Commit Graph

122 Commits (38664d45ef5da92228b700847d37d219d09b6513)

Author SHA1 Message Date
John Niang 54925efdd4
Remove route when single pages become unpublished (#4318)
#### What type of PR is this?

/kind bug
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

- Remove route when single pages become unpublished
- Add some unit tests against the change.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4309

#### Special notes for your reviewer:

1. Create a single page with slug name `about.html` and publish it.
2. Create a static file `about.html` in the static folder `${halo.work-dir}/static/`.
3. Try to request <http://localhost:8090/about.html> and check the result.
4. Unpublish the single page and then do step 3 again.

#### Does this PR introduce a user-facing change?

```release-note
Fix the issue where a page-not-found error still occurs when accessing a page after it has been unpublished.
```
2023-07-28 03:05:09 +00:00
John Niang 576a3763fd
Add error prompt when downloading backup files that do not exist (#4298)
#### What type of PR is this?

/kind bug
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

Currently, we have not processed the deletion of backup files when downloading theme. This PR will handle the situation.

Please see the example result:

```bash
curl -s -u admin:admin -H "Accept-Language: zh" http://localhost:8090/apis/api.console.migration.halo.run/v1alpha1/backups/backup-waELO/files/20230725225726-backup-waELO.zip | jq .
{
  "type": "about:blank",
  "title": "资源不存在",
  "status": 404,
  "detail": "备份文件不存在或已删除。",
  "instance": "http://localhost:8090/apis/api.console.migration.halo.run/v1alpha1/backups/backup-waELO/files/20230725225726-backup-waELO.zip",
  "requestId": "8654fdc6-1478",
  "timestamp": "2023-07-25T15:26:56.771260Z"
}
```

```bash
curl -s -u admin:admin -H "Accept-Language: en" http://localhost:8090/apis/api.console.migration.halo.run/v1alpha1/backups/backup-waELO/files/20230725225726-backup-waELO.zip | jq .
{
  "type": "about:blank",
  "title": "Resource Not Found",
  "status": 404,
  "detail": "The backup file does not exist or has been deleted.",
  "instance": "http://localhost:8090/apis/api.console.migration.halo.run/v1alpha1/backups/backup-waELO/files/20230725225726-backup-waELO.zip",
  "requestId": "4f58e158-1480",
  "timestamp": "2023-07-25T15:27:18.451308Z"
}
```

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4297

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-28 03:03:09 +00:00
John Niang 150e9975ba
Suppress compilation warnings and remove deprecated method and classes (#4308)
#### What type of PR is this?

/kind cleanup
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

- Suppress compilation warnings.
- Remove deprecated methods and classes.
- Remove unused methods.

- Before
    ```bash
    ❯ ./gradlew compileJava compileTestJava
    
    > Task :application:compileJava
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:48: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
        private final ThemePathPolicy themePathPolicy;
                      ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:48: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
        private final ThemePathPolicy themePathPolicy;
                      ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:48: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
        private final ThemePathPolicy themePathPolicy;
                      ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:48: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
        private final ThemePathPolicy themePathPolicy;
                      ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:48: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
        private final ThemePathPolicy themePathPolicy;
                      ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/core/extension/reconciler/ThemeReconciler.java:60: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
            themePathPolicy = new ThemePathPolicy(haloProperties.getWorkDir());
                                  ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:64: warning: [removal] authorizeExchange() in ServerHttpSecurity has been deprecated and marked for removal
                .authorizeExchange().anyExchange()
                ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:65: warning: [removal] and() in ServerHttpSecurity.AuthorizeExchangeSpec has been deprecated and marked for removal
                .access(new RequestInfoAuthorizationManager(roleService)).and()
                                                                         ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:88: warning: [removal] authorizeExchange() in ServerHttpSecurity has been deprecated and marked for removal
                .authorizeExchange().anyExchange().permitAll().and()
                ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:88: warning: [removal] and() in ServerHttpSecurity.AuthorizeExchangeSpec has been deprecated and marked for removal
                .authorizeExchange().anyExchange().permitAll().and()
                                                              ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:90: warning: [removal] headers() in ServerHttpSecurity has been deprecated and marked for removal
                .headers()
                ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:100: warning: [removal] cache() in ServerHttpSecurity.HeaderSpec has been deprecated and marked for removal
                .cache().disable().and()
                ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java:100: warning: [removal] and() in ServerHttpSecurity.HeaderSpec has been deprecated and marked for removal
                .cache().disable().and()
                                  ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/security/CsrfConfigurer.java:24: warning: [removal] csrf() in ServerHttpSecurity has been deprecated and marked for removal
            http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java:58: warning: [removal] visitRulesFor(UserDetails,RuleAccumulator) in AuthorizationRuleResolver has been deprecated and marked for removal
        public void visitRulesFor(UserDetails user, RuleAccumulator visitor) {
                    ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java:43: warning: [removal] rulesFor(UserDetails) in AuthorizationRuleResolver has been deprecated and marked for removal
        public PolicyRuleList rulesFor(UserDetails user) {
                              ^
    Note: Some input files use or override a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    Note: /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/extension/ReactiveExtensionClientImpl.java uses unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.
    16 warnings
    
    > Task :application:compileTestJava
    /Users/johnniang/workspaces/halo-dev/halo/application/src/test/java/run/halo/app/core/extension/reconciler/ThemeReconcilerTest.java:90: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
            final ThemePathPolicy themePathPolicy = new ThemePathPolicy(testWorkDir);
                  ^
    /Users/johnniang/workspaces/halo-dev/halo/application/src/test/java/run/halo/app/core/extension/reconciler/ThemeReconcilerTest.java:90: warning: [removal] ThemePathPolicy in run.halo.app.theme has been deprecated and marked for removal
            final ThemePathPolicy themePathPolicy = new ThemePathPolicy(testWorkDir);
                                                        ^
    Note: /Users/johnniang/workspaces/halo-dev/halo/application/src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java uses or overrides a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    Note: /Users/johnniang/workspaces/halo-dev/halo/application/src/test/java/run/halo/app/migration/BackupReconcilerTest.java uses unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.
    2 warnings
    ```
- After

    ```bash
    ❯ ./gradlew clean compileJava compileTestJava
    
    > Task :api:compileJava
    /Users/johnniang/workspaces/halo-dev/halo/api/src/main/java/run/halo/app/extension/Unstructured.java:69: warning: This field does not exist, or would have been excluded anyway.
        @EqualsAndHashCode(exclude = "version")
                                     ^
    Note: /Users/johnniang/workspaces/halo-dev/halo/api/src/main/java/run/halo/app/extension/Unstructured.java uses unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.
    1 warning
    
    > Task :application:compileJava
    Note: /Users/johnniang/workspaces/halo-dev/halo/application/src/main/java/run/halo/app/plugin/SpringExtensionFactory.java uses or overrides a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    
    > Task :api:compileTestJava
    Note: /Users/johnniang/workspaces/halo-dev/halo/api/src/test/java/run/halo/app/infra/utils/JsonUtilsTest.java uses unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.
    
    BUILD SUCCESSFUL in 7s
    22 actionable tasks: 15 executed, 7 up-to-date
    ```

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-27 08:59:19 +00:00
Takagi a5bace37ee
fix: resolve the issue of missing old avatar (#4293)
#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:

Resolve the issue, caused by #4253, of users' old avatars being deleted.

#### Special notes for your reviewer:

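1. Use a Halo version before 2.7.x, create a new user and set its avatar.
2. Upgrade Halo to 2.8.0-rc.1.
3. The avatar should still exist.
4. Test whether avatar upload and removal work properly.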

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-27 03:48:13 +00:00
Ryan Wang 6fa442de98
chore: bump default theme version to 1.5.0 (#4289)
#### What type of PR is this?

/area theme
/milestone 2.8.x

#### What this PR does / why we need it:

Upgrade the default theme version to 1.5.0

https://github.com/halo-dev/theme-earth/releases/tag/v1.5.0

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-24 10:18:15 +00:00
guqing bf1be64959
refactor: conditionally render comment for theme (#4271)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.8.x
/area theme

#### What this PR does / why we need it:
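Conditionally render the comment component to simplify the theme side's conditional control over whether the comment component is displayed

Any template page that uses the comment tag can read `${haloCommentEnabled}` directly to get whether the comment component is visible, as `true/false`, for use on components that need cascading conditional rendering, for example: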

```html
<!-- Do not render the title when the comment component is not visible -->
<p th:if="${haloCommentEnabled}">评论</p>
<halo:comment />
```

how to test it?
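When no rendering condition is added on the theme side:
1. Test whether the global setting for enabling the comment component takes effect
2. Test whether the settings for enabling comments on posts and single pages take effect
3. Test whether the comment component renders correctly when the comment component is enabled and stopped
4. Test whether the result of `${haloCommentEnabled}` is correct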

#### Which issue(s) this PR fixes:
Fixes #4137

#### Does this PR introduce a user-facing change?
```release-note
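Conditionally render the comment component to simplify the theme side's conditional control over whether the comment component is displayed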
```
2023-07-24 09:38:14 +00:00
John Niang 4505fcfd16
Support extending username password authentication (#4265)
#### What type of PR is this?

/kind feature
/area core
/area plugin

#### What this PR does / why we need it:

Plugin developers are able to define their own UsernamePasswordAuthenticationManager to take charge of username password authentication.

1. If the manager fails to handle, the default authentication manager will be used.
2. If the manager returns `Mono.empty()`, the default authentication manager will be used.

For example:

```java
@Component
public class LdapAuthenticationManager
    extends UserDetailsRepositoryReactiveAuthenticationManager
    implements UsernamePasswordAuthenticationManager {

    public LdapAuthenticationManager(ReactiveUserDetailsService userDetailsService) {
        super(userDetailsService);
    }

    @Override
    protected Mono<UserDetails> retrieveUser(String username) {
        return super.retrieveUser(username);
    }
}
```

#### Which issue(s) this PR fixes:

See https://github.com/halo-dev/halo/issues/4207#issuecomment-1643042348 for more.

#### Does this PR introduce a user-facing change?

```release-note
Provide an extension for username/password authentication
```
2023-07-24 09:26:14 +00:00
John Niang 0d19ccdb8a
Delete file already wrote partially into attachment folder when content is terminated with an error (#4286)
#### What type of PR is this?

/kind bug
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

If content is terminated with an error, the file already partially written into the attachment folder won't be cleaned.

Imagine a scenario where we check that the content size is not larger than 2MB when we write content to the attachments folder. Once the limit is reached, files that have been partially written should be cleaned instead of being kept.

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-24 09:22:15 +00:00
John Niang 15dd7826dc
Bump plugin preset (#4287)
#### What type of PR is this?

/kind cleanup
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

Bump plugin preset. See https://github.com/halo-sigs/plugin-comment-widget/releases/tag/v1.7.0 for more.

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-24 09:08:14 +00:00
John Niang bd912c36b9
Support backup and restore (#4206)
#### What type of PR is this?

/kind feature
/area core

#### What this PR does / why we need it:

See 9921deb076/docs/backup-and-restore.md for more.

<img width="1906" alt="image" src="https://github.com/halo-dev/halo/assets/21301288/41531186-d305-44fd-8bdc-30df9b71af43">
<img width="1909" alt="image" src="https://github.com/halo-dev/halo/assets/21301288/3d7af1b9-37ad-4a40-9b81-f15ed0f1f6e8">


#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4059
Fixes https://github.com/halo-dev/halo/issues/3274

#### Special notes for your reviewer:

#### Does this PR introduce a user-facing change?

```release-note
Support backup and restore.
```
2023-07-24 08:26:16 +00:00
John Niang 5ce47190fa
Support resolving static resources at halo work directory (#4285)
#### What type of PR is this?

/kind feature
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

Support resolving static resources at halo work directory `${halo.work-dir}/static/`.

Please note that we only support adding static resources at hand by logging in the server.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4087

#### Special notes for your reviewer:

1. Create a file `index.html` at `${halo.work-dir}/static`
2. Edit the file with any content
3. Browse with `http://localhost:8090/index.html`

#### Does this PR introduce a user-facing change?

```release-note
Support static resource mapping
```
2023-07-24 08:24:34 +00:00
guqing 9bea5ef1c9
fix: inconsistency status occurred during plugin startup due to optimistic locking conflict (#4275)
#### What type of PR is this?
/kind improvement
/area core
/area plugin
/milestone 2.7.x

#### What this PR does / why we need it:
Fix the issue where the plugin status is not as expected because the plugin started successfully but updating the data failed

how to test it?
1. Install a plugin that has a console page and disable it
2. Using IDEA, set a breakpoint where the doStart method finally updates the data, that is, at 834e37cf13/application/src/main/java/run/halo/app/core/extension/reconciler/PluginReconciler.java (L447), with suspend set to Thread
	<img width="404" alt="image" src="https://github.com/halo-dev/halo/assets/38999863/ead0ad2c-65a9-41aa-b2b1-f4fdbc2d2edf">
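3. Enable the plugin; execution will reach the breakpoint
4. Use the following command to update the data, removing status, to simulate an optimistic locking conflict and clear the status state to rule out interference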
```shell
curl -u admin:admin -X PUT http://localhost:8090/apis/plugin.halo.run/v1alpha1/plugins/{name} --data '替换为 plugin 的 json '
```
5. Resume from the breakpoint

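Following the steps above, first reproduce on the main branch and then switch to this PR to compare the results. The expected plugin state is started successfully, with status data like the following example:
conditions has two entries, since the update fails once because of the optimistic lock, and both entry and stylesheet have values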
```json
{
        "phase": "STARTED",
        "conditions": [
            {
                "type": "STARTED",
                "status": "TRUE",
                "lastTransitionTime": "2023-07-21T07:46:01.274211Z",
                "message": "Started successfully",
                "reason": "STARTED"
            },
            {
                "type": "FAILED",
                "status": "FALSE",
                "lastTransitionTime": "2023-07-21T07:46:01.248001Z",
                "message": "Failed to update table [extensions]; Version does not match for row with Id [/registry/plugin.halo.run/plugins/PluginBytemd]",
                "reason": "UnexpectedState"
            }
        ],
        "lastStartTime": "2023-07-21T07:46:01.273625Z",
        "entry": "/plugins/PluginBytemd/assets/console/main.js?version=1.1.0-SNAPSHOT",
        "stylesheet": "/plugins/PluginBytemd/assets/console/style.css?version=1.1.0-SNAPSHOT",
        "logo": "/plugins/PluginBytemd/assets/logo.png?version=1.1.0-SNAPSHOT",
        "loadLocation": "file:///Users/guqing/Development/halo-sigs/plugin-bytemd/"
    }
```

#### Which issue(s) this PR fixes:
Fixes #4273

#### Does this PR introduce a user-facing change?
```release-note
Fix the issue where the plugin status is not as expected because the plugin started successfully but updating the data failed
```
2023-07-24 08:22:42 +00:00
Takagi 84093d8db0
feat: add support for user avatar upload (#4253)
#### What type of PR is this?

/kind improvement
/area console
/area core

#### What this PR does / why we need it:

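This PR refactors how user avatars are uploaded, removing the original approach of an avatar link and uploading to the attachment library. Users with user-management permission are allowed to modify and remove other users' avatars.

Core:
Added `POST` and `DELETE` endpoints at `/apis/api.console.halo.run/v1alpha1/users/-/avatar`, used to upload a user's avatar and delete the current user's avatar.

Console:
Added the ability to crop the user avatar, and call the upload endpoint to save the user avatar.

Needs to wait for #4247 to be merged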

#### Which issue(s) this PR fixes:

Fixes #2688 

See #4251 
See #4247 

#### Special notes for your reviewer:

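1. Test whether the avatar upload and delete endpoints work properly.
2. Check whether the current user's avatar can be set successfully.
3. Check that, in the attachment library, the number of avatar files for the current user is 0 or 1.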

#### Does this PR introduce a user-facing change?

```release-note
Support cropping, uploading and deleting user avatars.
```
2023-07-24 08:08:04 +00:00
John Niang fdfaa53614
Support sort parameter when listing extensions (#4274)
#### What type of PR is this?

/kind feature
/area core

#### What this PR does / why we need it:

Currently, we cannot pass a sort parameter into extensions' list API, so the result of the API is unsortable.

This PR adds support for that API, e.g.:

```bash
curl -X 'GET' \
  'http://localhost:8090/api/v1alpha1/annotationsettings?sort=metadata.name,desc' \
  -H 'accept: */*'
```

#### Does this PR introduce a user-facing change?

```release-note
The Extension query API supports a sort parameter.
```
2023-07-24 07:02:23 +00:00
John Niang e98aec32ca
Upgrade Spring Boot 3.1.2 (#4284)
#### What type of PR is this?

/kind cleanup
/area core
/milestone 2.8.x

#### What this PR does / why we need it:

Upgrade Spring Boot 3.1.2. See https://github.com/spring-projects/spring-boot/releases/tag/v3.1.2 for more.

#### Does this PR introduce a user-facing change?

```release-note
Upgrade Spring Boot to 3.1.2.
```
2023-07-24 03:20:14 +00:00
guqing 3b03ed9570
refactor: add read-write lock to ExtensionContextRegistry (#4245)
#### What type of PR is this?
/kind improvement
/area core
/area plugin
/milestone 2.8.x

#### What this PR does / why we need it:
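Fix the routing exception during plugin uninstallation caused by the multi-threaded environment

Change description:
To ensure thread safety when the registry of the ExtensionContextRegistry class is accessed in a multi-threaded environment. By adding a read-write lock, only one thread can access PluginApplicationContext at a time when reading and writing, which avoids the race conditions and data inconsistency that may occur when multiple threads access the registry at the same time. In addition, the register, remove, getByPluginId, containsContext and getPluginApplicationContexts methods were updated to acquire and release the appropriate lock when accessing the registry, thereby ensuring thread safety.

Cause of the problem:
When a plugin is uninstalled, the uninstall action runs on the Reconciler thread while route access runs on reactor's NonBlockingThread thread. When the routerFunctions() method of PluginCompositeRouterFunction has obtained all PluginApplicationContext instances from ExtensionContextRegistry and is holding them without having finished processing, PluginReconciler runs the plugin uninstall logic and closes one of the PluginApplicationContext instances, so the object references held in PluginCompositeRouterFunction change and the data becomes inconsistent, resulting in the `PluginApplicationContext@14971c8e has been closed already` exception.

Solution:
So this change lets only one thread access PluginApplicationContext when reading and writing, to solve this problem

how to test it?
Test whether the exception described in #4242 appears when uninstalling a plugin in development mode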
#### Which issue(s) this PR fixes:
Fixes #4242

#### Does this PR introduce a user-facing change?
```release-note
Fix the routing exception during plugin uninstallation caused by the multi-threaded environment
```
2023-07-21 03:38:14 +00:00
guqing 832c86071a
fix: plugin delete lifecycle method will not be triggered when the plugin is uninstalled (#4241)
#### What type of PR is this?
/kind bug
/kind improvement
/area core
/milestone 2.8.x

#### What this PR does / why we need it:
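Fix the issue where the delete lifecycle method is not triggered when a plugin is uninstalled

how to test it?
1. Test uninstalling a plugin in development mode: the delete lifecycle method is triggered and the project directory is not deleted by mistake
2. Test uninstalling a plugin in production mode: the files are deleted correctly and the delete lifecycle method is triggered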

#### Which issue(s) this PR fixes:
Fixes #4238

#### Does this PR introduce a user-facing change?
```release-note
Fix the issue where the delete lifecycle method is not triggered when a plugin is uninstalled
```
2023-07-21 03:36:14 +00:00
guqing 133e54106d
refactor: optimize the usage of comment widget extension point (#4249)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.8.x

#### What this PR does / why we need it:
Optimize how the comment extension point is used

how to test it?
Test whether the comment plugin works properly

#### Does this PR introduce a user-facing change?
```release-note
Optimize how the comment extension point is used
```
2023-07-20 08:59:56 +00:00
guqing 5eb9b68209
refactor: optimizing regex pattern for html meta matching (#4235)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.8.x

#### What this PR does / why we need it:
Optimize the regular expression used to remove duplicate Html Meta tags

see #4234 for more details.

#### Which issue(s) this PR fixes:

Fixes #4234

#### Does this PR introduce a user-facing change?

```release-note
Optimize the regular expression used to remove duplicate Html Meta tags
```
2023-07-20 08:55:56 +00:00
Takagi 5a7e794fea
feat: allow attachment library to filter certain groups and their attachments (#4255)
#### What type of PR is this?

/kind feature
/area core

#### What this PR does / why we need it:

Add a filter condition to the attachment library that filters out groups whose labels contain `halo.run/hidden`, along with their attachments.

#### Which issue(s) this PR fixes:

Fixes #4251 

#### Special notes for your reviewer:

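It is enough to make sure that attachments can be accessed normally by default.
Or add the `halo.run/hidden` label to a group, then check whether the API response excludes the target group and its attachments.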

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-07-20 07:28:17 +00:00
guqing 1dc2f6f4ea
refactor: plugin path in annotations when plugin installation (#4179)
#### What type of PR is this?
/kind improvement
/area core
/area plugin
/milestone 2.7.x

#### What this PR does / why we need it:
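Fix the issue where, in production mode, the location recorded at plugin installation is an absolute path, which affects migration

how to test it?
1. In production mode, install a plugin and check whether the value of `plugin.halo.run/plugin-path` in the annotations is a path relative to pluginsRoot
2. For a plugin installed in production mode after starting on the main branch, check whether `plugin.halo.run/plugin-path` becomes a relative path after switching to this PR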

#### Which issue(s) this PR fixes:
Fixes #4178

#### Does this PR introduce a user-facing change?
```release-note
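Fix the issue where, in production mode, the location recorded at plugin installation is an absolute path, which affects migration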
```
2023-07-19 02:34:11 +00:00
guqing 529740a238
fix: creating a draft cannot be displayed in the post list (#4155)
#### What this PR does / why we need it:
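This change restores the getContent logic of AbstractContentService

When the query in getContent of AbstractContentService is changed to client.get, it affects the call from the post reconciler, which keeps requeueing after the error, so the post processing logic cannot complete.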
<img width="633" alt="image" src="https://github.com/halo-dev/halo/assets/38999863/93743cac-f3db-4ff7-837c-bd42dfcf1280">
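When the reconciler gets releaseSnapshot here, the post may still be a draft, which causes one extra query when getContent is called, so it would be best to add a check afterwards; of course, this is already checked in getContent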

#### Which issue(s) this PR fixes:
Fixes #4154

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-30 03:04:16 +00:00
Ryan Wang 668018e6a0
chore: update preset plugins (#4159)
#### What type of PR is this?

/area plugin
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Update preset plugins version

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-30 03:00:12 +00:00
John Niang 4685bf4052
Add role template for managing cache (#4153)
#### What type of PR is this?

/kind feature
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Add role template for managing cache. Anyone with role `role-template-manage-cache` can see the `Refresh Page Cache` button.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4143

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-29 07:48:12 +00:00
guqing 9a0c52fb2a
feat: support obtaining the raw external URL configuration (#4150)
#### What type of PR is this?
/kind feature
/area core
/milestone 2.7.x

#### What this PR does / why we need it:
Support obtaining the externalUrl configuration through ExternalUrlSupplier

#### Which issue(s) this PR fixes:

Fixes #4149

#### Does this PR introduce a user-facing change?
```release-note
Support obtaining the externalUrl configuration through ExternalUrlSupplier
```
2023-06-29 07:04:12 +00:00
John Niang 0d387eddf3
Enable configuration caching with separate names (#4151)
#### What type of PR is this?

/kind feature
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Refactor configuration properties to configure caching with separate names, so that we can enable / disable cache with name.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4144

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-29 07:02:11 +00:00
guqing 55cb21ccaa
feat: support for obtaining the newest comments on theme-side (#4104)
#### What type of PR is this?
/kind feature
/milestone 2.7.x
/area core
/area theme

#### What this PR does / why we need it:
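The theme side supports obtaining the newest comments

Possible issue:
If the theme side wants to display the specific subject a comment belongs to, such as a Moment, it may be hard to display

how to test it?
Get comments through the list method and check whether the ordering and data are correct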
```html
<p th:each="result : ${commentFinder.list(null,1,10)}">
  <span th:text="${result.spec.raw}"></span>
  -> <span th:text="${#temporals.format(result.spec.creationTime, 'yyyy-MM-dd HH:mm:ss')}"></span>
  -> <span th:text="${result.spec.subjectRef}"></span>
</p>
```
#### Which issue(s) this PR fixes:
Fixes #4088

#### Does this PR introduce a user-facing change?
```release-note
The theme side supports obtaining the newest comments
```
2023-06-28 15:48:11 +00:00
John Niang 00dd95ca6d
Add rate limiter for signing up (#4128)
#### What type of PR is this?

/kind feature
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Add rate limiter for signing up. We only allow 3 registrations within 1 hour by default, despite registration failure.

#### Special notes for your reviewer:

1. Start Halo and console.
2. Try to enable registration for public users.
3. Browse <http://localhost:8090/console/login?type=signup>
4. Input duplicate username for 4 times and see the result.
5. Or input valid username for 4 times and see the result.

#### Does this PR introduce a user-facing change?

```release-note
Limit the request rate of the registration endpoint
```
2023-06-28 15:42:11 +00:00
guqing cabcd98ef4
feat: add content extension points for post and single page on theme-side (#4080)
#### What type of PR is this?
/kind feature
/milestone 2.7.x
/area core

#### What this PR does / why we need it:
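Add extension points for post and single page content on the theme side
Plugins can implement the extension point to intervene in how post and single page content is displayed, such as modifying the html structure of the content or changing specific styles

For usage, see: [docs/extension-points/content.md](9b2b9f1837)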

#### Which issue(s) this PR fixes:

Fixes #4003

#### Does this PR introduce a user-facing change?

```release-note
Add extension points for post and single page content on the theme side
```
2023-06-28 15:30:11 +00:00
guqing 972ebed03a
refactor: content page meta tags now override global injected (#4069)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.7.x

#### What this PR does / why we need it:
Fix duplicate HTML Meta tags on the post page

see #4049 for more details.

#### Which issue(s) this PR fixes:

Fixes #4049

#### Does this PR introduce a user-facing change?

```release-note
Fix duplicate Meta Description tags on the post page
```
2023-06-28 14:54:12 +00:00
John Niang 4aec1ba8f6
Check X-Real-IP header when obtaining client IP (#4139)
#### What type of PR is this?

/kind bug
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

In some special situations, Halo can not obtain client IP address from request headers and socket address is unresolved, so that `java.lang.NullPointerException: Cannot invoke "java.net.InetAddress.getHostAddress()" because the return value of "java.net.InetSocketAddress.getAddress()" is null` will happen.

This PR will resolve the problem by checking `X-Real-IP` header and checking if remote address is unresolved.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4134

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-28 09:50:11 +00:00
John Niang 25103b9ff8
Upgrade Spring Boot to 3.1.1 (#4136)
#### What type of PR is this?

/kind cleanup
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Upgrade Spring Boot to 3.1.1. See https://github.com/spring-projects/spring-boot/releases/tag/v3.1.1 for more.

#### Does this PR introduce a user-facing change?

```release-note
Upgrade Spring Boot to 3.1.1
```
2023-06-28 08:08:11 +00:00
John Niang ff33608fed
Apply rate limiter for replying a comment (#4135)
#### What type of PR is this?

/kind feature
/area core
/milestone 2.7.x

#### What this PR does / why we need it:

Apply rate limiter for replying a comment as well. This feature is supplement of <https://github.com/halo-dev/halo/pull/4084>.

#### Special notes for your reviewer:

Try to reply any comments 11 times within 1 minute.

#### Does this PR introduce a user-facing change?

```release-note
Add rate limiting for comment replies
```
2023-06-28 07:38:11 +00:00
John Niang d0526ec592
Add support for caching template rendering result (#4091)
#### What type of PR is this?

/kind feature
/area core

#### What this PR does / why we need it:

This PR adds dependency [spring-boot-starter-cache](https://docs.spring.io/spring-boot/docs/current/reference/html/io.html#io.caching) as cache framework and [caffeine](https://github.com/ben-manes/caffeine/wiki) as cache implementation to cache template rendering result.

By default, we disable the cache feature. If you want to enable it, please try to configure properties like this:

```yaml
halo:
  cache:
    disabled: false
```

#### Which issue(s) this PR fixes:

Fixes #2827 

#### Special notes for your reviewer:

1. Start Halo
2. Browse any page twice
3. See the difference in request times

#### Does this PR introduce a user-facing change?

```release-note
Support caching of template rendering results
```
2023-06-26 14:38:00 +00:00
guqing 2791d2f0e5
refactor: unify some properties of plugins and themes (#4061)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.7.x
/kind api-change

#### What this PR does / why we need it:
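Unify some fields of the theme and plugin descriptor files
1. Unify the website field as homepage; mark the theme's website as deprecated and treat it as homepage for compatibility
2. Add a license field to themes
3. Add repo to plugins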

#### Which issue(s) this PR fixes:
Fixes #4011

#### Does this PR introduce a user-facing change?
```release-note
Unify some fields of the theme and plugin descriptor files
```
2023-06-26 14:33:58 +00:00
guqing ff7ab4e4f1
refactor: support for custom api group in plugin controllers (#4065)
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.7.x

#### What this PR does / why we need it:
Plugin Controllers support a custom API Group
For example:
```java
@RestController
@ApiVersion("fake.halo.run/v1")
@RequestMapping("/fake")
public class DemoController {
}
```
The generated route is then `/apis/fake.halo.run/v1/fake`
If there is no group, the previous form is kept by default for compatibility: `/apis/api.plugin.halo.run/{version}/plugins/{pluginName}/**`
```java
@RestController
@ApiVersion("v1alpha1")
@RequestMapping("/fake")
public class DemoController {
}
```

#### Which issue(s) this PR fixes:
Fixes #4053

#### Does this PR introduce a user-facing change?
```release-note
Plugin Controllers support a custom API Group
```
2023-06-26 14:01:57 +00:00
guqing 532d7e0632
refactor: register plugin application context after context refreshed (#4092)
#### What type of PR is this?
/kind improvement
/area core
/area plugin

#### What this PR does / why we need it:
Register the plugin's ApplicationContext in the Registry after it has been refreshed

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-26 13:31:59 +00:00
John Niang aaa3548c97
Fix the problem that the username does not exist when the username does not exist (#4070)
#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:

Catch UserNotFoundException instead of ExtensionNotFoundException to map correctly to BadCredentialsException.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4057

#### Special notes for your reviewer:

1. Start Halo
2. Log in with a username which does not exist
3. Check the response

#### Does this PR introduce a user-facing change?

```release-note
Fix the problem of "username does not exist" appearing at login.
```
2023-06-26 12:21:57 +00:00
John Niang ecc617c709
Remap RequestNotPermittedException with RateLimitExceededException (#4119) 2023-06-26 16:12:54 +08:00
d28f6075c1
feat: add rate limiter for comment endpoint (#4084)
#### What type of PR is this?

/kind feature
/kind core

#### What this PR does / why we need it:

This PR limits comment creation to a rate of 10 per minute.

See https://github.com/halo-dev/halo/issues/4044 for more.

#### Special notes for your reviewer:
1. Start Halo.
2. Create 11 new comments
3. Check the response.

#### Does this PR introduce a user-facing change?

```release-note
Add rate limiting for posting comments
```
2023-06-26 03:30:25 +00:00
John Niang 5e9e87582e
Refactor setting of problem detail type (#4099)
#### What type of PR is this?

/kind improvement
/area core

#### What this PR does / why we need it:

Define a global map to map exceptions to problem detail types.

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-21 04:40:12 +00:00
John Niang 12a426c9ae
Exclude WebSocket request when serving console index (#4096)
#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:

This PR excludes WebSocket requests when serving console index and removes request predicate accept in ConsoleProxyFilter.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4083

#### Special notes for your reviewer:

1. Start Console with dev environment
2. Start Halo with dev profile
3. Try to browse <http://localhost:8090/console> and check the log

#### Does this PR introduce a user-facing change?

```release-note
Fix the error that occurs when accessing Console in the development environment
```
2023-06-21 03:42:12 +00:00
John Niang a19f342b47
Fix the problem of logging in successfully even if request not permitted (#4101)
#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:

This is a bug introduced from https://github.com/halo-dev/halo/pull/4062. I have overridden onAuthenticationSuccess to create rate limiter in advance instead of invoking `securityContextRepository#save` before.

See https://github.com/halo-dev/halo/pull/4099#issuecomment-1598074131 for more.

#### Special notes for your reviewer:

1. Try to log in with incorrect password three times
2. Log in with correct password and check if the response headers contain `Set-Cookie`

#### Does this PR introduce a user-facing change?

```release-note
None
```
2023-06-21 03:26:12 +00:00
John Niang 02369fbd3c
Add rate limiter for login endpoint (#4062)
#### What type of PR is this?

/kind feature
/area core

#### What this PR does / why we need it:

This PR introduces https://github.com/resilience4j/resilience4j to achieve the feature. The login endpoint has limited login failures at a rate of 3 per minute.

See https://github.com/halo-dev/halo/issues/4044 for more.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4044

#### Special notes for your reviewer:

1. Start Halo.
2. Try to log in with incorrect credentials 4 times
3. Check the response.

#### Does this PR introduce a user-facing change?

```release-note
Add a limit on the number of failed login attempts
```
2023-06-16 04:50:12 +00:00
guqing 350e54d42a
chore: bump google guava version to 32.0.1-jre (#4081)
#### What type of PR is this?
/milestone 2.7.x
/area core

#### What this PR does / why we need it:
Upgrade Google Guava to version 32.0.1-jre

Changes from Guava [31.1](https://github.com/google/guava/releases/tag/v31.1) to [32.0.1](https://github.com/google/guava/releases/tag/v32.0.1):
1. The `@Beta` annotation was removed from some APIs, which are now stable
2. A security fix for the `Files.createTempDir` method https://github.com/advisories/GHSA-7g45-4rm6-3mm3 (https://github.com/google/guava/issues/2575)

For details, see: https://github.com/google/guava/releases/tag/v32.0.0

#### Does this PR introduce a user-facing change?

```release-note
Upgrade Google Guava to version 32.0.1-jre
```
2023-06-15 14:30:12 +00:00
guqing 6d251a7f58
refactor: refresh the plugin wrapper when starting the plugin (#4023)
#### What type of PR is this?
/kind improvement
/kind bug
/area core
/area plugin
/milestone 2.6.x

#### What this PR does / why we need it:
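Fix the problem that the cached MainClass object is not cleared after a plugin restarts

how to test it?
Download this plugin:
[plugin-starter-1.0.0-SNAPSHOT.jar.zip](https://github.com/halo-dev/halo/files/11620847/plugin-starter-1.0.0-SNAPSHOT.jar.zip)

Install and start the plugin; you will see log output similar to the following: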
```
测试从 [/var/folders/1z/3hlt62691tx63dxx6y0mryw00000gn/T/halo-plugin3709893537121269748.txt] 文件读取内容
插件启动成功!
```
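After modifying the content of the file named in the log, reload the plugin. If `插件启动成功!` is followed by the latest file content, the MainClass is in its latest state and is not cached.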

#### Which issue(s) this PR fixes:

Fixes #4016

#### Does this PR introduce a user-facing change?

```release-note
Fix the problem that the cached MainClass object is not cleared after a plugin restarts
```
2023-06-14 10:08:14 +00:00
guqing 997a73d81b
fix: file path traversal vulnerability in theme and plugin resource APIs (#4072)
#### What type of PR is this?
/kind bug
/area core
/milestone 2.7.x

#### What this PR does / why we need it:
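Fix the file traversal vulnerability in static resources of themes and plugins

Vulnerability description:
An attacker can add special characters (such as ../ or ..\) to the resource parameter of `/plugins/{name}/assets/console/{*resource}` and `/themes/{themeName}/assets/{*resource}` to bypass the application's access control and access files or directories they have no permission to access.

Fix:
Before accessing a file, check whether the file path is under the restricted directory, for example:
resource = /themes/default/templates/../../test
The path simplifies to /themes/test
If the path is meant to be restricted to `/themes/default/templates`, this is already out of bounds and access is denied

how to test it?
1. Visit, for example, `localhost:8090/themes/theme-earth/assets/dist/../../../../../keys/id_rsa` to check whether the parent directory and the grandparent directory can be reached; the result is correct only if nothing but files under themes/assets can be accessed
2. As in step 1, try `../` and `..\` against `localhost:8090/plugins/{name}/assets/console/{*resource}`; the result is correct only if nothing but files under the plugin's `classpath:console/` can be accessed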

#### Does this PR introduce a user-facing change?
```release-note
Fix the path traversal vulnerability in static resources of themes and plugins
```
2023-06-14 08:36:13 +00:00
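
The check described in the fix above (simplify the requested path, then confirm it still lies under the restricted directory), as an added example that is not Halo's own code. The class name, method name and sample request values are assumptions made for illustration; the base directory is the one used in the description.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added illustration, not Halo's code: class, method and sample values are hypothetical.
public class ResourcePathCheck {

    /** Returns the resolved path only if it stays inside baseDir after normalization. */
    static Optional<Path> resolveInside(Path baseDir, String resource) {
        // Treat "\" as a separator as well, so "..\" is caught on non-Windows hosts too.
        String unified = resource.replace('\\', '/');
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            // normalize() collapses "." and ".." lexically; it does not follow symlinks.
            target = base.resolve(unified).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty(); // e.g. a NUL character in the name
        }
        // Path.startsWith compares whole name elements, so a sibling such as
        // /themes/default/templates-old does not pass as /themes/default/templates.
        return target.startsWith(base) ? Optional.of(target) : Optional.empty();
    }

    public static void main(String[] args) {
        Path base = Paths.get("/themes/default/templates"); // directory from the description
        String[] samples = {                                // constructed request values
            "post.html",
            "css/../post.html",
            "../../test",
            "..\\..\\test",
            "../templates-old/post.html",
            "/etc/passwd"
        };
        for (String s : samples) {
            String verdict = resolveInside(base, s).map(Path::toString).orElse("rejected");
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

Comparing normalized `Path` objects rather than strings is what keeps a prefix match such as `templates-old` from being accepted; where symlinks inside the directory are a concern, the existing target can additionally be compared via `toRealPath()`.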
contour 636ec6329a
Fix AttachmentReconciler repeated execution (#4052)

#### What type of PR is this?
/kind bug

#### What this PR does / why we need it:
Fix AttachmentReconciler repeated execution.

#### Which issue(s) this PR fixes:

Fixes #3746

#### Special notes for your reviewer:
The reconcile method in run.halo.app.core.extension.reconciler.attachment.AttachmentReconciler will be executed repeatedly; uploading an attachment will be executed twice, because updating the finalizers property will, in onUpdate of run.halo.app.extension.controller.ExtensionWatcher, request a duplicate addition. I provide a fix for you to review.
#### Does this PR introduce a user-facing change?

```release-note
Fix AttachmentReconciler repeated execution
```
2023-06-10 14:48:14 +00:00
John Niang 31740e732f
Support configuration properties mechanism for plugin in Halo core (#4043)
#### What type of PR is this?

/kind feature
/area core
/area plugin

#### What this PR does / why we need it:

This PR adds property sources into PluginApplicationContext environment to support configuration properties mechanism.

See https://github.com/halo-dev/halo/issues/4015 for more.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4015

#### Special notes for your reviewer:

You can verify the mechanism in [plugin-starter](https://github.com/halo-dev/plugin-starter) according to documentation `docs/developer-guide/plugin-configuration-properties.md`.

I've only tested it on macOS, looking forward to feedback on Windows.

#### Does this PR introduce a user-facing change?

```release-note
Support defining the @ConfigurationProperties annotation in plugins
```
2023-06-07 09:55:23 +00:00
contour a56d4f2a92
Fix the meta description with special characters causing the page to display abnormally (#4031)

#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:
Fix the problem that the meta description with special characters causes the page to display abnormally.
Use htmlEscape in org.springframework.web.util.HtmlUtils to escape the special characters contained in the original description.

see #4000 
#### Which issue(s) this PR fixes:

Fixes #4000

#### Special notes for your reviewer:

#### Does this PR introduce a user-facing change?

```release-note
NONE
```
2023-06-04 02:15:21 +00:00