Merge pull request #11952 from firefly-iii/develop

🤖 Automatically merge the PR into the main branch.

.github/security.md

@@ -99,12 +99,10 @@ compatibility.
 ## Security scanning through automated means
 
 There is some additional guidance for security vulnerabilities or suspected security vulnerabilities that have been 
-found with the full or partial support of AI coding agents, large language models and other code-scanning tools. Many of 
-such reports the developer of Firefly III receives are not applicable. This takes time away from responding to
-actual security vulnerabilities or suspected security vulnerabilities. If you use automated means to find these in
-the Firefly III code base, please take care to:
+found with the full or partial support of AI coding agents, large language models and other code-scanning tools. These reports are often not applicable, not actually a vulnerability, or just plain wrong. This takes time away from responding to
+*actual* security vulnerabilities or suspected security vulnerabilities. If you use automated means to search for security vulnerabilities in the Firefly III code base, please take care to:
 
-1. Manually validate the results before you submit a report,
+1. manually validate the results before you submit a report,
 2. explain how the vulnerability can actually be abused by a nefarious third party, and
 3. try to limit the verbosity of your report.
 

app/Api/V1/Requests/Chart/ChartRequest.php

@@ -28,7 +28,7 @@ use FireflyIII\Enums\UserRoleEnum;
 use FireflyIII\Support\Http\Api\ValidatesUserGroupTrait;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -69,9 +69,9 @@ class ChartRequest extends FormRequest
         ];
     }
 
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(static function (Validator $validator): void {
+        $validator->after(static function (FireflyValidator $validator): void {
             // validate transaction query data.
             $data = $validator->getData();
             if (!array_key_exists('accounts', $data)) {

app/Api/V1/Requests/Data/Bulk/MoveTransactionsRequest.php

@@ -27,7 +27,7 @@ namespace FireflyIII\Api\V1\Requests\Data\Bulk;
 use FireflyIII\Repositories\Account\AccountRepositoryInterface;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -61,9 +61,9 @@ class MoveTransactionsRequest extends FormRequest
      * Configure the validator instance with special rules for after the basic validation rules.
      * TODO this is duplicate.
      */
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
+        $validator->after(function (FireflyValidator $validator): void {
             // validate start before end only if both are there.
             $data = $validator->getData();
             if (array_key_exists('original_account', $data) && array_key_exists('destination_account', $data)) {
@@ -75,7 +75,7 @@ class MoveTransactionsRequest extends FormRequest
         }
     }
 
-    private function validateMove(Validator $validator): void
+    private function validateMove(FireflyValidator $validator): void
     {
         $data                = $validator->getData();
         $repository          = app(AccountRepositoryInterface::class);

app/Api/V1/Requests/Models/Account/UpdateRequest.php

@@ -33,7 +33,7 @@ use FireflyIII\Rules\UniqueIban;
 use FireflyIII\Support\Request\AppendsLocationData;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -121,9 +121,9 @@ class UpdateRequest extends FormRequest
     /**
      * Configure the validator instance with special rules for after the basic validation rules.
      */
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
+        $validator->after(function (FireflyValidator $validator): void {
             // validate start before end only if both are there.
             $data       = $validator->getData();
 

app/Api/V1/Requests/Models/TransactionCurrency/CurrencyCodeRequest.php

@@ -25,7 +25,7 @@ declare(strict_types=1);
 namespace FireflyIII\Api\V1\Requests\Models\TransactionCurrency;
 
 use FireflyIII\Api\V1\Requests\ApiRequest;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 
 class CurrencyCodeRequest extends ApiRequest
 {
@@ -34,10 +34,10 @@ class CurrencyCodeRequest extends ApiRequest
         return ['code' => sprintf('exists:transaction_currencies,code|%s', $this->required)];
     }
 
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
-            if (!$validator->valid()) {
+        $validator->after(function (FireflyValidator $validator): void {
+            if (0 === count($validator->valid())) {
                 return;
             }
             $code = $this->convertString('code', '');

app/Http/Controllers/Controller.php

@@ -99,6 +99,7 @@ abstract class Controller extends BaseController
         $logoutUrl        = config('firefly.custom_logout_url');
 
         // overrule v2 layout back to v1.
+
         if ('true' === request()->get('force_default_layout') && 'v2' === config('view.layout')) {
             // config('view.layout','v1');
             Config::set('view.layout', 'v1');

app/Models/GroupMembership.php

@@ -31,6 +31,9 @@ use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
+/**
+ * @property User $user
+ */
 class GroupMembership extends Model
 {
     use ReturnsIntegerIdTrait;

app/Models/TransactionJournalMeta.php

@@ -32,6 +32,9 @@ use Illuminate\Database\Eloquent\SoftDeletes;
 use function Safe\json_decode;
 use function Safe\json_encode;
 
+/**
+ * @property TransactionJournal $transactionJournal
+ */
 class TransactionJournalMeta extends Model
 {
     use ReturnsIntegerIdTrait;

app/Repositories/Attachment/AttachmentRepositoryInterface.php

@@ -27,6 +27,8 @@ use FireflyIII\Enums\UserRoleEnum;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Models\Attachment;
 use FireflyIII\Models\UserGroup;
+use FireflyIII\User;
+use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Support\Collection;
 
 /**
@@ -37,6 +39,7 @@ use Illuminate\Support\Collection;
  * @method getUser()
  * @method checkUserGroupAccess(UserRoleEnum $role)
  * @method setUserGroupById(int $userGroupId)
+ * @method setUser(null|Authenticatable|User $user)
  */
 interface AttachmentRepositoryInterface
 {

app/Repositories/PeriodStatistic/PeriodStatisticRepository.php

@@ -25,7 +25,10 @@ declare(strict_types=1);
 namespace FireflyIII\Repositories\PeriodStatistic;
 
 use Carbon\Carbon;
+use FireflyIII\Models\Account;
+use FireflyIII\Models\Category;
 use FireflyIII\Models\PeriodStatistic;
+use FireflyIII\Models\Tag;
 use FireflyIII\Support\Repositories\UserGroup\UserGroupInterface;
 use FireflyIII\Support\Repositories\UserGroup\UserGroupTrait;
 use Illuminate\Database\Eloquent\Builder;
@@ -38,7 +41,7 @@ class PeriodStatisticRepository implements PeriodStatisticRepositoryInterface, U
 {
     use UserGroupTrait;
 
-    public function allInRangeForModel(Model $model, Carbon $start, Carbon $end): Collection
+    public function allInRangeForModel(Account|Category|Tag $model, Carbon $start, Carbon $end): Collection
     {
         return $model->primaryPeriodStatistics()->where('start', '>=', $start)->where('end', '<=', $end)->get();
     }

app/Repositories/PeriodStatistic/PeriodStatisticRepositoryInterface.php

@@ -25,13 +25,16 @@ declare(strict_types=1);
 namespace FireflyIII\Repositories\PeriodStatistic;
 
 use Carbon\Carbon;
+use FireflyIII\Models\Account;
+use FireflyIII\Models\Category;
 use FireflyIII\Models\PeriodStatistic;
+use FireflyIII\Models\Tag;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Collection;
 
 interface PeriodStatisticRepositoryInterface
 {
-    public function allInRangeForModel(Model $model, Carbon $start, Carbon $end): Collection;
+    public function allInRangeForModel(Account|Category|Tag $model, Carbon $start, Carbon $end): Collection;
 
     public function allInRangeForPrefix(string $prefix, Carbon $start, Carbon $end): Collection;
 
@@ -41,6 +44,8 @@ interface PeriodStatisticRepositoryInterface
 
     public function deleteStatisticsForPrefix(string $prefix, Collection $dates): void;
 
+    public function deleteStatisticsForType(string $class, Collection $objects, Collection $dates): void;
+
     public function findPeriodStatistic(Model $model, Carbon $start, Carbon $end, string $type): Collection;
 
     public function findPeriodStatistics(Model $model, Carbon $start, Carbon $end, array $types): Collection;

app/Support/Http/Controllers/UserNavigation.php

@@ -111,6 +111,8 @@ trait UserNavigation
 
                 return redirect(route('index'));
             }
+
+            /** @var TransactionJournal $journal */
             $journal     = $transaction->transactionJournal;
 
             /** @var null|Transaction $other */

app/Support/Request/ConvertsDataTypes.php

@@ -27,8 +27,10 @@ namespace FireflyIII\Support\Request;
 use Carbon\Carbon;
 use Carbon\Exceptions\InvalidDateException;
 use Carbon\Exceptions\InvalidFormatException;
+use FireflyIII\Models\UserGroup;
 use FireflyIII\Repositories\Account\AccountRepositoryInterface;
 use FireflyIII\Support\Facades\Steam;
+use Illuminate\Http\Request;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Log;
 
@@ -36,6 +38,8 @@ use function Safe\preg_replace;
 
 /**
  * Trait ConvertsDataTypes
+ *
+ * @method UserGroup validateUserGroup(Request $request)
  */
 trait ConvertsDataTypes
 {

app/User.php

@@ -106,9 +106,6 @@ class User extends Authenticatable
         throw new NotFoundHttpException();
     }
 
-    /**
-     * Link to accounts.
-     */
     public function accounts(): HasMany
     {
         return $this->hasMany(Account::class);

changelog.md

@@ -3,7 +3,7 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## 6.5.5 - 2026-03-15
+## v6.5.5 - 2026-03-15
 
 <!-- summary: This release takes note of some security issues, and fixes interesting bugs. -->
 
@@ -16,7 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Lots of code cleanup and small quality issues fixed.
 
 ### Fixed
-
+- [Issue 11803](https://github.com/firefly-iii/firefly-iii/issues/11803) (Monthly Left budget not correct) reported by @fabienfitoussi
+- [Issue 11641](https://github.com/firefly-iii/firefly-iii/issues/11641) (Annual budget “Remaining” resets in subsequent months) reported by @maxwell5555
 - [Discussion 11879](https://github.com/orgs/firefly-iii/discussions/11879) (Searching for accounts should include inactive accounts?) started by @b-ryan
 - [Issue 11916](https://github.com/firefly-iii/firefly-iii/issues/11916) (Balance is not recalculated when multiple transactions are selected and then deleted) reported by @elp3dr0
 - [Discussion 11936](https://github.com/orgs/firefly-iii/discussions/11936) (Links in emails don't link to correct domain) started by @SamLMB
@@ -24,17 +25,14 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Security
 
+- Credits go to Igor for finding some interesting issues in Firefly III. They have been fixed.
+
 > [!NOTE] 
-> A lot of people have access to the new Claude model that has enhanced code scanning capabilities. Many new issues are being reported through (semi-)automated means. I will update the security policy to reflect this. The following security related issues no longer need reporting:
+> As AI-code scanning tools like Claude and Co-Pilot get more advanced, many (new) issues are being reported through (semi-)automated means. I have updated [the security policy](https://github.com/firefly-iii/firefly-iii/security/policy) to reflect my stance on this. The following security related issues no longer need reporting:
 
 - It is possible to point webhooks to private or internal IPs.
-- You can see all transaction link types. If you are an owner, you can also delete them.
+- You can see all transaction link types.
 - `unsafe-inline` is allowed for CSS, which means you can overrule the layout if you manage to get CSS on the page.
-- You can make the rule engine print internal enums.
-
-### API
-
-- Initial release.
 
 ## v6.5.4 - 2026-03-06
 

config/firefly.php

@@ -78,8 +78,8 @@ return [
         'running_balance_column' => (bool)envDefaultWhenEmpty(env('USE_RUNNING_BALANCE'), true), // this is only the default value, is not used.
         // see cer.php for exchange rates feature flag.
     ],
-    'version'                              => 'develop/2026-03-14',
-    'build_time'                           => 1773489235,
+    'version'                              => '6.5.5',
+    'build_time'                           => 1773558152,
     'api_version'                          => '2.1.0', // field is no longer used.
     'db_version'                           => 28, // field is no longer used.
 

package-lock.json

@@ -4135,9 +4135,9 @@
             "license": "MIT"
         },
         "node_modules/baseline-browser-mapping": {
-            "version": "2.10.7",
-            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.7.tgz",
-            "integrity": "sha512-1ghYO3HnxGec0TCGBXiDLVns4eCSx4zJpxnHrlqFQajmhfKMQBzUGDdkMK7fUW7PTHTeLf+j87aTuKuuwWzMGw==",
+            "version": "2.10.8",
+            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.8.tgz",
+            "integrity": "sha512-PCLz/LXGBsNTErbtB6i5u4eLpHeMfi93aUv5duMmj6caNu6IphS4q6UevDnL36sZQv9lrP11dbPKGMaXPwMKfQ==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
@@ -4587,9 +4587,9 @@
             }
         },
         "node_modules/caniuse-lite": {
-            "version": "1.0.30001778",
-            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001778.tgz",
-            "integrity": "sha512-PN7uxFL+ExFJO61aVmP1aIEG4i9whQd4eoSCebav62UwDyp5OHh06zN4jqKSMePVgxHifCw1QJxdRkA1Pisekg==",
+            "version": "1.0.30001779",
+            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001779.tgz",
+            "integrity": "sha512-U5og2PN7V4DMgF50YPNtnZJGWVLFjjsN3zb6uMT5VGYIewieDj1upwfuVNXf4Kor+89c3iCRJnSzMD5LmTvsfA==",
             "dev": true,
             "funding": [
                 {

resources/assets/v1/src/components/transactions/CreateTransaction.vue

@@ -653,7 +653,7 @@ export default {
                                     // console.log('Upload complete!');
                                     return true;
                                 }).catch(error => {
-                                console.error('Could not upload');
+                                console.error('[b] Could not upload');
                                 console.error(error);
                                 // console.log('Uploaded attachment #' + key);
                                 uploads++;

resources/assets/v1/src/components/transactions/EditTransaction.vue

@@ -964,7 +964,7 @@ export default {
                                     // console.log('Upload complete!');
                                     return true;
                                 }).catch(error => {
-                                console.error('Could not upload file.');
+                                console.error('[c] Could not upload file.');
                                 console.error(error);
                                 uploads++;
                                 this.error_message = 'Could not upload attachment: ' + error;

resources/assets/v2/src/pages/transactions/shared/process-attachments.js

@@ -37,7 +37,7 @@ let uploadFiles = function (fileData) {
                         document.dispatchEvent(event);
                     }
                 }).catch(error => {
-                    console.error('Could not upload');
+                    console.error('[a] Could not upload');
                     console.error(error);
                     uploads++;
                     // break right away

resources/views/install/index.blade.php

@@ -83,7 +83,7 @@
                 <p>The upgrade and installation is ongoing. Please track its progress through the box below.</p>
                 <div class="row">
                     <div class="col-lg-12">
-                        <div id="status-box p-3 install-box-border">
+                        <div id="status-box" class="p-3 install-box-border">
                             <span class="fa fa-spin fa-spinner"></span> Waiting to start...
                         </div>
                     </div>