Across workflow 'show - sectionedit - save/cancel' explicitly
transmit header id to the server. So the server can always redirect to
the correct section even if headings have the same name. Fixes #1364.

This also removes duplicated code from ajax.php

* master:
  fix error in config manager caused by changes visibility
  Continue if there are no attributes
  avoid dependency tests being marked as risky
  replaced some more each calls
  remove deprecated each() call
  test constructors need to call parent constructor
  use dataprovider in password tests
  removed deprecated blowfish class
  replace some var keywords
  translation update
  PassHash.class.php: in case of brcrypt, use the most recent variant $2y$
  translation update
  Fix Typo in remote API (#1938)
  translation update
  translation update
  translation update
  use 403 response on bad logins. closes #1937

The internal lang and localized variables of a plugin are no longer
accessible from the outside. This adds a proper setter and also fixes
the type hinting in the config plugin.

If an entry in the loop at `_tpl_metaheaders_action` has no content, skip this entry.

There are still some left in the DifferenceEngine code

this fixes another problem with our tests and phpunit 6.1

This fixes a problem with those tests in the most recent version of
phpunit. I thought it was caused by the use of the deprecated var
keyword, but some other weirdness was going on. This way it's more
proper anyway.

This should fix some tests on PHP 7.1. The work is far from done, we
still have a lot of variables without proper accessibility defined.

This change breaks compatibility with php 5.3.7, but a standing
requirement for at least php 5.6 is declared in composer.json.

If the php documentation is to be believed, this change increases
security against pass-the-hash type attacks. (I do not have the knowledge
to assess the security differences between $2a$ and $2y$).

As a Sidenote: htpasswd shipped with apache2 2.4.10 (and probably,
other versions), when used with the -B (=bcrypt) option, produces hashes
marked with $2y$.

Nonewithstanding the actual support or non-support of $2a$ by the
apache2 'AuthUserFile' directive, the apache 2.4 documentation only
asserts support for the $2y$ bcrypt variant.
Therefore, this commit would make it possible for dokuwiki and apache2
basic authentication to share the same password file, in the case when
bcrypt is used.

* Updated remote.php

Updated remote.php for retrieving all the acl details.

* Updated remote.php

By mistake changed in addAcl instead of listAcls.

the $from != $to check is handled further up already and throws an
exception.

loadAction() and checkAction() are now public and could be used within
actionOK(). However some weird circular references prevent that. In
addition, actionOK is also used to check for things that aren't Actions
(yet) like 'rss' and 'top'.

also fixes the tests

Now underscores can be used to have sub actions. The loader will try to
find an exact match first, then begin removing parts from the end until
a matching action is found.

This is just a quick and dirty hack to try and see if the router
actually behaves as it should. I renamed the old methods to XXX_* and
implemented new ones calling the router. This has to be cleaned up
later.

It should now catch any circular loops (by having a maxiumum recursion
depth) and it handles the automatic redirect after save (and others)

This is not how integration of plugins would ideally be done in this new
system. Ideally an action plugin would actually implement an instance of
AbstractAction and would just fall into the normal flow of actions here.

However to not break a gazillion of existing plugins, this is just add
the existing two events into the new system through the use of a Plugin
action.

Maybe we could add "new" action plugins later.