > 0) {
-                $currentLayoutId = $validLayouts[0]->getId();
+                $currentLayoutId = reset($validLayouts)->getId();
             }
 
             if (!empty($validLayouts)) {

bundles/AdminBundle/Controller/Admin/Document/PageController.php

@@ -30,6 +30,7 @@
 use Pimcore\Model\Redirect;
 use Pimcore\Model\Schedule\Task;
 use Pimcore\Templating\Renderer\EditableRenderer;
+use Pimcore\Tool\Frontend;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -293,8 +294,25 @@ public function checkPrettyUrlAction(Request $request): JsonResponse
         ]);
 
         if ($list->getTotalCount() > 0) {
-            $success = false;
-            $message[] = 'URL path already exists.';
+            $checkDocument = Document::getById($docId);
+            $checkSite     = Frontend::getSiteForDocument($checkDocument);
+            $checkSiteId   = empty($checkSite) ? 0 : $checkSite->getId();
+
+            foreach ($list as $document) {
+                if (empty($document)) {
+                    continue;
+                }
+
+                $site   = Frontend::getSiteForDocument($document);
+                $siteId = empty($site) ? 0 : $site->getId();
+
+                if ($siteId === $checkSiteId) {
+                    $success   = false;
+                    $message[] = 'URL path already exists.';
+
+                    break;
+                }
+            }
         }
 
         return $this->adminJson([

bundles/AdminBundle/Controller/Admin/UserController.php

@@ -21,12 +21,14 @@
 use Pimcore\Bundle\AdminBundle\HttpFoundation\JsonResponse;
 use Pimcore\Controller\KernelControllerEventInterface;
 use Pimcore\Logger;
+use Pimcore\Model\Asset;
 use Pimcore\Model\DataObject;
 use Pimcore\Model\Element;
 use Pimcore\Model\User;
 use Pimcore\Tool;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
@@ -797,6 +799,15 @@ public function uploadImageAction(Request $request)
             throw $this->createAccessDeniedHttpException('Only admin users are allowed to modify admin users');
         }
 
+        //Check if uploaded file is an image
+        $avatarFile = $request->files->get('Filedata');
+
+        $assetType = Asset::getTypeFromMimeMapping($avatarFile->getMimeType(), $avatarFile);
+
+        if (!$avatarFile instanceof UploadedFile || $assetType !== 'image') {
+            throw new \Exception('Unsupported file format.');
+        }
+
         $userObj->setImage($_FILES['Filedata']['tmp_name']);
 
         // set content-type to text/html, otherwise (when application/json is sent) chrome will complain in

bundles/AdminBundle/Controller/Searchadmin/SearchController.php

@@ -50,8 +50,11 @@ class SearchController extends AdminController
      * @return JsonResponse
      *
      * @todo: $conditionTypeParts could be undefined
+     *
      * @todo: $conditionSubtypeParts could be undefined
+     *
      * @todo: $conditionClassnameParts could be undefined
+     *
      * @todo: $data could be undefined
      */
     public function findAction(Request $request, EventDispatcherInterface $eventDispatcher, GridHelperService $gridHelperService)

bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js

@@ -1360,9 +1360,6 @@ pimcore.object.classes.klass = Class.create({
         }
     },
 
-
-
-
     removeChild: function (tree, record) {
         if (this.id != 0) {
             if (this.currentNode == record.data.editor) {
@@ -1382,7 +1379,7 @@ pimcore.object.classes.klass = Class.create({
         if (node.data.editor) {
             if (typeof node.data.editor.getData == "function") {
                 data = node.data.editor.getData();
-
+                data.invalidFieldError = null;
                 data.name = trim(data.name);
 
                 // field specific validation
@@ -1426,6 +1423,10 @@ pimcore.object.classes.klass = Class.create({
 
                     var invalidFieldsText = t("class_field_name_error") + ": '" + data.name + "'";
 
+                    if (data.invalidFieldError) {
+                        invalidFieldsText = invalidFieldsText + " (" + data.invalidFieldError + ")";
+                    }
+
                     if(node.data.editor.invalidFieldNames){
                         invalidFieldsText = t("reserved_field_names_error")
                             +(implode(',',node.data.editor.forbiddenNames));

bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/advancedManyToManyObjectRelation.js

@@ -110,6 +110,7 @@ pimcore.object.classes.data.advancedManyToManyObjectRelation = Class.create(pimc
             name: 'allowedClassId',
             value: this.datax.allowedClassId,
             forceSelection:true,
+            allowBlank: false,
             listeners: {
                 change: function(field, classNamevalue, oldValue) {
                     this.datax.allowedClassId = classNamevalue;
@@ -118,7 +119,6 @@ pimcore.object.classes.data.advancedManyToManyObjectRelation = Class.create(pimc
                     }
                 }.bind(this)
             }
-
         });
 
         this.specificPanel.add(this.classCombo);
@@ -386,6 +386,22 @@ pimcore.object.classes.data.advancedManyToManyObjectRelation = Class.create(pimc
         return this.datax;
     },
 
+    isValid: function ($super) {
+        if(!$super()) {
+            return false;
+        }
+
+        const data = this.getData();
+        const allowedClassId = trim(data.allowedClassId);
+
+        if (!allowedClassId || allowedClassId === "null" || allowedClassId.length < 1) {
+            this.datax.invalidFieldError = t("mandatory_field_empty") + " - " + t('objectsMetadata_allowed_class');
+            return false;
+        }
+
+        return true;
+    },
+
     applyData: function ($super){
         $super();
         return this.getData();

bundles/AdminBundle/Resources/public/js/pimcore/object/tags/advancedManyToManyObjectRelation.js

@@ -45,19 +45,29 @@ pimcore.object.tags.advancedManyToManyObjectRelation = Class.create(pimcore.obje
         var visibleFields = Ext.isString(this.fieldConfig.visibleFields) ? this.fieldConfig.visibleFields.split(",") : [];
         this.visibleFields = visibleFields;
 
-        fields.push("id");
-        fields.push("index");
-        fields.push("inheritedFields");
-        fields.push("metadata");
+        fields.push({name: "id"});
+        fields.push({name: "index"});
+        fields.push({name: "inheritedFields"});
+        fields.push({name: "metadata"});
 
         var i;
 
         for (i = 0; i < visibleFields.length; i++) {
-            fields.push(visibleFields[i]);
+            fields.push({name: visibleFields[i]});
         }
 
         for (i = 0; i < this.fieldConfig.columns.length; i++) {
-            fields.push(this.fieldConfig.columns[i].key);
+            let defaultValue = null;
+            switch(this.fieldConfig.columns[i].type.toLowerCase()){
+                case "bool":
+                    defaultValue = this.fieldConfig.columns[i].value ? (this.fieldConfig.columns[i].value).toLowerCase() == "true" : null;
+                    break;
+                case "text":
+                case "number":
+                    defaultValue = this.fieldConfig.columns[i].value;
+                    break;
+            }
+            fields.push({name: this.fieldConfig.columns[i].key, defaultValue: defaultValue});
         }
 
         var modelName = 'ObjectsMultipleRelations';

bundles/AdminBundle/Resources/public/js/pimcore/object/tags/advancedManyToManyRelation.js

@@ -40,20 +40,31 @@ pimcore.object.tags.advancedManyToManyRelation = Class.create(pimcore.object.tag
 
         var fields = [];
 
-        fields.push("id");
-        fields.push("path");
-        fields.push("inheritedFields");
-        fields.push("metadata");
-        fields.push("type");
-        fields.push("subtype");
+        fields.push({name: "id"});
+        fields.push({name:"path"});
+        fields.push({name:"inheritedFields"});
+        fields.push({name:"metadata"});
+        fields.push({name:"type"});
+        fields.push({name:"subtype"});
 
         var i;
 
         for (i = 0; i < this.fieldConfig.columns.length; i++) {
-            fields.push(this.fieldConfig.columns[i].key);
+            let defaultValue = null;
+            switch(this.fieldConfig.columns[i].type.toLowerCase()){
+                case "bool":
+                case "columnbool":
+                    defaultValue = this.fieldConfig.columns[i].value ? (this.fieldConfig.columns[i].value).toLowerCase() == "true" : null;
+                    break;
+                case "text":
+                case "number":
+                    defaultValue = this.fieldConfig.columns[i].value;
+                    break;
+            }
+            fields.push({name: this.fieldConfig.columns[i].key, defaultValue: defaultValue});
         }
 
-        fields.push("rowId");
+        fields.push({name: "rowId"});
 
         var modelName = 'ObjectsMultihrefMetadataEntry';
         if (!Ext.ClassManager.isCreated(modelName)) {

bundles/AdminBundle/Resources/public/js/pimcore/settings/profile/panel.js

@@ -250,6 +250,9 @@ pimcore.settings.profile.panel = Class.create({
                                 Ext.getCmp("pimcore_profile_delete_image_" + this.currentUser.id).setVisible(true);
                                 pimcore.helpers.reloadUserImage(this.currentUser.id);
                                 this.currentUser.hasImage = true;
+                            }.bind(this),
+                            function () {
+                                Ext.MessageBox.alert(t('error'), t("unsupported_filetype"));
                             }.bind(this)
                         );
                     }.bind(this)

bundles/AdminBundle/Resources/public/js/pimcore/settings/user/user/settings.js

@@ -177,6 +177,9 @@ pimcore.settings.user.user.settings = Class.create({
                                 Ext.getCmp("pimcore_user_delete_image_" + this.currentUser.id).setVisible(true);
                                 pimcore.helpers.reloadUserImage(this.currentUser.id);
                                 this.currentUser.hasImage = true;
+                            }.bind(this),
+                            function () {
+                                Ext.MessageBox.alert(t('error'), t("unsupported_filetype"));
                             }.bind(this)
                         );
                     }.bind(this)

composer.json

@@ -28,7 +28,7 @@
     "docs": "https://pimcore.com/docs/latest/"
   },
   "require": {
-    "php": "^8.0",
+    "php": "~8.0.0 || ~8.1.0",
     "ext-SimpleXML": "*",
     "ext-dom": "*",
     "ext-exif": "*",

doc/Development_Documentation/23_Installation_and_Upgrade/01_System_Requirements.md

@@ -14,7 +14,7 @@ For production, we highly recommend a *nix based system.
 - Nginx
 
 
-### PHP >= 8.0
+### PHP >=8.0 <8.2
 Both **mod_php** and **FCGI (FPM)** are supported.  
 
 #### Required Settings and Modules & Extensions

doc/Development_Documentation/23_Installation_and_Upgrade/07_Updating_Pimcore/10_V6_to_V10.md

@@ -1,11 +1,11 @@
 # Upgrading Pimcore from Version 6.x to Version 10
 
 ## System Requirement changes
- - PHP >= 8.0
+ - PHP >=8.0 <8.2
  - Apache >= 2.4
  - Composer >= 2.0
 
-> As Pimcore 6.x works only with PHP < 8.0 and Pimcore 10 works only with PHP >= 8.0, a switch of PHP version is needed during the upgrade process.
+> As Pimcore 6.x works only with PHP < 8.0 and Pimcore 10 works only with PHP >=8.0 <8.2, a switch of PHP version is needed during the upgrade process.
 
 ## Database Requirement changes
 - MariaDB >= 10.3
@@ -159,10 +159,10 @@ mv var/config/custom-logo.* var/admin/custom-logo.image
 
 ## SWITCH COMPOSER AND PHP VERSION, AND DO THE UPDATE!
 - Ensure Composer is updated to version >= 2.0
-- Switch PHP version to PHP >= 8.0
+- Switch PHP version to PHP >=8.0 <8.2
 - Run composer update (`COMPOSER_MEMORY_LIMIT=-1 composer update`)
 
-## CHANGES TO DO AFTER THE UPDATE! (TO DO WITH PHP >= 8.0)
+## CHANGES TO DO AFTER THE UPDATE! (TO DO WITH PHP >=8.0 <8.2)
 
 ### Verify migrations execution
 By default, Composer update runs Pimcore migrations automatically, however it is better to check if all migrations are executed for smooth transition.

models/DataObject/ClassDefinition/Data/Slider.php

@@ -420,6 +420,11 @@ public function isEqual($oldValue, $newValue): bool
         return false;
     }
 
+    public function isEmpty(mixed $data): bool
+    {
+        return !is_numeric($data);
+    }
+
     /**
      * {@inheritdoc}
      */

models/DataObject/Fieldcollection/Data/AbstractData.php

@@ -18,11 +18,13 @@
 use Pimcore\Model;
 use Pimcore\Model\DataObject\ClassDefinition\Data\LazyLoadingSupportInterface;
 use Pimcore\Model\DataObject\Concrete;
+use Pimcore\Model\DataObject\Localizedfield;
+use Pimcore\Model\DataObject\ObjectAwareFieldInterface;
 
 /**
  * @method Dao getDao()
  */
-abstract class AbstractData extends Model\AbstractModel implements Model\DataObject\LazyLoadedFieldsInterface, Model\Element\ElementDumpStateInterface, Model\Element\DirtyIndicatorInterface
+abstract class AbstractData extends Model\AbstractModel implements Model\DataObject\LazyLoadedFieldsInterface, Model\Element\ElementDumpStateInterface, Model\Element\DirtyIndicatorInterface, ObjectAwareFieldInterface
 {
     use Model\Element\ElementDumpStateTrait;
     use Model\DataObject\Traits\LazyLoadedRelationTrait;
@@ -119,6 +121,10 @@ public function setObject(?Concrete $object)
         $this->objectId = $object ? $object->getId() : null;
         $this->object = $object;
 
+        if (property_exists($this, 'localizedfields') && $this->localizedfields instanceof Localizedfield) {
+            $this->localizedfields->setObject($object, false);
+        }
+
         return $this;
     }
 

models/DataObject/Objectbrick/Data/AbstractData.php

@@ -20,13 +20,15 @@
 use Pimcore\Model\DataObject\ClassDefinition\Data\LazyLoadingSupportInterface;
 use Pimcore\Model\DataObject\Concrete;
 use Pimcore\Model\DataObject\Exception\InheritanceParentNotFoundException;
+use Pimcore\Model\DataObject\Localizedfield;
+use Pimcore\Model\DataObject\ObjectAwareFieldInterface;
 
 /**
  * @method Dao getDao()
  * @method void save(Concrete $object, $params = [])
  * @method array getRelationData($field, $forOwner, $remoteClassId)
  */
-abstract class AbstractData extends Model\AbstractModel implements Model\DataObject\LazyLoadedFieldsInterface, Model\Element\ElementDumpStateInterface, Model\Element\DirtyIndicatorInterface
+abstract class AbstractData extends Model\AbstractModel implements Model\DataObject\LazyLoadedFieldsInterface, Model\Element\ElementDumpStateInterface, Model\Element\DirtyIndicatorInterface, ObjectAwareFieldInterface
 {
     use Model\DataObject\Traits\LazyLoadedRelationTrait;
     use Model\Element\ElementDumpStateTrait;
@@ -198,6 +200,10 @@ public function setObject(?Concrete $object)
         $this->objectId = $object ? $object->getId() : null;
         $this->object = $object;
 
+        if (property_exists($this, 'localizedfields') && $this->localizedfields instanceof Localizedfield) {
+            $this->localizedfields->setObject($object, false);
+        }
+
         return $this;
     }
 

models/DataObject/Service.php

@@ -996,7 +996,7 @@ public static function rewriteIds($object, $rewriteConfig, $params = [])
     /**
      * @param Concrete $object
      *
-     * @return DataObject\ClassDefinition\CustomLayout[]
+     * @return array<string, DataObject\ClassDefinition\CustomLayout>
      */
     public static function getValidLayouts(Concrete $object)
     {