Merge branch 'release/1.6.30'

.github/workflows/tests.yml

@@ -0,0 +1,66 @@
+name: PHP Tests
+
+on:
+  push:
+    branches: [ develop ]
+  pull_request:
+    branches: [ develop ]
+
+jobs:
+  test:
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        php: [ 7.4, 7.3, 7.2 ]
+        os: [ubuntu-latest]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: opcache, gd
+          coverage: none      
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-  
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress
+
+      - name: Run test suite
+        run: vendor/bin/codecept run
+
+      - name: Slack Notification
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: workflow,job,commit,repo,ref,author,took
+          custom_payload: |
+            {
+              username: 'action-slack',
+              icon_emoji: ':octocat:',
+              attachments: [{
+                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
+                text: `${process.env.AS_WORKFLOW}\n${process.env.AS_JOB} (${process.env.AS_COMMIT}) of ${process.env.AS_REPO}@${process.env.AS_REF} by ${process.env.AS_AUTHOR} succeeded in ${process.env.AS_TOOK}`,
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} # required
+        if: always() # Pick up events even if the job fails or is canceled.
+        

CHANGELOG.md

@@ -1,3 +1,9 @@
+# v1.6.30
+## 12/03/2020
+
+1. [](#bugfix)
+    * Rollback `samesite` cookie logic as it causes issues with PHP < 7.3 [#309](https://github.com/getgrav/grav/issues/3089)
+
 # v1.6.29
 ## 12/02/2020
 

composer.json

@@ -57,8 +57,7 @@
         "phpstan/phpstan": "^0.11",
         "phpstan/phpstan-deprecation-rules": "^0.11.0",
         "phpunit/php-code-coverage": "~6.0",
-        "fzaninotto/faker": "^1.8",
-        "victorjonsson/markdowndocs": "dev-master"
+        "fzaninotto/faker": "^1.8"
     },
     "suggest": {
         "ext-zend-opcache": "Recommended for better performance",

system/blueprints/config/system.yaml

@@ -1223,12 +1223,6 @@ form:
                             label: PLUGIN_ADMIN.SESSION_PATH
                             help: PLUGIN_ADMIN.SESSION_PATH_HELP
 
-                        session.samesite:
-                            type: text
-                            size: small
-                            label: PLUGIN_ADMIN.SESSION_SAMESITE
-                            help: PLUGIN_ADMIN.SESSION_SAMESITE_HELP
-                            
                         session.split:
                             type: toggle
                             label: PLUGIN_ADMIN.SESSION_SPLIT

system/config/system.yaml

@@ -161,7 +161,6 @@ session:
   uniqueness: path                               # Should sessions be `path` based or `security.salt` based
   secure: false                                  # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
   httponly: true                                 # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
-  samesite:                                      # Set session SameSite. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
   split: true                                    # Sessions should be independent between site and plugins (such as admin)
   path:
 

system/defines.php

@@ -8,7 +8,7 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.6.29');
+define('GRAV_VERSION', '1.6.30');
 define('GRAV_TESTING', false);
 define('DS', '/');
 

system/src/Grav/Common/Service/SessionServiceProvider.php

@@ -36,7 +36,6 @@ class SessionServiceProvider implements ServiceProviderInterface
             $cookie_httponly = (bool)$config->get('system.session.httponly', true);
             $cookie_lifetime = (int)$config->get('system.session.timeout', 1800);
             $cookie_path = $config->get('system.session.path');
-            $cookie_samesite = $config->get('system.session.samesite');
             if (null === $cookie_path) {
                 $cookie_path = '/' . trim(Uri::filterPath($uri->rootUrl(false)), '/');
             }
@@ -88,14 +87,8 @@ class SessionServiceProvider implements ServiceProviderInterface
                 'cookie_path' => $cookie_path,
                 'cookie_domain' => $cookie_domain,
                 'cookie_secure' => $cookie_secure,
-                'cookie_httponly' => $cookie_httponly,
-            ];
-
-            if ($cookie_samesite) {
-                $options['cookie_samesite'] = $cookie_samesite;
-            }
-
-            $options += (array) $config->get('system.session.options');
+                'cookie_httponly' => $cookie_httponly
+            ] + (array) $config->get('system.session.options');
 
             $session = new Session($options);
             $session->setAutoStart($enabled);

system/src/Grav/Framework/Session/Session.php

@@ -135,7 +135,6 @@ class Session implements SessionInterface
             'use_strict_mode' => true,
             'use_cookies' => true,
             'use_only_cookies' => true,
-            'cookie_samesite' => true,
             'referer_check' => true,
             'cache_limiter' => true,
             'cache_expire' => true,
@@ -212,19 +211,14 @@ class Session implements SessionInterface
         if ($sessionExists) {
             $params = session_get_cookie_params();
 
-            $cookie_options = array (
-                'expires'  => time() + $params['lifetime'],
-                'path'     => $params['path'],
-                'domain'   => $params['domain'],
-                'secure'   => $params['secure'],
-                'httponly' => $params['httponly'],
-                'samesite' => $params['samesite']
-            );
-
             setcookie(
                 $sessionName,
                 session_id(),
-                $cookie_options
+                time() + $params['lifetime'],
+                $params['path'],
+                $params['domain'],
+                $params['secure'],
+                $params['httponly']
             );
         }
 
@@ -237,20 +231,14 @@ class Session implements SessionInterface
     public function invalidate()
     {
         $params = session_get_cookie_params();
-
-        $cookie_options = array (
-            'expires'  => time() - 42000,
-            'path'     => $params['path'],
-            'domain'   => $params['domain'],
-            'secure'   => $params['secure'],
-            'httponly' => $params['httponly'],
-            'samesite' => $params['samesite']
-        );
-
         setcookie(
             session_name(),
             '',
-            $cookie_options
+            time() - 42000,
+            $params['path'],
+            $params['domain'],
+            $params['secure'],
+            $params['httponly']
         );
 
         if ($this->isSessionStarted()) {