feat:use composer for autoloading libraries#1683
Conversation
…t to test thoroughly
…omposer, but that is not yet implemented for HTMLPurifier
Co-authored-by: Raimondas Rimkevičius <github@mekdrop.name>
…unused dev dependencies, and clean up scripts
no license info than the wrong info
the autoloader in the vendor folder.
Review Summary by QodoComposer integration with vendor directory security relocation
WalkthroughsDescription• Implements Composer-based autoloading for ImpressCMS libraries, replacing bundled PHP libraries with Composer dependencies • Moves HTMLPurifier, SimplePie, and WideImage libraries to Composer management, removing 300+ bundled library files • Adds moveVendorToTrust() functionality to securely relocate Composer vendor directory from web root to trust path during installation • Integrates new vendor move installation wizard page with comprehensive error handling and user feedback • Updates autoloader chain in icms.php and installation bootstrap to support both trust path and root path vendor locations • Implements Composer-based module and theme discovery via InstalledVersions instead of filesystem scanning • Adds composer.json with PSR-4/PSR-0 autoloading configuration for Icms\* and icms_* namespaces • Standardizes codebase to PSR-12 formatting: array syntax [], double quotes, proper brace placement • Updates SimplePie and HTMLPurifier references to use namespaced class constants from Composer packages • Increments database version to 49 and system version to 2.1.0 beta • Fixes minor bugs: undefined array index in theme blocks, array indentation inconsistencies Diagramflowchart LR
A["Bundled Libraries<br/>htmlpurifier, simplepie,<br/>wideimage"] -->|"Migrate to Composer"| B["composer.json<br/>Dependencies"]
B -->|"Install via Composer"| C["vendor/ Directory<br/>in Web Root"]
C -->|"moveVendorToTrust()"| D["Trust Path<br/>vendor/"]
E["Autoloader Chain"] -->|"Load from"| D
F["Module/Theme Discovery"] -->|"Query via"| B
G["Installation Wizard"] -->|"Execute"| C
G -->|"Trigger"| D
File Changes1. htdocs/libraries/icms/core/Filesystem.php
|
Code Review by Qodo
1.
|
| onclick="location.href='<?php echo $wizard->pageURI("+1"); ?>'" class="next"> | ||
| <?php } ?> | ||
| <?php if ($_POST['mod'] != 1) { ?> | ||
| <?php if ($_POST["mod"] != 1) { ?> | ||
| <img src="img/right-arr.png" alt="<?php echo BUTTON_NEXT; ?>" width="16"/> |
There was a problem hiding this comment.
5. $_post[mod] unchecked 📘 Rule violation ⛯ Reliability
The installer template reads $_POST["mod"] directly without checking it exists, and uses a loose comparison (!= 1), which can trigger notices and type-juggling behavior. This violates the requirement to check array indices before access and to use strict comparisons.
Agent Prompt
## Issue description
The installer template reads `$_POST["mod"]` without an existence check and compares loosely.
## Issue Context
Installer pages should not emit notices/warnings due to missing POST fields.
## Fix Focus Areas
- htdocs/install/install_tpl.php[162-165]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Use === to compare $entry against '.' and '..' to avoid type coercion and ensure exact string matches.
Return success from copyRecursive and add a recursive flag to getFileCount. When validating vendor copies, verify autoload.php SHA-1 and compare recursive file counts; remove partial copies and return a descriptive error if verification fails.
Apply coding-style cleanup (short array syntax, spacing, brace placement, normalized quotes) and replace the legacy SIMPLEPIE_LOCATOR_NONE with \SimplePie\SimplePie::LOCATOR_NONE.
Determine protocol from HTTPS, default HTTP_HOST to 'localhost' when absent, and examine PHP_SELF, REQUEST_URI (path only), and SCRIPT_NAME for the script path. Sanitize values with htmlentities and fall back to an empty base if no path info is available.
Ensure multi_login is set and equals 1 before writing online. Read $_SERVER['REMOTE_ADDR'] into a safe variable (default empty string) to avoid undefined index notices.
Log when REMOTE_ADDR is empty to help identify environments where it's absent (CLI, proxies, tests). Include uid and uname in the error_log message for easier correlation.
There was a problem hiding this comment.
- The minimum PHP requirements need to be >=8.2 because of the dependency on symfony
- The installer does copy the vendor folder to the trust path, but it was still present after the install. The install folder was removed because the permissions had been updated after the files copied to the server. composer was run as root (probably not a good idea), so the permissions on the var and vendors folder prevented them from being removed. Update: I did start again and set the privileges on the root folder to not require sudo to run composer. After the install, the var and vendor folders were still there, with me as the owner (the rest of the files/folders are assigned to www-data, the user apache runs as. The var and vendor folders are set to 0775 for permissions - the apache user should have been able to remove the folders, like it did for the install folder
- I'm not sure how the autoloading for IPF modules is working with the changes made, but they are. I installed imblogging and imtagging after completing the ImpressCMS install and they both worked.
also bumping the version_build to 130, so that we can release a 2.0.2 in the meantime if needed.
this was changed. |
This introduces Composer-based autoloading for libraries. No new functionality, just the base framework to start extricating bundled PHP libraries from the core.
To test : execute a 'composer install' to get the necessary files in the vendor folder. This will have been done already in the release archive.