This feature stored incoming webhooks during maintenance mode and replayed them
when maintenance ended. The behavior adds unnecessary complexity without clear
value. Standard approach is to let webhooks fail during maintenance and let
senders retry.
Removes:
- Listener classes that handled maintenance mode events and webhook replay
- Maintenance mode checks from all webhook controllers (Github, Gitea, Gitlab, Bitbucket, Stripe)
- webhooks-during-maintenance filesystem disk configuration
- Feature mention from CHANGELOG
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The login and forgot-password rate limiters were vulnerable to bypass
by manipulating the X-Forwarded-For header. Attackers could rotate
this header value to circumvent the 5 attempts per minute limit.
Changed both rate limiters to use server('REMOTE_ADDR') instead of
ip() to prevent header spoofing. REMOTE_ADDR gives the actual
connecting IP before proxy headers are processed.
Also added comprehensive unit tests to verify the fix.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add WebhookNotificationSettings to the policy mappings in
AuthServiceProvider to enable authorization checks for the
webhook notification settings.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added authorization checks in Livewire components related to Docker and server management to ensure only authorized users can create, update, and manage Docker instances and server settings.
- Introduced new policies for StandaloneDocker and SwarmDocker to define access control rules based on user roles and team associations.
- Updated AuthServiceProvider to register the new policies, enhancing security and access control for Docker functionalities and server management operations.
- Added authorization checks in the Create and Show Livewire components to ensure only authorized users can create, update, and delete PrivateKey instances.
- Introduced a new PrivateKeyPolicy to define access control rules for viewing, creating, updating, and deleting PrivateKey models based on user roles and team associations.
- Updated AuthServiceProvider to register the new PrivateKeyPolicy, enhancing security and access control for PrivateKey functionalities.
- Removed the private property for application deployment queue ID in ApplicationDeploymentJob and utilized constructor property promotion.
- Added a tags method in ApplicationDeploymentJob to properly identify the worker running the job.
- Updated HorizonServiceProvider to handle cases where the deployment queue ID is blank, preventing potential errors during job processing.
- Cleaned up the isAnyDeploymentInprogress function by removing unnecessary whitespace.
- Updated HorizonServiceProvider to extend from HorizonApplicationServiceProvider for improved functionality.
- Added a call to the parent boot method to ensure proper initialization.
- Cleaned up the gate method by removing unnecessary whitespace.
- Remove unused authentik stuff
- Move things to separate functions
- Configure commands for production
- Configure modals for better error handling
- Improve password security by not allowing compromised passwords.
- Rename some things to make it clearer.
- Sort imports
