Security researchers frequently report CSV formula injection as a security vulnerability in Wagtail, but that's the responsibility of the software consuming the CSV, not creating it. Hopefully this explanation will stop them from doing that (or at least give us a ready-made response to point at when they do).
- The modeladmin folder needs to be inside the templates folder of the relevant app.
- The way it was written makes it seem like /modeladmin/ should be placed in the project root directory.
- instead of a separate table containing all discrete permissions for each object, show these in the object's table
- Wagtail admin access will still show inside 'other permissions'
- resolves #5482
Currently, the label shown for a StructBlock's collapsed representation takes its content from the first sub-block of the StructBlock, which isn't always what you want. Add a new `label_format` meta option to StructBlock to allow customising this - e.g. `label_format = "Profile for {first_name} {surname}"`
Update sample code in the section
Extending Wagtail -> Adding new Task types -> Adding notifications
The previous example did not work because of changes in
`wagtail.admin.mail`
`EmailNotifier` doesn't exist, so we need to import
`EmailNotificationMixin` and `Notifier` instead, and
update `BaseUserApprovalTaskStateEmailNotifier`
accordingly
Tabbing (navigation using Tab or Shift + Tab keys) will now close
the menu and move to the next focusable element on the page instead
of focusing the next menu item.
The previous behaviour was a deviation from the ARIA menu practices:
https://w3c.github.io/aria-practices/#menu
Further changes / cleanup:
* Consume keyboard events like arrow down to prevent the browser
from interpreting them.
* Refactor repeated setTimeout and `.focus()` calls into single
`focusElement(el)` function. Let's keep it DRY!
Fixes #7290
Closes #2768
Issue #2768 was created because a way to limit a page to be only
available under the root page was unknown.
The implementation has allowed this for a while now, but the issue was
not closed (presumably due to missing documentation).
The documentation of the `parent_page_types` field now includes this
"special" case.
- Due to how high-contrast mode works, there was no visual separation between the sidebar and the main content, adding a transparent border resolves this without having any visual impact in non-high contrast mode
- fixes #7456
Attempting to call get_image_model or get_document_model at the top level of a models.py file currently fails with "Models aren't loaded yet". This can be avoided by passing `require_ready=False` to apps.get_model.
This change makes it possible for third-party apps to define abstract models with foreign key references to the possibly-custom image or document model (which can then be subclassed into concrete models in the project itself - defining concrete models in the third-party app probably still isn't safe, as the model will end up being baked into the third-party app's migrations).
* Make more panels type collapsible
* Remove duplicate js in homepage template
* Move collapsible code into its own js file
* Change $li to $target in collapsible.js, as in #6342
Closes #7364, #6342, #6187, #2123
Co-authored-by: Fabien Le Frapper <contact@fabienlefrapper.me>
Co-authored-by: Robbie Mackay <rm@robbiemackay.com>
Co-authored-by: Scott Cranfill <scott.cranfill@jpl.nasa.gov>
The "Page models" documentation page in the Wagtail usage guide has
several broken links (see current page at
https://docs.wagtail.io/en/stable/topics/pages.html).
These links work when developing the documentation locally, but not when
served on ReadTheDocs (docs.wagtail.io)
The broken links are all of the form /some/page.html#anchor - somehow
this format doesn't translate properly to get the necessary RTD prefix
(for example /en/stable/).
I've modified these links to use RST references, which will also make
them more robust to future changes.
Documentation examples of `Page.get_context` and `Page.get_template`
lack `*args` and `**kwargs` parameters (which were added way back in
8c4c268641).
This commit adds those missing parameters.
This allows insight into which images are taking the longest to generate, which fail to render at all, and potentially which images are causing crashes (as in they start, but never stop).
The logging is intentionally only on DEBUG level, so it's opt-in, and is also reasonably quiet so it doesn't bloat logs.
* Pulling in _editor_js.html is unnecessary - the only JS dependency that isn't in form media is now modal_workflow.js. (So close to being able to ditch the template override entirely!)
* Omit the 'clear' button, as this is a required field.
These were previously added at Daniele Procida's recommendation so that 'how to' pages could easily be identified in a future reorganisation that splits them out from other modes of documentation. Since 'Extending Wagtail' as a whole is expressly a 'how to' section, this is no longer required.
* Update title of documentation page
The title of this page mentioned videos because in the original version of this document it _did_ cover adding embedded videos. However, this page no longer mentions videos aside from the title.
* Fix length of underline
* Converts inline panel anchor to button to make keyboard focusable.
* Adds type='button' and undoes change to expanding_formset.js.
* Release notes for #7346
Co-authored-by: Storm Heg <storm@stormheg.co>
* Update references to branches now named `main`
* Change unnecessary use of `master`
* Change link to be to specific ES docs version
Old release notes should link to contemporaneous docs when possible
Currently, when a user copies a page for translation, the 'copy' log action is used.
This adds a more specific 'copy_for_translation' operation to be used instead when the user is translating.
Using `re_path` for the page serve view is unnecessary (the project template doesn't do it) and will be increasingly unfamiliar to new Django devs as `path` becomes more widespread.
Fixes #4602 as per https://github.com/wagtail/wagtail/issues/4602#issuecomment-479539444 (option 2).
Previously, given HTML input such as:
    <p>
    <i>a bunch of text before <embed alt="somepic" embedtype="image" format="fullwidth" id="1"/> after</i>
    </p>
the `<embed>` would start a new block, but the converter would keep hold of references to currently-open tags such as the `<i>`, so that when the corresponding `</i>` tag was encountered, it could match it up to the opening tag and fill in the 'length' field on the resulting InlineStyleRange object. However, since the span length is calculated based on the text content of the _current_ block (which is now "after"), it would obtain the wrong result - or, when there is no content between the embed and the closing tag (and thus no current block), would throw the exception `'NoneType' object has no attribute 'text'`.
In this new approach, when the embed is encountered, the current block is closed _along with all of its styles and entities_, causing the lengths of those spans to be filled in correctly. After inserting the embed, the current block is then set to a replica of the previous block with all those styles and entities reopened, so that when the closing tag is finally encountered, the span length is correctly set based on the new 'after' block.
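The close-and-reopen approach described in the commit message above, as an added sketch that is not Wagtail's converter code: `ToyConverter`, `convert`, the `STYLES` mapping and the block dictionaries are hypothetical names chosen for illustration. It splits a paragraph at an `<embed>`, fills in the style range length against the block the range was opened in, and reopens the style at offset 0 in the following block, so an embed directly before the closing tag produces a zero-length range rather than an exception.

```python
from html.parser import HTMLParser

STYLES = {"i": "ITALIC", "b": "BOLD"}  # assumed tag-to-style mapping

class ToyConverter(HTMLParser):
    """Hypothetical block builder for illustration; not Wagtail's converter."""
    def __init__(self):
        super().__init__()
        self.blocks, self.current, self.open_ranges = [], None, []

    def _new_block(self, styles=()):
        # Start a text block, reopening carried-over styles at offset 0.
        self.open_ranges = [{"offset": 0, "length": None, "style": s} for s in styles]
        self.current = {"type": "unstyled", "text": "", "inlineStyleRanges": list(self.open_ranges)}
        self.blocks.append(self.current)

    def _close_ranges(self):
        # Fill in lengths against the block the ranges were opened in.
        for r in self.open_ranges:
            r["length"] = len(self.current["text"]) - r["offset"]
        styles, self.open_ranges = [r["style"] for r in self.open_ranges], []
        return styles

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self._new_block()
        elif tag in STYLES and self.current is not None:
            r = {"offset": len(self.current["text"]), "length": None, "style": STYLES[tag]}
            self.open_ranges.append(r)
            self.current["inlineStyleRanges"].append(r)
        elif tag == "embed" and self.current is not None:
            styles = self._close_ranges()   # close the block together with its open styles
            self.blocks.append({"type": "atomic", "embed": dict(attrs)})
            self._new_block(styles)         # replica block with the same styles reopened

    def handle_endtag(self, tag):
        if tag in STYLES and self.open_ranges:
            r = self.open_ranges.pop()
            r["length"] = len(self.current["text"]) - r["offset"]

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data

def convert(html):
    conv = ToyConverter()
    conv.feed(html)
    conv.close()
    return conv.blocks
```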
This replaces several US English dialectical uses of _regular_ with
British English equivalents _normal_ or _standard_. This is the result
of a search of the docs for the string 'regular', rather than due to any
US English seen in the user interface.
This search also found one use of _regularly_ where _often_ was closer
to the intended meaning, a change which is less about dialect than about
word choice.
Some edit handlers, such as the 'unofficial' PerUserContentPanels recipe from #4749, vary their field list according to the current request/instance by hooking into bind_to. This was not being called on the comparison view, meaning that when these edit handlers are in use, the field list was never getting populated and so the view was wrongly reporting no changes.
Note that the bind_to method also allows binding a form, which we do still skip (since the comparison view doesn't construct one).
This means we're not artificially forcing four different entity types into the same code path, and makes it possible to define new entity types outside of this module.
Also relax the eslint no-unused-vars to allow unused function parameters - having multiple classes following the same interface is a legitimate use of this.
Since Wagtail 2.7, this is no longer true by default when using remote storage - only when `WAGTAILDOCS_SERVE_METHOD` is explicitly set to `serve_view`.
Improve the generation of `<title>` tags as follows:
* use `page` in preference to `self` (self has been semi-deprecated ever since we added jinja2 support)
* Retrieve current site with `{% wagtail_site %}` rather than page.get_site so that it works on non-pages such as 404s
* Fill in the 'title' block on 404.html
This prevents duplicated headings in places where the second-level index page has intro blurbs for each subsection (and also means we're not listing out long multi-section pages in full in the index, but given how big these indexes are that's probably not a bad thing).
Previously, this would fail, as `user_can_copy_obj` doesn't handle root
pages. Root pages also are special in a number of ways, and handling
copying is tricky and non-obvious.
If someone needs to show root pages (for some reason), they'll have to
special case them themselves.