Merge branch '1.2'

* 1.2:
  Change application's version to v1.2.3-DEV
  Generate changelog for v1.2.2
  Change application's version to v1.2.2
  Change application's version to v1.1.10-DEV
  Generate changelog for v1.1.9
  Change application's version to v1.1.9
  Change application's version to v1.0.18-DEV
  Generate changelog for v1.0.17
  Change application's version to v1.0.17
  Fix CSRF vulnerability

CHANGELOG-1.0.md

@@ -1,5 +1,22 @@
 # CHANGELOG FOR `1.0.X`
 
+## v1.0.17 (2018-07-08)
+
+#### TL;DR
+
+- **SECURITY FIX:** Added CSRF protection for the following action:
+
+ - marking order's payment as completed
+ - marking order's payment as refunded
+ - marking product review as accepted
+ - marking product review as rejected
+
+#### Details
+
+- [#9475](https://github.com/Sylius/Sylius/pull/9475) Make Stalebot less annoying (@Zales0123)
+- [#9515](https://github.com/Sylius/Sylius/pull/9515) [Documentation] Fix typos (@adrienlucas)
+- [#9491](https://github.com/Sylius/Sylius/pull/9491) [Documentation] Document Forum in the support section (@CoderMaggie)
+
 ## v1.0.16 (2018-06-12)
 
 #### TL;DR

CHANGELOG-1.1.md

@@ -1,5 +1,23 @@
 # CHANGELOG FOR `1.1.X`
 
+## v1.1.9 (2018-07-08)
+
+#### TL;DR
+
+- **SECURITY FIX:** Added CSRF protection for the following action:
+
+ - marking order's payment as completed
+ - marking order's payment as refunded
+ - marking product review as accepted
+ - marking product review as rejected
+
+#### Details
+
+- [#9475](https://github.com/Sylius/Sylius/pull/9475) Make Stalebot less annoying (@Zales0123)
+- [#9491](https://github.com/Sylius/Sylius/pull/9491) [Documentation] Document Forum in the support section (@CoderMaggie)
+- [#9515](https://github.com/Sylius/Sylius/pull/9515) [Documentation] Fix typos (@adrienlucas)
+- [#9558](https://github.com/Sylius/Sylius/pull/9558) Use ...Prototype() instead of prototype('...') in Symfony configuration (@pamil)
+
 ## v1.1.8 (2018-07-05)
 
 #### TL;DR

CHANGELOG-1.2.md

@@ -1,5 +1,24 @@
 # CHANGELOG FOR `1.2.X`
 
+## v1.2.2 (2018-07-08)
+
+#### TL;DR
+
+- **SECURITY FIX:** Added CSRF protection for the following action:
+
+ - marking order's payment as completed
+ - marking order's payment as refunded
+ - marking product review as accepted
+ - marking product review as rejected
+
+#### Details
+
+- [#9475](https://github.com/Sylius/Sylius/pull/9475) Make Stalebot less annoying (@Zales0123)
+- [#9491](https://github.com/Sylius/Sylius/pull/9491) [Documentation] Document Forum in the support section (@CoderMaggie)
+- [#9515](https://github.com/Sylius/Sylius/pull/9515) [Documentation] Fix typos (@adrienlucas)
+- [#9558](https://github.com/Sylius/Sylius/pull/9558) Use ...Prototype() instead of prototype('...') in Symfony configuration (@pamil)
+
+
 ## v1.2.1 (2018-07-05)
 
 #### TL;DR

UPGRADE-1.0.md

@@ -1,3 +1,9 @@
+# UPGRADE FROM `v1.0.16` TO `v1.0.17`
+
+* `Sylius\Bundle\ResourceBundle\Controller::applyStateMachineTransitionAction` method now includes CSRF token checks due 
+ to security reasons. If you used it for REST API, these checks can be disabled by adding 
+ `csrf_protection: false` to your routing configuration. 
+
 # UPGRADE FROM `v1.0.8` TO `v1.0.9`
 
 * `Sylius\Bundle\CoreBundle\Templating\Helper\VariantResolverHelper`'s `resolveVariant(ProductInterface $product): ProductVariantInterface`

src/Sylius/Bundle/AdminApiBundle/Resources/config/routing/order.yml

@@ -56,4 +56,5 @@ sylius_admin_api_order_payment_complete:
  graph: sylius_payment
  transition: complete
  section: admin_api
+ csrf_protection: false
  return_content: false

src/Sylius/Bundle/AdminBundle/Resources/views/Order/Show/_payment.html.twig

@@ -17,6 +17,7 @@
  {% if sm_can(payment, 'complete', 'sylius_payment') %}
  <div class="ui segment">
  <form action="{{ path('sylius_admin_order_payment_complete', {'orderId': order.id, 'id': payment.id}) }}" method="post" novalidate>
+ <input type="hidden" name="_csrf_token" value="{{ csrf_token(payment.id) }}" />
  <input type="hidden" name="_method" value="PUT">
  <button type="submit" class="ui icon labeled tiny blue fluid loadable button"><i class="check icon"></i> {{ 'sylius.ui.complete'|trans }}</button>
  </form>
@@ -25,6 +26,7 @@
  {% if sm_can(payment, 'refund', 'sylius_payment') %}
  <div class="ui segment">
  <form action="{{ path('sylius_admin_order_payment_refund', {'orderId': order.id, 'id': payment.id}) }}" method="post" novalidate>
+ <input type="hidden" name="_csrf_token" value="{{ csrf_token(payment.id) }}" />
  <input type="hidden" name="_method" value="PUT">
  <button type="submit" class="ui icon labeled tiny yellow fluid loadable button"><i class="reply all icon"></i> {{ 'sylius.ui.refund'|trans }}</button>
  </form>

src/Sylius/Bundle/ResourceBundle/Controller/ResourceController.php

@@ -543,6 +543,10 @@ public function applyStateMachineTransitionAction(Request $request): Response
  $this->isGrantedOr403($configuration, ResourceActions::UPDATE);
  $resource = $this->findOr404($configuration);
 
+ if ($configuration->isCsrfProtectionEnabled() && !$this->isCsrfTokenValid($resource->getId(), $request->request->get('_csrf_token'))) {
+ throw new HttpException(Response::HTTP_FORBIDDEN, 'Invalid CSRF token.');
+ }
+
  $event = $this->eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource);
 
  if ($event->isStopped() && !$configuration->isHtmlRequest()) {

src/Sylius/Bundle/UiBundle/Resources/views/Grid/Action/applyTransition.html.twig

@@ -1,5 +1,6 @@
 {% if sm_can(data, options.transition, options.graph) %}
  <form action="{{ path(options.link.route, options.link.parameters) }}" method="post">
+ <input type="hidden" name="_csrf_token" value="{{ csrf_token(data.id) }}">
  <input type="hidden" name="_method" value="PUT">
  <button class="ui loadable {{ options.class }} labeled icon button" type="submit"><i class="{{ action.icon }} icon"></i> {{ action.label|trans }}</button>
  </form>