Merge pull request #35 from monkenWu/dev

v4.1.5 T1 更新

.github/workflows/deploy-userguide-latest.yml

@@ -0,0 +1,50 @@
+# When changes are pushed to the develop branch,
+# build the current version of the User Guide
+# with Sphinx and deploy it to the gh-pages branch.
+#
+# @todo Consolidate checkouts
+name: Deploy User Guide (latest)
+
+on:
+  push:
+    branches: [ dev ]
+
+jobs:
+  build:
+    name: Deploy to gh-pages
+    # if: (github.repository == 'codeigniter4/CodeIgniter4')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Build the latest User Guide
+      - name: Build with Sphinx
+        uses: ammaraskar/[email protected]
+        with:
+          docs-folder: ./
+
+      # Create an artifact of the html output
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: HTML Documentation
+          path: ./build/html/
+
+      # Commit changes to the gh-pages branch
+      - name: Commit changes
+        run: |
+          git clone https://github.com/monkenWu/codeIgniter4-taiwan-User-Guide.git --branch gh-pages --single-branch gh-pages
+          cp -r ./build/html/* gh-pages/
+          cd gh-pages
+          git config --local user.email "[email protected]"
+          git config --local user.name "${GITHUB_ACTOR}"
+          git add .
+          # Ignore failures due to lack of changes
+          git commit -m "Update User Guide" -a || true
+      - name: Push changes
+        uses: ad-m/[email protected]
+        with:
+          branch: gh-pages
+          directory: gh-pages
+          github_token: ${{ secrets.ACCESS_TOKEN }}

.github/workflows/deploy-userguide-website.yml

@@ -0,0 +1,58 @@
+# When changes are pushed to the develop branch,
+# build the current version of the User Guide
+# with Sphinx and deploy it to the gh-pages branch.
+#
+# @todo Consolidate checkouts
+name: Deploy User Guide (website)
+
+on:
+  push:
+    branches: [ master ]
+
+jobs:
+  build:
+    name: Deploy to taiwan website
+    # if: (github.repository == 'codeigniter4/CodeIgniter4')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Build the latest User Guide
+      - name: Build with Sphinx
+        uses: ammaraskar/[email protected]
+        with:
+          docs-folder: ./
+
+      # Create an artifact of the html output
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: HTML Documentation
+          path: ./build/html/
+
+      # 壓縮產出檔案
+      - name: Run a multi-line script
+        run: |
+          sudo apt-get install zip -y
+          zip -r user_guide_deploy.zip ./build/html
+
+      # 透過 SSH 複製檔案
+      - name: copy file via ssh
+        uses: appleboy/scp-action@master
+        with:
+          host: ${{ secrets.SSH_KNOWN_HOSTS }}
+          username: ${{ secrets.SSH_USERNAME }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SSH_PORT }}
+          source: "user_guide_deploy.zip"
+          target: "/home/cd"
+      # 透過 SSH 執行部屬指令檔案
+      - name: executing remote ssh commands using ssh key
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.SSH_KNOWN_HOSTS }}
+          username: ${{ secrets.SSH_USERNAME }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SSH_PORT }}
+          script: bash /home/cd/user_guide_deploy.sh

security.rst

@@ -0,0 +1,148 @@
+##############
+安全性類別
+##############
+
+安全性類別包含許多方法，有助於保護你的網站免於遭到跨站請求偽造（Cross-Site Request Forgery）攻擊。
+
+.. contents::
+    :local:
+    :depth: 2
+
+*******************
+載入程式庫
+*******************
+
+如果你載入這個程式庫是為了處理 CSRF 保護，那麼你將永遠不需要載入它，因為它已作為一個過濾器運作，不需要手動操作。
+
+如真的有需要直接呼叫這個類別的情況發生，你可以透過 Services 檔案載入它：
+
+::
+
+    $security = \Config\Services::security();
+
+*********************************
+跨站請求偽造（CSRF）
+*********************************
+
+.. warning:: The CSRF Protection is only available for **POST/PUT/PATCH/DELETE** requests.
+    Requests for other methods are not protected.
+
+CSRF Protection Methods
+=======================
+
+By default, the Cookie based CSRF Protection is used. It is
+`Double Submit Cookie <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_
+on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
+
+You can also use Session based CSRF Protection. It is
+`Synchronizer Token Pattern <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern>`_.
+
+You can set to use the Session based CSRF protection by editing the following config parameter value in
+**app/Config/Security.php**::
+
+    public $csrfProtection = 'session';
+
+Enable CSRF Protection
+======================
+
+你可以透過修改 **app/Config/Filters.php** 開啟 CSRF 的保護功能。並在全域啟用 `CSRF` 過濾器：
+
+::
+
+    public $globals = [
+        'before' => [
+            //'honeypot'
+            'csrf'
+        ]
+    ];
+
+你所選擇的 URI 將會進入 CSRF 保護的白名單（例如：API 端點期待外部 POST 的內容）。你可以在過濾器中添加這些 URI 作為例外狀況::
+
+    public $globals = [
+        'before' => [
+            'csrf' => ['except' => ['api/record/save']]
+        ]
+    ];
+
+也支援輸入正規表示式（與大小寫無關）：
+
+::
+
+    public $globals = [
+        'before' => [
+            'csrf' => ['except' => ['api/record/[0-9]+']]
+        ]
+    ];
+
+HTML 表單
+==========
+
+如果你使用 :doc:`表單輔助函數 <../helpers/form_helper>`，那麼
+:func:`form_open()` 會自動在你的表單中插入一個隱藏的 csrf 欄位。
+
+.. note:: To use auto-generation of CSRF field, you need to turn CSRF filter on to the form page.
+    In most cases it is requested using the ``GET`` method.
+
+如果沒有，你可以使用 ``csrf_token()`` 和 ``csrf_hash()`` 函數。
+
+::
+
+    <input type="hidden" name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>" />
+
+此外，你可以使用 ``csrf_field()`` 方法來產生隱藏的輸入欄位::
+
+    // Generates: <input type="hidden" name="{csrf_token}" value="{csrf_hash}" />
+    <?= csrf_field() ?>
+
+當發送一個 JSON 請求時， CSRF 權杖也可以作為被傳遞的參數之一。
+下一個傳遞 CSRF 權杖的方法是一個特殊的 Http 標頭，它的名稱可以透過函數 ``csrf_header()`` 來實現。
+
+此外，你可以使用 ``csrf_meta()`` 方法便捷地產生 meta 標籤::
+
+    // Generates: <meta name="{csrf_header}" content="{csrf_hash}" />
+    <?= csrf_meta() ?>
+
+The Order of Token Sent by Users
+================================
+
+檢查 CSRF 權杖可用性的順序如下:
+
+1. ``$_POST`` 陣列
+2. Http 標頭
+3. ``php://input`` （JSON 請求） - 請記得，這種方法是最慢的，因為我們必須先對 JSON 進行解碼，然後再進行編碼
+
+Token Regeneration
+===================
+
+權杖可以在每次提交時重新產生（預設），也可以在 CSRF cookie 整個生命週期中保持不變。預設將重新產生權杖，這將提供了更好的安全性，但也可能導致可用性問題，例如：其他權杖會變得無效（導覽歷程記錄上一頁或下一頁、多個分頁視窗、非同步操作等）。你可以透過編輯以下設定參數來改變此特性。
+
+::
+
+    public $regenerate  = true;
+
+Redirection on Failure
+======================
+
+當請求沒有通過 CSRF 驗證檢查時，預設情況下將會重新導向上一頁，你可以設定一個 ``error`` 的即時訊息，向終端使用者顯示該訊息，這提供了比瀏覽器崩潰更好的使用者體驗。這個功能可以透過編輯 **app/Config/App.php** 中的 ``$CSRFRedirect`` 值來關閉：
+
+::
+
+    public $redirect = false;
+
+即使重新導向值為  **true**，AJAX 呼叫也不會重新導向，但是會引發錯誤。
+
+*********************
+其他實用方法
+*********************
+
+你不需要直接使用安全性類別中大部分的方法。以下是一些與 CSRF 無關的方法。
+
+**sanitizeFilename()**
+
+嘗試將檔案名稱消毒，以防止「企圖遍歷目錄」和其他安全性問題，這對於經由使用者輸入所提供的檔案特別有用。第一個參數是路徑消毒。
+
+如果允許使用者輸入相對路徑，例如： file/in/some/approved/folder.txt ，可以將第二個可選參數 $relative_path 傳入 true。
+
+::
+
+    $path = $security->sanitizeFilename($request->getVar('filepath'));

source/changelogs/index.rst

@@ -10,25 +10,28 @@ Version |version|
 See all the changes.
 
 .. toctree::
-        :titlesonly:
+    :titlesonly:
 
-        v4.1.2
-        v4.1.1
-        v4.1.0
-        v4.0.5
-        v4.0.4
-        v4.0.3
-        v4.0.0
-        v4.0.0-rc.4
-        v4.0.0-rc.3
-        v4.0.0-rc.2
-        v4.0.0-rc.1
-        v4.0.0-beta.4
-        v4.0.0-beta.3
-        v4.0.0-beta.2
-        v4.0.0-beta.1
-        v4.0.0-alpha.5
-        v4.0.0-alpha.4
-        v4.0.0-alpha.3
-        v4.0.0-alpha.2
-        v4.0.0-alpha.1
+    v4.1.5
+    v4.1.4
+    v4.1.3
+    v4.1.2
+    v4.1.1
+    v4.1.0
+    v4.0.5
+    v4.0.4
+    v4.0.3
+    v4.0.0
+    v4.0.0-rc.4
+    v4.0.0-rc.3
+    v4.0.0-rc.2
+    v4.0.0-rc.1
+    v4.0.0-beta.4
+    v4.0.0-beta.3
+    v4.0.0-beta.2
+    v4.0.0-beta.1
+    v4.0.0-alpha.5
+    v4.0.0-alpha.4
+    v4.0.0-alpha.3
+    v4.0.0-alpha.2
+    v4.0.0-alpha.1

source/changelogs/v4.1.3.rst

@@ -0,0 +1,25 @@
+Version 4.1.3
+=============
+
+Release Date: June 6, 2021
+
+**4.1.3 release of CodeIgniter4**
+
+Enhancements:
+
+- New functions in the File Helper: ``directory_mirror()`` and ``same_file()``
+- Implemented NexusPHP's ``Tachycardia`` for slow test identification
+- Added a new ``$ttl`` option to ``Cache`` config for future use
+
+Changes:
+
+- Added MySQL 8.0 to the test matrix
+- Improved environment detection from ``$_SERVER``
+- Numerous sweeping code improvements via Rector and analysis
+
+Bugs Fixed:
+
+- Fixed a bug where ``CURLRequest`` would try to use a project URI instead of its base
+- Fixed a bug where CLI mode was not detected under ``cgi-fcgi``
+- Fixed a logic bug in Cookie construction
+- Fixed numerous issues in SQLite3's ``Forge`` class related to an incorrect attribute name

source/changelogs/v4.1.4.rst

@@ -0,0 +1,54 @@
+Version 4.1.4
+=============
+
+Release Date: September 6, 2021
+
+**4.1.4 release of CodeIgniter4**
+
+This release focuses on code style. All changes (except those noted below) are cosmetic to bring the code in line with the new
+`CodeIgniter Coding Standard <https://github.com/CodeIgniter/coding-standard>`_ (based on PSR-12).
+
+Breaking Changes:
+
+- The following methods were changed from "public" to "protected" to match their parent class methods and better align with their uses:
+
+    * ``CodeIgniter\Database\MySQLi\Connection::execute()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_fieldData()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_indexData()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\Postgre\Builder::_like_statement()``
+    * ``CodeIgniter\Database\Postgre\Connection::execute()``
+    * ``CodeIgniter\Database\Postgre\Connection::_fieldData()``
+    * ``CodeIgniter\Database\Postgre\Connection::_indexData()``
+    * ``CodeIgniter\Database\Postgre\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::execute()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_fieldData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_indexData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::execute()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_fieldData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_indexData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Images\Handlers\GDHandler::_flatten()``
+    * ``CodeIgniter\Images\Handlers\GDHandler::_flip()``
+    * ``CodeIgniter\Images\Handlers\ImageMagickHandler::_flatten()``
+    * ``CodeIgniter\Images\Handlers\ImageMagickHandler::_flip()``
+    * ``CodeIgniter\Test\Mock\MockIncomingRequest::detectURI()``
+    * ``CodeIgniter\Test\Mock\MockSecurity.php::sendCookie()``
+
+- To be compatible with the strict inheritance checks of PHP 8.1, the following method signatures were added return types to match their parents' signatures whenever possible:
+
+    * ``CodeIgniter\Cookie\Cookie::offsetExists()``
+    * ``CodeIgniter\Cookie\Cookie::offsetSet()``
+    * ``CodeIgniter\Cookie\Cookie::offsetUnset()``
+    * ``CodeIgniter\Cookie\CookieStore::getIterator()``
+    * ``CodeIgniter\I18n\Time::__wakeup()``
+    * ``CodeIgniter\Test\Filters\CITestStreamFilter::filter()``
+
+- Related to the strict inheritance checks of PHP 8.1, the following session handlers implementing ``SessionHandlerInterface`` have their public methods modified to match the interface:
+
+    * ``CodeIgniter\Session\Handlers\ArrayHandler``
+    * ``CodeIgniter\Session\Handlers\DatabaseHandler``
+    * ``CodeIgniter\Session\Handlers\FileHandler``
+    * ``CodeIgniter\Session\Handlers\MemcachedHandler``
+    * ``CodeIgniter\Session\Handlers\RedisHandler``