Commit graph

33217 commits

Author SHA1 Message Date
Grzegorz Sadowski
21ba431ea9
Change application's version to v1.14.14 2025-12-16 15:19:37 +01:00
Grzegorz Sadowski
c287be3507
[RFC] Add telemetry feature 1.14 (#18635)
| Q               | A
|-----------------|-----
| Branch?         | 1.14 <!-- see the comment below -->
| Bug fix?        | no
| New feature?    | yes
| BC breaks?      | no
| License         | MIT

<!--
 - Bug fixes must be submitted against the 1.14 or 2.1 branch
 - Features and deprecations must be submitted against the 2.2 branch
 - Make sure that the correct base branch is set

To be sure you are not breaking any Backward Compatibilities, check the
documentation:

https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->

For details, this PR follows the design described in the RFC:
https://github.com/Sylius/Sylius/issues/18588
2025-12-16 14:23:56 +01:00
TheMilek
233a83b1f1
Add telemetry feature 2025-12-16 11:49:25 +01:00
Grzegorz Sadowski
14d25f6256
Change application's version to v1.14.14-dev 2025-11-27 13:03:48 +01:00
Grzegorz Sadowski
bc5dc0814a
Generate changelog for v1.14.13 2025-11-27 13:03:29 +01:00
Grzegorz Sadowski
30d464ab06
Change application's version to v1.14.13 2025-11-27 13:02:10 +01:00
Rafał Jaskulski
caf3fed403
Fix twice calculation rating review (#18567)
This is connected with https://github.com/Sylius/Sylius/pull/18574
| Q               | A
|-----------------|-----
| Branch?         | 1.14 
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | https://github.com/Sylius/Sylius/issues/16120
| License         | MIT


The \Sylius\Bundle\ReviewBundle\EventListener\ReviewChangeListener
(registered as Doctrine event listener) already handles rating
recalculation for all review changes (postPersist, postUpdate,
preRemove), making the
  state machine callback redundant.

  Solution

Disable the sylius_update_rating callback by adding disabled: true
instead of removing it entirely.

  Why disabled: true instead of removal?

1. No BC break - the updateFromReview() method called by this callback
remains intact, preserving the ReviewableRatingUpdaterInterface and
service definitions
2. Flexibility - users who rely on this callback (e.g., for custom
priority ordering with their own callbacks) can re-enable it in their
configuration with disabled: false
3. Transparency - the callback definition remains visible in
configuration, documenting what was disabled and why, which helps with
debugging and understanding the system's
  history
2025-11-26 10:57:38 +01:00
Michal Kaczmarek
0dcbc5efc4 Fix after review 2025-11-26 10:53:58 +01:00
Michal Kaczmarek
9f02085d5d Add info about disabled callback to upgrade file 2025-11-26 10:45:53 +01:00
Rafał Jaskulski
47b4f82f8f
[CS][DX] Refactor (#18577)
This PR has been generated automatically.
For more details see
[refactor.yaml](/Sylius/Sylius/blob/2.1/.github/workflows/refactor.yaml).
2025-11-26 09:47:07 +01:00
Sylius Bot
a4d17db879 [CS][DX] Refactor 2025-11-26 02:34:56 +00:00
Rafał Jaskulski
78ab2121ec
Validate product's channel eligibility when finalizing an order (#18445)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Related tickets | https://github.com/Sylius/Sylius/issues/17568
| License         | MIT

When finalizing an order, while checking whether products and variants
are "isEnabled," a check has also been added to see if they are assigned
to the current channel.
2025-11-25 13:42:23 +01:00
Tomasz Kaliński
a062a250c1
Add channel eligibility validation during order completion 2025-11-24 17:39:32 +01:00
Michal Kaczmarek
fbb68dd58a Fix twice calculation rating review 2025-11-24 15:59:54 +01:00
Rafał Jaskulski
c7cb75f310
Add md file with description ignored CVE and fix format (#18553)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | #18549
| License         | MIT

Details in file AUDIT-IGNORE.md
2025-11-17 14:18:56 +01:00
Michal Kaczmarek
97fdc9f544 Add md file with description ignored CVE and fix format 2025-11-17 13:05:07 +01:00
Rafał Jaskulski
afca44fa93
Add filtering cve (#18549)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | 
| License         | MIT

Fix build CI through added a few cve to ignore section in file
composer.json.
  
1. PKSA-yhcn-xrg3-68b1 (Twig - CVE-2024-45411)

Sandbox bypass - Attackers can execute dangerous code in Twig templates
by bypassing sandbox security restrictions.
  - Fixed in: Twig 1.44.8, 2.16.1, 3.14.0

2. PKSA-2wrf-1xmk-1pky (Twig - CVE-2024-51755)

Access to protected data - Using the ?? operator and array access allows
reading private data without security policy checks.
  - Fixed in: Twig 3.11.2, 3.14.1

3. PKSA-gs8r-6kz6-pp56 (likely API Platform)

GraphQL data exposure - Improper caching in GraphQL allows access to
other users' data or bypassing operation security.
  - Related to API Platform GraphQL security issues
  - Fixed in: API Platform 3.4.17, 4.0.22

4. PKSA-gnn4-pxdg-q76m (likely API Platform or Twig)

Exception details disclosure - Error messages may contain sensitive
system information visible in JSON responses.
  - Related to API Platform error handling
  - Fixed in: API Platform 3.2.5+

Details:


https://www.cvedetails.com/vulnerability-list/vendor_id-19033/product_id-48690/Symfony-Twig.html
https://api-platform.com/docs/extra/security/
2025-11-14 17:38:50 +01:00
Michal Kaczmarek
5ecf8c421f Add filtering cve 2025-11-14 14:13:55 +01:00
Grzegorz Sadowski
0141759798
Add conflict for broken Doctrine ORM version 2.20.7 (#18479)
| Q | A |

|-----------------|--------------------------------------------------------------|
| Branch? | 1.14 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Related tickets | https://github.com/doctrine/orm/issues/12245 |
| License | MIT |

## Summary

Doctrine ORM versions 2.20.7 and 3.5.3 contain a regression that breaks
queries with empty arrays, causing SQL syntax errors like `WHERE t0.id
IN ()`.

This PR adds these versions to the `conflict` section of composer.json
to prevent them from being installed until the upstream issue is fixed.
2025-10-29 09:43:48 +01:00
Rafikooo
1bfa928797
Add conflict for broken Doctrine ORM versions 2025-10-29 08:58:38 +01:00
Grzegorz Sadowski
8f3a0e5594
[CI] Fix Panther tests Chrome user data directory conflict (#18469)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | #18459 (it introduced step-based chrome run)
| License         | MIT

## Description

This PR resolves the "user data directory is already in use" error that
causes all Panther tests to fail on Symfony 5.4 matrix jobs after
upgrading to BuildTestAppAction v3.0.1.

The issue occurs because BuildTestAppAction v3.0.1 starts a background
Chrome process (for Chromedriver on port 9222) without specifying a
user-data-dir, which conflicts with Panther's Chrome instance attempting
to use the same default directory.

## Root Cause

The Sylius behat.yml.dist configuration was incorrectly placing Chrome
arguments under `options.browser_arguments`, which is **completely
ignored** by the behat-panther-extension. The correct configuration path
is `manager_options.capabilities.goog:chromeOptions.args`.

This configuration error was introduced in commit 04a222ba67 and went
unnoticed because it only manifested when BuildTestAppAction v3.0.1
removed the default Chrome installation (which was already running with
a user-data-dir).

## Changes

- **behat.yml.dist**: Fixed Chrome arguments configuration to use the
correct path:
- Moved arguments from
`sessions.panther.panther.options.browser_arguments` (ignored)
- To
`sessions.panther.panther.manager_options.capabilities.goog:chromeOptions.args`
(correct)
- Added `--user-data-dir=/tmp/panther-chrome-data` to prevent conflicts
with Chromedriver's Chrome instance

This ensures Panther's Chrome process uses a unique user data directory,
allowing it to run alongside BuildTestAppAction's Chrome instance
without conflicts.

## Technical Details

- BuildTestAppAction's Chrome uses default user-data-dir (or will use
`/tmp/chrome-chromedriver-behat` in future versions)
- Panther's Chrome now explicitly uses `/tmp/panther-chrome-data`
- The fix resolves the issue on both Symfony 5.4 (Panther v2.1.1) and
Symfony 6.4 (Panther v2.2.0)
2025-10-23 13:27:18 +02:00
Rafikooo
40aa27605f
Fix Panther Chrome arguments configuration 2025-10-23 12:51:21 +02:00
Grzegorz Sadowski
076fe107eb
Change application's version to v1.14.13-dev 2025-10-22 14:28:02 +02:00
Grzegorz Sadowski
60e27d23a2
Generate changelog for v1.14.12 2025-10-22 14:27:48 +02:00
Grzegorz Sadowski
4bbcee52cb
Change application's version to v1.14.12 2025-10-22 14:27:06 +02:00
Grzegorz Sadowski
444031b258
Update BuildTestAppAction to v3.0.1 (#18459)
Update SyliusLabs/BuildTestAppAction from v2.3 to v3.0 across all E2E
and frontend CI workflows
2025-10-22 12:17:38 +02:00
Rafikooo
c04f26ece7
Remove legacy_postgresql_setup parameter from BuildTestAppAction 2025-10-21 12:37:48 +02:00
Rafikooo
c87e30c0ad
[Behat] Change base URL from HTTPS to HTTP 2025-10-20 14:50:12 +02:00
Rafikooo
621df47b20
Update BuildTestAppAction to v3.0.1 2025-10-20 14:31:56 +02:00
Rafał Jaskulski
4a089c4a6a
[CS][DX] Refactor (#18444)
This PR has been generated automatically.
For more details see
[refactor.yaml](/Sylius/Sylius/blob/2.1/.github/workflows/refactor.yaml).
2025-10-17 08:59:46 +02:00
Sylius Bot
452142ff9e [CS][DX] Refactor 2025-10-17 02:31:16 +00:00
Rafał Jaskulski
f4bc1da4d4
Fix: Admin taxon update: Cannot set child as parent to node (#18406)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | fixes #11793
| License         | MIT

<!--
 - Bug fixes must be submitted against the 1.14 or 2.0 branch
 - Features and deprecations must be submitted against the 2.1 branch
 - Make sure that the correct base branch is set

To be sure you are not breaking any Backward Compatibilities, check the
documentation:

https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->
2025-10-16 09:27:07 +02:00
Rafał Jaskulski
f1d2aa0adb
Bugfix/wrong assertion in class zone eligible checker (#18411)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | fixes https://github.com/Sylius/Sylius/issues/18397
| License         | MIT
2025-10-08 13:50:02 +02:00
Norbert Glanc
171a5b23fd Fix: Admin taxon update: Cannot set child as parent to node 2025-10-08 12:43:25 +02:00
Michal Kaczmarek
266ba905f0 Fix assertion wrong eligible checker 2025-10-08 12:26:33 +02:00
Rafał Jaskulski
e1b56b4a8d
Bugfix/invalid credentials message is not translated during ajax login (#18419)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | https://github.com/Sylius/Sylius/issues/12738
| License         | MIT
2025-10-07 16:12:19 +02:00
Michal Kaczmarek
5a52a232b1 Fix after review 2025-10-07 15:19:39 +02:00
Michal Kaczmarek
6e6a596f83 fix after review 2025-10-07 11:37:30 +02:00
Rafał Jaskulski
604df20c2b
Fix invalid property types for 'translations' (#18399)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | no
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no 
| Related tickets | https://github.com/Sylius/Sylius/issues/14879
| License         | MIT

Issue was present in 1.14. Updated files from old array-based
translations schema to the proper object-based schema with additional
properties support.
<!--
 - Bug fixes must be submitted against the 1.14 or 2.0 branch
 - Features and deprecations must be submitted against the 2.1 branch
 - Make sure that the correct base branch is set

To be sure you are not breaking any Backward Compatibilities, check the
documentation:

https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->
2025-10-06 19:19:21 +02:00
Michal Kaczmarek
b58b5db5c3 Fix translation statement about invalid password 2025-10-06 17:07:25 +02:00
Rafał Jaskulski
ac5b1b5477
Revert "[AdminBundle] Hide Impersonate button when user shop account is locked" (#18418)
I’m reverting this as it introduced a soft BC break.  
Ref: https://github.com/Sylius/Sylius/pull/18378#issuecomment-3371108297
2025-10-06 15:25:59 +02:00
Rafał Jaskulski
618477f99f
Revert "[AdminBundle] Hide Impersonate button when user shop account is locked" 2025-10-06 13:43:41 +02:00
Michal Kaczmarek
3db200f106 debug wrong translation 2025-10-03 17:45:16 +02:00
Norbert Glanc
0a0a862db6
Update src/Sylius/Bundle/AdminBundle/Resources/views/Taxon/_treeWithButtons.html.twig
Co-authored-by: crydotsnake <simonkrull@mailbox.org>
2025-10-03 09:50:42 +02:00
Norbert Glanc
2519a88fec Fix: Admin taxon update: Cannot set child as parent to node 2025-10-02 12:26:35 +02:00
Rafał Jaskulski
f43a51e664
Remove product images duplication (#18380)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | fixes #16771
| License         | MIT

<!--
 - Bug fixes must be submitted against the 1.14 or 2.0 branch
 - Features and deprecations must be submitted against the 2.1 branch
 - Make sure that the correct base branch is set

To be sure you are not breaking any Backward Compatibilities, check the
documentation:

https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->
2025-10-02 09:45:48 +02:00
Mateusz
5da6a937e9 Fix invalid property types for 'translations' 2025-09-29 14:46:00 +02:00
Rafał Jaskulski
dd8c81499c
Update validation group in checkout complete (#18371)
| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | no
| New feature?    | no
| BC breaks?      | no
| Related tickets | https://github.com/Sylius/Sylius/issues/16151
| License         | MIT

- Removed validation group from route file;
- Added validation group to parameters.
2025-09-29 08:50:06 +02:00
Norbert Glanc
444230c62d Update code after code review 2025-09-26 10:00:05 +02:00
Norbert Glanc
6b47bc2252 Fix code after code review 2025-09-26 09:54:11 +02:00