Merge pull request civicrm#8989 from civicrm/4.7.11-rc

4.7.11 rc

CRM/Core/BAO/SchemaHandler.php

@@ -370,11 +370,24 @@ public static function dropTable($tableName) {
   /**
    * @param string $tableName
    * @param string $columnName
+   * @param bool $l18n
+   *
    */
-  public static function dropColumn($tableName, $columnName) {
+  public static function dropColumn($tableName, $columnName, $l18n = FALSE) {
     if (self::checkIfFieldExists($tableName, $columnName)) {
       $sql = "ALTER TABLE $tableName DROP COLUMN $columnName";
-      CRM_Core_DAO::executeQuery($sql);
+      if ($l18n) {
+        CRM_Core_DAO::executeQuery($sql);
+      }
+      else {
+        CRM_Core_DAO::executeQuery($sql, array(), TRUE, NULL, FALSE, FALSE);
+      }
+      $domain = new CRM_Core_DAO_Domain();
+      $domain->find(TRUE);
+      if ($domain->locales) {
+        $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales);
+        CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL);
+      }
     }
   }
 

CRM/Upgrade/Incremental/php/FourSeven.php

@@ -99,8 +99,11 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) {
 
       $postUpgradeMessage .= '<p>' . ts('The custom fatal error template setting has been removed.') . '</p>';
     }
+    //if ($rev == '4.7.11') {
+    //  $postUpgradeMessage .= '<br /><br />' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
+    //}
     if ($rev == '4.7.11') {
-      $postUpgradeMessage .= '<br /><br />' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
+      $postUpgradeMessage .= '<br /><br />' . ts("By default, CiviCRM now disables the ability to import directly fro SQL. To use this feature, you must explicitly grant permission 'import SQL datasource'.");
     }
   }
 
@@ -232,6 +235,7 @@ public function upgrade_4_7_10($rev) {
   public function upgrade_4_7_11($rev) {
     $this->addTask(ts('Upgrade DB to %1: SQL', array(1 => $rev)), 'runSql', $rev);
     $this->addTask('Dashboard schema updates', 'dashboardSchemaUpdate');
+    $this->addTask(ts('Fill in setting "remote_profile_submissions"'), 'migrateRemoteSubmissionsSetting');
   }
 
   /*
@@ -457,6 +461,35 @@ public static function migrateOnBehalfOfInfo(CRM_Queue_TaskContext $ctx) {
     return TRUE;
   }
 
+  /**
+   * v4.7.11 adds a new setting "remote_profile_submissions". This is
+   * long-standing feature that existing sites may be using; however, it's
+   * a bit prone to abuse. For new sites, the default is to disable it
+   * (since that is more secure). For existing sites, the default is to
+   * enable it (since that is more compatible).
+   *
+   * @param \CRM_Queue_TaskContext $ctx
+   *
+   * @return bool
+   */
+  public function migrateRemoteSubmissionsSetting(CRM_Queue_TaskContext $ctx) {
+    $domains = CRM_Core_DAO::executeQuery("SELECT DISTINCT d.id FROM civicrm_domain d LEFT JOIN civicrm_setting s ON d.id=s.domain_id AND s.name = 'remote_profile_submissions' WHERE s.id IS NULL");
+    while ($domains->fetch()) {
+      CRM_Core_DAO::executeQuery(
+        "INSERT INTO civicrm_setting (`name`, `value`, `domain_id`, `is_domain`, `contact_id`, `component_id`, `created_date`, `created_id`)
+          VALUES (%2, %3, %4, %5, NULL, NULL, %6, NULL)",
+        array(
+          2 => array('remote_profile_submissions', 'String'),
+          3 => array('s:1:"1";', 'String'),
+          4 => array($domains->id, 'Integer'),
+          5 => array(1, 'Integer'),
+          6 => array(date('Y-m-d H:i:s'), 'String'),
+        )
+      );
+    }
+    return TRUE;
+  }
+
   /**
    * CRM-11782 - Get rid of VALUE_SEPARATOR character in saved search form values
    *
@@ -753,6 +786,8 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) {
       CRM_Core_DAO::executeQuery('DELETE c1 FROM civicrm_dashboard_contact c1, civicrm_dashboard_contact c2 WHERE c1.contact_id = c2.contact_id AND c1.dashboard_id = c2.dashboard_id AND c1.id > c2.id');
       CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard_contact ADD UNIQUE INDEX index_dashboard_id_contact_id (dashboard_id, contact_id);');
     }
+    $domain = new CRM_Core_DAO_Domain();
+    $domain->find(TRUE);
     CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'content');
     CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'is_minimized');
     CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'is_fullscreen');
@@ -765,7 +800,12 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) {
     CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET url = REPLACE(url, "&snippet=5", ""), fullscreen_url = REPLACE(fullscreen_url, "&snippet=5", "")');
 
     if (!CRM_Core_BAO_SchemaHandler::checkIfFieldExists('civicrm_dashboard', 'cache_minutes')) {
-      CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard ADD COLUMN cache_minutes int unsigned NOT NULL DEFAULT 60 COMMENT "Number of minutes to cache dashlet content in browser localStorage."');
+      CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard ADD COLUMN cache_minutes int unsigned NOT NULL DEFAULT 60 COMMENT "Number of minutes to cache dashlet content in browser localStorage."',
+         array(), TRUE, NULL, FALSE, FALSE);
+    }
+    if ($domain->locales) {
+      $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales);
+      CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL);
     }
 
     CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET cache_minutes = 1440 WHERE name = "blog"');

CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl

@@ -14,6 +14,13 @@ UPDATE civicrm_dashboard SET name = 'myCases' WHERE (name IS NULL OR name = '')
 UPDATE civicrm_dashboard SET name = 'allCases' WHERE (name IS NULL OR name = '') AND url LIKE "civicrm/dashlet/allCases?%";
 UPDATE civicrm_dashboard SET name = 'casedashboard' WHERE (name IS NULL OR name = '') AND url LIKE "civicrm/dashlet/casedashboard?%";
 
+-- CRM-19291 Fix names on dashlets where name is an empty string
+{if $multilingual}
+UPDATE civicrm_dashboard SET name = label_{$locales.0} WHERE name = '';
+{else}
+UPDATE civicrm_dashboard SET name = label WHERE name = '';
+{/if}
+
 -- CRM-18508 Display State/Province in event address in registration emails
 {include file='../CRM/Upgrade/4.7.11.msg_template/civicrm_msg_template.tpl'}
 

CRM/Utils/Check/Component/Security.php

@@ -256,6 +256,28 @@ public function checkFilesAreNotPresent() {
     return $messages;
   }
 
+  /**
+   * Discourage use of remote profile forms.
+   */
+  public function checkRemoteProfile() {
+    $messages = array();
+
+    if (Civi::settings()->get('remote_profile_submissions')) {
+      $messages[] = new CRM_Utils_Check_Message(
+        __FUNCTION__,
+        ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
+          array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1'))
+        ),
+        ts('Remote Profiles Enabled'),
+        \Psr\Log\LogLevel::WARNING,
+        'fa-lock'
+      );
+    }
+
+    return $messages;
+  }
+
+
   /**
    * Check that the sysadmin has not modified the Cxn
    * security setup.