merge master into branch

.env

@@ -64,6 +64,7 @@
 # - "deleteRecord"
 # - "editRecord"
 # - "exportMail"
+# - "downloadAsync"
 # - "exposeUpload"
 # - "exportFtp"
 # - "mainQueue"
@@ -105,7 +106,7 @@
 # Example with all profiles:
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
 # - COMPOSE_PROFILES=app,setup,gateway-classic,db,elasticsearch,redis,redis-session,rabbitmq,pma,mailhog,assetsInjest,createRecord,deleteRecord,editRecord,
-#                    exportMail,exposeUpload,exportFtp,mainQueue,populateIndex,pullAssets,recordsActions,subdefCreation,
+#                    exportMail,downloadAsync,exposeUpload,exportFtp,mainQueue,populateIndex,pullAssets,recordsActions,subdefCreation,
 #                    validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
 #
 
@@ -145,9 +146,11 @@ STACK_NAME=
 # Phrasea network Name, the name of Phrasea network and see by traefik
 # @run
 PHRASEA_NETWORK_NAME=ps_internal
-
+# @run
 PHRASEA_DOMAIN=phrasea.local
+# @run
 PHRASEA_GATEWAY_IP=172.30.0.1
+# @run
 PHRASEA_COMPOSE_PROJECT_NAME=ps
 
 
@@ -180,13 +183,15 @@ PHRASEANET_MAINTENANCE=0
 # Activate restrictions
 # restrictions can be based 
 # on IP and/or password
-# @run
 # configuration exemple :
 # GATEWAY_ALLOWED_IPS=10.0.0.1,10.0.1.1
 # GATEWAY_DENIED_IPS=172.1.0.1,172.1.0.2
 # GATEWAY_USERS="user1:password1,user2:password2"
+# @run
 GATEWAY_ALLOWED_IPS=
+# @run
 GATEWAY_DENIED_IPS=
+# @run
 GATEWAY_USERS=
 
 # https and reverse proxy (on/off)
@@ -196,8 +201,8 @@ GATEWAY_FASTCGI_HTTPS=off
 
 # Content Security Policy (CSP)
 # security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting
-## @run 
-GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com  data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com ; img-src 'self'  data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
+# @run
+GATEWAY_CSP="default-src 'self' 127.0.0.1 https://sockjs-eu.pusher.com:443 wss://ws-eu.pusher.com https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ; object-src 'self';frame-ancestors 'self'"
 
 # --- RabbitMQ settings ------------------------------------------------------------------------------------------------
 
@@ -291,46 +296,54 @@ PHP_LOG_LEVEL=warning
 
 # PHP Handler used to store/retrieve data.
 # http://php.net/session.save-handler
-# session handler can be "files" and path must be than 
+# session handler can be "files" and path must be than
+# @run
 SESSION_SAVE_HANDLER=redis
+# @run
 SESSION_SAVE_PATH=tcp://redis-session:6379
 
 # PHP session cookies to be secured 
-#only works if the application is under ssl protection
+# only works if the application is under ssl protection
+# @run
 COOKIE_SECURE=false
 
 # FPM
 # Choose how the process manager will control the number of child processes.
 # Possible Values:
 # static  - a fixed number (pm.max_children) of child processes;
 # dynamic - the number of child processes are set dynamically based on the
+# @run
 FPM_PM_TYPE=dynamic
 
 # FPM
 # The number of child processes to be created when pm is set to 'static' and the
 # maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+# @run
 FPM_MAXCHILDREN=9
 
 # FPM
 # The number of child processes created on startup.
 # Note: Used only when pm is set to 'dynamic'
-
+# @run
 FPM_STARTSERVERS=3
 
 # FPM
 # The desired minimum number of idle server processes.
 # Note: Used only when pm is set to 'dynamic'
 # Note: Mandatory when pm is set to 'dynamic'
+# @run
 FPM_MINSPARESERVER=2
 
 # FPM
 # The desired maximum number of idle server processes.
 # Note: Used only when pm is set to 'dynamic'
 # Note: Mandatory when pm is set to 'dynamic'
+# @run
 FPM_MAXSPARESERVER=4
 
 # FPM 
 # The number of requests each child process should execute before respawning.
+# @run
 FPM_MAX_REQUESTS=1000
 
 # --- MySQL settings ---------------------------------------------------------------------------------------------------
@@ -414,14 +427,31 @@ DB_BACKUP_CRON_TIME=
 DB_BACKUP_GZIP_LEVEL=9
 
 
+# --- Pusher settings --------------------------------------------------------------------------------------
+
+# Pusher settings used when PHRASEANET_DOWNLOAD_ASYNC=true (configuration.yml: download_async / enabled=true)
+
+#  pusher key
+# @run
+PUSHER_AUTH_KEY
+
+# pusher secret
+# @run
+PUSHER_SECRET
+
+# pusher app_id
+# @run
+PUSHER_APP_ID
+
+
 # --- Application cache settings ---------------------------------------------------------------------------------------------------
 
 # Cache setting type can be "redis" or "arraycache"
 # @run
-# @install
-
 PHRASEANET_CACHE_TYPE=redis
+# @run
 PHRASEANET_CACHE_HOST=redis
+# @run
 PHRASEANET_CACHE_PORT=6379
 
 # --- Phraseanet general settings --------------------------------------------------------------------------------------
@@ -445,9 +475,10 @@ PHRASEANET_PROJECT_NAME=Phraseanet
 # An non declarative variable is generated for other uses needed for deploiment (helm for exemple)
 # Domain name used by traefik in Phrasea stack
 # @run
-# @install
 PHRASEANET_HOSTNAME=phraseanet.phrasea.local
+# @run
 PHRASEANET_SCHEME=http
+# @run
 PHRASEANET_APP_PORT=8082
 
 # Variables below used to define the first user / email couple :
@@ -463,6 +494,9 @@ [email protected]
 # @run
 PHRASEANET_ADMIN_ACCOUNT_PASSWORD=iJRqXU0MwbyJewQLBbra6IWHsWly
 
+# Use Pusher to enable async download.
+# @run
+PHRASEANET_DOWNLOAD_ASYNC=false
 
 
 # --- Phraseanet MySQL settings ----------------------------------------------------------------------------------------
@@ -548,22 +582,34 @@ PHRASEANET_RABBITMQ_VHOST=/
 PHRASEANET_RABBITMQ_HEARTBEAT=30
 
 # --- Phraseanet Elasticsearch  settings -------------------------------------------------------------------------------------
-
-# @setup
-
+# They env variables are only used during installation process, edit configuration.yml file or use phraseanet admin GUI to modify them
+# @install
 PHRASEANET_ELASTICSEARCH_HOST=elasticsearch
+# @install
 PHRASEANET_ELASTICSEARCH_PORT=9200
+# @install
 PHRASEANET_ELASTICSEARCH_INDEX=null
+# @install
 PHRASEANET_ELASTICSEARCH_SHARD=3
+# @install
 PHRASEANET_ELASTICSEARCH_REPLICAS=0
+# @install
 PHRASEANET_ELASTICSEARCH_MINSCORE=2
+# @install
 PHRASEANET_ELASTICSEARCH_HIGHLIGHT=true
+# @install
 PHRASEANET_ELASTICSEARCH_MAXRESULTWINDOW=500000
-PHRASEANET_ELASTICSEARCH_POPULATEORDER=MODIFICATION_DATE
+# @install
+PHRASEANET_ELASTICSEARCH_POPULATEORDER=RECORD_ID
+# @install
 PHRASEANET_ELASTICSEARCH_ACTIVETAB=null
+# @install
 PHRASEANET_ELASTICSEARCH_FACET_BASE=10
+# @install
 PHRASEANET_ELASTICSEARCH_FACET_COLLECTION=10
+# @install
 PHRASEANET_ELASTICSEARCH_FACET_DOCTYPE=10
+# @install
 PHRASEANET_ELASTICSEARCH_FACET_ORIENTATION=10
 
 
@@ -686,6 +732,9 @@ PHRASEANET_WORKER_editRecord=2
 # @run
 PHRASEANET_WORKER_exportMail=2
 
+# @run
+PHRASEANET_WORKER_downloadAsync=2
+
 # @run
 PHRASEANET_WORKER_exposeUpload=2
 
@@ -905,22 +954,30 @@ PHRASEANET_FTP_DIR=./datas/ftp
 #
 
 # For dev who don't have SSH_AUTH_SOCK (avoid an empty volume name)
+# @run
 SSH_AUTH_SOCK=/dev/null
 
 # Kubernet context needs full pod hosname on nginx reverse proxing 
 # This is need for PHraseanet  SAML context on K8S
+# @run
 PHRASEANET_K8S_NAMESPACE=
 
 #
 # SAML Service provider setting 
 # simplesamlphp as service provider for Phraseanet
 # must be associated to a plugin
 # on docker-compose staxk add the profile phraseanet-saml-sp
-
+# @run
 SAML_ALLOW_DEBUG=true
+# @run
 SAML_PHRASEANET_HOST=http://127.0.0.1:8082
+# @run
 SAML_SP_CONFIG_DIR=./saml-config/
+# @run
 SAML_SP_AUTHSOURCES=
+# @run
 SAML_SP_CERT_DIR=./saml-cert/
+# @run
 SAML_IDP_METADATA_CONFIG=
+# @run
 SAML_IDP_METADATA_LOCAL_CONFIG_DIR=./saml-metadata/

CHANGELOG.md

@@ -1,30 +1,85 @@
 # CHANGELOG
 
+## 4.1.8-rc7
+
+### Update instructions
+
+- Migration patch: 
+  - Migration script for configuration file, (backup it is  recommended).
+  - Doctrine migration for updating databases scheme, (backup it is  recommended). 
+
+`bin/setup system:upgrade`, run by setup container with docker if env `PHRASEANET_UPGRADE=1 ` 
+
+### Version summary
+
+ - Matomo Media metrics integration.
+ - Phrasea Expose client improvements. 
+ - CSRF Security fix.
+ - Substitution is now available for all sub definitions.
+ - SMTP, TLS 1.0 deprecation, TLS is now the version by default in version 1.2.
+ - When image contains transparency, background color can be forced to a specific color.
+
+### Stack (docker compose)
+
+   -  It is not possible to define Custom CSP
+
+### What's Changed
+
+* PHRAS-3914 Lightbox - mobile fix matomo url by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4377
+* PHRAS-3892 set content security policies (csp) as env vars by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4375
+* PHRAS-3852_tiff-background-color by @jygaulier in https://github.com/alchemy-fr/Phraseanet/pull/4376
+* PHRAS-3909 : Prod - Expose cli - load more publications - add pagination by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4379
+* PHRAS-3416 phraseanet-localization by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4380
+* PHRAS-3913 Prod - Shared Baskets - validation - Need to apply rights twice by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4378
+* PHRAS-3857 Check CSRF token on Prod and Admin forms by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4361
+* PHRAS-3061 Admin - subview definition - missmatch error between value set in form and slider limit by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4389
+* PHRAS-3894 : bin/maintenance clean: - Removing BETA prefix and Memory leak by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4391
+* PHRAS-3921 prod - expose-cli - became compatible with Phrasea V3 keycloak and fix by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4384
+* PHRAS-3929  Compose Set redis version For SAML container by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4390
+* PHRAS-3930 matomo media tracking by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4393
+* PHRAS-3921 expose-cli oauth token uri compatibility v2 v3 and asset title set  by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4392
+* PHRAS-3933 prod - 403 "invalide search token" - after "video tools" openning by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4394
+* PHRAS-3922 show the button stop on phraseanet service pull process and feedback reminder by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4397
+* PHRAS-3928_download_async by @jygaulier in https://github.com/alchemy-fr/Phraseanet/pull/4386
+* PHRAS-3939 : fix order create basket by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4401
+* PHRAS-3900 Check TLS version use for email SMTP sending - TLS 1.0 of 1.1 deprecation by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4382
+* PHRAS-3931_phraseanet_local_id_in_api by @jygaulier in https://github.com/alchemy-fr/Phraseanet/pull/4400
+* PHRAS-3934 fix videotools subtitle timeline by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4398
+* PHRAS-3935 :  phraseanet_local_id became instance_id by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4396
+* PHRAS-3918_subdef-substituable-setting by @jygaulier in https://github.com/alchemy-fr/Phraseanet/pull/4381
+
+
+**Full Changelog**: https://github.com/alchemy-fr/Phraseanet/compare/4.1.8-rc6...4.1.8-rc7
+
 ## 4.1.8-rc6
 
 ### Update instructions
 
-- Migration patch: no patch to play, just run upgrade for bump version 
-- Elasticsearch index action : a "drop", "create", "populate" of elasticsearch index can be useful.
+- Migration patch: yes, so primary datastore require a backup before performing an update
+- Elasticsearch index action : a "drop", "create", "populate" of elasticsearch index can be usefull.
 
 ### Version summary
 
- - Improvement and bugfix
+ - bugfix an minor improvement (todo)
 
 ### Stack (docker compose)
 
  - PHP setting improvement 
  - FPM setting improvement 
 
-## What's Changed
+### What's Changed
+
 * PHRAS-3893 prod - advanced search - control calendar missing for created_on and updated_on by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4360
 * PHRAS-3785 update composer dependencies for imagine by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4362
 * PHRAS-3252 Prod - Export - The captions are not being sent when doing an export by email by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4363
 * PHRAS-3387 php fpm optimization by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4364
 * PHRAS-3890: Admin - add "auth failure" - display and purge auth failure - only for super U by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4368
 * PHRAS-3903 Admin - object inspector - record index debug tools by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4369
-* PHRAS-3904 Add server port on fastcgi - SAML multi provider support https conf by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4370
+* PHRAS-3904 Add server port on fastcgi https conf by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4370
+* PHRAS-3416 phraseanet localization by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4371
+* PHRAS-3826 add mask password argument by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4372
 * PHRAS-3889 Worker - metadata write - mime/type whitelist - write metadatas only on whitelisted files by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4366
+* PHRAS-3901 release version 4.1.8-rc6 by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4365
 * PHRAS-3910 fix redis php extension build by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4373
 
 

Phraseanet-production-client/config/config.js

@@ -13,5 +13,5 @@ module.exports = {
     setupDir: _root + 'tests/setup/node.js',
     karmaConf: _root + 'config/karma.conf.js',
     // change this version when you change JS file for lazy loading
-    assetFileVersion: 96
+    assetFileVersion: 98
 };

Phraseanet-production-client/dist/authenticate.js

@@ -96,7 +96,7 @@ return /******/ (function(modules) { // webpackBootstrap
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=96";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=98";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {

Phraseanet-production-client/dist/authenticate.min.js

@@ -96,7 +96,7 @@ return /******/ (function(modules) { // webpackBootstrap
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=96";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=98";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {

Phraseanet-production-client/dist/commons.js

@@ -91,7 +91,7 @@
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=96";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=98";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {

Phraseanet-production-client/dist/commons.min.js

@@ -91,7 +91,7 @@
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=96";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=98";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {