Merge remote-tracking branch 'origin/6.x' into frontend-two-factor

Author: jasonvarga

config/users.php

@@ -176,12 +176,15 @@
     | Users may be required to reauthorize before performing certain
     | sensitive actions. This is called an elevated session. Here
     | you may configure the duration of the session in minutes.
+    | You may also disable the elevated session entirely.
     |
     */
 
+    'elevated_sessions_enabled' => env('STATAMIC_ELEVATED_SESSIONS_ENABLED', true),
+
     'elevated_session_duration' => 15,
 
-    'elevated_session_url' => null,
+    'elevated_sessions_url' => null,
 
     /*
     |--------------------------------------------------------------------------

resources/js/components/elevated-sessions/index.js

@@ -1,6 +1,8 @@
 import axios from 'axios';
 
 export async function requireElevatedSession() {
+    if (!Statamic.$config.get('elevatedSessionsEnabled')) return;
+
     const response = await axios.get(cp_url('elevated-session'));
 
     if (response.data.elevated) return;

routes/cp.php

@@ -443,11 +443,13 @@
 
     Route::get('session-timeout', SessionTimeoutController::class)->name('session.timeout');
 
-    Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
-    Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
-    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
-    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
-    Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+    if (config('statamic.users.elevated_sessions_enabled')) {
+        Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
+        Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
+        Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
+        Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
+        Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+    }
 
     Route::get('playground', PlaygroundController::class)->name('playground');
 

routes/web.php

@@ -55,12 +55,14 @@
             Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
             Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
-            Route::middleware('auth')->group(function () {
-                Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
-                Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
-                Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
-                Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
-            });
+            if (config('statamic.users.elevated_sessions_enabled')) {
+                Route::middleware('auth')->group(function () {
+                    Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
+                    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
+                    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
+                    Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+                });
+            }
 
             Route::group(['prefix' => 'passkeys'], function () {
                 Route::middleware('throttle:statamic.passkeys')->group(function () {

src/Auth/Eloquent/User.php

@@ -303,7 +303,11 @@ public function remove($key)
 
     public function merge($data)
     {
-        $this->data($this->data()->merge(collect($data)->filter(fn ($v) => $v !== null)->all()));
+        $merged = $this->data()
+            ->except(['roles', 'groups'])
+            ->merge(collect($data)->filter(fn ($v) => $v !== null)->all());
+
+        $this->data($merged->all());
 
         return $this;
     }

src/CP/Navigation/NavBuilder.php

@@ -998,7 +998,7 @@ protected function ensureUrlCachesAreUpToDate()
         $updated = collect($this->items)
             ->filter(fn ($item) => collect($this->itemsWithChildrenClosures)->contains($item->id()))
             ->filter(fn ($item) => $item->isActive() || $this->withHidden)
-            ->mapWithKeys(fn ($item) => [$item->id() => $item->children()?->map->url()->all() ?? []])
+            ->mapWithKeys(fn ($item) => [$item->id() => $item->resolveChildren()->children()?->map->url()->all() ?? []])
             ->filter(fn ($urls, $id) => $this->urlsUnresolvedChildren->get($id) != $urls)
             ->each(fn ($urls, $id) => $this->trackChangedChildren($id, $urls))
             ->isNotEmpty();

src/Http/Controllers/Auth/ElevatedSessionController.php

@@ -17,7 +17,7 @@ class ElevatedSessionController extends Controller
 {
     public function showForm(Request $request)
     {
-        if ($customUrl = config('statamic.users.elevated_session_url')) {
+        if ($customUrl = config('statamic.users.elevated_sessions_url')) {
             return redirect()->to($customUrl);
         }
 

src/Http/Controllers/CP/CpController.php

@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 
     public function requireElevatedSession(): void
     {
-        if (! request()->hasElevatedSession()) {
+        if (config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()) {
             throw new ElevatedSessionAuthorizationException;
         }
     }

src/Http/Middleware/RequireElevatedSession.php

@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
     public function handle($request, Closure $next)
     {
-        if (! $request->hasElevatedSession()) {
+        if (config('statamic.users.elevated_sessions_enabled') && ! $request->hasElevatedSession()) {
             throw new ElevatedSessionAuthorizationException;
         }
 

src/Http/View/Composers/JavascriptComposer.php

@@ -64,6 +64,7 @@ private function protectedVariables()
             'ajaxTimeout' => config('statamic.system.ajax_timeout'),
             'googleDocsViewer' => config('statamic.assets.google_docs_viewer'),
             'focalPointEditorEnabled' => config('statamic.assets.focal_point_editor'),
+            'elevatedSessionsEnabled' => config('statamic.users.elevated_sessions_enabled'),
             'user' => $this->user($user),
             'defaultPreferences' => Preference::default()->all(),
             'paginationSize' => config('statamic.cp.pagination_size'),