The unified repository containing the Flow core packages, used for Flow development.

Home Page: https://flow.neos.io/

License: MIT License

PHP 99.25% Batchfile 0.01% Shell 0.05% PLpgSQL 0.03% HTML 0.47% CSS 0.06% Gherkin 0.13% JavaScript 0.01%
php-framework flowframework opinionated-framework hacktoberfest

flow-development-collection's Introduction

Flow development collection

This repository is a collection of packages for the Flow framework (learn more on http://flow.neos.io/). The repository is used for development and all pull requests should go into it.

If you want to use the Flow framework, please have a look at the documentation: https://flowframework.readthedocs.org/en/latest/

Contributing

If you want to contribute to Flow Framework and want to set up a development environment, then follow these steps:

Clone and install the flow dev distribution https://github.com/neos/flow-development-distribution via git and composer or use this shorthand: composer create-project neos/flow-development-distribution flow-development @dev --keep-vcs

Note the -distribution package you create a project from, instead of just checking out this repository.

The code of the framework can then be found inside Packages/Framework, which itself is the flow-development-collection Git repository (due to the --keep-vcs option above). You commit changes and create pull requests from this repository. To test and commit changes to the framework switch into the Framework directory (cd Packages/Framework).

Here you can do all Git-related work (git add ., git commit, etc).

Unit tests can be run here via ../../bin/phpunit -c ../../Build/BuildEssentials/PhpUnit/UnitTests.xml, functional tests via ../../bin/phpunit -c ../../Build/BuildEssentials/PhpUnit/FunctionalTests.xml and static analysis via composer lint.

To switch the branch you intend to work on run this command in the root of the dev distribution: git checkout 8.3 && composer update

Note

We use an upmerging strategy, so create all bugfixes against the lowest maintained branch that contains the issue (typically the second last LTS release, check the diagram on https://www.neos.io/features/release-process.html), or master for new features.

For more detailed information, see https://discuss.neos.io/t/development-setup/504 and https://discuss.neos.io/t/creating-a-pull-request/506

flow-development-collection's Issues

Model constructor arguments checked twice

Jira issue originally created by user andreaswolf:

The constructor arguments are checked twice by code generated from independent sources:

if (!array_key_exists(0, $arguments)) $arguments[0] = NULL;
// […]
if (!array_key_exists(0, $arguments)) throw new \TYPO3\Flow\Object\Exception\UnresolvedDependenciesException('Missing required constructor argument $identifier in class ' . __CLASS__ . '. Note that constructor injection is only support for objects of scope singleton (and this is not a singleton) – for other scopes you must pass each required argument to the constructor yourself.', 1296143788);

Therefore, the exceptions are never thrown. The two lines both come from Object\DependencyInjection\ProxyClassBuilder::buildConstructorInjectionCode().

The constructor declaration in my Model looks like this:

/**
 * @param string $identifier
 * @param string $name
 * @param Election $election
 */
public function __construct($identifier, $name, Election $election) {

Jira-URL: https://jira.neos.io/browse/FLOW-50

Child Model Object loses Connection on Form saving.

Jira issue originally created by user kaystrobach:

Imagine the following model:

  parent
    ...
    child
      attributeOfChild
      ...

Additionally we assume, that the attribute of the child is a float value, which needs to be converted for output in a form, so we have a form like this:

<f:form action="update" object="{parent}" objectName="parent">
  <f:form.textfield property="child.attributeOfChild" value="{parent.child.attributeOfChild -> f:format.number(decimals:1, decimalSeparator:',', thousandsSeparator:'.')}"/>
  ... save button etc.
</f:form>

Having just VH.fields of parent.child, which properties are set using value, the hidden __identity form field of child is not added to the form. So saving the form will cause FLOW to insert a new child into parent with the new values instead of changing the existing child ...

Jira-URL: https://jira.neos.io/browse/FLOW-62

Use of PHP system() not completely cleaned up

Jira issue originally created by user lelepankaj:

  1. Misleading documentation
    http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartII/Requirements.html says PHP functions system(), shell_exec(), escapeshellcmd() and escapeshellarg() should not be disabled.

    But it should be exec(), escapeshellcmd() and escapeshellarg() should not be disabled.

  2. Also there are couple of occurrences of system() that should be refactored to exec()

Jira-URL: https://jira.neos.io/browse/FLOW-82

Cloned entities cannot be persisted

Jira issue originally created by user mhelmich:

Cloned doctrine entities cannot be persisted. Consider the following example code:

$objectOne = $this->repository->findOneByFoo('bar');
$objectTwo = clone $objectOne;

$this->repository->add($objectTwo);

This will result in a fatal error:

Fatal error: Call to a member function getModelType() on a non-object in /.../Data/Temporary/Development/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Persistence_Doctrine_PersistenceManager.php on line 71.

Looking into the PersistenceManager class, we can see that the `onFlush` method tries to load the class schema from the ReflectionService using the `getClassSchema` method. This method is passed the entity, and determines the entity's class name using `get_class`. However, if `$entity` is not an instance of the entity class, but a Doctrine proxy, no class schema will be loaded for this class.

I hacked a workaround for this into the ReflectionService and will push it into Gerrit shortly. It's quite QAD and I'm not really happy with it, so I'd be open to any kinds of suggestions.

Jira-URL: https://jira.neos.io/browse/FLOW-24

Excess slash in a path variable prevents correct copying of packages installer-files.

Jira issue originally created by user Songyu:

In 'TYPO3\Flow\Composer\InstallerScripts::postPackageUpdateAndInstall' at lines 67, 68, 70 & 71 the variable $relativeInstallPath contains a slash at its end. The path-string it gets combined with however contains another slash at its own beginning, resulting in a path like this: 'Packages/Application/TYPO3.Neos//Resources/Private/Installer/Distribution/Defaults'. Note the two slashes between Neos & Resources.

This second, additional slash later prevents a str_replace in 'TYPO3\Flow\Utility\Files::copyDirectoryRecursively' at line 261 from returning the correct relative path for each found file, resulting in a copying of each file from its source path to a target path that is the same (except for a './' prepended to it).
Basically nothing happens or the file just overwrites itself. Either way the feature to 'Automatically copy/overwrite files from a package to installation on composer install/update' (don't know what to call it) offered by Flow's InstallerScripts is broken.

Only tested this on 2.2.x though. I checked 2.1.x source and found the excess slash there too. However I didn't test its functionality yet. Will do it this weekend though.

If needed, I can give a little more debugging information for each call & variables involved, I just don't have them at hand at the moment.

Jira-URL: https://jira.neos.io/browse/FLOW-23

Allow to symlink configuration in Configuration/ folder

Jira issue originally created by user @skurfuerst:

This issue was discovered recently at a customer, who wanted to share the same settings for development and production, and thus symlinked a folder underneath Configuration/Development/MySubContext to Configuration/Production/MySubContext (ordering does not really matter).

This had very strange effects in development context: Proxy class building was failing seemingly-random, the development context did not really work, flow:help was throwing fatal errors from time to time, etc.

Production context worked flawlessly.

Here's what happened:

  • When Flow starts up in Development/MySubContext, it tries to initialize configuration very early on in the bootstrap. This is especially before caches are initialized. (Because caches are configured using configuration...)
  • Because of the symlink between development and production, Flow finds the file Development/MySubContext/IncludeCachedConfigurations.php which has been created by production context.
    • It then loads the Production configuration, despite being in development mode.
  • The result is this odd mixture of working code and errors.

Proposed fix:

  • store IncludeCachedConfigurations.php in a fixed folder Configuration/Compiled, and name it after the current context; like Production_MySubcontext_CachedConfigurations.php

Can anybody think of any drawbacks of this solution? I have the feeling it should work.

Greets,
Sebastian

Jira-URL: https://jira.neos.io/browse/FLOW-69

Providing empty options to SelectViewHelper will raise Exception in PropertyMapper

Jira issue originally created by user cerlestes:

Using Fluid's SelectViewHelper inside a FormViewHelper and setting the 'multiple' argument to a truthy value while providing an empty array or Collection to the 'options' argument will render the fieldname missing from the trusted properties, which means that the PropertyMapper will object to what it received when parsing the arguments for the form's target action, unless you allow the property in the PropertyMappingConfiguration for that argument.

This is because there's no case for when 'options' are provided to a 'multiple' SelectViewHelper, but are empty.

The best possible fix for this is to invoke registerFieldNameForFormTokenGeneration() with the non-'multiple' name received via getName().

A patchfile is attached.

Jira-URL: https://jira.neos.io/browse/FLOW-119

Advices for parent class' methods throw warning when called in subclass

Jira issue originally created by user vertexvaar:

Reviving an old Ticket because the bug occurred to me: https://forge.typo3.org/issues/47271

Original Text:
I have a structure with a parent class and several subclasses. I want a before advice for all set* methods of these classes.

Some methods from the parent class are invoked on objects of the subclass.
When having the advice before the set* methods, the following error occurs:

Notice: Undefined property: MyPackage\Domain\Model\MySubclass::$Flow_Aop_Proxy_targetMethodsAndGroupedAdvices in .../Data/Temporary/Development/Cache/Code/Flow_Object_Classes/MyPackage_Domain_Model_MyClass.php line 629
where MyClass is the parent class of MySubclass.

The reason seems to be that the AOP properties of a class are marked as "private", which makes them inaccessible from parent (and subclass) methods. I don't know if this could/should be solved by changing the type to protected, as this might raise other issues (I'm not too deeply into the AOP code of Flow), but AFAIS this is a possible solution.

Jira-URL: https://jira.neos.io/browse/FLOW-155

Persistence: object tree validation performance is really slow

Jira issue originally created by user jpaardekooper:

Our application has some serious problems with the performance of persisting data of large data sets. I'll try to explain it as clear as possible with a basic scenario.

Say our application has users that can be linked to one or more companies. A company is a fairly large object with a lot of OneToMany relations, for example Cars, Houses, Pets etc. A lot of stuff. Most of these objects have their own repository as well.

We have a UI that lets us create a Car and link it to a company. The performance of this is fine when the current user isn't linked to a lot of Companies that don't have a lot of Cars, Houses, Pets etc. However, as soon as the data set becomes larger (say, 50 companies each with 25 Cars, Houses and Pets), it takes about 30 seconds to insert one simple Car.

The basic object model:

class Company {

    /**
     * @var string
     */
    protected $name;

    /**
     * @var \Doctrine\Common\Collections\ArrayCollection<Car>
     * @ORM\OneToMany(mappedBy="company")
     * @Flow\Lazy
     */
    protected $cars;

    // a lot more fields
}

class Car {

    /**
     * @var string
     */
    protected $licensePlate;

    /**
     * @var Company
     * @ORM\ManyToOne(inversedBy="cars")
     */
    protected $company;

    // some more fields
}

I've tracked the performance down to the TYPO3.Flow/Classes/TYPO3/Flow/Persistence/Doctrine/PersistenceManager.php file, where the Car object is triggered for validation (line 82). It then goes into the validateObject method and validates the Car. But when it validates the Car, it will also validate the Company and the Company will also validate all the Houses, Pets, etc.

A temporary solution is to add the @Flow\IgnoreValidation annotation to the $company property in Car. I don't think that's a very flexible and nice solution and wonder if it could be done better.

Jira-URL: https://jira.neos.io/browse/FLOW-17

It would be nice if there were an ElseIf condition ViewHelper

Jira issue originally created by user @albe:

Currently, nested if conditions in fluid templates become hardly readable pretty soon, either due to deep indentation or repeated opening of <f:if>:

<f:if condition="{a}">
<f:then>
A!
</f:then>
<f:else>
    <f:if condition="{b}">
    <f:then>
        B!
    </f:then>
    <f:else>
        <f:if condition="{c}">
        <f:then>
           C!
       </f:then>
       <f:else>
           D!
       </f:else>
       </f:if>
    </f:else>
    </f:if>
</f:else>
</f:if>

Hence I suggest adding an elseif condition to the if ViewHelper like this:

<f:if condition="{a}">
  <f:then>
    A!
  </f:then>
  <f:elseif condition="{b}">
    B!
  </f:elseif>
  <f:elseif condition="{c}">
    C!
  </f:elseif>
  <f:else>
    D!
  </f:else>
</f:if>

Jira-URL: https://jira.neos.io/browse/FLOW-18

Remove mentions of "voter" in Code and Documentation

Jira issue originally created by user @bwaidelich:

The security documentation still mentions "voters" even though they have been removed with FLOW-11

Apart from that we should adjust/remove the TYPO3.Flow.security.authorization.allowAccessIfAllVotersAbstain setting!

Option A: Rename to grantAccessIfAllPrivilegesAbstain and add code migration

Option B: Remove setting as it's probably never used and would have unwanted effects

Jira-URL: https://jira.neos.io/browse/FLOW-125

TYPO3\Flow\Persistence\Doctrine\Query builds query in a way that can lead to entities being fetched multiple times

Jira issue originally created by user cerlestes:

TYPO3\Flow\Persistence\Doctrine\Query, Line 107:
$this->queryBuilder = $entityManager->createQueryBuilder()->select('e')->from($this->entityClassName, 'e');

Because the QueryBuilder is only told to select 'e', it can happen that a query (especially with logical-or constraints and joins) fetches the same entity multiple times. This is a major bug when also a LIMIT is set for that query.
With de-duplication applied, this leads to a result set that is smaller than the desired LIMIT, as the duplicate rows are skipped.
Without de-duplication applied, this would result in a fatal double appearance of the entity in the result set.

Luckily, somewhere in Doctrine or Flow deduplication happens on the result sets (though I gave up after 30 minutes of trying to find where exactly this happens).
This leaves us with the query result that holds less than the desired amount of entities and thus breaks stuff like pagination.

The fix is very easy though: on the mentioned line 107 turn
select('e')
into
select('DISTINCT e')
as one should do, when querying for intrinsically unique datasets.

This might also benefit the overall performance of the TYPO3 Flow framework, as I'm sure there are some queries that run into the same problem, but don't experience it due to the de-duplication efforts and a missing LIMIT statement.

Jira-URL: https://jira.neos.io/browse/FLOW-21

Document the usage of a Constructor in the OOP chapter

Jira issue originally created by user tpei:

In the Object Oriented Programming section of the Typo3 Flow 2.2 definitive guide there is a section on PHP constructors (http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartI/Object-OrientedProgramming.html#constructor). However there is no example here whatsoever. Seeing as the constructor is used in the next section on Inheritance, it should be demonstrated how a Constructor can be implemented and used.

I’m thinking of something like https://gist.github.com/TPei/7f3731c72ea2588c5dd0

Jira-URL: https://jira.neos.io/browse/FLOW-56

Nested switch view helpers

Jira issue originally created by user witrin:

Nesting the f:switch view helper in the following way ends with an exception:

<f:switch expression="{expression}">
    <f:case value="matching">
        <f:render partial="Partial" arguments="{argument: argument}" />
    </f:case>
</f:switch>
<f:switch expression="{expression}">
    <f:case value="matching">
        Foo
    </f:case>
</f:switch>

The thrown exception is:

#1243352249: No value found for key "TYPO3\Fluid\ViewHelpers\SwitchViewHelper->break", thus the key cannot be removed.

Jira-URL: https://jira.neos.io/browse/FLOW-165

As a developer i would expect that submittedArguments are used in forms also if no errors exists

Jira issue originally created by user pumatertion:

Let's say f.e. you send an api request in a createAction to a payment provider.
he answers with status "500". in this case you need to forward to referrer including submitted arguments. but formviewhelpers does not show the submitted arguments because there are no errors in validation results.
vh should always use submitted arguments. no need to check for validation errors + submitted argument decision. errors can happen also external, not only in internal validation.

Jira-URL: https://jira.neos.io/browse/FLOW-109

Collection cannot be extended

Jira issue originally created by user @kitsunet:

CollectionInterface is currently pretty useless as it is hard to get Flow to use different implementations than the default one.
In ResourceManager::initializeCollections() the collections should be created via ObjectManager->get('CollectionInterface') to allow alternative implementations being used. Alternatively the specific Collection class used could be configurable in Settings similar to Storage and Target.

Jira-URL: https://jira.neos.io/browse/NEOS-788

Roles might not be initialized when creating an account with the account factory

Jira issue originally created by user andi:

If you create a new Flow project and try to create an account right away, e.g. by some command controller, it might happen that the roles have not yet been synchronized with the database.

To solve this the AccountFactory should call getRoles() on the PolicyService right at the beginning. This will make sure roles are correctly initialized in the database when a new account is created.

Jira-URL: https://jira.neos.io/browse/FLOW-8

Rewrite URLs in CSS files

Jira issue originally created by user @robertlemke:

CSS files (and probably other types of assets) may contain relative or absolute URLs pointing to other resources – such as web fonts or images. Publishing these assets as they are will result in broken links when using a CDN. Neos / Flow must replace the URLs to correct absolute URLs pointing to the CDN servers.

Jira-URL: https://jira.neos.io/browse/FLOW-115

EEL AttributeFilter can't deal with references type

Jira issue originally created by user hanshoechtl:

I'm trying to render backreferences on my current page.
Nodes have references to my current page and I'd like to render them, by using this:

snippets = TYPO3.Neos:ContentCollection
snippets {
    collection = ${q(site).children('[instanceof Vendor.MySite:Snippet]').filter('[pagesToDisplay *= "' + node + '"]')}
}

pagesToDisplay is my property of type references.

I figured out that the value of the property pagesToDisplay is being evaluated to an array of Node-objects (which is correct)
inside the method matchesAttributeFilter:

protected function matchesAttributeFilter($element, array $attributeFilter) {
        if ($attributeFilter['Identifier'] !== NULL) {
            $value = $this->getPropertyPath($element, $attributeFilter['Identifier']);  // <- HERE
        } else {
            $value = $element;
        }
        $operand = NULL;
        if (isset($attributeFilter['Operand'])) {
            $operand = $attributeFilter['Operand'];
        }

        return $this->evaluateOperator($value, $attributeFilter['Operator'], $operand);  // <- only instanceof has special treatment in this method
    }

But because I'm not doing an "instanceof" operation, this array is being passed to the method evaluateOperator of TYPO3\Eel\FlowQuery\Operations\Object\FilterOperation which only does a strpos comparison.
So I guess this is only supposed to work on string-properties, but I suggest the contains filter-operation to work on arrays (here array of nodes) too.

Jira-URL: https://jira.neos.io/browse/FLOW-154

Advices are called multiple times in inheritance hierarchies

Jira issue originally created by user mhelmich:

I'm not sure if this behaviour is intentional; please feel free to yell if this is NOT a bug. I also noticed that it is very similar to FLOW-155 reported by [~vertexvaar] and can possibly be fixed with the same proposed solution.

I have a class hierarchy, and an advice around a method in the parent class. When calling the method (which calls its parent method) on an instance of the subclass, the advice is called twice.

Simple example:

abstract class AbstractFoo {
    public function hello() {
        echo "Hello world.";
    }
    public function bye() {
        echo "Goodbye world.";
    }
}
class ConcreteFoo extends AbstractFoo {
    public function hello() {
        parent::hello();
        echo "Hallo Welt!";
    }
}
/**
 * @Flow\Aspect
 */
class HelloByeAspect {
    /**
     * @Flow\Around("method(**.->hello())")
     */
    public function myHelloAspect(JoinPointInterface $joinPoint) {
        echo "called hello()";
    }
    /**
     * @Flow\Around("method(**.->bye())")
     */
    public function myByeAspect(JoinPointInterface $joinPoint) {
        echo "called bye()";
    }
}

When calling ConcreteFoo->hello, I'd expect the advice to be invoked once; but it is actually invoked twice.
The same goes for ConcreteFoo->bye, which isn't even overwritten in ConcreteFoo, but the advice is called twice nevertheless.

My best guess is that the Flow_Aop_Proxy_methodIsInAdviceMode property in the proxy classes is actually supposed to prevent this. However, this property is private and thus not visible in super(!)classes. Changing the visibility of this property to protected helps.

I tested with Flow 2.3, but probably occurs in earlier releases and in master, too. Will push a patch into Gerrit shortly.

Jira-URL: https://jira.neos.io/browse/FLOW-158

Concrete entities are not regarded when an abstract one is noted in Policy.yaml

Jira issue originally created by user afoeder:

with, for example,

resources:
  entities:
    'Acme\Foobar\Domain\Model\AbstractProduct':
      [...]

all heirs of that AbstractProduct are not taken into account; hence the whole constraint does not match (because of course there is no abstract entity at the end).

In fact this is only relevant for \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkAccessAfterFetchingAnObjectByIdentifier because in the other case, we're lucky if the table name corresponds to the abstract entity itself which is the case in most... cases.

The method \TYPO3\Flow\Security\Policy\PolicyService::hasPolicyEntryForEntityType already gives false because the given entity type (the concrete one) is not in the \TYPO3\Flow\Security\Policy\PolicyService::$entityResourcesConstraints array (where only the abstract one is present).

IMO it would help to fix \TYPO3\Flow\Security\Policy\PolicyExpressionParser::parseEntityResources and also just "copy" the settings for every heir of the (abstract) class, but that would require some discussion since it's proxy=false...

Jira-URL: https://jira.neos.io/browse/FLOW-72

Count-Query fails when using custom queries with GROUP BY / HAVING

Jira issue originally created by user starhorst:

When selecting entities from a repository with a custom query containing statements like GROUP BY or/and HAVING the internal count-query fails. Resulting in a misbehaviour of fluid which does not render the result.

My query causing the bug:

$q = $this->createQuery();
$qb = ObjectAccess::getProperty($q, 'queryBuilder', TRUE);
$qb
    ->leftJoin('e.solutions', 's')
    ->groupBy('e')
    ->having('COUNT(s) > 0');

Fixed the problem using
<f:if condition="{issues.first}">
instead of
<f:if condition="{issues}">

Jira-URL: https://jira.neos.io/browse/FLOW-104

Broken paths for links created below Web/_Resources/Static/Packages/

Jira issue originally created by user jrenggli:

Reporter: Morton Jonuschat

When using PHP in a chroot environment (php-fpm + chroot) the „detected“ absolute paths don't match the paths seen by the webserver when serving static assets.

Pre-Requisites:

  1. The following directory holds the TYPO3 Neos 1.0 installation: /srv/customers/webs/user1/html/domain1.de/
  2. The apache vhost is configured with a document root: /srv/customers/webs/user1/html/domain1.de/Web/
  3. PHP is chrooted to: /srv/customers/webs/user1/

What happens is that Neos/Flow publishes the static resources and creates absolute symlinks pointing to /html/domain1.de/.../, for example TYPO3.Flow -> /html/domain1.de/Packages/Framework/TYPO3.Flow/Resources/Public

These links are correct from the viewpoint of the PHP client but are wrong from the viewpoint of the Webserver. The correct symlink should be relative so that both PHP and Apache can reach the right destination independent of their starting point.
TYPO3.Flow -> ../../../../Packages/Framework/TYPO3.Flow/Resources/Public

Jira-URL: https://jira.neos.io/browse/FLOW-81

TrustedProperties don't include the uuid value

Jira issue originally created by user econic:

If you render an edit/delete form, you can just replace the hidden __identity input to another entity's uuid that you have read access on and voilà, you can edit this entity.

Therefore I suggest the trustedProperties to contain also the __identity's value.

Since as a developer you would expect this to be checked, I regard this bug as critical because this opens up security vulnerabilities in all flow applications with edit/delete forms.

Jira-URL: https://jira.neos.io/browse/FLOW-138
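
The mitigation suggested in the issue above, binding the identity value into the signed form token, sketched as an added example. This is not code from the issue or from Flow's trusted-properties implementation; signForm(), verifyForm(), DEMO_KEY and the sample UUIDs are hypothetical, constructed names and values.

```php
<?php
declare(strict_types=1);

// Added illustration; not Flow's trusted-properties implementation.
// signForm(), verifyForm() and DEMO_KEY are hypothetical names.
const DEMO_KEY = 'constructed-demo-key';

/**
 * Token issued when the form is rendered: the allowed field names plus the
 * identity of the object the form was rendered for, protected by an HMAC.
 */
function signForm(array $allowedFields, string $identity, string $key = DEMO_KEY): string
{
    sort($allowedFields);
    $payload = json_encode(['fields' => $allowedFields, 'identity' => $identity], JSON_THROW_ON_ERROR);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

/**
 * Returns the submitted data if it matches the token, otherwise throws.
 */
function verifyForm(string $token, array $submitted, string $key = DEMO_KEY): array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed token');
    }
    $payload = base64_decode($parts[0], true);
    // Constant-time comparison of the recomputed MAC with the submitted one.
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $key), $parts[1])) {
        throw new RuntimeException('token signature invalid');
    }
    $claims = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);

    // The identity must be the one the form was rendered for.
    $identity = $submitted['__identity'] ?? null;
    if (!is_string($identity) || !hash_equals($claims['identity'], $identity)) {
        throw new RuntimeException('identity differs from the one the form was rendered for');
    }
    // Only fields that were rendered into the form may be submitted.
    $extra = array_diff(array_keys($submitted), $claims['fields'], ['__identity']);
    if ($extra !== []) {
        throw new RuntimeException('unexpected fields: ' . implode(', ', $extra));
    }
    return $submitted;
}

// Constructed sample values.
$token = signForm(['name', 'price'], '11111111-aaaa-4bbb-8ccc-000000000001');

$genuine  = ['__identity' => '11111111-aaaa-4bbb-8ccc-000000000001', 'name' => 'Widget'];
$tampered = ['__identity' => '22222222-aaaa-4bbb-8ccc-000000000002', 'name' => 'Widget'];

foreach (['genuine' => $genuine, 'tampered' => $tampered] as $label => $data) {
    try {
        verifyForm($token, $data);
        echo "$label: accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Binding the identity into the token only ties a submission to the form that was rendered; the update action still needs its own authorization check on the target entity.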

Memory limit in the dump produced by the Debugger

Jira issue originally created by user dogawaf:

When an exception is thrown, the DebugExceptionHandler produces a nice backtrace and some dump of the arguments passed to functions.

I have some Doctrine ArrayCollection which point to records with recursive relationships.

When the debugger tries to dump an argument of this type, php reaches the max memory limit, and crashes the server.

Commenting this line [1] fixes the symptom for me, but I am not able (available) to tackle the root cause.

[1] https://git.typo3.org/Packages/TYPO3.Flow.git/blob/HEAD:/Classes/TYPO3/Flow/Error/Debugger.php#l330

Jira-URL: https://jira.neos.io/browse/FLOW-75

Possible CGL addition

Jira issue originally created by user @radmiraal:

afaik we don't have a CGL yet about parenthesis usage in cases like below:
$a = $b === $c;
This could possibly be misread to $a = $b = $c; Should we add to the CGL that we require parenthesis like $a = ($b === $c); ?

Jira-URL: https://jira.neos.io/browse/FLOW-88

Support for security HTTP headers

Jira issue originally created by user @hlubek:

Browsers offer plenty of security related headers that can prevent many client side attacks on websites. This includes possible XSS, Clickjacking, Man-in-the-middle and other attacks.

We should offer a way to set these headers in a configurable and extensible way, especially for CSP (Content Security Policy) which allows for a pretty complex configuration.

The HTTP components could provide a good point to integrate the headers, for Neos we need to think about a TypoScript solution that can contribute to the CSP configuration.

Some inspiration can be taken from Django Security (http://ipsec.pl/django/2013/introducing-django-security.html) which offers a nice list of available middlewares.

Jira-URL: https://jira.neos.io/browse/FLOW-15

Empty resource uploads don't pass validation

Jira issue originally created by user lorenzulrich:

In https://git.typo3.org/Packages/TYPO3.Flow.git/blobdiff/e867cd66913d54d67beae30d05980f9db2619dfb..f38b3570c95f6d25906d101d3634091cc3ecf420:/Classes/TYPO3/Flow/Resource/ResourceTypeConverter.php the ResourceTypeConverter was revised. After these changes I have the following problem:

I have a form that is generated with TYPO3.Form and contains multiple (standard) File Upload fields. Before this change, if I didn't select a file, the form passed validation. After this change, if I don't select a file for uploading (it's not a mandatory field), I get the following error:

The resource manager could not create a Resource instance.

The problem seems to be in the method convertFrom. If no file is uploaded, $source['hash'] is set, but empty. convertFrom only checks for the existence of $source['hash'] and therefore assumes that a file upload did happen. But since there was none, it fails at handleHashAndData with this exception. I could solve it by changing line 129 from


to


} elseif ((isset($source['hash']) && !empty($source['hash'])) || isset($source['data'])) {

but I doubt that this is a clean solution.

Jira-URL: https://jira.neos.io/browse/FLOW-172

Logout specific token

Jira issue originally created by user pumatertion:

Currently the AuthenticationManager::logout() destroys the whole session and invalidates all tokens. It's not possible to log out just a specific token.
Having logged in to Neos and also with another token (an external API, for example), it's not possible to invalidate the login just for the API token.

I could introduce a new AuthenticationManager which supports such a method. But I am unsure what I have to do with the session.

Jira-URL: https://jira.neos.io/browse/FLOW-38

Programmatically modify command descriptions

Jira issue originally created by user @robertlemke:

Commands which are extensible, for example by some plugin mechanism, or depend on their environment, may want to tweak the short and long description which is shown in the help screen.

One solution would be an interface which needs to be implemented by the command controller in question which allows it to tweak descriptions.

Jira-URL: https://jira.neos.io/browse/FLOW-78

Allow Split Sources for all default configuration types

Jira issue originally created by user @skurfuerst:

I think it would be very helpful to allow Split configuration Sources for Settings, Objects, Policy and Caches -- i.e. everything except Routes (which already allow for inclusion of other files).

This can be changed in ConfigurationManager::$configurationTypes.

Workaround

In case you need this feature now on Flow 2.2, you can do the following:

create a Settings.SplitSourceMarker.yaml with the following contents:

SettingsSplitSourceActive: TRUE

create the following Package.php

<?php

use TYPO3\Flow\Configuration\ConfigurationManager;
use TYPO3\Flow\Package\Package as BasePackage;

class Package extends BasePackage {

    /**
     * Invokes custom PHP code directly after the package manager has been initialized.
     *
     * @param \TYPO3\Flow\Core\Bootstrap $bootstrap The current bootstrap
     * @return void
     */
    public function boot(\TYPO3\Flow\Core\Bootstrap $bootstrap) {
        $dispatcher = $bootstrap->getSignalSlotDispatcher();

        /**
         * WORKAROUND for now to allow split sources for Settings.
         *
         * - We override the (built-in) configuration type "Settings", enabling "splitSource".
         * - Because Settings are loaded very early in the bootstrap, we need to flush the configuration cache to re-load the Settings.
         *
         * However, we must NOT CLEAR THE CACHE always; thus we have a marker setting "SettingsSplitSourceActive" which is included in Configuration/Settings.SplitSourceMarker.yaml.
         * If this is found in the Settings, we know the split source has been correctly cached; and we do not need to clear it again.
         */
        $dispatcher->connect('TYPO3\Flow\Configuration\ConfigurationManager', 'configurationManagerReady', function(ConfigurationManager $configurationManager) {
            $configurationManager->registerConfigurationType(ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, ConfigurationManager::CONFIGURATION_PROCESSING_TYPE_SETTINGS, TRUE);

            if ($configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'SettingsSplitSourceActive') === NULL) {
                $configurationManager->flushConfigurationCache();
            }
        });
    }
}

The solution is slightly inefficient because the settings are parsed twice if they are uncached.

Jira-URL: https://jira.neos.io/browse/FLOW-42

In a trait, relative namespaces with @Flow\Import don't work

Jira issue originally created by user cognifloyd:

Given the following trait (as a random example of a trait that includes an imported property):

namespace Some\Package;
use TYPO3\Flow\Package\PackageManagerInterface;
trait FancyTrait {
  /**
   * @Flow\Import
   * @var PackageManagerInterface
   */
  protected $packageManager;
}

The following does not work:

namespace Some\Package;
use FancyTrait;
class SomeClass {
  use FancyTrait;
}

Uncaught Exception: TYPO3\Flow\Core\Booting\Exception\SubProcessException

Message

  Uncaught Exception: TYPO3\Flow\Object\Exception\UnknownObjectException

  Message
    The object "PackageManagerInterface" which was specified as a property
  in
    the object configuration of object
    "Some\Package\SomeClass"
    (automatically registered class) does not exist. Check for spelling
    mistakes and if that dependency is correctly configured.

  More Information
    Exception code 1265213849
    File          
  Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Object/DependencyInjection/ProxyClassBuilder.php
  line 538
    Reference code 20141231173308a299ca


More Information
  Exception code 1355480641
  File           Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Core/Booting/Scripts.php line 528
  Reference code 201412311733073dade3

To get around the issue, I have to use anything used in the trait in the class that uses the trait. That means that the following does not trigger the same error:

namespace Some\Package;
use FancyTrait;
use TYPO3\Flow\Package\PackageManagerInterface;
class SomeClass {
  use FancyTrait;
}

So, Flow needs to be able to look in traits while compiling. It is really ugly to import things that the file is not using, and PhpStorm helpfully offers to remove those unused references, so it's easy to end up with a broken system since Flow is not taking traits into account.

Jira-URL: https://jira.neos.io/browse/FLOW-170

Optimize session cache data writes

Jira issue originally created by user @hlubek:

The session cache backend currently writes data back for every access (including read-only requests) at the end of each request.

For Neos this involves the following keys (individual cache entries) for each request (also in the frontend), while having an active session:

  • lastVisitedNode
  • TYPO3_Flow_Security_Accounts
  • TYPO3_Flow_Object_ObjectManager

We could greatly optimize I/O and cache file contention by checking on a cache frontend level if the data was actually changed. The idea is to store md5 sums of the data that was fetched (get) and comparing that on subsequent set operations and doing nothing if they are equal. Doing that on the frontend layer would not require an additional serialize call.

Jira-URL: https://jira.neos.io/browse/FLOW-147
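The checksum idea from the issue above, sketched as an added example that is not Flow's cache code. The classes `CountingBackend` and `ChangeTrackingFrontend` are hypothetical and written for this illustration; md5 serves only as a change detector here, not as a security control.

```php
<?php
declare(strict_types=1);

/** In-memory backend that counts writes (constructed for this example). */
final class CountingBackend
{
    public $writes = 0;
    private $entries = [];
    public function get(string $id) { return $this->entries[$id] ?? false; }
    public function set(string $id, string $data): void
    {
        $this->entries[$id] = $data;
        $this->writes++;
    }
}

/** Frontend that remembers the md5 of the serialized data it last read or wrote. */
final class ChangeTrackingFrontend
{
    private $backend;
    private $checksums = [];
    public function __construct(CountingBackend $backend) { $this->backend = $backend; }

    public function get(string $id)
    {
        $raw = $this->backend->get($id);
        if ($raw !== false) {
            $this->checksums[$id] = md5($raw);
        }
        // Only trusted, server-side cache data is unserialized here.
        return $raw === false ? false : unserialize($raw);
    }

    public function set(string $id, $value): void
    {
        $raw = serialize($value); // already required for the write itself
        if (($this->checksums[$id] ?? null) === md5($raw)) {
            return; // same bytes as last read or written: skip the backend write
        }
        $this->backend->set($id, $raw);
        $this->checksums[$id] = md5($raw);
    }
}

$backend = new CountingBackend();
$session = new ChangeTrackingFrontend($backend);
$session->set('lastVisitedNode', '/sites/example');      // new entry: written
$session->get('lastVisitedNode');                        // read-only access
$session->set('lastVisitedNode', '/sites/example');      // unchanged: skipped
$session->set('lastVisitedNode', '/sites/example/news'); // changed: written
echo 'backend writes: ', $backend->writes, PHP_EOL;
```

A skipped write also skips whatever the backend does on write, such as renewing an entry's lifetime, so expiry handling has to be checked before applying this to session data.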

Make it possible to override XLIFF definitions from other packages

Jira issue originally created by user @hlubek:

In order to provide custom translations for existing labels, Flow should have a well defined convention on how to override XLIFF definitions from other packages. The package order (by dependency) should be respected for this.

Idea

In order to override translations from another package, a file with the same name and location is created in another package. This file contains a <file> element with a product-name="PackageKey" attribute for the package that should be overwritten. This way an XLIFF file can contain definitions for more than one package in a backward compatible and consistent way.

When accessing a label the filename and package key is given to a TranslationProviderInterface implementation which will use a merged version of the partial definitions (merged by package order).

Any labels that are exported to the client-side should use the same merged XLIFF definitions for a consistent approach to localization.

Jira-URL: https://jira.neos.io/browse/FLOW-61

Allow limiting the Security entry points at least by request header

Jira issue originally created by user afoeder:

The WebRedirect entry point also would kick in if an AJAX request comes in and the session, for example, is expired meanwhile.

This results in the AJAX client, usually the browser, getting a 301 and a 200 and an HTML resource (which is the login form), hence a totally unexpected result.

I suggest allowing Eel matchers to be defined to decide whether a particular EntryPoint should be used or not.

Jira-URL: https://jira.neos.io/browse/FLOW-7

Extending array values in settings with anonymous keys ("-") is not safe

Jira issue originally created by user @hlubek:

It is not safe to add an entry to an array setting by using "-" for the key, e.g.:

    persistence:
      doctrine:
        eventListeners:
          -
            events: ['postPersist', 'postUpdate', 'postRemove']
            listener: 'TYPO3\Neos\Domain\EventListener\AccountPostEventListener'

If a second package does the same, this will end up in only one event listener, which will be overridden by the second one. This happened at least with the phpyaml extension being used to parse YAML files.

Jira-URL: https://jira.neos.io/browse/FLOW-22
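Why the second package's listener replaces the first, shown as an added example that is not code from Flow or from the issue. It assumes settings are merged key by key with later values winning; `mergeOverrule`, `findAnonymousEntries` and the listener class names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Key-wise recursive merge where later values win. Written for this example
 * as a stand-in; it is not Flow's own merge routine.
 */
function mergeOverrule(array $first, array $second): array
{
    foreach ($second as $key => $value) {
        if (is_array($value) && isset($first[$key]) && is_array($first[$key])) {
            $first[$key] = mergeOverrule($first[$key], $value);
        } else {
            $first[$key] = $value;
        }
    }
    return $first;
}

/** List integer-keyed array entries, i.e. the ones a later package can replace. */
function findAnonymousEntries(array $settings, string $path = ''): array
{
    $hits = [];
    foreach ($settings as $key => $value) {
        $here = ltrim($path . '.' . $key, '.');
        if (is_int($key) && is_array($value)) {
            $hits[] = $here;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, findAnonymousEntries($value, $here));
        }
    }
    return $hits;
}

// A "-" entry parses to a list, so each package's entry lands on integer key 0.
// Listener class names are constructed placeholders.
$packageA = ['eventListeners' => [['events' => ['postPersist'], 'listener' => 'Acme\A\AuditListener']]];
$packageB = ['eventListeners' => [['events' => ['postRemove'], 'listener' => 'Acme\B\CleanupListener']]];
$merged = mergeOverrule($packageA, $packageB);
echo count($merged['eventListeners']), ' listener(s): ', $merged['eventListeners'][0]['listener'], PHP_EOL;
echo 'anonymous entries: ', implode(', ', findAnonymousEntries($packageA)), PHP_EOL;

// Named keys keep both entries apart under the same merge.
$safe = mergeOverrule(
    ['eventListeners' => ['Acme.A:audit' => $packageA['eventListeners'][0]]],
    ['eventListeners' => ['Acme.B:cleanup' => $packageB['eventListeners'][0]]]
);
echo implode(', ', array_keys($safe['eventListeners'])), PHP_EOL;
```

Running a check like `findAnonymousEntries` over parsed settings in CI flags list-style entries before a second package can silently drop a listener that performs auditing or cleanup.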
