#### What type of PR is this?
/kind improvement
#### What this PR does / why we need it:
过期的Spring @Component API
#### Which issue(s) this PR fixes:
Fixes#7431
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes Argon2 password encoder as default to remove password limit of 72.
Please note that there is no compatibility issue for old passwords.
#### Which issue(s) this PR fixes:
Fixes#7405
#### Special notes for your reviewer:
1. Try to login as admin
2. Create a password having the length of 73 or more for a new user
3. See the result
#### Does this PR introduce a user-facing change?
```release-note
修复无法设置长度超过72个字符的密码的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds therapi-runtime-javadoc dependency and annotationProcessor for api and application projects. After doing that, SpringDoc will introspect Javadoc annotations and comments. See https://springdoc.org/#javadoc-support for more.
For support in plugin, just add an annotationProcessor like below:
```gradle
dependencies {
implementation platform('run.halo.tools.platform:plugin:2.20.8-SNAPSHOT')
compileOnly 'run.halo.app:api'
annotationProcessor 'com.github.therapi:therapi-runtime-javadoc-scribe:0.13.0'
}
```
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复 Unstructured Metadata 的 equals hashcode 排除 version,这可能是之前误操作提交的
ed50a0224d/api/src/main/java/run/halo/app/extension/Unstructured.java (L75)
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors UserScopedPatHandlerImpl with PAT service to make PAT operations flexible.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adjusts the order of checking instance of ExecutorService and AutoCloseable interfaces. Because the ExecutorService extends AutoCloseable in Java 21. As a result, unit tests against the method won't be passed in Java 21.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
支持禁用主题预览功能,但拥有主题管理权限的用户不受此功能影响
#### Which issue(s) this PR fixes:
Fixes#7204
#### Does this PR introduce a user-facing change?
```release-note
支持禁用主题预览功能,但拥有主题管理权限的用户不受此功能影响
```
#### What type of PR is this?
/kind cleanup
#### What this PR does / why we need it:
Replaces deprecated functions (`String defaultString(final String str, final String nullDefault)`) with its recommended alternatives
See 29ccc7665f/src/main/java/org/apache/commons/lang3/StringUtils.java (L1635) for more.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
自动生成摘要仅对内容变更时生效
see https://github.com/halo-dev/halo/issues/7193#issuecomment-2581699190 for more details
避免对资源造成浪费如 AI 摘要生成
#### Which issue(s) this PR fixes:
Fixes#7193
#### Does this PR introduce a user-facing change?
```release-note
自动生成摘要仅对内容发生变更时生效
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复文件类型限制能通过混合文件类型绕过检测的问题
参考:https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9
#### Does this PR introduce a user-facing change?
```release-note
修复文件类型限制能通过混合文件类型绕过检测的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
隐藏关键通知项设置以避免用户意外禁用而无法收到通知
#### Which issue(s) this PR fixes:
Fixes#6967
#### Does this PR introduce a user-facing change?
```release-note
隐藏关键通知项设置以避免用户意外禁用而无法收到通知
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds support for hooking user creating. Plugin developers can define extension points of `UserPreCreatingHandler` and `UserPostCreatingHandler` to do something else.
#### Does this PR introduce a user-facing change?
```release-note
支持在插件中定义用户创建的前置和后置处理器
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复索引比较会因为全是 0 的字符串与其他字符串可能相等的问题
原因是遇到了全是 0 的字符串会因为跳过前导 0 的逻辑导致全部忽略了
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors sign up data binding using internal `bind` method in `ServerRequest` instead of binding my hand. It's more convenient and simpler.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
This PR exposes user and role services into plugins. Some authentication plugins may interact with users and users' roles.
#### Does this PR introduce a user-facing change?
```release-note
允许在插件中使用 UserService 和 RoleService
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
恢复 https://github.com/halo-dev/halo/pull/6846 中删除的 SystemSetting.AuthProvider#enabled 字段避免插件应用到了它可能会发生错误,将其标记为过时
#### Does this PR introduce a user-facing change?
```release-note
None
```
* refactor: auth provider sorting logic for better maintainability and clarity
* Refine UI
* chore: remove other auth type
* Remove other auth providers
---------
Co-authored-by: Ryan Wang <i@ryanc.cc>
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复竖向图片生成缩略图后会丢失方向信息展示为横向图片的问题
#### Which issue(s) this PR fixes:
Fixes#6802
#### Does this PR introduce a user-facing change?
```release-note
修复竖向图片生成缩略图后会丢失方向信息展示为横向图片的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR prevents caching from cache plugin for pre-auth pages and logout page.
#### Which issue(s) this PR fixes:
Fixes#6826
#### Special notes for your reviewer:
1. Install `Page Cache Plugin` from <https://www.halo.run/store/apps/app-BaamQ>.
2. Open a private browser window
3. Access login page twice
4. Try to login
5. See the result
#### Does this PR introduce a user-facing change?
```release-note
解决因缓存插件缓存登录页面导致无法登录的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
优化文件类型检测并支持根据文件名作为决策依据
#### Does this PR introduce a user-facing change?
```release-note
优化文件类型检测并支持根据文件名作为决策依据
```
#### What type of PR is this?
/kind feature
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
支持用户在个人中心管理自己的附件(需要具有对应权限)
Fixes https://github.com/halo-dev/halo/issues/5278
#### Does this PR introduce a user-facing change?
```release-note
支持用户在个人中心管理自己的附件(需要具有对应权限)
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds [a Gradle plugin ](https://github.com/ben-manes/gradle-versions-plugin)to discover dependency updates.
```bash
❯ ./gradlew dependencyUpdates -Drevision=release
> Task :api:dependencyUpdates
------------------------------------------------------------
:api Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest release version:
- com.github.ben-manes.caffeine:caffeine:3.1.8
- com.github.java-json-tools:json-patch:1.13
- com.j256.two-factor-auth:two-factor-auth:1.3
- io.asyncer:r2dbc-mysql:1.3.0
- io.github.java-diff-utils:java-diff-utils:4.12
- io.github.resilience4j:resilience4j-reactor:2.2.0
- io.github.resilience4j:resilience4j-spring-boot3:2.2.0
- io.projectreactor:reactor-test:3.7.0-M6
- io.r2dbc:r2dbc-h2:1.0.0.RELEASE
- io.seruco.encoding:base62:0.1.3
- org.apache.commons:commons-lang3:3.17.0
- org.imgscalr:imgscalr-lib:4.2
- org.jacoco:org.jacoco.agent:0.8.12
- org.jacoco:org.jacoco.ant:0.8.12
- org.mariadb:r2dbc-mariadb:1.2.2
- org.openapi4j:openapi-schema-validator:1.0.7
- org.pf4j:pf4j:3.12.0
- org.postgresql:postgresql:42.7.4
- org.postgresql:r2dbc-postgresql:1.0.5.RELEASE
- org.projectlombok:lombok:1.18.30
- org.springdoc:springdoc-openapi-starter-webflux-ui:2.6.0
- org.springframework.boot:spring-boot-starter-actuator:3.4.0-M3
- org.springframework.boot:spring-boot-starter-cache:3.4.0-M3
- org.springframework.boot:spring-boot-starter-data-jpa:3.4.0-M3
- org.springframework.boot:spring-boot-starter-data-r2dbc:3.4.0-M3
- org.springframework.boot:spring-boot-starter-mail:3.4.0-M3
- org.springframework.boot:spring-boot-starter-security:3.4.0-M3
- org.springframework.boot:spring-boot-starter-test:3.4.0-M3
- org.springframework.boot:spring-boot-starter-thymeleaf:3.4.0-M3
- org.springframework.boot:spring-boot-starter-validation:3.4.0-M3
- org.springframework.boot:spring-boot-starter-webflux:3.4.0-M3
- org.springframework.integration:spring-integration-core:6.4.0-M3
- org.springframework.security:spring-security-oauth2-client:6.4.0-M4
- org.springframework.security:spring-security-oauth2-jose:6.4.0-M4
- org.springframework.security:spring-security-oauth2-resource-server:6.4.0-M4
- org.springframework.security:spring-security-test:6.4.0-M4
- org.springframework.session:spring-session-core:3.4.0-M2
- org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE
The following dependencies have later release versions:
- com.google.guava:guava [32.0.1-jre -> 33.3.1-jre]
https://github.com/google/guava
- net.bytebuddy:byte-buddy [1.15.1 -> 1.15.3]
https://bytebuddy.net
- org.apache.lucene:lucene-analysis-common [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-backward-codecs [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-core [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-highlighter [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-queryparser [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.tika:tika-core [2.9.2 -> 3.0.0-BETA2]
https://tika.apache.org/
- org.jsoup:jsoup [1.15.3 -> 1.18.1]
https://jsoup.org/
Gradle release-candidate updates:
- Gradle: [8.10.2: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
> Task :application:dependencyUpdates
------------------------------------------------------------
:application Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest release version:
- com.puppycrawl.tools:checkstyle:9.3
- io.projectreactor:reactor-test:3.7.0-M6
- org.jacoco:org.jacoco.agent:0.8.12
- org.jacoco:org.jacoco.ant:0.8.12
- org.springframework:spring-context-indexer:6.2.0-RC1
- org.springframework.boot:spring-boot-configuration-processor:3.4.0-M3
- org.springframework.boot:spring-boot-starter-test:3.4.0-M3
- org.springframework.security:spring-security-test:6.4.0-M4
- org.webjars.npm:jsencrypt:3.3.2
- org.webjars.npm:normalize.css:8.0.1
The following dependencies have later release versions:
- org.projectlombok:lombok [1.18.30 -> 1.18.34]
https://projectlombok.org
Gradle release-candidate updates:
- Gradle: [8.10.2: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.10.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD SUCCESSFUL in 1s
9 actionable tasks: 2 executed, 7 up-to-date
```
#### Does this PR introduce a user-facing change?
<!--
如果当前 Pull Request 的修改不会造成用户侧的任何变更,在 `release-note` 代码块儿中填写 `NONE`。
否则请填写用户侧能够理解的 Release Note。如果当前 Pull Request 包含破坏性更新(Break Change),
Release Note 需要以 `action required` 开头。
If no, just write "NONE" in the release-note block below.
If yes, a release note is required:
Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".
-->
```release-note
None
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR provides an endpoint for disconnecting user connection. After the user connection is disconnected, an event `UserConnectionDisconnectedEvent` will be published for plugins.
Now, OAuth2 plugin can simplify the authentication, binding and unbinding logic, please see the AuthProvider configuration snippet below:
```diff
spec:
authenticationUrl: /oauth2/authorization/github
- bindingUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/github
+ bindingUrl: /oauth2/authorization/github
- unbindUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/github
+ unbindUrl: /apis/uc.api.auth.halo.run/v1alpha1/user-connections/github/disconnect
```
Please note that, OAuth2 plugin can also define binding and unbinding endpoints by self.
#### Special notes for your reviewer:
OAuth2 test plugin:
[plugin-oauth2-1.0.4-SNAPSHOT.zip](https://github.com/user-attachments/files/17184215/plugin-oauth2-1.0.4-SNAPSHOT.zip)
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR add support for binding OAuth2 user automatically. So we can remove the user-binding page.
Please note that those changes may break the OAuth2 and SocialLogin plugins.
#### Special notes for your reviewer:
Build OAuth2 plugin from <https://github.com/halo-sigs/plugin-oauth2/pull/64> or use [plugin-oauth2-1.0.4-SNAPSHOT.zip](https://github.com/user-attachments/files/17177592/plugin-oauth2-1.0.4-SNAPSHOT.zip) I built.
- Bind after logging in
1. Log in Halo with username and password method
2. Try to unbind OAuth2 user
3. Bind OAuth2 user again
- Initially bind without logging in
1. Go to login page
2. Log in with OAuth2 method and you will be redirected to login page
3. Log in with username and password method
4. See the result of binding
- Log in with OAuth2 method after binding
1. Go to login page
2. Log in with OAuth2 method and you will be redirected to uc page directly
#### Does this PR introduce a user-facing change?
```release-note
支持自动绑定 OAuth2 登录用户
```
#### What type of PR is this?
/kind feature
/area plugin
#### What this PR does / why we need it:
This PR provides an interface ElementTagProcessor to make plugin handle element tag easily. e.g.:
```java
public class ImgTagProcessor implements ElementTagPostProcessor {
@Override
public Mono<Void> process(ITemplateContext context, IProcessableElementTag tag,
IElementTagStructureHandler structureHandler) {
var elementName = tag.getElementDefinition().getElementName();
if (!Objects.equals("img", elementName.getElementName())) {
return Mono.empty();
}
var srcAttr = tag.getAttribute("src");
if (srcAttr == null) {
return Mono.empty();
}
var newSrc = srcAttr.getValue();
// TODO rewrite src
structureHandler.setAttribute("src", newSrc);
return Mono.empty();
}
}
```
After PR merged, plugins https://github.com/webp-sh/halo-plugin-webp-cloud and https://github.com/guqing/plugin-cloudinary can be refined with new method.
#### Does this PR introduce a user-facing change?
```release-note
支持在插件中操作渲染结果
```
#### What type of PR is this?
/kind feature
/area core
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
Currently, we are refactoring login and logout pages to make them extensible. If plugins want to realize a new authentication method, the CryptoService and RateLimiterRegistry may be used to authenticate.
So this PR exposes the two beans to plugins. No side effect will be introduced.
#### Does this PR introduce a user-facing change?
```release-note
【开发相关】允许在插件使用 CryptoService 和 RateLimiterRegistry
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
重构 KeyComparator 并通过更多的测试用例来确保排序功能的正确性
同时修复了可能存在溢出导致比较结果不正确的问题,目前:
1. 字符串长度比较:在 compareStrings 方法中,字符串的长度比较使用 Integer.compare,这部分代码不会产生整数溢出问题。
2. 数字部分的比较:在 compareNumbers 方法中,数字的比较是基于字符比较的(即逐位比较每个数字字符),没有涉及到将数3. 字字符串转化为 int 或 long 类型的操作,所以不会存在整数溢出问题。
4. 处理小数部分的比较:在 compareDecimalNumbers 方法中,类似地,比较操作也是基于字符的,不涉及到数值转换,因此也不存在整数溢出问题
#### Which issue(s) this PR fixes:
Fixes#6466
#### Does this PR introduce a user-facing change?
```release-note
修复由于索引比较时可能出现整数溢出导致文章偶尔无法访问的问题
```
#### What type of PR is this?
/kind cleanup
/kind improvement
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
This PR refactors some requests with sort parameter by reusing SortableRequest, and refactors some queries with indexer.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind api-change
/kind feature
/area core
#### What this PR does / why we need it:
see #2335
增加将第三方资源转存为附件资源的接口。
`/apis/api.console.halo.run/v1alpha1/attachments/-/upload-from-url`
UC:
`/apis/uc.api.content.halo.run/v1alpha1/attachments/-/upload-from-url`
其中参数为
```json
{
"url": "string",
"filename": "string",
"groupName": "string",
"policyName": "string"
}
```
#### How to test it?
测试能否将第三方接口的资源保存至附件中。
测试各类附件,例如图片、视频、文本等。
#### Does this PR introduce a user-facing change?
```release-note
增加通过链接转存第三方资源至附件库的接口
```
#### What type of PR is this?
/kind improvement
/area core
#### What this PR does / why we need it:
This PR refactors searching roles by using index mechanism to speed up every request and fix the problem of not being able to grant roles to users sometimes.
#### Which issue(s) this PR fixes:
Fixes#5807
Fixes https://github.com/halo-dev/halo/issues/4954
Fixes https://github.com/halo-dev/halo/issues/5057
#### Does this PR introduce a user-facing change?
```release-note
修复有时无法给用户赋权限的问题
```
#### What type of PR is this?
/kind improvement
/area core
#### What this PR does / why we need it:
This PR allows users to filter search result by types, owner names, category names and tag names.
#### Does this PR introduce a user-facing change?
```release-note
完善搜索引擎过滤功能
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.18.x
#### What this PR does / why we need it:
新增文章摘要生成扩展点用于扩展自动生成摘要的方式
#### Does this PR introduce a user-facing change?
```release-note
新增文章摘要生成扩展点用于扩展自动生成摘要的方式
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.18.x
#### What this PR does / why we need it:
在 https://github.com/halo-dev/halo/pull/6244 中移除了过时的 `QueryParamBuildUtil.buildParametersFromType` 方法,但是由于留给插件适配的时间不够,很多官方提供的插件也要和 2.18 一起发版这样会导致使用了此方法的插件无法启动,因此留下方法声明并输出日志等到后续版本在删除,这样可以给出一些时间给用户先升级插件而不是挂掉。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.18.x
#### What this PR does / why we need it:
通过将 ExtensionGetter Bean 共享到给插件的 ApplicationContext,插件能够方便地使用该 Bean 来获取扩展。此更改确保插件具有可靠的扩展访问方式,从而促进系统内更好的模块化和可扩展性。
#### Which issue(s) this PR fixes:
Fixes#6357
#### Does this PR introduce a user-facing change?
```release-note
将 ExtensionGetter Bean 共享给插件使用,以便插件可以通过它来获取扩展
```
#### What type of PR is this?
/kind feature
/kind api-change
/area core
/area plugin
#### What this PR does / why we need it:
This PR adds `BeforeSecurityWebFilter` and `AfterSecurityWebFilter` extension points. See https://github.com/halo-sigs/plugin-page-cache/issues/4#issuecomment-2216677891 for more.
Now, we can do something before and after authenticating.
#### Does this PR introduce a user-facing change?
```release-note
添加认证授权的前置和后置处理器扩展点
```
#### What type of PR is this?
/milestone 2.18.x
#### What this PR does / why we need it:
将 BasePlugin 的 PluginWrapper 构造函数标记为过时并输出警告日志提示
#### Does this PR introduce a user-facing change?
```release-note
在 BasePlugin 的 PluginWrapper 构造函数输出过时警告日志以提醒开发者尽快适配
```
#### What type of PR is this?
/area core
/milestone 2.18.x
#### What this PR does / why we need it:
为了平滑升级先保留 PluginWrapper 的 Bean
#### Does this PR introduce a user-facing change?
```release-note
None
```
mwwcdk