Merge branch '5.9' into lupe/pt-2223-the-orientation-fieldset-doesnt-have-a-visual-group-label

# Conflicts:
#	src/web/assets/cp/dist/css/cp.css
#	src/web/assets/cp/dist/css/cp.css.map

Author: brandonkelly

CHANGELOG.md

@@ -2,11 +2,44 @@
 
 ## Unreleased
 
+- Fixed a bug where reference tags that only referenced an entry’s slug weren’t resolving.
+- Fixed an error that could occur when installing Craft with existing project config data. ([#17587](https://github.com/craftcms/cms/issues/17587))
+
+## 5.8.12 - 2025-07-29
+
+- Added support for passing a hashed `returnUrl` param to standalone Live Preview URLs. ([#17684](https://github.com/craftcms/cms/discussions/17684))
+- Improved the performance of fetching nested values within content block fields. ([#17677](https://github.com/craftcms/cms/issues/17677))
+- Fixed a bug where embedded element indexes were manipulating the window title. ([#17679](https://github.com/craftcms/cms/issues/17679))
+- Fixed an error that could occur when rendering an Entries field. ([#17686](https://github.com/craftcms/cms/issues/17686))
+- Fixed a bug where element selection modals weren’t rendering elements in a structure view when they should have. ([#17678](https://github.com/craftcms/cms/issues/17678))
+
+## 5.8.11 - 2025-07-25
+
+- Fixed a JavaScript error that occurred when applying a draft that had a percent sign in its name. ([#17674](https://github.com/craftcms/cms/issues/17674))
+- Fixed a bug where custom source headings could have IDs that conflicted with other control panel components. ([#17632](https://github.com/craftcms/cms/issues/17632))
+- Fixed a potential session leakage vulnerability.
+
+## 5.8.10 - 2025-07-24
+
+- Added `craft\helpers\User::getLoginFailureInfo()`.
+- Deprecated `craft\helpers\User::getLoginFailureMessage()`.
+- Fixed a potential user account enumeration bug when `preventUserEnumeration` was enabled.
+
+## 5.8.9 - 2025-07-24
+
 - Element index and edit pages now include the selected site’s name in the window title, on multi-site installs. ([#17626](https://github.com/craftcms/cms/pull/17626))
 - Entry type handles are now automatically incremented when duplicating an entry type, if the handle wasn’t edited. ([#17641](https://github.com/craftcms/cms/issues/17641))
+- JSON fields now have a max height of 550px. ([#17667](https://github.com/craftcms/cms/issues/17667))
+- Fixed a SQL error that could occur when applying a draft that belonged to fewer sites than the canonical element. ([#17644](https://github.com/craftcms/cms/issues/17644))
+- Fixed an error that could occur when applying project config changes. ([#17625](https://github.com/craftcms/cms/issues/17625))
+- Fixed a bug where the password reset form could incorrectly have `newUser` set to `true`. ([#17659](https://github.com/craftcms/cms/issues/17659))
+- Fixed an error that could occur when exporting elements as XML. ([#17668](https://github.com/craftcms/cms/issues/17668))
 - Fixed a bug where element indexes in structure view weren’t switching to table/card view when searching.
 - Fixed a bug where Assets fields’ “Show the search input” setting wasn’t always visible when “Restrict assets to a single location” was enabled. ([#17628](https://github.com/craftcms/cms/issues/17628))
 - Fixed a bug where relational fields were showing the search input if “All” sources were selected, but there was only one available source. ([#17628](https://github.com/craftcms/cms/issues/17628))
+- Fixed a bug where top-level element sources’ expanded/collapsed states were stored as cookies rather than in local storage. ([#17649](https://github.com/craftcms/cms/issues/17649))
+- Fixed a bug where entry authors could be set to the current user when resaved in bulk. ([#17654](https://github.com/craftcms/cms/pull/17654))
+- Fixed a bug where generated fields were showing up within card views even if they weren’t selected. ([#17662](https://github.com/craftcms/cms/issues/17662))
 
 ## 5.8.8 - 2025-07-18
 

src/base/Element.php

@@ -28,6 +28,7 @@
 use craft\elements\actions\View as ViewAction;
 use craft\elements\conditions\ElementCondition;
 use craft\elements\conditions\ElementConditionInterface;
+use craft\elements\ContentBlock;
 use craft\elements\db\EagerLoadPlan;
 use craft\elements\db\ElementQuery;
 use craft\elements\db\ElementQueryInterface;
@@ -5237,7 +5238,7 @@ public function setFieldValues(array $values): void
     private function clonedFieldValue(string $fieldHandle): mixed
     {
         $value = $this->getFieldValue($fieldHandle);
-        if (is_object($value) && !$value instanceof UnitEnum) {
+        if (is_object($value) && !$value instanceof UnitEnum && !$value instanceof ContentBlock) {
             return clone $value;
         }
         return $value;

src/config/app.php

@@ -3,7 +3,7 @@
 return [
     'id' => 'CraftCMS',
     'name' => 'Craft CMS',
-    'version' => '5.8.8',
+    'version' => '5.8.12',
     'schemaVersion' => '5.8.0.3',
     'minVersionRequired' => '4.5.0',
     'basePath' => dirname(__DIR__), // Defines the @app alias

src/controllers/ElementIndexesController.php

@@ -412,7 +412,7 @@ public function actionExport(): Response
                     break;
                 case Response::FORMAT_XML:
                     Craft::$app->language = 'en-US';
-                    $this->response->formatters[Response::FORMAT_XML]['rootTag'] = $this->elementType::pluralLowerDisplayName();
+                    $this->response->formatters[Response::FORMAT_XML]['rootTag'] = StringHelper::toCamelCase($this->elementType::pluralLowerDisplayName());
                     break;
             }
         } elseif (

src/controllers/ElementsController.php

@@ -534,12 +534,16 @@ public function actionPreview(int $elementId): Response
 
         $this->element = $element;
 
+        // Screen prep
+        $redirectUrl = $this->request->getValidatedQueryParam('returnUrl') ?? ElementHelper::postEditUrl($element);
+
         $this->getView()->registerJsWithVars(fn(
             $elementType,
             $elementId,
             $draftId,
             $revisionId,
             $siteId,
+            $redirectUrl,
         ) => <<<JS
 (() => {
   const preview = new Craft.Preview({
@@ -549,6 +553,7 @@ public function actionPreview(int $elementId): Response
     revisionId: $revisionId,
     siteId: $siteId,
     standaloneMode: true,
+    redirectUrl: $redirectUrl,
   });
   preview.open();
 })();
@@ -558,6 +563,7 @@ public function actionPreview(int $elementId): Response
             !$element->isProvisionalDraft ? $element->draftId : null,
             $element->revisionId,
             $element->siteId,
+            $redirectUrl,
         ], View::POS_END);
 
         [$docTitle, $title] = $this->_editElementTitles($element);

src/controllers/UpgradeController.php

@@ -0,0 +1,71 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\controllers;
+
+use Craft;
+use craft\helpers\Json;
+use craft\utilities\Upgrade;
+use craft\web\Controller;
+use yii\web\ForbiddenHttpException;
+use yii\web\Response;
+
+/**
+ * @author Pixel & Tonic, Inc. <[email protected]>
+ * @internal
+ */
+class UpgradeController extends Controller
+{
+    public function beforeAction($action): bool
+    {
+        if (!parent::beforeAction($action)) {
+            return false;
+        }
+
+        if (Craft::$app->getUtilities()->checkAuthorization(Upgrade::class) === false) {
+            throw new ForbiddenHttpException(sprintf('User not permitted to access the “%s” utility.', Upgrade::displayName()));
+        }
+
+        return true;
+    }
+
+    public function actionPrepComposerJson(): Response
+    {
+        $versions = $this->request->getBodyParam('versions');
+        $composerService = Craft::$app->getComposer();
+        $jsonPath = $composerService->getJsonPath();
+        $json = file_get_contents($jsonPath);
+        $config = Json::decode($json);
+
+        $config['require']['craftcms/cms'] = $versions['craft'];
+
+        if (isset($versions['php'], $config['config']['platform']['php'])) {
+            $config['config']['platform']['php'] = $versions['php'];
+        }
+
+        if (!empty($versions['plugins'])) {
+            $pluginsService = Craft::$app->getPlugins();
+            foreach ($versions['plugins'] as $handle => $version) {
+                $info = $pluginsService->getPluginInfo($handle);
+                $config['require'][$info['packageName']] = $version;
+                unset($config['require-dev'][$info['packageName']]);
+            }
+        }
+
+        if ($config['config']['sort-packages'] ?? false) {
+            $composerService->sortPackages($config['require']);
+        }
+
+        $json = Json::encode($config, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
+        $indent = Json::detectIndent(file_get_contents($jsonPath));
+        $json = Json::reindent($json, $indent);
+
+        return $this->asJson([
+            'json' => $json,
+        ]);
+    }
+}

src/controllers/UsersController.php

@@ -846,7 +846,11 @@ public function actionSetPassword(): Response
         // POST request. They've just set the password.
         $code = $this->request->getRequiredBodyParam('code');
         $uid = $this->request->getRequiredParam('id');
-        $user = Craft::$app->getUsers()->getUserByUid($uid);
+        $user = User::find()
+            ->uid($uid)
+            ->status(null)
+            ->addSelect(['users.password'])
+            ->one();
 
         if (!$user) {
             throw new BadRequestHttpException("Invalid user UUID: $uid");
@@ -2418,7 +2422,7 @@ public function actionVerifyPassword(): ?Response
      */
     private function _handleLoginFailure(?string $authError = null, ?User $user = null): ?Response
     {
-        $message = UserHelper::getLoginFailureMessage($authError, $user);
+        [$authError, $message] = UserHelper::getLoginFailureInfo($authError, $user);
 
         // Fire a 'loginFailure' event
         if ($this->hasEventHandlers(self::EVENT_LOGIN_FAILURE)) {
@@ -2431,7 +2435,6 @@ private function _handleLoginFailure(?string $authError = null, ?User $user = nu
             $message = $event->message;
         }
 
-
         return $this->asFailure(
             $message,
             data: [

src/controllers/UtilitiesController.php

@@ -116,7 +116,7 @@ public function actionShowUtility(string $id): Response
         }
 
         if ($utilitiesService->checkAuthorization($class) === false) {
-            throw new ForbiddenHttpException('User not permitted to access the "' . $class::displayName() . '".');
+            throw new ForbiddenHttpException(sprintf('User not permitted to access the “%s” utility.', $class::displayName()));
         }
 
         $this->getView()->registerAssetBundle(UtilitiesAsset::class);

src/elements/Entry.php

@@ -2809,6 +2809,11 @@ public function beforeSave(bool $isNew): bool
      */
     private function maybeSetDefaultAttributes(): void
     {
+        // if we're resaving, we shouldn't be setting the defaults
+        if ($this->resaving) {
+            return;
+        }
+
         if (
             (!isset($this->_authorIds) || empty($this->_authorIds)) &&
             !isset($this->fieldId) &&

src/elements/NestedElementManager.php

@@ -231,7 +231,7 @@ private function setOwnerOnNestedElements(ElementInterface $owner, array $elemen
     {
         foreach ($elements as $element) {
             $element->setOwner($owner);
-            if ($element->id === $element->getPrimaryOwnerId()) {
+            if ($owner->id === $element->getPrimaryOwnerId()) {
                 $element->setPrimaryOwner($owner);
             }
         }