So that authentication can suspend it. There are cases,
e.g. cube, where authentication is required in run.php.
During bootstrapping loading modules is mostly required
to load libraries, register routes and hooks. Most of the
time authentication is not required for these, but if
it is, evaluation is now interrupted and continued
after authentication has actually been performed.
I don't see a real risk for any breaking change here,
since authentication happens shortly after. It actually
avoids a breaking change, since without this, cube's
Icinga DB support would break or at least malfunction.
And cube is only a single example.
refs #5265
Since authentication is now performed even for static
resources, there's no reason anymore to support implicit
authentication. This also limits authentication attempts
to a single one; previously failed attempts were repeated.
Requiring authentication during bootstrapping, i.e. before
authentication has been performed, will now trigger a
deprecation notice.
refs #5265
It is nowadays no exception that a stylesheet may be dependent
on who's using the app. So to avoid race conditions like
in #5385 authentication is an explicit step during bootstrap
now.
fixes #5385
Providing a user or user group backend in configuration.php
now has no effect anymore. They are expected to be announced
in run.php, just like hooks. A warning appears in the log
for cases where a configuration.php still attempts it. Should
help with troubleshooting since it will appear after an error
that a specific backend has not been found.
refs #5265
in ApplicationBootstrap#setupErrorHandling(). In webrouter.php disable
them unconditionally (until ApplicationBootstrap#setupErrorHandling())
not to duplicate the check. ApplicationBootstrap#setupErrorHandling()
is called pretty early, so we won't miss much.
fixes #5117
* In addition, this provides #5269 and mitigates #5152 in production
where ICINGAWEB_ENVIRONMENT isn't set.
Trusted in this case means, it was Icinga Web that
rendered a link and the user followed it. Whether
a source is trustworthy or not is detected by use
of the user's session id to hash it combined with
the source similar to how CSRF tokens are assembled.
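One way to bind a rendered link to the current session, as the commit message above describes. This is an added example, not Icinga Web's own code: the function names, the `source` and `tag` parameters, the choice of HMAC-SHA256 keyed with the session id, and all sample values are assumptions.

```php
<?php
// Added example; not Icinga Web's implementation. All names are hypothetical.

/**
 * Tag a source so that only requests made within this session can reproduce it.
 * Keying an HMAC with the session id is an assumption; the commit only says "hash".
 */
function signSource(string $sessionId, string $source): string
{
    return hash_hmac('sha256', $source, $sessionId);
}

/** Append source and tag when the application itself renders a link. */
function renderTrustedLink(string $sessionId, string $target, string $source): string
{
    $query = http_build_query([
        'source' => $source,
        'tag'    => signSource($sessionId, $source),
    ]);
    return $target . (strpos($target, '?') === false ? '?' : '&') . $query;
}

/** A request is trusted only if its tag matches the source for the current session. */
function isTrustedSource(string $sessionId, array $params): bool
{
    if (! isset($params['source'], $params['tag'])
        || ! is_string($params['source'])
        || ! is_string($params['tag'])
    ) {
        return false; // missing or array-typed parameters are never trusted
    }
    // hash_equals() compares in constant time, so the check leaks no prefix match
    return hash_equals(signSource($sessionId, $params['source']), $params['tag']);
}

// Constructed sample values
$session = 'constructed-session-id-1';
$link = renderTrustedLink($session, '/example/target', '/example/source?page=2');
parse_str(parse_url($link, PHP_URL_QUERY), $params);

var_dump(isTrustedSource($session, $params));                   // link followed in the same session
var_dump(isTrustedSource('constructed-session-id-2', $params)); // same link, different session
$params['source'] = '/example/other';
var_dump(isTrustedSource($session, $params));                   // source altered after rendering
```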
Partial because the helper method is not the preferred way
anymore to create an icon. So I simplified the detection
to only check whether the given icon is a legacy one, as
those are smaller in number. Though, this leads to some fa
icons being identified as legacy, as the names equal. But,
it's the legacy helper after all... Anyone wanting to make
sure to get fontawesome icons must add the `fa-` prefix.
When performing a str_replace, subject should always be a string. If
passing a non-existent column or empty column, subject may be null.
This ensures str_replace is called when subject is actually a string (not
NULL).
ldap_connect() in PHP >= 8.1 returns `LDAP\Connection` instead of `resource` and all ldap_*() methods expect the returned type. But the function's defined return type and the $ds type confuse phpstan, so I removed the hardcoded type hint.
For MySQL it's just enough to check whether the privileges are granted
at database or table level, but for PostgreSQL it's necessary that the
privileges are granted at database and at table level.
This ensures that, if CSP is enabled, the newly created token on the
login is accepted by the browser. A small, but IMHO desired, side
effect is that the login now always appears in the default theme.
fixes #5126