Merge branch 'develop' of github.com:getgrav/grav into develop

Andy Miller 2021-10-26 11:39:19 -06:00
commit 6fc2bc4f91
No known key found for this signature in database
GPG Key ID: 9F2CF38AEBDB0AE0
4 changed files with 12 additions and 7 deletions


@ -4,10 +4,13 @@
1. [](#new)
* Added support for image watermarks
* Added support to disable a form, making it readonly
2. [](#improved)
* Flex `$user->authorize()` now checks user groups before `admin.super`, allowing deny rules to work properly
3. [](#bugfix)
* Fixed a bug in `PermissionsReader` in PHP 7.3
* Fixed `session_store_active` language option (#3464)
* Fixed deprecated warnings on `ArrayAccess` in PHP 8.1
* Fixed XSS detection with `:`
# v1.7.23
## 09/29/2021


@ -274,6 +274,7 @@ class UserObject extends FlexObject implements UserInterface, Countable
}
}
// Check custom application access.
$authorizeCallable = static::$authorizeCallable;
if ($authorizeCallable instanceof Closure) {
$authorizeCallable->bindTo($this);
@ -290,13 +291,14 @@ class UserObject extends FlexObject implements UserInterface, Countable
return $authorized;
}
// If specific rule isn't hit, check if user is super user.
if ($access->authorize('admin.super') === true) {
return true;
// Check group access.
$authorized = $this->getGroups()->authorize($action, $scope);
if (is_bool($authorized)) {
return $authorized;
}
// Check group access.
return $this->getGroups()->authorize($action, $scope);
// If any specific rule isn't hit, check if user is a superuser.
return $access->authorize('admin.super') === true;
}
/**
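Review bot: In the first hunk, `$authorizeCallable->bindTo($this);` discards its return value; `Closure::bindTo()` returns a new closure and leaves the original untouched, so the custom authorization hook presumably still runs without this user object as `$this` (the invocation itself is outside the hunk). Since the commit already touches this block, keep the result and call that instead, e.g. `$bound = $authorizeCallable->bindTo($this);` and invoke `$bound` only when it is not null. In the second hunk the final `return $access->authorize('admin.super') === true;` always yields a bool, whereas the old tail returned the group result unchanged, which the new `is_bool()` test suggests can be non-bool; a docblock line stating that "no matching user or group rule" now resolves to deny for non-superusers would make that contract explicit. authorize() begins above the first hunk, so its signature and the earlier user-level checks are not visible here.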


@ -649,7 +649,7 @@ class Pages
$cmd = $value;
$params = [];
} elseif (is_array($value) && count($value) === 1 && !is_int(key($value))) {
// Format: @command.param: { attr1: value1, attr2: value2 }
// Format: @command.param: { attr1: value1, attr2: value2 }
$cmd = (string)key($value);
$params = (array)current($value);
} else {


@ -203,7 +203,7 @@ class Security
$string = preg_replace('!(&#0+[0-9]+)!u', '$1;', $string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
// Strip whitespace characters
$string = preg_replace('!\s!u', '', $string);
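Review bot: The `html_entity_decode()` call gains `ENT_HTML5` with no comment explaining why, so a later cleanup could drop the flag as redundant and silently reopen the detection gap the changelog describes. I would extend the comment above it to `// Decode entities; ENT_HTML5 so HTML5-only named entities (e.g. &colon;) are normalised before the checks below`. `ENT_NOQUOTES` still leaves quote entities such as `&quot;` encoded at this point, so any later pattern that keys on a literal quote would not see the entity form; that cannot be confirmed from here because the function starts and ends outside the hunk. A regression test that passes an entity-encoded `:` through this detector and asserts a hit would pin the fix.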