Commit Graph

7254 Commits

Author SHA1 Message Date
dependabot[bot]
dc0685bec1 chore(deps-dev): bump the eslint group across 1 directory with 3 updates
Bumps the eslint group with 3 updates in the / directory: [eslint](https://github.com/eslint/eslint), [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) and [globals](https://github.com/sindresorhus/globals).


Updates `eslint` from 9.39.4 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v9.39.4...v10.6.0)

Updates `@eslint/js` from 9.39.4 to 10.0.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js)

Updates `globals` from 17.4.0 to 17.7.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](https://github.com/sindresorhus/globals/compare/v17.4.0...v17.7.0)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: eslint
- dependency-name: eslint
  dependency-version: 10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: eslint
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: eslint
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 18:52:46 +00:00
Inverle
6984c22b5c Fix feed dropdown bugs due to hash desync (#8949)
Fixes regression caused by https://github.com/FreshRSS/FreshRSS/pull/8335
To reproduce it, open any dropdown in the aside, reload the page, and try to open the same dropdown - it will disappear

To explain the issue more clearly, the dropdown menu wouldn't show because earlier its opacity is set to 0%, and after clicking the same dropdown after a page reload, the hashchange event wouldn't trigger to restore the previous opacity, and also the second listener would trigger to remove the dropdown if you opened it again.

Maybe https://github.com/FreshRSS/FreshRSS/issues/6156 is relevant here

Also a CSS change to stop showing the dropdown toggle icon of the previously opened dropdown after a page reload while the dropdown was open.
2026-06-28 21:38:37 +02:00
Inverle
dcec27c69d Add SSRF mitigations using filter_var and CURLOPT_RESOLVE (#8400)
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.

Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78

* Add allowlist setting in Web UI

* make readme

* Update app/i18n/fr/admin.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme again

* make readme

* Further work

Still WIP and needs testing etc.

* Readd previous if check for domain combination allowlist

* Turn POST to GET after redirect

* Improve

* Update config.default.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme

* Skip SSRF check if `CURLOPT_PROXY` is set

* make readme

* Fix `!empty()` mistake

* Respect max redirects feed option when fetching with `httpGet()`

* Respect max redirects during SimplePie fetching + fix bypass

bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.

* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980

* Corrected hook code

* phpdoc wrong return type

* Add CIDR support in allowlist

* Implement simple DNS caching

* Suppress `dns_get_record()` warnings

* A bit of proof-reading

* Minor typo

* Fix proxy logic

* Fix HTTP POST redirect logic

* Proofread checkCIDR
Add fixes for several situations

* Remove credentials from URL in logs

* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end

* Fix codesniffer long line

* Fix potential bypass due to wrong return value

If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.

* Put the URL at the end in logs

* Add documentation and environment variable support

* make readme

* Fix wrong behavior in case of IP

* Fix duplicate selector in CSS

* Minor type check change

* i18n fr, en

* Minor type check change

* Fix whitespace i18n fr

* make fix-all

* Fix `$ips_ok` not being returned after domain records were cached

* make readme

* PHPStan fix

* make readme

* Minor syntax in SimplePie

* Only return `null` if no allowed IPs were found

* Add wildcard *, help message

* Consistent docs with help message

* i18n: pl

* SimplePie compatibility PHP 7.2

* make fix-all

* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76

* 💥 Breaking change in the Changelog

* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs

* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect

* Minor whitespace
And same comment convention than below

* Remove authentication headers and change POST to GET on redirect in SimplePie

* Remove .local in Docker example

* Fill in default ports when comparing URL origins

* Remove .local from other places than the Docker example

* Rewrite WebSub subscribe to use `httpGet()`

* make fix-all

* Also unset `CURLOPT_USERPWD` during redirects

* phpcs fix

* Always unset `CURLOPT_FOLLOWLOCATION`

* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78

* Update logic for CURLOPT_FOLLOWLOCATION

* Fix PHPStan

* Changelog fix security section

* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge

* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-28 18:51:04 +02:00
Alexandre Alapetite
d9dc140a11 Minor bump SimplePie (#8947) 2026-06-27 22:14:25 +02:00
Thomas Vermeer
3161fd1333 fix: move disable button before remove button in user management (#8944)
* fix: move disable button before remove button in user management

The order of action buttons when modifying a user was inconsistent.
The "disable" button appeared after the "remove" button, which is
counterintuitive since disabling a user is a less destructive action
than removing one.

This commit reorders the buttons in `details.phtml` to reflect the
severity of each action, from least to most destructive:
update → purge → promote/demote → disable/enable → delete

Closes #8877

* Remove blank lines

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-27 14:29:48 +02:00
Inverle
931d62ab08 Use timing safe comparison for tokens everywhere (#8945)
I already changed some places that were using normal string comparison to hash_equals before, but didn't check other places.

Now the checks should be consistent.
2026-06-27 14:02:20 +02:00
dependabot[bot]
69eff07d92 chore(deps): bump concurrent-ruby (#8940)
Bumps the bundler group with 1 update in the /docs directory: [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby).


Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ruby-concurrency/concurrent-ruby/compare/v1.3.6...v1.3.7)

---
updated-dependencies:
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 22:00:22 +02:00
dependabot[bot]
6f1b66eb2b chore(deps-dev): bump faraday (#8939)
Bumps the bundler group with 1 update in the /docs directory: [faraday](https://github.com/lostisland/faraday).


Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lostisland/faraday/compare/v2.14.2...v2.14.3)

---
updated-dependencies:
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 21:45:35 +02:00
Nathan
521981a96a Document PHP-FPM write restrictions for data path (#8936)
Closes #8882
- avoid recommending `/usr/share/` for writable FreshRSS data in the general install docs
- update the Debian/Ubuntu git install path and symlink example to `/var/www/FreshRSS`
- add an FAQ entry for PHP-FPM hardening that can make `/usr/` read-only despite correct Unix permissions
2026-06-22 12:25:06 +02:00
Salvador Castro
80d1db8dc7 docs: mention THIRDPARTY_EXTENSIONS_PATH override in extension install instructions (#8930)
Closes #8927
2026-06-21 19:09:42 +02:00
Antonio Santos
bcf536290d Revert "fix(themes): keep article nav bar pinned to bottom in iOS standalone PWAs (#8933)" (#8934)
This reverts commit 5c5b0b9e66 (PR #8933).

The `transform: translateZ(0)` added to #nav_entries promotes the element to
its own compositor layer, but a non-`none` transform also makes the element a
containing block for `position: fixed` descendants and establishes a new
stacking context. That side effect introduced a regression, so this restores
the previous behaviour while a less invasive fix for #8829 is worked out.

Reverting the whole PR (CSS + CREDITS.md) for a clean rollback.
2026-06-21 18:07:42 +02:00
Antonio Santos
5c5b0b9e66 fix(themes): keep article nav bar pinned to bottom in iOS standalone PWAs (#8933)
* fix(themes): keep article nav bar pinned to bottom in iOS standalone PWAs

On iOS standalone PWAs, WebKit fails to repaint `position: fixed` elements
after a programmatic scroll, so the article navigation bar (#nav_entries)
drifts to the middle of the screen after tapping the prev/next buttons
(which scroll the article container in JS). This does not happen in regular
Safari, where the browser chrome provides repaint hooks the standalone shell
lacks.

Promote #nav_entries to its own compositor layer (transform: translateZ(0))
so WebKit keeps it pinned to the viewport across programmatic scrolls.

This supersedes #8833, whose `top: auto` was a no-op: nothing in the
stylesheet ever sets a `top` value on #nav_entries, so it could not affect
positioning.

Fixes #8829

* Add Antonio Santos to CREDITS.md

* fix(themes): drop redundant will-change on #nav_entries

The compositor layer that keeps #nav_entries pinned in iOS standalone PWAs
comes entirely from transform: translateZ(0). The accompanying
will-change: transform was redundant — it only hints at upcoming changes and
adds nothing to an element already promoted to its own layer.

Removing it leaves the bar pinned across programmatic scrolls (verified on an
iOS standalone PWA), with no behavioural change.

Based on maintainer feedback on #8933.
2026-06-20 21:41:44 +02:00
Jeremy Nguyen
7c4929439d chore: Fix README CLI typos (#8932) 2026-06-20 08:31:46 +02:00
dependabot[bot]
d257166acb chore(deps): bump markdown-it and markdownlint-cli (#8926)
Bumps [markdown-it](https://github.com/markdown-it/markdown-it) to 14.2.0 and updates ancestor dependency [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli). These dependencies need to be updated together.


Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](https://github.com/markdown-it/markdown-it/compare/14.1.1...14.2.0)

Updates `markdownlint-cli` from 0.48.0 to 0.49.0
- [Release notes](https://github.com/igorshubovych/markdownlint-cli/releases)
- [Commits](https://github.com/igorshubovych/markdownlint-cli/compare/v0.48.0...v0.49.0)

---
updated-dependencies:
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: indirect
- dependency-name: markdownlint-cli
  dependency-version: 0.49.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-17 23:13:10 +02:00
Mohammad Lashkari
9db1ea42fe Update credits (#8924)
* update credits.md

* Fix sort

* fix website url

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-15 11:34:30 +02:00
Alexandre Alapetite
c33356c3d7 Changelog 2026-06-14 21:34:02 +02:00
Mohammad Lashkari
53ca983ef2 Complete the Persian translation (#8923)
Translate remaining TODO and DIRTY entries in the Persian locale.
2026-06-14 21:30:56 +02:00
Inverle
1349c7c1a9 SimplePie: Disallow javascript: URI protocol (#8263)
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/7924
https://github.com/FreshRSS/simplepie/pull/80
https://github.com/FreshRSS/simplepie/pull/65

* SimplePie: Disallow `javascript:` URI protocol

* Sync SimplePie

* Update code to work with SimplePie again

* Partial revert previous commit

* Bump SimplePie

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-13 21:15:36 +02:00
Fripix
0d5cc039cb Self-hosted web frontend for FreshRSS (Google Reader API), as discussed in #8917. (#8921)
Changes proposed in this pull request:

- Add FriRSS to the list of compatible clients (APIs & native apps table) in the README.

How to test the feature manually:

1. Render the README and check the new FriRSS row displays correctly in the table.
2. FriRSS itself (a working GReader client): https://github.com/Fripix/frirss

Pull request checklist:

- [x] clear commit messages
- [ ] code manually tested (N/A — documentation only)
- [ ] unit tests written (N/A — documentation only)
- [x] documentation updated
2026-06-13 20:09:39 +02:00
Fripix
2578befbf6 Add FriRSS to the list of clients (#8920)
Self-hosted web frontend for FreshRSS (GReader API), as discussed in #8917.
2026-06-13 19:58:21 +02:00
Alexandre Alapetite
941f30b24d Fix PHPStan 2.2.2 in CLI (#8911) 2026-06-11 22:19:55 +02:00
Alexandre Alapetite
8e27fb1c09 Docker Alpine 3.24.0 (#8916)
https://alpinelinux.org/posts/Alpine-3.24.0-released.html
Revert to using default PHP version, which is now PHP 8.5.7
2026-06-11 22:17:16 +02:00
Alexandre Alapetite
d40917b6d8 Bump SimplePie (fix PHP 8.5 bug) (#8918)
* https://github.com/simplepie/simplepie/pull/979
2026-06-11 22:16:33 +02:00
Inverle
5e18e96887 Set limits for regex during search (#8913)
Prevents regex searches from running for too long
2026-06-05 23:12:59 +02:00
Inverle
bf2de1baea Fix access control in rss and opml actions (#8912)
Due to missing `return` statement while using `redirect: false`, no `exit()` is done during `Minz_Error::error()`

Regression from https://github.com/FreshRSS/FreshRSS/pull/8434
2026-06-05 22:38:17 +02:00
Frans de Jonge
aaae9ee388 Always jump article to top when header is offscreen, also when 'Stick the article to the top when opened' is disabled (#8870)
* Always jump article to top when header is offscreen

Closes #4069.

How to test the feature manually:

1. Disable 'Stick the article to the top when opened'
2. Open a very long article
3. No scrolling will occur if you close it again while the header is still onscreen
4. If the header left the screen, opening another article will scroll to it to top 
5. Same for collapsing the current article, but then it'll put the current header at the top

* Compensate for layout shift

* Fix going back to previous article above viewport

* clarify variable name: header_off_screen → header_above_viewport
2026-06-05 15:31:42 +02:00
Alexandre Alapetite
48cf86eaec Apache condition mod_remoteip (#8890)
Fix https://github.com/FreshRSS/FreshRSS/issues/8887
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/5549
2026-06-05 13:26:16 +02:00
Satyam
10a976efbe fix(themes): padding for .nav_menu in Alternative-Dark, Flat, and Nord themes (#8901)
Closes #8898

Changes proposed in this pull request:

- Removed position: static, and update the .nav_menu padding.
- Generated RTL CSS.

Tested the feature manually:

1. Flat
<img width="1351" height="73" alt="image" src="https://github.com/user-attachments/assets/f7627d6b-7816-4344-9b26-db0892b76d1e" />

2. Alternative Dark
<img width="1391" height="57" alt="image" src="https://github.com/user-attachments/assets/239d7e77-9b9f-46c2-8d25-c37fd603ea5d" />

4. Nord
<img width="1367" height="100" alt="nord" src="https://github.com/user-attachments/assets/5ec36e94-6ee5-448c-8321-809c288741d1" />

Co-authored-by: Satyam <>
2026-06-04 08:35:42 +02:00
dependabot[bot]
7d7e502603 chore(deps): update phpmailer/phpmailer requirement from 7.0.2 to 7.1.1 in /lib (#8907)
* chore(deps): update phpmailer/phpmailer requirement in /lib

Updates the requirements on [phpmailer/phpmailer](https://github.com/PHPMailer/PHPMailer) to permit the latest version.
- [Release notes](https://github.com/PHPMailer/PHPMailer/releases)
- [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md)
- [Commits](https://github.com/PHPMailer/PHPMailer/compare/v7.0.2...v7.1.1)

---
updated-dependencies:
- dependency-name: phpmailer/phpmailer
  dependency-version: 7.1.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump PHPMailer
https://github.com/PHPMailer/PHPMailer/releases/tag/v7.1.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-03 13:06:28 +02:00
dependabot[bot]
f04788cb3a chore(deps-dev): bump phpstan/phpstan from 2.1.55 to 2.2.1 (#8906)
* chore(deps-dev): bump phpstan/phpstan from 2.1.55 to 2.2.1

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-version: 2.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix bug in URL unserialize, json_decode

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-03 12:52:45 +02:00
dependabot[bot]
232eee3341 chore(deps-dev): bump the stylelint group with 2 updates (#8904)
Bumps the stylelint group with 2 updates: [stylelint](https://github.com/stylelint/stylelint) and [@stylistic/stylelint-plugin](https://github.com/stylelint-stylistic/stylelint-stylistic).


Updates `stylelint` from 17.9.1 to 17.12.0
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/17.9.1...17.12.0)

Updates `@stylistic/stylelint-plugin` from 5.1.0 to 5.2.0
- [Release notes](https://github.com/stylelint-stylistic/stylelint-stylistic/releases)
- [Changelog](https://github.com/stylelint-stylistic/stylelint-stylistic/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stylelint-stylistic/stylelint-stylistic/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: stylelint
  dependency-version: 17.12.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: stylelint
- dependency-name: "@stylistic/stylelint-plugin"
  dependency-version: 5.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: stylelint
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 08:30:23 +02:00
dependabot[bot]
7d1a76da6b chore(deps): bump ruby/setup-ruby from 1.306.0 to 1.310.0 (#8905)
Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.306.0 to 1.310.0.
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](c4e5b13161...afeafc3d1a)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.310.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 08:29:39 +02:00
Mass Krdjn
6592f45163 i18n: complete Spanish (es) translation (#8878)
* i18n: complete Spanish (es) translation

* Apply suggestions from pe1uca

Co-authored-by: pe1uca <15692727+pe1uca@users.noreply.github.com>

* make fix-all

---------

Co-authored-by: Mass Krdjn <172580248+masskrdjn@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: pe1uca <15692727+pe1uca@users.noreply.github.com>
2026-06-01 16:31:25 +02:00
Alexandre Alapetite
c5d3954989 Update security policy due to many duplicated AI reports (#8900)
Inspired by <https://lkml.org/lkml/2026/5/17/896>
2026-06-01 01:33:32 +02:00
Kidd Lee
7cbf597585 Add Kidd Lee to CREDITS.md (#8895)
Asked in https://github.com/FreshRSS/FreshRSS/pull/8710#issuecomment-4548630996
2026-05-27 08:11:25 +02:00
Alexandre Alapetite
3996c8fca0 Changelog 2026-05-26 22:47:21 +02:00
Alexandre Alapetite
a499778e12 SimplePie: XML_OPTION_PARSE_HUGE (#8894)
* https://github.com/FreshRSS/FreshRSS/pull/8710
* https://github.com/simplepie/simplepie/pull/977

Fix https://github.com/FreshRSS/FreshRSS/issues/8516

Co-authored-by: Kidd Lee <LeeXiaolan@users.noreply.github.com>
2026-05-26 22:28:59 +02:00
Alexandre Alapetite
ff2add14a2 SimplePie: Fix wrong player_parent logic leading to invalid type (#8893)
```
PHP Fatal error: Uncaught TypeError:
SimplePie\Enclosure::__construct(): Argument #20 ($player) must be of type ?string, array given
in /opt/freshrss/lib/simplepie/simplepie/src/Enclosure.php:199
```

This happens when there is no`url` parameter.

Example of feed:
* https://feeds.feedburner.com/crunchyroll/rss/anime?lang=deDE

fix https://github.com/FreshRSS/FreshRSS/issues/8892

Upstream PR:
* https://github.com/simplepie/simplepie/pull/978
2026-05-26 22:16:01 +02:00
Mass Krdjn
159894f9f6 i18n: complete Italian (it) translation (#8880)
* i18n: complete Italian (it) translation

* make fix-all

---------

Co-authored-by: Mass Krdjn <172580248+masskrdjn@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-05-25 16:59:49 +02:00
Julien Herr
f910dce35c Add Julien Herr to CREDITS.md (#8885)
As asked: https://github.com/FreshRSS/FreshRSS/pull/8873#issuecomment-4528363148
2026-05-24 23:23:28 +02:00
Alexandre Alapetite
8aa1b0a648 Changelog 2026-05-24 22:07:30 +02:00
Alexandre Alapetite
542f4920e7 Fix lost elements while parsing search query (#8884)
Fix https://github.com/FreshRSS/FreshRSS/issues/8876
2026-05-24 20:23:58 +02:00
Mass Krdjn
63b106595d docs: add masskrdjn to credits (#8883)
* docs: add masskrdjn to credits

* docs: update contributor name format for masskrdjn

---------

Co-authored-by: Mass Krdjn <172580248+masskrdjn@users.noreply.github.com>
2026-05-24 17:26:19 +02:00
Mass Krdjn
803f92e6d3 i18n: complete Hungarian (hu) translation (#8879)
* i18n: complete Hungarian (hu) translation

* make fix-all

---------

Co-authored-by: Mass Krdjn <172580248+masskrdjn@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-05-24 13:26:31 +02:00
Julien Herr
5bddc6bed5 feat(cli): add reconfigure-user.php to read/write per-user config attributes (#8873)
* feat(cli): add reconfigure-user.php to read/write per-user config attributes

Closes #8869.

Adds `cli/reconfigure-user.php`, a first-class CLI for per-user configuration attributes — the user-level equivalent of the existing `reconfigure.php` (system config).

### Usage

```sh
# List all attributes (sensitive keys redacted by default)
./cli/reconfigure-user.php --user alice --list
./cli/reconfigure-user.php --user alice --list --show-secrets

# Read a single attribute (exit 2 if key not found)
./cli/reconfigure-user.php --user alice --key language

# Set an attribute (type inferred from existing value: bool, int, string)
./cli/reconfigure-user.php --user alice --key language --set --value fr

# Set from stdin (recommended for secrets — keeps value out of shell history / ps)
./cli/reconfigure-user.php --user alice --key some_token --set --value-stdin < token.txt

# Create a new key, e.g. for an extension (unknown keys rejected by default)
./cli/reconfigure-user.php --user alice --key my_ext_setting --set --value hello --force

# Delete an attribute (exit 2 if key not found)
./cli/reconfigure-user.php --user alice --key some_token --unset
```

### Changes

- `cli/reconfigure-user.php` — new command
- `lib/Minz/Configuration::toArray()` — exposes the full config array (used by `--list`)
- `cli/README.md` — documents the new command
- `tests/cli/UserConfigOptionsParserTest.php` — PHPUnit tests for the options parser, following the existing `CliOptionsParserTest` pattern (shared `cli-parser-test.php` helper)

### Test plan

- `make test-all` passes
- Tested manually against a local FreshRSS instance: `--list`, `--key` (get), `--set` (bool/int/string inference), `--value-stdin`, `--unset`, `--force`, error paths (unknown key without `--force`, wrong type)

* unserialize allowed_classes

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-05-24 13:25:04 +02:00
polybjorn
c222a8463c refactor(themes): convert article-row inner layout to CSS Grid (#8824)
Replace absolute positioning inside `.titleAuthorSummaryDate` with CSS Grid. Title, date, and summary use `grid-area` instead of `position: absolute` + `margin-top: 2.25rem`.

Drops magic numbers that had to stay in sync:
- Three uses of `155px` (date width, title min, title padding) all describing the same column
- `2.25rem` margin-top on summary that had to clear the absolute title
- `90%` summary max-width to keep it off the date

Truncated-title hover-extend now uses `grid-column: 1 / -1` instead of `padding-right: 0.5rem`.

Depends on #8823: grid inside `display: table` mis-sizes in older Gecko, causing summary to misbehave. With the flex base from that PR, the grid sizes correctly in SeaMonkey 2.53.

## Test plan
- `make test-all` passes
- Verified in LibreWolf and SeaMonkey 2.53 with Nord and Origine themes
- Wide, narrow, and mobile viewports
- Toggle combinations: date on/off, summary on/off, hover-extend on truncated titles

Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
2026-05-21 00:54:16 +02:00
Alexandre Alapetite
2a35723533 Changelog 2026-05-21 00:43:01 +02:00
Alexandre Alapetite
4b019ab697 New option to hide badges showing number of unread articles (#8844)
Inspired by @Dan-Q's  *Reducing Phantom Obligation in FreshRSS* https://danq.me/2026/02/06/phantom-obligation-vs-freshrss/

<img width="512" height="105" alt="image" src="https://github.com/user-attachments/assets/df93118b-36f3-4175-a681-b3f81fe63ff2" />

Results in:

<img width="306" height="181" alt="image" src="https://github.com/user-attachments/assets/1c8ccaa6-4fcf-48a4-bf98-0ace43a68861" />

Can be overridden at category and feed levels.
2026-05-20 20:25:20 +02:00
polybjorn
be3606102a refactor(themes): convert .horizontal-list from display:table to flex (#8823)
Convert `.horizontal-list` from `display: table` to `display: flex`. The title item gets `flex: 1; min-width: 0; align-self: stretch` to match the implicit sizing it got from table-cell.

Class name kept so `main.js` `.closest('.horizontal-list')` calls and theme overrides still match. No `gap` or logical properties, so it works back to Firefox 28 / SeaMonkey 2.53.

Prep for #8824 which converts article rows to CSS Grid (#6776). Grid inside `display: table` mis-sizes in older Gecko, so the outer table has to go first.

## Test plan
- `make test-all` passes
- Verified in LibreWolf and SeaMonkey 2.53 with Nord and Origine themes
- Wide, narrow, and mobile viewports
- Bundled themes (Ansum, Origine-compact, Mapco, Swage) checked: no overrides depend on `display: table`

Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
2026-05-20 20:11:25 +02:00
Frans de Jonge
93f989b977 Add a warning message to the API password section, add a log warning when a client uses GET, use POST in sample curl API usage (#8845)
* Add a warning message to the API password section, add a log warning when a client uses GET, use POST in sample curl API usage

References #8834.

* Apply suggestion from @Inverle

Co-authored-by: Inverle <inverle@proton.me>

* Apply suggestion from @Inverle (Polish translation)

Co-authored-by: Inverle <inverle@proton.me>

* French translation

* Dutch translation

* German

* Apply suggestion from @Inverle api via post

Co-authored-by: Inverle <inverle@proton.me>

* Apply suggestion from @Inverle via POST (French)

Co-authored-by: Inverle <inverle@proton.me>

* Add user-agent

* update translation info in README

* avoid phpcs line too long

* also trigger on email as suggested by @Inverle

* i18n: fr typography

* make fix-all

---------

Co-authored-by: Inverle <inverle@proton.me>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-05-20 20:09:02 +02:00