neos-bot / flow-development-collection Goto Github PK

Jira issue originally created by user @bwaidelich:

The security documentation still mentions "voters" even though they have been removed with FLOW-11

Apart from that we should adjust/remove the TYPO3.Flow.security.authorization.allowAccessIfAllVotersAbstain setting!

Option A: Rename to grantAccessIfAllPrivilegesAbstain and add code migration

Option B: Remove setting as its probably never used and would have unwanted effects

Jira-URL: https://jira.neos.io/browse/FLOW-125

Jira issue originally created by user benjamink:

When updating a site or when the cache is empty, the user gets a short message that the service is currently not available. It would be nice to have a setting to change the default html-template file like

TYPO3.Flow.core.pathToLockedSite: 'resource://My.Package/.../MyLockedSitePage.html'

or sth. similar.

Jira-URL: https://jira.neos.io/browse/FLOW-168

Jira issue originally created by user pumatertion:

PHP should know about timezone independent from context.
So f.e. having vhosts setting php_admin_value date.timezone "Europe/Berlin" the cli still runs with master value of timezone "UTC". Imho timezone should be a part of yaml and be set by ini_set() to get equal timezone in cli/http.

Jira-URL: https://jira.neos.io/browse/FLOW-173

Jira issue originally created by user @hlubek:

It is not safe to add an entry to an array setting by using "-" for the key, e.g.:

    persistence:
      doctrine:
        eventListeners:
          -
            events: ['postPersist', 'postUpdate', 'postRemove']
            listener: 'TYPO3\Neos\Domain\EventListener\AccountPostEventListener'

If a second package does the same, this will end up in only one event listener, which will be overridden by the second one. This happened at least with the phpyaml extension being used to parse YAML files.

Jira-URL: https://jira.neos.io/browse/FLOW-22

Jira issue originally created by user @robertlemke:

CSS files (and probably other types of assets) may contain relative or absolute URLs pointing to other resources – such as web fonts or images. Publishing theses assets as they are will result in broken links when using a CDN. Neos / Flow must replace the URLs to correct absolute URLs pointing to the CDN servers.

Jira-URL: https://jira.neos.io/browse/FLOW-115

Jira issue originally created by user ryzy:

We should add TYPO3 Flow to the list of automatically tested frameworks on HHVM site: http://hhvm.com/frameworks/

From what I understand, the HHVM team pays attention to these tests and it gives them a clue what other incompatibilities with PHP are still there. In a long term, instead of workarounds in Flow we would have it fixed in HHVM.

Jira-URL: https://jira.neos.io/browse/FLOW-195

Jira issue originally created by user @radmiraal:

class_uses() returns all traits used by given class, but this does not show traits used by parent classes. To support this in flow we should either extend the api of the reflection service or somehow build this into the proxy class building

Jira-URL: https://jira.neos.io/browse/FLOW-252

Jira issue originally created by user pumatertion:

1. Persisting a DateTime with timezone America/Caracas f.e.
2. $this->persistenceManager->clearState();
3. Query the datetime from db.

Results in: @see attached file.

We are losing timezone diff in this case.
imho the value of a datetime should be converted before persisting into utc.
on reading this datetime again, it should be converted in the configured timezone.

Atachements:

Jira-URL: https://jira.neos.io/browse/FLOW-174

Jira issue originally created by user @albe:

It would be nice if Fluid would inform the developer that he forgot to add the "enctype" attribute on the form when he is using an upload field, where enctype "multipart/form-data" is required.

Currently, the file upload will then just silently fail.

Jira-URL: https://jira.neos.io/browse/FLOW-176

Jira issue originally created by user vertexvaar:

Reviving an old Ticket because the bug occured to me: https://forge.typo3.org/issues/47271

Original Text:
I have a structure with a parent class and several subclasses. I want a before advice for all set* methods of these classes.

Some methods from the parent class are invoked on objects of the subclass.
When having the advice before the set* methods, the following error occurs:

Notice: Undefined property: MyPackage\Domain\Model\MySubclass::$Flow_Aop_Proxy_targetMethodsAndGroupedAdvices in .../Data/Temporary/Development/Cache/Code/Flow_Object_Classes/MyPackage_Domain_Model_MyClass.php line 629
where MyClass is the parent class of MySubclass.

The reason seems to be that the AOP properties of a class are marked as "private", which makes them inacessible from parent (and subclass) methods. I don't know if this could/should be solved by changing the type to protected, as this might raise other issues (I'm not too deeply into the AOP code of Flow), but AFAIS this is a possible solution.

Jira-URL: https://jira.neos.io/browse/FLOW-155

Jira issue originally created by user mostwanted:

http://flow.typo3.org/documentation/guide

Atachements:

Jira-URL: https://jira.neos.io/browse/FLOW-166

Jira issue originally created by user mhelmich:

I'm not sure if this behaviour is intentional; please feel free to yell if this is NOT a bug. I also noticed that it is very similar to FLOW-155 reported by [~vertexvaar] and can possibly be fixed with the same proposed solution.

I have a class hierarchy, and an advice around a method in the parent class. When calling the method (which calls it's parent method) on an instance of the subclass, the advice is called twice.

Simple example:

abstract class AbstractFoo {
    public function hello() {
        echo "Hello world.";
    }
    public function bye() {
        echo "Goodbye world.";
    }
}

class ConcreteFoo extends AbstractFoo {
    public function hello() {
        parent::hello();
        echo "Hallo Welt!";
    }
}

/****
 * @Flow\Aspect
 */
class HelloByeAspect {
    /****
     ** @Flow\Around("method(**.->hello())")
     */
    public function myHelloAspect(JoinPointInterface $joinPoint) {
        echo "called hello()";
    }
    /****
     ** @Flow\Around("method(**.->bye())")
     */
    public function myByeAspect(JoinPointInterface $joinPoint) {
        echo "called bye()";
    }
}

When calling ConcreteFoo->hello, I'd expect the advice to be invoked once; but it is actually invoked twice.
The same goes for ConcreteFoo->bye, which isn't even overwritten in ConcreteFoo, but the advice is called twice nevertheless.

My best guess is that, the Flow*Aop_Proxy*methodIsInAdviceMode property in the proxy classes is actually supposed to prevent this. However, this property is private and thus not visible in super(!)classes. Changing the visibility of this property to protected helps.

I tested with Flow 2.3, but probably occurs in earlier releases and in master, too. Will push a patch into Gerrit shortly.

Jira-URL: https://jira.neos.io/browse/FLOW-158

Jira issue originally created by user @kitsunet:

Jira-URL: https://jira.neos.io/browse/FLOW-160

Jira issue originally created by user witrin:

Nesting the f:switch view helper in the following way ends with an exception:

<f:switch expression="{expression}">
    <f:case value="matching">
        <f:render partial="Partial" arguments="{argument: argument}" />
    </f:case>
</f:switch>

<f:switch expression="{expression}">
    <f:case value="matching">
        Foo
    </f:case>
</f:switch>

The thrown exception is:

#1243352249: No value found for key "TYPO3\Fluid\ViewHelpers\SwitchViewHelper->break", thus the key cannot be removed.

Jira-URL: https://jira.neos.io/browse/FLOW-165

Jira issue originally created by user pumatertion:

php 5.5 supports Foo::class to get the classname as string.
We should use this systemwide.

Jira-URL: https://jira.neos.io/browse/FLOW-225

Jira issue originally created by user mhelmich:

Cloned doctrine entities cannot be persisted. Consider the following example code:

$objectOne = $this->repository->findOneByFoo('bar');
$objectTwo = clone $objectOne;

$this->repository->add($objectTwo);

This will result in a fatal error:

Fatal error: Call to a member function getModelType() on a non-object in /.../Data/Temporary/Development/Cache/Code/Flow*Object_Classes/TYPO3_Flow_Persistence_Doctrine*PersistenceManager.php on line 71.```

Looking into the PersistenceManager class, we can see that the `onFlush` method tries to load the class schema from the ReflectionService using the `getClassSchema` method. This method is passed the entity, and determines the entity's class name using `get_class`. However, if `$entity` is not an instance of the entity class, but a Doctrine proxy, no class schema will be loaded for this class.

I hacked a workaround for this into the ReflectionService and will push it into Gerrit shortly. It's quite QAD and I'm not really happy with it, so I'd be open to any kinds of suggestions.

 Jira-URL: https://jira.neos.io/browse/FLOW-24

Jira issue originally created by user cerlestes:

TYPO3\Flow\Persistence\Doctrine\Query, Line 107:
$this->queryBuilder = $entityManager->createQueryBuilder()->select('e')->from($this->entityClassName, 'e');

Because the QueryBuilder is only told to select 'e', it can happen that a query (especially with logical-or constraints and joins) fetches the same entity multiple times. This is a major bug when also a LIMIT is set for that query.
With de-duplication applied, this leads to a result set that is smaller than the desired LIMIT, as the duplicate rows are skipped.
Without de-duplication applied, this would result in a fatal double appearance of the entity in the result set.

Luckily, somewhere in Doctrine or Flow deduplication happens on the result sets (though I gave up after 30 minutes of trying to find where exactly this happens).
This leaves us with the query result that holds less than the desired amount of entities and thus breaks stuff like pagination.

The fix is very easy though: on the mentioned line 107 turn
select('e')
into
select('DISTINCT e')
as one should do, when querying for intrinsically unique datasets.

This might also benefit the overall performance of the TYPO3 Flow framework, as I'm sure there are some queries that run into the same problem, but don't experience it due to the de-duplication efforts and a missing LIMIT statement.

Atachements:

Jira-URL: https://jira.neos.io/browse/FLOW-21

Jira issue originally created by user @bwaidelich:

Since https://forge.typo3.org/issues/28544 Fluid compiles templates into PHP when they are parsed for the first time.
But this compilation is disabled if a ViewHelper is used, that:

• implements ChildNodeAccessInterface and
• does not implement CompilableInterface

This is the case for the SwitchViewHelper.
We should implement the CompilableInterface in a similar fashion to how AbstractConditionViewHelper solves that.

See https://forge.typo3.org/issues/64449 for the original report (in the TYPO3 CMS bugtracker)

Jira-URL: https://jira.neos.io/browse/FLOW-224

Jira issue originally created by user @hlubek:

The session cache backend currently writes data back for every access (including read-only requests) at the end of each request.

For Neos this involves the following keys (individual cache entries) for each request (also in the frontend), while having an active session:

• lastVisitedNode
• TYPO3_Flow_Security_Accounts
• TYPO3_Flow_Object_ObjectManager

We could greatly optimize I/O and cache file contention by checking on a cache frontend level if the data was actually changed. The idea is to store md5 sums of the data that was fetched (get) and comparing that on subsequent set operations and doing nothing if they are equal. Doing that on the frontend layer would not require an additional serialize call.

Jira-URL: https://jira.neos.io/browse/FLOW-147

Jira issue originally created by user @dimaip:

It's now currently not possible to get all nodes with date > now.
That is because operand is always a string in Eel, and can not be an object.
Proper solution would be to allow operands of other types than string.
As that may take really long time to implement, I propose a temporary solution: cast any object of type DateTime in FilterOperation->evaluateOperator to UTC time string like format('r'). That would allow comparisons and filtering on such property, without causing unwanted side-effects.
It's really important to get it working in a feasable future, as this is a essential functionality people expect from FlowQuery (along with sort).

Jira-URL: https://jira.neos.io/browse/FLOW-180

Jira issue originally created by user cerlestes:

Using Fluid's SelectViewHelper inside a FormViewHelper and setting the 'multiple' argument to a truthy value while providing an empty array or Collection to the 'options' argument will render the fieldname missing from the trusted properties, which means that the PropertyMapper will object to what it received when parsing the arguments for the form's target action, unless you allow the property in the PropertyMappingConfiguration for that argument.

This is because there's no case for when 'options' are provided to a 'multiple' SelectViewHelper, but are empty.

The best possible fix is for this is to invoke registerFieldNameForFormTokenGeneration() with the non-'multiple' name received via getName().

A patchfile is attached.

Atachements:

Jira-URL: https://jira.neos.io/browse/FLOW-119

Jira issue originally created by user baumgartl:

If you have a hierarchy like this:

• Show
  **** Season
  ***** Episode

And want to filter the shows by a property of the episodes you can do this with (Repository find method):

$query = $this->createQuery();

$constraint = $query->equals('seasons.episodes.propertyName', 'operand');

$query->matching($constraint)->execute();

But if you want to get the seasons with $show->getSeaons() for this filtered list, you get ALL linked seasons. The same applies for episodes.

With the attached path, you can add all joined tables to the query select. The result will be mapped to the objects and the get seasons and get episodes method only returns the filtered entities.

Atachements:

Jira-URL: https://jira.neos.io/browse/FLOW-232

Jira issue originally created by user @astehlik:

The automatic detection of the package key in the Logger class does not work correctly.

There is already a FIXME annotation in the log() method:

// FIXME: This is not really the package key:

The detection of the actual package key needs to be improved.

Jira-URL: https://jira.neos.io/browse/FLOW-226

Jira issue originally created by user jpaardekooper:

Our application has some serious problems with the performance of persisting data of large data sets. I'll try to explain it as clear as possible with a basic scenario.

Say our application has users that can be linked to one or more companies. A company is fairly large object with alot of OneToMany relations, for example Cars, Houses, Pets etc. Alot of stuff. Most of these objects have their own repository as well.

We have a UI that lets us create a Car and link it to a company. The performance of this is fine when the current user isn't link to alot of Companies that don't have alot of Cars, Houses, Pets etc. However, as soon as the data set becomes larger (say, 50 companies each with 25 Cars, Houses and Pets), it takes about 30 seconds to insert one simple Car.

The basic object model:

class Company {

    /****
     * @var string
     */
    protected $name;

    /****
     * @var \Doctrine\Common\Collections\ArrayCollection<Car>
     * @ORM\OneToMany(mappedBy="company")
     * @Flow\Lazy
     */
    protected $cars;

    // alot more fields
}

class Car {

    /****
     * @var string
     */
    $licensePlate

    /****
     * @var Company
     * @ORM\ManyToOne(inversedBy="cars")
     */
    protected $company;

    // some more fields
}

I've tracked the performance down to the TYPO3.Flow/Classes/TYPO3/Flow/Persistence/Doctrine/PersistenceManager.php file, where the Car object is triggered for validation (line 82). It then goes into the validateObject method and validates the Car. But when it validates the Car, it will also validate the Company and the Company will also validate all the Houses, Pets, etc.

A temporary solution is to add the @flow\IgnoreValidation annotation to the $company property in Car. I don't think that's a very flexible and nice solution and wonder if it could be done better.

Jira-URL: https://jira.neos.io/browse/FLOW-17

Jira issue originally created by user @bwaidelich:

The Flow ExceptionHandler s currently only adjust their rendering based on request type (Web/CLI) and context (DebugExceptionHandler/ProductionExceptionHandler).

They should, in addition, be able to react upon the requested format, e.g. by evaluating the Accept HTTP header of the current request.

Jira-URL: https://jira.neos.io/browse/FLOW-202

Jira issue originally created by user @RafaelKa:

Very nice feature is not documented :/

Jira-URL: https://jira.neos.io/browse/FLOW-117

Jira issue originally created by user hanshoechtl:

I'm trying to render backreferences on my current page.
Nodes have references to my current page and I'd like to render them, by using this:

snippets = TYPO3.Neos:ContentCollection
snippets {
    collection = ${q(site).children('[instanceof Vendor.MySite:Snippet]').filter('[pagesToDisplay *= "'<ins>node</ins>'"]')}
}

pagesToDisplay is my property of type references.

I figured out that the value of the property pagesToDisplay is being evaluated to an array of Node-objects (which is correct)
inside the method matchesAttributeFilter:

protected function matchesAttributeFilter($element, array $attributeFilter) {
        if ($attributeFilter['Identifier'] !== NULL) {
            $value = $this->getPropertyPath($element, $attributeFilter['Identifier']);  // <- HERE
        } else {
            $value = $element;
        }
        $operand = NULL;
        if (isset($attributeFilter['Operand'])) {
            $operand = $attributeFilter['Operand'];
        }

        return $this->evaluateOperator($value, $attributeFilter['Operator'], $operand);  // <- only instanceof has special treatment in this method
    }

But because I'm not doing an "instanceof" operation, this array is being passed to the method evaluateOperator of TYPO3\Eel\FlowQuery\Operations\Object\FilterOperation which only does a strpos comparison.
So I guess this is only supposed to work on string-properties, but I suggest the contains filter-operation to work on arrays (here array of nodes) to.

Jira-URL: https://jira.neos.io/browse/FLOW-154

Jira issue originally created by user lorenzulrich:

In https://git.typo3.org/Packages/TYPO3.Flow.git/blobdiff/e867cd66913d54d67beae30d05980f9db2619dfb..f38b3570c95f6d25906d101d3634091cc3ecf420:/Classes/TYPO3/Flow/Resource/ResourceTypeConverter.php the ResourceTypeConverter was revised. After these changes I have the following problem:

I have a form that is generated with TYPO3.Form and contains multiple (standard) File Upload fields. Before this change, if I didn't select a file, the form passed validation. After this change, if I don't select a file for uploading (it's not a mandatory field), I get the following error:

The resource manager could not create a Resource instance.

The problem seems to be in the method convertFrom. If no file is uploaded, $source['hash'] is set, but empty. convertFrom only checks for the existence of $source['hash'] and therefore assumes that a file upload did happen. But since there was none, it fails at handleHashAndData with this exception. I could solve it by changing line 129 from

to

} elseif ((isset($source['hash']) && !empty($source['hash'])) ](| isset($source['data'))) {

but I doubt that this is a clean solution.

Jira-URL: https://jira.neos.io/browse/FLOW-172

Jira issue originally created by user mjonuschat:

When using Paas Providers it has become a common practice to provide the configuration parameters for a database connection in form of an environment variable along the lines of DATABASE_URL. This variable would contain a connection string in the form of postgresql://my.database.host:54321/flow_test.

As Doctrine already supports using URLs for a connection (see: [http://doctrine-dbal.readthedocs.org/en/latest/reference/configuration.html#connecting-using-a-url]) it would be nice if the Configuration/Settings.yaml would allow configuring the connection parameters using a URL string (not necessarily directly read from the Environment, this would be an added bonus)

Jira-URL: https://jira.neos.io/browse/FLOW-211

Jira issue originally created by user @bwaidelich:

Jira-URL: https://jira.neos.io/browse/FLOW-149

Jira issue originally created by user @bwaidelich:

It should be possible to define global flags that can be used for all commands

Jira-URL: https://jira.neos.io/browse/FLOW-216

Jira issue originally created by user baschny:

It could be useful to the first time user setting up their Flow application to know what options are available in the Settings.yaml related to the persistence. Since these are passed one-to-one to Doctrine DBAL, just point to their up-to-date documentation.

Jira-URL: https://jira.neos.io/browse/FLOW-251

Jira issue originally created by user Songyu:

In 'TYPO3\Flow\Composer\InstallerScripts::postPackageUpdateAndInstall' at lines 67, 68, 70 & 71 the variable $relativeInstallPath contains a slash at its end. The path-string it gets combined with however contains another slash at its own beginning, resulting in a path like this: 'Packages/Application/TYPO3.Neos//Resources/Private/Installer/Distribution/Defaults'. Note the two slashes between Neos & Resources.

This second, additional slash later prevents a str_replace in 'TYPO3\Flow\Utility\Files::copyDirectoryRecursively' at line 261 from returning the correct relative path for each found file, resulting in a copying of each file from its source path to a target path that is the same (except for a './' prepended to it).
Basicely nothing happens or the file just overwrites itself. Either way the feature to 'Automatically copy/overwrite files from a package to installation on composer install/update' (don't know what to call it) offered by Flows InstallerScripts is broken.

Only tested this on 2.2.x though. I checked 2.1.x source and found the excess slash there too. However I didn't test its functionality yet. Will do it this weekend though.

If needed, I can give a little more debugging information for each call & variables involved, I just don't have them at hand at the moment.

Jira-URL: https://jira.neos.io/browse/FLOW-23

Jira issue originally created by user timo.kiefer:

We have that problem about every 6 month, that the parsedFormats variable in DatesReader Cache is empty. We don't how this error occured. Our work around is to remove the whole caches of DatesReader.

Catchable Fatal Error: Argument 2 passed to TYPO3\Flow\I18n\Formatter\DatetimeFormatter*Original::doFormattingWithParsedFormat() must be of the type array, null given, called in /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/TYPO3_Flow_I18n_Formatter_DatetimeFormatter.php on line 108 and defined in /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/TYPO3_Flow_I18n_Formatter*DatetimeFormatter.php line 155

#0 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/TYPO3_Flow_I18n_Formatter*DatetimeFormatter.php(155): TYPO3\Flow\Error\ErrorHandler->handleError(4096, 'Argument 2 pass...', '/var/www/SETUPI...', 155, Array) 
#1 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/TYPO3_Flow_I18n_Formatter_DatetimeFormatter.php(108): TYPO3\Flow\I18n\Formatter\DatetimeFormatter_Original->doFormattingWithParsedFormat(Object(DateTime), NULL, Array) #2 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/TYPO3_Flow_I18n_Formatter_DatetimeFormatter.php(68): TYPO3\Flow\I18n\Formatter\DatetimeFormatter*Original->formatDate(Object(DateTime), Object(TYPO3\Flow\I18n\Locale), 'default') 
#3 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_ProductController.php(793): TYPO3\Flow\I18n\Formatter\DatetimeFormatter*Original->format(Object(DateTime), Object(TYPO3\Flow\I18n\Locale), Array) 
#4 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_ProductController.php(281): DGP\PIG\ViewHelpers\Widget\Controller\ProductController_Original->getTooltip() #5 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_ProductController.php(431): DGP\PIG\ViewHelpers\Widget\Controller\ProductController*Original->transformObject() 
#6 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_ProductController.php(408): DGP\PIG\ViewHelpers\Widget\Controller\ProductController*Original->transformChildren(Array) 
#7 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_AbstractWidgetController.php(186): DGP\PIG\ViewHelpers\Widget\Controller\ProductController*Original->transformObject() 
#8 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_AbstractWidgetController.php(171): DGP\PIG\ViewHelpers\Widget\Controller\AbstractWidgetController*Original->transformValue() 
#9 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_AbstractWidgetController.php(124): DGP\PIG\ViewHelpers\Widget\Controller\AbstractWidgetController*Original->transformValue() 
#10 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget_Controller_ProductController.php(164): DGP\PIG\ViewHelpers\Widget\Controller\AbstractWidgetController*Original->indexAction() 
#11 [internal function]: DGP\PIG\ViewHelpers\Widget\Controller\ProductController_Original->indexAction() 
#12 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/TYPO3_Flow_Mvc_Controller_ActionController.php(373): call_user_func*array(Array, Array) 
#13 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/TYPO3_Flow_Mvc_Controller_ActionController.php(169): TYPO3\Flow\Mvc\Controller\ActionController*Original->callActionMethod() 
#14 /var/www/SETUPIM/Packages/Framework/TYPO3.Fluid/Classes/TYPO3/Fluid/Core/Widget/AbstractWidgetController.php(53): TYPO3\Flow\Mvc\Controller\ActionController_Original->processRequest(Object(TYPO3\Flow\Mvc\ActionRequest), Object(TYPO3\Flow\Http\Response)) 
#15 /var/www/SETUPIM/Packages/Framework/TYPO3.Fluid/Classes/TYPO3/Fluid/Core/Widget/AbstractWidgetViewHelper.php(198): TYPO3\Fluid\Core\Widget\AbstractWidgetController->processRequest(Object(TYPO3\Flow\Mvc\ActionRequest), Object(TYPO3\Flow\Http\Response)) 
#16 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/DGP_PIG_ViewHelpers_Widget*ProductViewHelper.php(42): TYPO3\Fluid\Core\Widget\AbstractWidgetViewHelper->initiateSubRequest() 
#17 [internal function]: DGP\PIG\ViewHelpers\Widget\ProductViewHelper_Original->render(Object(TYPO3\Flow\Persistence\Doctrine\QueryResult), Object(DGP\PIG\Domain\Model\Node), Object(DateTime), Object(DGP\PIG\Domain\Model\Type), NULL, NULL, NULL, 'editing') 
#18 /var/www/SETUPIM/Packages/Framework/TYPO3.Fluid/Classes/TYPO3/Fluid/Core/ViewHelper/AbstractViewHelper.php(270): call*user_func*array(Array, Array) #19 /var/www/SETUPIM/Packages/Framework/TYPO3.Fluid/Classes/TYPO3/Fluid/Core/Widget/AbstractWidgetViewHelper.php(102): TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper->callRenderMethod() 
#20 /var/www/SETUPIM/Data/Temporary/Production/Cache/Code/Flow*Object_Classes/TYPO3_Fluid_Core_Parser_SyntaxTree*ViewHelperNode.php(141): TYPO3\Fluid\Core\Widget\AbstractWidgetViewHelper->initializeArgumentsAndRender() 
#21 /var/www/SETUPIM/Packages/Framework/TYPO3.Fluid/Classes/TYPO3/Fluid/Core/Parser/SyntaxTree/AbstractNode.php(51): TYPO3\Fluid\Core\Parser\SyntaxTree\ViewHelperNode_Original->evaluate(Object(TYPO3\Fluid\Core\Rendering\RenderingContext)) 
#22 ...

Jira-URL: https://jira.neos.io/browse/FLOW-277

Jira issue originally created by user @hlubek:

Browser offer plenty of security related headers that can prevent many client side attacks on websites. This includes possible XSS, Clickjacking, Man-in-the-middle and other attacks.

We should offer a way to set these headers in a configurable and extensible way, especially for CSP (Content Security Policy) which allows for a pretty complex configuration.

The HTTP components could provide a good point to integrate the headers, for Neos we need to think about a TypoScript solution that can contribute to the CSP configuration.

Some inspiration can be taken from Django Security (http://ipsec.pl/django/2013/introducing-django-security.html) which offers a nice list of available middlewares.

Jira-URL: https://jira.neos.io/browse/FLOW-15

Jira issue originally created by user econic:

If you render an edit/delete form, you can just replace the hidden **identity input to another entity's uuid that you have read access on and voilà, you can edit this entity.

Therefore i suggest the trustedProperties to contain also the **identity's value.

Since as a developer you would expect this to be checked, i regard this bug as critical because this opens up security vulnerabilities in all flow applications with edit/delete forms.

Jira-URL: https://jira.neos.io/browse/FLOW-138

Jira issue originally created by user @kitsunet:

Currently some operations set a permission mask and some don't. We should unify that and set proper permissions everywhere. Currently it can happen that cache files created during deployment won't be overwritable later by web requests for example.

Jira-URL: https://jira.neos.io/browse/FLOW-275

Jira issue originally created by user pumatertion:

Lets say f.e. you send an api request in a createAction to a payment provider.
he answers with status "500". in this case you need to forward to referrer including submitted arguments. but formviewhelpers does not show the submitted arguments because there are no errors in validation results.
vh should always use submitted arguments. no deed to check for validation errors + submitted argument decission. errors can happen also external, not only in internal validation.

Jira-URL: https://jira.neos.io/browse/FLOW-109

Jira issue originally created by user starhorst:

When selecting entities from a repository with a custom query containing statements like GROUP BY or/ and HAVING the internal count-query fails. Resulting in an misbehaviour of fluid which does no render the result.

My query causing the bug:

php$q = $this->createQuery(); $qb = ObjectAccess::getProperty($q, 'queryBuilder', TRUE); $qb ->leftJoin('e.solutions', 's') ->groupBy('e') ->having('COUNT(s) > 0');

Fixed the problem using
<f:if condition="{issues.first}">
instead of
<f:if condition="{issues}">

Jira-URL: https://jira.neos.io/browse/FLOW-104

Jira issue originally created by user @albe:

Currently, nested if conditions in fluid templates become hardly readable pretty soon, either due to deep indentation or repeated opening of <f:if>:

<f:if condition="{a}">
<f:then>
A!
</f:then>
<f:else>
    <f:if condition="{b}">
    <f:then>
        B!
    </f:then>
    <f:else>
        <f:if condition="{c}">
        <f:then>
           C!
       </f:then>
       <f:else>
           D!
       </f:else>
       </f:if>
    </f:else>
    </f:if>
</f:else>
</f:if>

Hence I suggest adding a elseif condition to the if ViewHelper like this:

<f:if condition="{a}">
  <f:then>
    A!
  </f:then>
  <f:elseif condition="{b}">
    B!
  </f:elseif>
  <f:elseif condition="{c}">
    C!
  </f:elseif>
  <f:else>
    D!
  </f:else>
</f:if>

Jira-URL: https://jira.neos.io/browse/FLOW-18

Jira issue originally created by user pumatertion:

JsonView accepts encoding options
json_encode should support multiple bitmask options
see: http://www.php.net/manual/en/json.constants.php

Jira-URL: https://jira.neos.io/browse/FLOW-157

Jira issue originally created by user cognifloyd:

Given the following trait (as a random example of a trait that includes an imported property):

namespace Some\Package;
use TYPO3\Flow\Package\PackageManagerInterface;
trait FancyTrait {
  /****
   * @Flow\Import
   * @var PackageManagerInterface
   */
   $packageManager;
}

The following does not work:

namespace Some\Package;
use FancyTrait;
class SomeClass {
  use FancyTrait;
}

Uncaught Exception: TYPO3\Flow\Core\Booting\Exception\SubProcessException

Message

  Uncaught Exception: TYPO3\Flow\Object\Exception\UnknownObjectException

  Message
    The object "PackageManagerInterface" which was specified as a property
  in
    the object configuration of object
    "Some\Package\SomeClass"
    (automatically registered class) does not exist. Check for spelling
    mistakes and if that dependency is correctly configured.

  More Information
    Exception code 1265213849
    File          
  Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Object/DependencyInjection/ProxyClassBuilder.php
  line 538
    Reference code 20141231173308a299ca


More Information
  Exception code 1355480641
  File           Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Core/Booting/Scripts.php line 528
  Reference code 201412311733073dade3

To get around the issue, I have to use anything used in the trait in the class that uses the trait. That means that the following does not trigger the same error:

namespace Some\Package;
use FancyTrait;
use TYPO3\Flow\Package\PackageManagerInterface;
class SomeClass {
  use FancyTrait;
}

So, Flow needs to be able to look in traits while compiling. It is really ugly to import things that the file is not using, and PhpStorm helpfully offers to remove those unused references, so it's easy to end up with a broken system since Flow is not taking traits into account.

Jira-URL: https://jira.neos.io/browse/FLOW-170

Jira issue originally created by user pumatertion:

My 7 cents about migration commands.
Is it realy needed to make a difference between core:migrate / doctrine:migrate and if its needed, their generic arguments should be unified (f.e. --verbose vs. --quiet).

1. "flow migrate" (to run all necessary migrations)
2. "flow migrate --type=doctrine|core" (to make the difference wich is currently done by different commands)
3. Generic "--dry-run" argument or at least "flow core:migrate --dry-run | flow doctrine:migrate --dry-run"
4. Generic "--status or --version" argument. Currenlty doctrine:migrate --version and core_migrate --status has the same job for me: Simply getting current state information of the migration.
5. Generic "--verbose or --quiet" argument. Currenlty doctrine:migrate is using --quiet and core:migrate using --verbose.
6. "flow core:migrate --status" shows "migrated" or "not migrated, skipped". "not migrated, skipped" is a mixup and not clear to me. its not possible in my opinion that some migration is skippable if no migration happened before. i can only skip migrated ones. for me a better information is "no migration necessary"
7. Output of what is "skipped" should be located in a result message of "flow core:migrate (--dry-run) --verbose".

Jira-URL: https://jira.neos.io/browse/FLOW-204

Jira issue originally created by user @bwaidelich:

Since https://forge.typo3.org/issues/28544 Fluid compiles templates into PHP when they are parsed for the first time.
But this compilation is disabled if a ViewHelper is used, that:

• implements ChildNodeAccessInterface and
• does not implement CompilableInterface

This is true for all widgets by default.

This is especially bad in the case of the PaginateViewHelper that is commonly used in large templates that could benefit profoundly from being compiled.

Maybe we can fix this for all widgets, but at least we should try to implement the CompilableInterface in the PaginateViewHelper.

I just stumbled upon this issue by chance - we should consider some kind of logging for non-compilable templates.

Jira-URL: https://jira.neos.io/browse/FLOW-196