Choose the correct protocol in route::link when force https is disabled#24089
Choose the correct protocol in route::link when force https is disabled#24089HLeithner merged 11 commits intojoomla:stagingfrom
Conversation
|
It's not documented anymore, but joomla-cms/administrator/components/com_menus/models/forms/item_component.xml Lines 133 to 142 in 7515081 Basing protocol on request would require another option, I think. |
|
Value 2 is forcing http and that should still works. |
|
Value |
|
The API for route::link is different then the https force options. We convert it before we call route::link |
|
So it's technically correct that |
|
-1 doesn't force it, -1 uses the current protocol. It's used because it's int and not 0 but don't ask me why not NULL is used. |
|
Without patch value -1 forces HTTP and this is fine. Changing this is going to break A B/C safe solution is to introduce another value to replace -1 wherever we want to use protocol from request. |
|
To be more clear, behavior with both -1 and 2 is exactly the same and it must remain so. |
|
So I rewrote route::_ and route::link to support absolute parameter. And also deprecated -1 and added constants to the route class. |
| * @since 1.7.0 | ||
| */ | ||
| public static function _($url, $xhtml = true, $ssl = null) | ||
| public static function _($url, $xhtml = true, $tls = self::TLS_IGNORE, $absolute = false) |
There was a problem hiding this comment.
Do we really need an $absolute param here?
There was a problem hiding this comment.
yes, route::_ is now a short cut to the current client router so should have the same features as route::link
There was a problem hiding this comment.
New parameter is not necessary. Just have 4 acceptable values for $ssl. I.e. 0 keep relative URL, 1 force HTTPS, 2 force HTTP, 3 use protocol from request.
There was a problem hiding this comment.
Thats not true, its a pain everytime you try to create a link that can't be relative (like all I added true in this PR) or if you create a link for an external system (api, json, mail you name it)
There was a problem hiding this comment.
What I mean is you just need another constant/value for absolute URL with protocol from request, e.g.:
RELATIVE = 0;
HTTPS = 1;
HTTP = 2;
REQUEST = 3;
And then in the code use:
$linkMode = $config->get('force_ssl', 0) == 2 ? Route::HTTPS : Route::REQUEST;
There was a problem hiding this comment.
In my opinion this are 2 complete different things. Thats the reason for an extra parameter.
There was a problem hiding this comment.
Having another constant would be cleaner, in my opinion. A separate parameter won't have any effect when $tls is 1 or 2. But you're the lead, you decide. If you do go with a parameter, please add a note that it only takes effect when $tls = 0.
Now fix the conflicts please and let's have this tested.
|
Thank you all for your work. The test was not successful but it is the first time I have tested a Joomla patch so please bear with me if it was my fault: Steps to test the patch In Joomla "staging" from https://github.com/joomla/joomla-cms Users: Options: Allow User Registration: Yes Users: Options: New User Account Activation: Administrators include {loadmodule mod_login} in an article link a published menu module to a visible menu publish a single article menu item for the article in the visible menu create a hidden menu not linked to any menu module publish a menu item alias menu item for the single article menu item in the hidden menu publish a users registration form menu item with the menu item alias menu item as owner set all the above menu items Metadata Secure = On select the single article menu item and select Create an account note that registration links emailed to users and administrators do not honour the security setting but instead use http: apply patch 24089 clear Joomla cache and expired cache and browser cache select the single article menu item and select Create an account Expected result registration links emailed to users and administrators honour the security setting by using https: Actual result https://localhost/joomla-cms-staging/index.php/registration-form?task=registration.register |
|
@chrisxchrisxchrisx please mark your test as unsuccessfully > https://docs.joomla.org/Testing_Joomla!_patches#Recording_test_results |
|
I have tested this item 🔴 unsuccessfully on bb54c76 Steps to test the patch In Joomla "staging" from https://github.com/joomla/joomla-cms Users: Options: Allow User Registration: Yes Users: Options: New User Account Activation: Administrators include {loadmodule mod_login} in an article link a published menu module to a visible menu publish a single article menu item for the article in the visible menu create a hidden menu not linked to any menu module publish a menu item alias menu item for the single article menu item in the hidden menu publish a users registration form menu item with the menu item alias menu item as owner set all the above menu items Metadata Secure = On select the single article menu item, select Create an account, complete form and submit note that registration links emailed to users and administrators do not honour the security setting but instead use http: apply patch 24089 clear Joomla cache and expired cache and browser cache select the single article menu item, select Create an account, complete form and submit Expected result registration links emailed to users and administrators honour the security setting by using https: Actual result at index.php/registration-form?task=registration.register This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24089. |
# Conflicts: # administrator/components/com_actionlogs/helpers/actionlogs.php
|
thx @chrisxchrisxchrisx fixed now |
|
I have tested this item ✅ successfully on 4610fe4 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24089. |
|
I have tested this item ✅ successfully on 4610fe4 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24089. |
|
Status "Ready To Commit". |
| { | ||
| // Before 3.9.0 this method failed silently on router error. This B/C will be removed in Joomla 4.0. | ||
| // @deprecated 4.0 Before 3.9.0 this method failed silently on router error. This B/C will be removed in Joomla 4.0. | ||
| return null; |
There was a problem hiding this comment.
Any suggestion how todo this without flooding the log?
There was a problem hiding this comment.
hmm in case of an error i would expect an log, else we can't blame extension devs not seeing this deprecation? IIRC we only collect the logs in case there is debug enabled right?
| 'index.php?option=com_users&task=registration.activate&token=' . $data['activation'], | ||
| false, | ||
| $linkMode, | ||
| true |
There was a problem hiding this comment.
just to be sure here. We now force JRoute::link to be called with $absolute = ture in order to work like before that patch here? If yes isn't that a B/C change?
There was a problem hiding this comment.
The original request was -1 or 1 to $ssl this means it always returned the full url
if ((int) $ssl || $uri->isSsl())
{
...
$scheme = array_merge($scheme, array('host', 'port', 'scheme'));
}
$url = $uri->toString($scheme);
So this should not change anything.
Pull Request for Issue #23046 .
Summary of Changes
Use the correct http schema.
Testing Instructions
Test user registration with and without forced https on http and https
Expected result
Actual result