Merge branch 'develop' into bug-entity

Author: maniaba

system/Autoloader/FileLocator.php

@@ -330,19 +330,7 @@ public function listFiles(string $path): array
         helper('filesystem');
 
         foreach ($this->getNamespaces() as $namespace) {
-            $fullPath     = $namespace['path'] . $path;
-            $resolvedPath = realpath($fullPath);
-            $fullPath     = $resolvedPath !== false ? $resolvedPath : $fullPath;
-
-            if (! is_dir($fullPath)) {
-                continue;
-            }
-
-            $tempFiles = get_filenames($fullPath, true, false, false);
-
-            if ($tempFiles !== []) {
-                $files = array_merge($files, $tempFiles);
-            }
+            $files = array_merge($files, get_filenames($namespace['path'] . $path, true, false, false));
         }
 
         return $files;

system/CodeIgniter.php

@@ -208,6 +208,29 @@ public function resetForWorkerMode(): void
         // Reset timing
         $this->startTime = null;
         $this->totalTime = 0;
+
+        $this->resetKintForWorkerMode();
+    }
+
+    /**
+     * Resets Kint request-specific state for worker mode.
+     */
+    private function resetKintForWorkerMode(): void
+    {
+        if (! CI_DEBUG || ! class_exists(Kint::class, false)) {
+            return;
+        }
+
+        $csp = service('csp');
+        if ($csp->enabled()) {
+            RichRenderer::$js_nonce  = $csp->getScriptNonce();
+            RichRenderer::$css_nonce = $csp->getStyleNonce();
+        } else {
+            RichRenderer::$js_nonce  = null;
+            RichRenderer::$css_nonce = null;
+        }
+
+        RichRenderer::$needs_pre_render = true;
     }
 
     /**

tests/system/CodeIgniterTest.php

@@ -30,6 +30,7 @@
 use Config\Filters as FiltersConfig;
 use Config\Modules;
 use Config\Routing;
+use Kint\Renderer\RichRenderer;
 use PHPUnit\Framework\Attributes\BackupGlobals;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
@@ -1273,6 +1274,15 @@ public function testRouteAttributesDisabledInConfig(): void
 
     public function testResetForWorkerMode(): void
     {
+        $this->resetServices();
+
+        $appConfig             = config(App::class);
+        $appConfig->CSPEnabled = true;
+
+        RichRenderer::$js_nonce         = 'stale-script-nonce';
+        RichRenderer::$css_nonce        = 'stale-style-nonce';
+        RichRenderer::$needs_pre_render = false;
+
         $config      = new App();
         $codeigniter = new MockCodeIgniter($config);
 
@@ -1292,5 +1302,11 @@ public function testResetForWorkerMode(): void
         $this->assertNull($this->getPrivateProperty($codeigniter, 'controller'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'method'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'output'));
+
+        $csp = service('csp');
+
+        $this->assertSame($csp->getScriptNonce(), RichRenderer::$js_nonce);
+        $this->assertSame($csp->getStyleNonce(), RichRenderer::$css_nonce);
+        $this->assertTrue(RichRenderer::$needs_pre_render);
     }
 }

user_guide_src/source/_static/js/version_switcher.js

@@ -0,0 +1,119 @@
+/*
+ * Version switcher for the user guide sidebar.
+ *
+ * Injects the sphinx_rtd_theme's native ".switch-menus > .version-switch"
+ * scaffolding above the search box in the left sidebar, containing a <select>
+ * so readers can jump between:
+ *   - stable:               https://codeigniter.com/user_guide/
+ *   - latest (in-progress): https://codeigniter4.github.io/userguide/
+ *   - local build:          file:// or localhost, etc. (only shown when not on a deployed host)
+ */
+(() => {
+	const VERSIONS = [
+		{
+			slug: 'stable',
+			label: 'Stable',
+			host: 'codeigniter.com',
+			pathPrefix: '/user_guide/',
+		},
+		{
+			slug: 'latest (in-progress)',
+			label: 'Latest (in-progress)',
+			host: 'codeigniter4.github.io',
+			pathPrefix: '/userguide/',
+		},
+	];
+
+	const LOCAL = Object.freeze({
+		slug: 'local build',
+		label: 'Local build',
+		host: null,
+		pathPrefix: null,
+	});
+
+	const detect_current = () =>
+		VERSIONS.find((version) => version.host === window.location.hostname) ?? LOCAL;
+
+	/*
+	 * Derive the absolute URL of the documentation root by inspecting the
+	 * <script> tag Sphinx always injects for documentation_options.js. Its
+	 * resolved .src is absolute, so we can back out the directory that
+	 * contains _static/, which is the doc root. This works identically for
+	 * http(s), file://, and localhost.
+	 */
+	const doc_root_url = () => {
+		const opts = document.querySelector('script[src*="documentation_options.js"]');
+
+		if (!opts) {
+			return null;
+		}
+
+		const idx = opts.src.lastIndexOf('/_static/');
+
+		return idx < 0 ? null : opts.src.slice(0, idx + 1);
+	};
+
+	const current_page_path = () => {
+		const root = doc_root_url();
+
+		if (!root) {
+			return '';
+		}
+
+        const here = window.location.href.split('#')[0].split('?')[0];
+
+        return here.startsWith(root) ? here.slice(root.length) : '';
+	};
+
+	const url_for = ({ host, pathPrefix }) =>
+		`https://${host}${pathPrefix}${current_page_path()}${window.location.hash}`;
+
+	const build = () => {
+		const searchArea = document.querySelector('.wy-side-nav-search');
+		const searchForm = searchArea?.querySelector('[role="search"]');
+
+		if (!searchArea || !searchForm) {
+			return;
+		}
+
+        if (searchArea.querySelector('.switch-menus')) {
+			return;
+		}
+
+		const current = detect_current();
+		const entries = current === LOCAL ? [LOCAL, ...VERSIONS] : VERSIONS;
+
+		const select = document.createElement('select');
+		select.setAttribute('aria-label', 'Select documentation version');
+
+		for (const entry of entries) {
+			const option = document.createElement('option');
+			option.value = entry.host ? url_for(entry) : '';
+			option.textContent = entry.label;
+			option.selected = entry.slug === current.slug;
+			select.append(option);
+		}
+
+		select.addEventListener('change', () => {
+			if (select.value) {
+				window.location.href = select.value;
+			}
+		});
+
+		const versionSwitch = document.createElement('div');
+		versionSwitch.className = 'version-switch';
+		versionSwitch.append(select);
+
+		const switchMenus = document.createElement('div');
+		switchMenus.className = 'switch-menus';
+		switchMenus.append(versionSwitch);
+
+		searchArea.insertBefore(switchMenus, searchForm);
+	};
+
+	if (document.readyState === 'loading') {
+		document.addEventListener('DOMContentLoaded', build, { once: true });
+	} else {
+		build();
+	}
+})();

user_guide_src/source/changelogs/v4.7.3.rst

@@ -41,6 +41,7 @@ Bugs Fixed
 - **Commands:** Fixed a bug in the ``env`` command where passing options only would cause the command to throw a ``TypeError`` instead of showing the current environment.
 - **Common:** Fixed a bug where the ``command()`` helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
 - **Entity:** Fixed a bug where ``Entity::normalizeValue()`` did not handle ``UnitEnum`` before checking for ``toArray()``, causing enums implementing ``toArray()`` to be incorrectly normalized as generic objects instead of enums.
+- **Kint:** Fixed a bug where stale Content Security Policy nonces were reused in worker mode, causing browser CSP violations for Debug Toolbar assets.
 - **Validation:** Fixed a bug where ``Validation::getValidated()`` dropped fields whose validated value was explicitly ``null``.
 
 See the repo's

user_guide_src/source/conf.py

@@ -111,7 +111,8 @@
 # A list of JS files.
 html_js_files = [
 	'js/citheme.js',
-	'js/carbon.js'
+	'js/carbon.js',
+	'js/version_switcher.js'
 ]
 
 # -- Options for LaTeX output --------------------------------------------------