terminal42 / contao-dcawizard Goto Github PK

A security audit from one of our costumers found a low security issue in notification center. It is possible to manipulate the message url so it shows all language entries. I could hunt the issue down to DcaWizard widget

Append following to the contao url (id must be an existing one): /contao?act=edit&do=nc_notifications&id=1%20or%20true&table=tl_nc_message

The result:

If the the ID exist, it passes DC_Table here: https://github.com/contao/contao/blob/9f87d568209ba12d23734ce8f1cbbefc3900abef/core-bundle/src/Resources/contao/drivers/DC_Table.php#L1757 (maybe this is an issue in the contao core to?).
Afterward it builds following query in DcaWizard: SELECT * FROM tl_nc_language WHERE tstamp>0 AND pid=1 or true ORDER BY language (DcaWizard::getRecords())

Versionen:
Contao: 4.9.33 || 4.13.6
Notification Center: 1.6.13 || 1.6.14
DcaWizard: 2.5.0
PHP 7.4 || 8.1

I remember we discussed why Contao does this in the popup.php. Now I know why...

There are save buttons visible...

In the DcaWizard::getButtonHref()
http_build_query($this->getButtonParams(), null, '&') (encoded ampersand as separator)
should be used.

Hi!
When use "listCallback" method than "hideButton" setting doesn't work.
This is caused by placing this: $objTemplate->hideButton = $this->hideButton; inside of this "if": if ($varCallback === null) {

Unfortunately I don't have time for placing pull request right now.

Please fix this :) Great ext BTW.

Can this be implemented in our new version already? Or do we have to wait for Contao 3.2?

contao/core#5985

When there's entries listed in the table dcawizard.js has code to hide the back button, but not when editing a child (so we have the option to go back to the list). This however doesn't work when the list is empty. It allows the user to hit go back and then the parent table is displayed inside of it's edit view which is odd.

// Line 278 current version src
var hideBackButton = $defined(this.element.getElement('.tl_listing_container'));

This is because when the table's empty it doesn't have a div.tl_listing_container but a div.tl_empty. Checking for that too mostly solved the problem for me:

// This would work:
var hideBackButton = $defined(this.element.getElement('.tl_listing_container')) || $defined(this.element.getElement('.tl_empty'));

I guess since Contao 4.9 the label + title of the operations do not work anymore, because the label is no array here:

A possible solution would be:

        if (is_array($def['label'])) {
            $label = $def['label'][0] ?: $operation;
            $title = sprintf($def['label'][1] ?: $operation, $id);
        } else {
            $label = $title = sprintf($def['label'] ?: $operation, $id);
        }

Hi Leute,
die Ladereihenfolge von dca Dateien in alphabetisch nachfolgenden Modulen z.B. notification_center_test, wird durch den DcaWizard 2.2.0 aufgehoben bzw. umgekehrt?!. Unter 2.0.2 ist es korrekt.
Ein Beispiel: tl_nc_gateway mit neuen Feldern erweitern etc.
notification_center_test/dca/tl_nc_gateway.php
-> wird vor notification_center/dca/tl_nc_gateway.php
ausgelöst
Ein Datenbank update löscht Felder definiert in notification_center_test/dca/tl_nc_gateway.php. Es wird die Datei also nachträglich überschrieben -> Reihenfolge umgekehrt?
Tract man in beiden Files eine Variable wird dieses Phänomen bestätigt.

Grüße,
Tim

You're using the url id parameter for the currentRecord id (see https://github.com/terminal42/contao-dcawizard/blob/master/widgets/DcaWizard.php#L90).

I am using the dcawizard for the extension isotope_simple_stockmanagement. When editing isotope products in the mode "editAll", the url structure is the following:

http://localhost/contao/main.php?do=iso_products&id=5610&act=editAll&fields=1

(In this case I selected variants to edit and 5610 is the id of the variant's parent product). What happens? Instead of loading the correct dcawizard widget for each item, the dcawizard widget of the parent item is generated for all items.
But in most cases, the id param is not present in the url at all when editing in the mode editAll and it turns into an error, as the currentRecord can not be set:

Query error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY tstamp ASC' at line 1 (SELECT * FROM tl_iso_bonus_points WHERE tstamp>0 AND pid= ORDER BY tstamp ASC) 

Do not show records with tstamp=0

bei Nachrichten editieren (Isotope) "Short-Icon" zum Bearbeiten der Nachricht/E-Mail wäre eine "Abkürzung" prima

siehe isotope/core#1245

How about an additional option 'template' in the DCA, so that you could use for example a customized 'be_widget_dcawizard'.

There is the listCallback, but there you have to take care of the display for the most part yourself (even if the widget is present as a parameter).

UseCase

We have a larger project in which we use the dcawizard. Currently I would like to need 2 slightly different customized views.

You could maybe just add an alternative template here

An der Stelle erstmal großes Lob und vielen Dank für die super Erweiterung.

Ich habe beim Löschen von Datensätzen das Problem, das man auf den Inhalt des modal Fensters weitergeleitet wird.

Ich hätte für euch Zugang auf den DEV-Server, falls Ihr euch das mal anschauen wollt.

to implement a dcaWizard, which will be translateable, we registered a new BE_FFL which extends DcaWizard.

the concept with reflection in the DcaWizardHelper is very nice but unfortunately the base64-encoded classname can have entities. so the encoding should be changed or the line should be replaced by something like: $ajaxClass = \Input::post('class', true)

isotope/core#1819

While running the back end of contao 4.9.21 in debug mode for a custom entity with dcawizard I get the following error:
Could not find template "be_widget_dcawizard"

Here are the last lines of the callstack:

  at vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateLoader.php:158
  at Contao\TemplateLoader::getDefaultPath('be_widget_dcawizard', 'html5')
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateLoader.php:114)
  at Contao\TemplateLoader::getPath('be_widget_dcawizard', 'html5')
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/Controller.php:80)
  at Contao\Controller::getTemplate('be_widget_dcawizard')
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateInheritance.php:324)
  at Contao\Template->getTemplatePath('be_widget_dcawizard', 'html5')
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateInheritance.php:87)
  at Contao\Template->inherit()
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/Template.php:292)
  at Contao\Template->parse()
     (vendor/contao/core-bundle/src/Resources/contao/classes/BackendTemplate.php:34)
  at Contao\BackendTemplate->parse()
     (vendor/terminal42/dcawizard/widgets/DcaWizard.php:197)
  at DcaWizard->generate()
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/Widget.php:651)
  at Contao\Widget->generateWithError(true)
     (vendor/contao/core-bundle/src/Resources/contao/templates/backend/be_widget.html5:3)
  at include('/app/vendor/contao/core-bundle/src/Resources/contao/templates/backend/be_widget.html5')
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateInheritance.php:100)
  at Contao\Widget->inherit()
     (vendor/contao/core-bundle/src/Resources/contao/library/Contao/Widget.php:598)
...

Is there something wrong with the template inheritance or are there some updates required for the template loading?

I'm using the dcawizard to show a Mode 4 DCA. In the ListView is the header_back-Button visible, but it isn't usable here, because it links to the backend root.
Is it possible to disable the button in the ListView?

Hallo,

Beispiel beim NC:

• E-Mail-Konfiguration A öffnen
• Button "Sprachen verwalten" => eine Sprache editieren
• alles schließen
• E-Mail-Konfiguration B öffnen
• short-cut icon für eine Sprache anlicken und Speichen + Schließen
  => nun ist man wieder im Panel von E-Mail-Konfiguration A

Klickt man bei E-Mail-Konfiguration B auf Button "Sprachen verwalten" und geht zu A das Gleiche... es der Rücksprung erfolgt immer zu dem Panel, welches als letztes per "Sprachen verwalten" geöffnet wurde.

Da in dem Panel keine weiteren Angaben sind, fällt das nur anhand der E-Mail-Inhalte auf.

Gruss

dcawizard   2.3.0   4

Hitting what seems like a PHP 8 bug with DCAwizard when using Isoptope. I'm using ISO 2.8.12. PHP 8.1, Contao 4.13.23.

When I try to make a checkbox menu attribute with Options Manager I get this error:
An exception occurred while executing a query: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'Array' in 'where clause'

Here's the stack trace:
`ErrorException:
Warning: Array to string conversion

at vendor/terminal42/dcawizard/widgets/DcaWizardMultilingual.php:31
at DcaWizardMultilingual->getForeignTableCondition()
(vendor/terminal42/dcawizard/widgets/DcaWizard.php:422)
at DcaWizard->getWhereCondition()
(vendor/terminal42/dcawizard/widgets/DcaWizard.php:377)
at DcaWizard->getRecords()
(vendor/terminal42/dcawizard/widgets/DcaWizard.php:197)
at DcaWizard->generate()
(vendor/contao/core-bundle/src/Resources/contao/library/Contao/Widget.php:660)
at Contao\Widget->generateWithError(true)
(vendor/contao/core-bundle/src/Resources/contao/templates/backend/be_widget.html5:3)
at include('/home/mossnutrition/public_html/vendor/contao/core-bundle/src/Resources/contao/templates/backend/be_widget.html5')
(vendor/contao/core-bundle/src/Resources/contao/library/Contao/TemplateInheritance.php:108)
at Contao\Widget->inherit()
(vendor/contao/core-bundle/src/Resources/contao/library/Contao/Widget.php:607)
at Contao\Widget->parse()
(vendor/contao/core-bundle/src/Resources/contao/classes/DataContainer.php:795)
at Contao\DataContainer->row('{attribute_legend},name,field_name,type,legend,customer_defined;{description_legend:hide},description;{options_legend},optionsSource,[optionsSource],optionsTable,[EOF];{config_legend},mandatory;{search_filters_legend},fe_filter,fe_sorting,be_filter')
(vendor/contao/core-bundle/src/Resources/contao/drivers/DC_Table.php:1979)
at Contao\DC_Table->edit()
(vendor/isotope/isotope-core/system/modules/isotope/library/Isotope/BackendModule/BackendOverview.php:245)
at Isotope\BackendModule\BackendOverview->getModule('attributes')
(vendor/isotope/isotope-core/system/modules/isotope/library/Isotope/BackendModule/BackendOverview.php:84)
at Isotope\BackendModule\BackendOverview->generate()
(vendor/contao/core-bundle/src/Resources/contao/classes/Backend.php:439)
at Contao\Backend->getBackendModule('iso_setup', null)
(vendor/contao/core-bundle/src/Resources/contao/controllers/BackendMain.php:168)
at Contao\BackendMain->run()
(vendor/contao/core-bundle/src/Controller/BackendController.php:49)
at Contao\CoreBundle\Controller\BackendController->mainAction()
(vendor/symfony/http-kernel/HttpKernel.php:163)
at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), 1)
(vendor/symfony/http-kernel/HttpKernel.php:75)
at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), 1, true)
(vendor/symfony/http-kernel/Kernel.php:202)
at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
(web/index.php:44) `

Here's the error with Debug enabled:
Uncaught PHP Exception ErrorException: "Warning: Array to string conversion" at /home/mossnutrition/public_html/vendor/terminal42/dcawizard/widgets/DcaWizardMultilingual.php line 31

It's happening on two different sites we're building.

The method \DcaWizard::getButtonHref uses \Contao\StringUtil::ampersand, which unfortunately does not exist in Contao 4.4.

Instead, Contao 4.4 has the function ampersand for the same purpose (same code within the function too).

According to your composer.json, the plugin still supports Contao 4.4?
Is this something you could (or were willing) to fix?
I understand if you won't, 4.4 is end of life after all.

Anyway, I had someone else come across this problem.
I will ask them to update to at least Contao 4.9 in either case.

Cheers!

There is no close button at all. The only way to close the wizard is to click outside the window?

@Toflar @qzminski

I use the dcawizard together with the configuration example from the README.md under sf 6.4.3 & PHP 8.1.10 & Contao 5.3.0-RC3 .

If I use the key

'eval' => [
  ...
  //Show operations next to every row (disabled by default)
  'showOperations' => true,
  ...
]

then I get the following exception

The operations are also not displayed next to the individual data records. The array

'operations' => ['edit', 'delete', 'new' /* for tables with sorting like tl_content */],

does not seem to work.

Any suggestions?
Best Reagrds
cmette