Merge pull request #6305 from getkirby/release/4.1.1

4.1.1

.gitattributes

@@ -26,7 +26,7 @@ panel/public export-ignore
 panel/README.md export-ignore
 panel/scripts export-ignore
 panel/src export-ignore
-panel/vite.config.js export-ignore
+panel/vite.config.mjs export-ignore
 panel/vitest.setup.js export-ignore
 
 # other

.github/workflows/backend.yml

@@ -57,7 +57,7 @@ jobs:
     timeout-minutes: 5
     strategy:
       matrix:
-        php: ["8.1", "8.2", "8.3"]
+        php: [ "8.1", "8.2", "8.3" ]
     env:
       extensions: mbstring, ctype, curl, gd, apcu, memcached
       ini: apc.enabled=1, apc.enable_cli=1, pcov.directory=., "pcov.exclude=\"~(vendor|tests)~\""
@@ -79,21 +79,21 @@ jobs:
 
       - name: Setup PHP cache environment
         id: ext-cache
-        uses: shivammathur/cache-extensions@d776e47f06e6e567f0c77a43f9054fb0753993d7 # pin@v1
+        uses: shivammathur/cache-extensions@a167dc27e7329e600b4fffbbbc8b01b9221ab923 # pin@v1
         with:
           php-version: ${{ matrix.php }}
           extensions: ${{ env.extensions }}
           key: php-v1
 
       - name: Cache PHP extensions
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
         with:
           path: ${{ steps.ext-cache.outputs.dir }}
           key: ${{ steps.ext-cache.outputs.key }}
           restore-keys: ${{ steps.ext-cache.outputs.key }}
 
       - name: Setup PHP environment
-        uses: shivammathur/setup-php@7fdd3ece872ec7ec4c098ae5ab7637d5e0a96067 # pin@v2
+        uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d # pin@v2
         with:
           php-version: ${{ matrix.php }}
           extensions: ${{ env.extensions }}
@@ -108,7 +108,7 @@ jobs:
 
       - name: Cache analysis data
         id: finishPrepare
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
         with:
           path: ~/.cache/psalm
           key: backend-analysis-${{ matrix.php }}
@@ -130,7 +130,7 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           PHP: ${{ matrix.php }}
         if: env.token != ''
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@v3
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # pin@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }} # for better reliability if the GitHub API is down
           fail_ci_if_error: true
@@ -140,7 +140,7 @@ jobs:
 
       - name: Upload code scanning results to GitHub
         if: always() && steps.finishPrepare.outcome == 'success' && github.repository == 'getkirby/kirby'
-        uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # pin@v2
+        uses: github/codeql-action/upload-sarif@4a8f20f6b9b5114f354129a1e2f391d75bfd640a # pin@v2
         with:
           sarif_file: sarif
 
@@ -179,22 +179,22 @@ jobs:
 
       - name: Setup PHP cache environment
         id: ext-cache
-        uses: shivammathur/cache-extensions@d776e47f06e6e567f0c77a43f9054fb0753993d7 # pin@v1
+        uses: shivammathur/cache-extensions@a167dc27e7329e600b4fffbbbc8b01b9221ab923 # pin@v1
         with:
           php-version: ${{ env.php }}
           extensions: ${{ env.extensions }}
           key: php-analysis-v1
 
       - name: Cache PHP extensions
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
         with:
           path: ${{ steps.ext-cache.outputs.dir }}
           key: ${{ steps.ext-cache.outputs.key }}
           restore-keys: ${{ steps.ext-cache.outputs.key }}
 
       - name: Setup PHP environment
         id: finishPrepare
-        uses: shivammathur/setup-php@7fdd3ece872ec7ec4c098ae5ab7637d5e0a96067 # pin@v2
+        uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d # pin@v2
         with:
           php-version: ${{ env.php }}
           extensions: ${{ env.extensions }}
@@ -221,7 +221,7 @@ jobs:
 
       - name: Upload code scanning results to GitHub
         if: always() && steps.finishPrepare.outcome == 'success' && github.repository == 'getkirby/kirby'
-        uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # pin@v2
+        uses: github/codeql-action/upload-sarif@4a8f20f6b9b5114f354129a1e2f391d75bfd640a # pin@v2
         with:
           sarif_file: sarif
 
@@ -255,31 +255,19 @@ jobs:
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
 
       - name: Setup PHP environment
-        uses: shivammathur/setup-php@7fdd3ece872ec7ec4c098ae5ab7637d5e0a96067 # pin@v2
+        uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d # pin@v2
         with:
           php-version: ${{ env.php }}
           coverage: none
           tools: php-cs-fixer:3.13.0
 
       - name: Cache analysis data
         id: finishPrepare
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
         with:
           path: ~/.php-cs-fixer
           key: coding-style
 
       - name: Check for PHP coding style violations
         if: always() && steps.finishPrepare.outcome == 'success'
-        # Use the --dry-run flag in push builds to get a failed CI status
-        run: >
-          php-cs-fixer fix --diff
-          ${{ github.event_name != 'pull_request' && '--dry-run' || '' }}
-
-      - name: Create code suggestions from the coding style changes (on PR only)
-        if: >
-          always() && steps.finishPrepare.outcome == 'success' &&
-          github.event_name == 'pull_request'
-        uses: reviewdog/action-suggester@3f60d0e826f0873905e0eeca522d562a6e67afbd # pin@v1
-        with:
-          tool_name: PHP-CS-Fixer
-          fail_on_error: "true"
+        run: php-cs-fixer fix --diff --dry-run

.github/workflows/frontend.yml

@@ -93,10 +93,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # pin@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
 
       - name: Set up Node.js problem matchers and cache npm dependencies
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # pin@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
         with:
           cache: "npm"
           cache-dependency-path: panel/package-lock.json
@@ -108,34 +108,10 @@ jobs:
 
       - name: Check for JavaScript coding style violations (ESLint)
         if: always() && steps.finishPrepare.outcome == 'success'
-        # Use the --no-fix flag in push builds to get a failed CI status
-        run: >
-          npm run lint -- --max-warnings 0 --format stylish
-          ${{ github.event_name != 'pull_request' && '--no-fix' || '' }}
+        run: npm run lint -- --max-warnings 0 --format stylish --no-fix
         working-directory: panel
 
-      - name: Create code suggestions from the coding style changes (on PR only)
-        if: >
-          always() && steps.finishPrepare.outcome == 'success' &&
-          github.event_name == 'pull_request'
-        uses: reviewdog/action-suggester@3f60d0e826f0873905e0eeca522d562a6e67afbd # pin@v1
-        with:
-          tool_name: ESLint
-          fail_on_error: "true"
-
       - name: Check for JavaScript coding style violations (Prettier)
         if: always() && steps.finishPrepare.outcome == 'success'
-        # Use the --check flag in push builds to get a failed CI status
-        run: >
-          npm run format --
-          ${{ github.event_name != 'pull_request' && '--check' || '--write' }}
+        run: npm run format --check
         working-directory: panel
-
-      - name: Create code suggestions from the coding style changes (on PR only)
-        if: >
-          always() && steps.finishPrepare.outcome == 'success' &&
-          github.event_name == 'pull_request'
-        uses: reviewdog/action-suggester@3f60d0e826f0873905e0eeca522d562a6e67afbd # pin@v1
-        with:
-          tool_name: Prettier
-          fail_on_error: "true"

SECURITY.md

@@ -19,4 +19,9 @@ You can also use the [security advisory form on GitHub](https://github.com/getki
 
 We will send you a response as soon as possible and will keep you informed on our progress towards a fix and announcement.
 
-**Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed. By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.**
+> [!IMPORTANT]
+> Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed.
+> 
+> By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.
+> 
+> Also please do *not* request a CVE ID from organizations like MITRE. The responsible CVE Numbering Authority (CNA) for Kirby is GitHub. We can and will request a CVE ID for each confirmed vulnerability and will provide it to you in advance of the coordinated release.

composer.json

@@ -3,7 +3,7 @@
 	"description": "The Kirby core",
 	"license": "proprietary",
 	"type": "kirby-cms",
-	"version": "4.1.0",
+	"version": "4.1.1",
 	"keywords": [
 		"kirby",
 		"cms",

config/api/routes/users.php

@@ -1,6 +1,8 @@
 <?php
 
+use Kirby\Exception\Exception;
 use Kirby\Filesystem\F;
+use Kirby\Toolkit\Str;
 
 /**
  * User Routes
@@ -79,10 +81,27 @@
 		],
 		'method'  => 'POST',
 		'action'  => function (string $id) {
-			$this->user($id)->avatar()?->delete();
-
 			return $this->upload(
 				function ($source, $filename) use ($id) {
+					$type = F::type($filename);
+					if ($type !== 'image') {
+						throw new Exception([
+							'key'  => 'file.type.invalid',
+							'data' => compact('type')
+						]);
+					}
+
+					$mime = F::mime($source);
+					if (Str::startsWith($mime, 'image/') !== true) {
+						throw new Exception([
+							'key'  => 'file.mime.invalid',
+							'data' => compact('mime')
+						]);
+					}
+
+					// delete the old avatar
+					$this->user($id)->avatar()?->delete();
+
 					$props = [
 						'filename' => 'profile.' . F::extension($filename),
 						'template' => 'avatar',

config/fields/link.php

@@ -22,8 +22,7 @@
 				'file',
 				'email',
 				'tel',
-				'anchor',
-				'custom'
+				'anchor'
 			];
 		},
 		'value' => function (string|null $value = null) {

config/sections/stats.php

@@ -8,7 +8,7 @@
 	],
 	'props' => [
 		/**
-		 * Array or query string for reports. Each report needs a `label` and `value` and can have additional `info`, `link` and `theme` settings.
+		 * Array or query string for reports. Each report needs a `label` and `value` and can have additional `info`, `link`, `icon` and `theme` settings.
 		 */
 		'reports' => function ($reports = null) {
 			if ($reports === null) {

i18n/translations/de.json

@@ -347,7 +347,7 @@
 	"file": "Datei",
 	"file.blueprint": "Du kannst zusätzliche Felder und Bereiche für diese Datei in <strong>/site/blueprints/files/{blueprint}.yml</strong> anlegen",
 	"file.changeTemplate": "Vorlage ändern",
-	"file.changeTemplate.notice": "Das Ändern der Dateivoralge wird alle Inhalte von Feldern entfernen, deren Feldtypen nicht übereinstimmen. Wenn die neue Vorlage bestimmte Regeln definiert, z.B. Bildabmessungen, werden diese unwiderruflich angewandt. Benutze diese Funktion mit Vorsicht.",
+	"file.changeTemplate.notice": "Das Ändern der Dateivorlage wird alle Inhalte von Feldern entfernen, deren Feldtypen nicht übereinstimmen. Wenn die neue Vorlage bestimmte Regeln definiert, z.B. Bildabmessungen, werden diese unwiderruflich angewandt. Benutze diese Funktion mit Vorsicht.",
 	"file.delete.confirm": "Willst du die Datei <strong>{filename}</strong> <br>wirklich löschen?",
 	"file.focus.placeholder": "Fokuspunkt setzen",
 	"file.focus.reset": "Fokuspunkt entfernen",

i18n/translations/ru.json

@@ -135,7 +135,7 @@
 
 	"error.license.domain": "Лицензия на этот домен отсутствует",
 	"error.license.email": "Пожалуйста, введите правильный Email",
-	"error.license.format": "Please enter a valid license code",
+	"error.license.format": "Пожалуйста, введите правильный лицензионный код",
 	"error.license.verification": "Лицензия не подтверждена",
 
 	"error.login.totp.confirm.invalid": "Неверный код",
@@ -417,16 +417,16 @@
 	"license.activate": "Активировать сейчас",
 	"license.activate.label": "Пожалуйста, активируйте Вашу лицензию",
 	"license.activate.domain": "Ваша лицензия будет активирована на {host}.",
-	"license.activate.local": "Вы собираетесьактивировать лицензию на локальный домен {host}. Если этот сайт будет размещен на общедоступном домене, то, пожалуйста, укажите его вместо {host}.",
+	"license.activate.local": "Вы собираетесь активировать лицензию на локальный домен {host}. Если этот сайт будет размещен на общедоступном домене, то, пожалуйста, укажите его вместо {host}.",
 	"license.activated": "Активировано",
 	"license.buy": "Купить лицензию",
 	"license.code": "Код",
 	"license.code.help": "Вставьте код лицензии, который вы получили Email после покупки.",
 	"license.code.label": "Пожалуйста вставьте код лицензии",
 	"license.status.active.info": "Включает обновления до {date}",
 	"license.status.active.label": "Действительная лицензия",
-	"license.status.demo.info": "This is a demo installation",
-	"license.status.demo.label": "Demo",
+	"license.status.demo.info": "Это демонстрационная установка",
+	"license.status.demo.label": "Демо",
 	"license.status.inactive.info": "Обновите лицензию для перехода на новые версии",
 	"license.status.inactive.label": "Нет новых обновлений",
 	"license.status.legacy.bubble": "Вы готовы обновить вашу лицензию?",

panel/.prettierignore

@@ -0,0 +1,2 @@
+
+src/components/Text/Highlight.vue

panel/lab/components/buttons/4_groups/index.vue

@@ -47,5 +47,24 @@
 				</k-dropdown-content>
 			</k-button-group>
 		</k-lab-example>
+		<k-lab-example label="layout: collapsed wrap test">
+			<k-bar style="max-width: 23rem">
+				<k-label>Alonglabelshouldnotbreakthebuttongroup</k-label>
+				<k-button-group layout="collapsed">
+					<k-button variant="filled" icon="edit">Edit</k-button>
+					<k-button
+						variant="filled"
+						icon="dots"
+						@click="$refs.dropdown.toggle()"
+					/>
+					<k-dropdown-content ref="dropdown" align-x="end">
+						<k-dropdown-item icon="edit">Edit</k-dropdown-item>
+						<k-dropdown-item icon="copy">Duplicate</k-dropdown-item>
+						<hr />
+						<k-dropdown-item icon="trash">Delete</k-dropdown-item>
+					</k-dropdown-content>
+				</k-button-group>
+			</k-bar>
+		</k-lab-example>
 	</k-lab-examples>
 </template>

panel/lab/components/fieldpreviews/date/index.vue

@@ -19,6 +19,14 @@
 			</k-lab-table-cell>
 		</k-lab-example>
 
+		<k-lab-example label="Invalid date">
+			<k-lab-table-cell>
+				<!-- @code -->
+				<k-date-field-preview value="Not a date" />
+				<!-- @code-end -->
+			</k-lab-table-cell>
+		</k-lab-example>
+
 		<k-lab-example label="Time">
 			<k-lab-table-cell>
 				<!-- @code -->