Merge branch '4.x' into feature/where-has-relationships

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -45,8 +45,8 @@ body:
       label: Antlers Parser
       description: If using 3.3+, which Antlers Parser are you using?
       options:
-        - regex (default)
-        - runtime (new)
+        - Runtime (default)
+        - Regex (legacy)
     validations:
       required: false
   - type: textarea

.github/workflows/tests.yml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v36
+        uses: tj-actions/changed-files@v41
         with:
           files: |
             config
@@ -108,7 +108,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v36
+        uses: tj-actions/changed-files@v41
         with:
           files: |
             **.{js,vue,ts}

CHANGELOG.md

@@ -1,5 +1,92 @@
 # Release Notes
 
+## 4.43.0 (2024-01-09)
+
+### What's new
+- Add deleting events. [#9227](https://github.com/statamic/cms/issues/9227) by @ryanmitchell
+- Add `saveQuietly` to `LocalizedTerm`. [#9278](https://github.com/statamic/cms/issues/9278) by @joshuablum
+- Presets are regenerated after updating focal point. [#9019](https://github.com/statamic/cms/issues/9019) by @duncanmcclean
+- Allow removal of scopes. [#9264](https://github.com/statamic/cms/issues/9264) by @ryanmitchell
+
+### What's fixed
+- Fix disabled save button when creating term inside term inside stack. [#9152](https://github.com/statamic/cms/issues/9152) by @duncanmcclean
+- Fix `metaPath` for root assets. [#9287](https://github.com/statamic/cms/issues/9287) by @duncanmcclean
+- Prevent corrupt submission file from causing errors. [#9282](https://github.com/statamic/cms/issues/9282) by @duncanmcclean
+- Clear selections when navigating pagination. [#9286](https://github.com/statamic/cms/issues/9286) by @duncanmcclean
+- Avoid custom exception handler for API requests. [#9275](https://github.com/statamic/cms/issues/9275) by @duncanmcclean
+- Fix usage of children tag with multisite and specified url. [#9280](https://github.com/statamic/cms/issues/9280) by @MedRochon
+- Fix mobile issues with Fieldset Listing & Field Settings stack. [#9250](https://github.com/statamic/cms/issues/9250) by @duncanmcclean
+- Prevent updating a term's slug resulting in two Stache terms. [#9260](https://github.com/statamic/cms/issues/9260) by @ryanmitchell
+- Change asset unlink icon. [#9204](https://github.com/statamic/cms/issues/9204) by @edalzell
+- Fix error from static caching invalidator when deleting entries. [#9191](https://github.com/statamic/cms/issues/9191) by @duncanmcclean
+- Throw 404 exception on Taxonomy Term Entries endpoint when term doesn't exist. [#9273](https://github.com/statamic/cms/issues/9273) by @duncanmcclean
+- Replace problematic JSON directive. [#9271](https://github.com/statamic/cms/issues/9271) by @JohnathonKoster
+- Use authenticated user in Git events even when queued. [#9225](https://github.com/statamic/cms/issues/9225) by @duncanmcclean
+- Fix "Update All" in search utility. [#9269](https://github.com/statamic/cms/issues/9269) by @duncanmcclean
+- Prevent users without "edit" permission editing navs. [#9265](https://github.com/statamic/cms/issues/9265) by @duncanmcclean
+- Localize revision dates. [#9266](https://github.com/statamic/cms/issues/9266) by @jasonvarga
+- Use the site locale when auto generating titles. [#9261](https://github.com/statamic/cms/issues/9261) by @ryanmitchell
+- Bump axios from 0.21.4 to 1.6.4 [#8974](https://github.com/statamic/cms/issues/8974) by @dependabot
+
+
+
+## 4.42.1 (2024-01-04)
+
+### What's fixed
+- Ensure error message is displayed when uploading large file. [#9258](https://github.com/statamic/cms/issues/9258) by @duncanmcclean
+- Prevent Bard augmentation error after enabling "Save HTML" option. [#9198](https://github.com/statamic/cms/issues/9198) by @duncanmcclean
+- Avoid compiling certain user defined strings. [#9256](https://github.com/statamic/cms/issues/9256) by @jasonvarga
+- Fix an issue with short interpolated variables in Antlers. [#9253](https://github.com/statamic/cms/issues/9253) by @JohnathonKoster
+- Fix issue with AuthServiceProvider and Laravel Octane. [#9240](https://github.com/statamic/cms/issues/9240) by @nadinengland
+- Allow CP Nav to be created each request under Laravel Octane. [#9241](https://github.com/statamic/cms/issues/9241) by @nadinengland
+- Fix Link Fieldtype inside nested Bard. [#9252](https://github.com/statamic/cms/issues/9252) by @duncanmcclean
+- Clear permission cache when setting or removing permissions from a role. [#9244](https://github.com/statamic/cms/issues/9244) by @aerni
+- Bump tj-actions/changed-files from 36 to 41. [#9247](https://github.com/statamic/cms/issues/9247) by @dependabot
+
+
+
+## 4.42.0 (2023-12-18)
+
+### What's improved
+- Submission date now uses localized date format [#9215](https://github.com/statamic/cms/issues/9215) by @mmodler
+- French translations [#9218](https://github.com/statamic/cms/issues/9218) by @ebeauchamps
+
+### What's fixed
+- Fix nested JSON field handles not passing validation [#9217](https://github.com/statamic/cms/issues/9217) by @caseydwyer
+- Fix null values not being filtered on front-end forms [#9212](https://github.com/statamic/cms/issues/9212) by @ryanmitchell
+- Fix `{{ children }}` tag for collections other than Pages [#9210](https://github.com/statamic/cms/issues/9210) by @MedRochon
+- Use `setTimeout` to fix dirty state issue [#9213](https://github.com/statamic/cms/issues/9213) by @duncanmcclean
+
+
+
+## 4.41.0 (2023-12-14)
+
+### What's new
+- Ability to configure templates & layouts for taxonomies [#8372](https://github.com/statamic/cms/issues/8372) by @ryanmitchell
+- Add `query_scopes` option to the Assets fieldtype [#8459](https://github.com/statamic/cms/issues/8459) by @jacksleight
+
+### What's improved
+- Entries and terms are now provided lazily in search [#9171](https://github.com/statamic/cms/issues/9171) by @ryanmitchell
+- When an entry has an origin, the mount will now be fetched from the origin [#9063](https://github.com/statamic/cms/issues/9063) by @ryanmitchell
+
+### What's fixed
+- Fix dirty state issue on the entry publish form [#9203](https://github.com/statamic/cms/issues/9203) by @vluijkx
+- Fix error when a navigation's tree file is missing [#9032](https://github.com/statamic/cms/issues/9032) by @duncanmcclean
+- Asset field now supports mixed permissions [#9156](https://github.com/statamic/cms/issues/9156) by @edalzell
+- Prevent precognitive validation on asset fields [#9170](https://github.com/statamic/cms/issues/9170) by @ryanmitchell
+- Fix stack hover offset on close [#9201](https://github.com/statamic/cms/issues/9201) by @jacksleight
+- Prevent configuring multiple conditions for the same field [#9199](https://github.com/statamic/cms/issues/9199) by @duncanmcclean
+- Fix section showing without any visible fields [#9137](https://github.com/statamic/cms/issues/9137) by @aerni
+- Fix tabs showing without any visible fields [#9135](https://github.com/statamic/cms/issues/9135) by @edalzell
+- Fix template selector on Windows [#9197](https://github.com/statamic/cms/issues/9197) by @duncanmcclean
+- Fix previewing revisions via the Relationship Fieldtype [#9190](https://github.com/statamic/cms/issues/9190) by @duncanmcclean
+- Update the bug report template [#9195](https://github.com/statamic/cms/issues/9195) by @jelleroorda
+- Fix issue with meta being updated wrongly in Link Fieldtype [#9189](https://github.com/statamic/cms/issues/9189) by @duncanmcclean
+- Fix Read Only icon when viewing revisions [#9188](https://github.com/statamic/cms/issues/9188) by @duncanmcclean
+- Fix Global Set without a blueprint breaking the Fieldsets page [#9187](https://github.com/statamic/cms/issues/9187) by @duncanmcclean
+
+
+
 ## 4.40.0 (2023-12-11)
 
 ### What's new

SECURITY.md

@@ -11,7 +11,7 @@ While working to identify potential security vulnerabilities in Statamic, we ask
 ## Scope
 We are only interested in vulnerabilities that affect Statamic itself, tested against **your own local installation** of the software, running the latest version. You can install a local copy of Statamic by following these [installation instructions](https://statamic.dev/installing). Do not test against any Statamic installation that you don’t own, including [statamic.com](https:/statamic.com) or [statamic.dev](https://statamic.dev).
 
-### Qualifying Vulnerabilities
+### Potentially Qualifying Vulnerabilities
 
 - [Cross-Site Scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting)
 - [Cross-Site Request Forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery)
@@ -22,19 +22,19 @@ We are only interested in vulnerabilities that affect Statamic itself, tested ag
 
 ### Non-Qualifying Vulnerabilities
 
+- XSS vectors or bugs that rely on an unlikely user interaction (i.e. a privileged user attacking themselves or their own site)
 - Reports from automated tools or scanners
 - Theoretical attacks without actual proof of exploitability
 - Attacks that can be guarded against by following our security recommendations.
 - Server configuration issues outside of Statamic’s control
 - [Denial of Service](https://en.wikipedia.org/wiki/Denial-of-service_attack) attacks
-- [Brute force attacks](https://en.wikipedia.org/wiki/Brute-force_attack) (e.g. on password or
+- [Brute force attacks](https://en.wikipedia.org/wiki/Brute-force_attack) (e.g. on password or email address)
 - Username or email address enumeration
-- Social engineering of Wilderborn staff or users of Statamic installations
+- Social engineering of Statamic staff or users of Statamic installations
 - Physical attacks against Statamic installations
 - Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack))
 - Attacks that are the result of a 3rd party Statamic addon should be reported to the addon’s author
 - Attacks that are the result of a 3rd party library should be reported to the library maintainers
-- Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
 - Disclosure of tools or libraries used by Statamic and/or their versions
 - Issues that are the result of a user doing something silly (like sharing their password publicly)
 - Missing security headers which do not lead directly to a vulnerability via proof of concept

package.json

@@ -47,7 +47,7 @@
     "@tiptap/vue-2": "^2.0.2",
     "alpinejs": "^3.1.1",
     "autosize": "~3.0.12",
-    "axios": "^0.21.2",
+    "axios": "^1.6.0",
     "body-scroll-lock": "^4.0.0-beta.0",
     "codemirror": "^5.58.2",
     "cookies-js": "^1.2.2",

resources/js/components/DirtyState.js

@@ -29,8 +29,7 @@ const vm = new Vue({
         },
 
         remove(name) {
-            const i = this.names.indexOf(name);
-            this.names.splice(i, 1);
+            this.names = this.names.filter(n => n !== name);
         },
 
         enableWarning() {

resources/js/components/assets/Browser/Browser.vue

@@ -325,6 +325,7 @@ export default {
         restrictFolderNavigation: Boolean,  // Whether to restrict to a single folder and prevent navigation.
         selectedAssets: Array,
         maxFiles: Number,
+        queryScopes: Array,
         initialEditingAssetId: String,
         autoselectUploads: Boolean,
         autofocusSearch: Boolean,
@@ -402,6 +403,7 @@ export default {
                 sort: this.sortColumn,
                 order: this.sortDirection,
                 search: this.searchQuery,
+                queryScopes: this.queryScopes,
             }
         },
 

resources/js/components/assets/Selector.vue

@@ -11,6 +11,7 @@
                     :restrict-container-navigation="restrictContainerNavigation"
                     :restrict-folder-navigation="restrictFolderNavigation"
                     :max-files="maxFiles"
+                    :query-scopes="queryScopes"
                     :autoselect-uploads="true"
                     :autofocus-search="true"
                     @selections-updated="selectionsUpdated"
@@ -57,6 +58,7 @@ export default {
         folder: String,
         selected: Array,
         maxFiles: Number,
+        queryScopes: Array,
         restrictContainerNavigation: {
             type: Boolean,
             default() {

resources/js/components/assets/Uploader.vue

@@ -176,7 +176,14 @@ export default {
             const id = upload.id;
 
             upload.instance.upload().then(response => {
-                const json = JSON.parse(response.data);
+                let json = null;
+
+                try {
+                    json = JSON.parse(response.data);
+                } catch (error) {
+                    // If it fails, it's probably because the response is HTML.
+                }
+
                 response.status === 200
                     ? this.handleUploadSuccess(id, json)
                     : this.handleUploadError(id, status, json);
@@ -190,7 +197,7 @@ export default {
 
         handleUploadError(id, status, response) {
             const upload = this.findUpload(id);
-            let msg = response.message;
+            let msg = response?.message;
             if (! msg) {
                 if (status === 413) {
                     msg = __('Upload failed. The file is larger than is allowed by your server.');

resources/js/components/data-list/HasPagination.js

@@ -45,10 +45,12 @@ export default {
 
         selectPage(page) {
             this.page = page;
+            this.$events.$emit('clear-selections');
         },
 
         resetPage() {
             this.page = 1;
+            this.$events.$emit('clear-selections');
         },
 
     }

resources/js/components/entries/PublishForm.vue

@@ -16,7 +16,7 @@
             </dropdown-list>
 
             <div class="pt-px text-2xs text-gray-600 flex mr-4" v-if="readOnly">
-                <svg-icon name="lock" class="w-4 mr-1 -mt-1" /> {{ __('Read Only') }}
+                <svg-icon name="light/lock" class="w-4 mr-1 -mt-1" /> {{ __('Read Only') }}
             </div>
 
             <div class="hidden md:flex items-center">
@@ -565,7 +565,10 @@ export default {
                 .then(() => {
                     // If revisions are enabled, just emit event.
                     if (this.revisionsEnabled) {
+                        clearTimeout(this.trackDirtyStateTimeout)
+                        this.trackDirtyState = false
                         this.values = this.resetValuesFromResponse(response.data.data.values);
+                        this.trackDirtyStateTimeout = setTimeout(() => (this.trackDirtyState = true), 350)
                         this.$nextTick(() => this.$emit('saved', response));
                         return;
                     }
@@ -586,7 +589,10 @@ export default {
                     // the hooks are resolved because if this form is being shown in a stack, we only
                     // want to close it once everything's done.
                     else {
+                        clearTimeout(this.trackDirtyStateTimeout);
+                        this.trackDirtyState = false;
                         this.values = this.resetValuesFromResponse(response.data.data.values);
+                        this.trackDirtyStateTimeout = setTimeout(() => (this.trackDirtyState = true), 350);
                         this.initialPublished = response.data.data.published;
                         this.activeLocalization.published = response.data.data.published;
                         this.activeLocalization.status = response.data.data.status;
@@ -667,6 +673,7 @@ export default {
                 this.site = localization.handle;
                 this.localizing = false;
                 this.initialPublished = data.values.published;
+                this.readOnly = data.readOnly;
 
                 this.trackDirtyStateTimeout = setTimeout(() => this.trackDirtyState = true, 300); // after any fieldtypes do a debounced update
             })

resources/js/components/field-conditions/Builder.vue

@@ -134,7 +134,7 @@ export default {
 
         fieldOptions() {
             return this.normalizeInputOptions(
-                _.reject(this.suggestableFields, field => field === this.config.handle)
+                _.reject(this.suggestableFields, field => field === this.config.handle || this.conditions.map(condition => condition.field).includes(field))
             );
         },
 

resources/js/components/fields/Settings.vue

@@ -1,6 +1,6 @@
 <template>
 
-    <div class="h-full overflow-auto bg-gray-300 h-full">
+    <div class="h-full bg-gray-300 h-full overflow-scroll">
 
         <div v-if="loading" class="absolute inset-0 z-200 flex items-center justify-center text-center ">
             <loading-graphic />