silverstripe-framework/docs/en/04_Changelogs/3.0.6.md

# 3.0.6

## Overview

 * Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
 ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
 * API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)

## Details

### Security: Require ADMIN for ?flush=1 (SS-2013-001)

See [announcement](http://www.silverstripe.org/ss-2013-001-require-admin-for-flush1/)

### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)

### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)

### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)

### Security: Information disclosure in Versioned.php (SS-2013-006)

See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/)

### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)

### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)

### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)

## Upgrading

 * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
   an object (usually DataObject) as well as an array.
 * If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web
   request, you should ensure that you limit use of the flush parameter
 * Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format. 
 * Translation entities defined in templates now use their fully qualified entity name without dots.
   Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
   files or uses of those entities in custom code.
 * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
   to ensure correct operation (it has changed its locale identifier)
3.0.6 changelog 2013-09-26 11:33:27 +02:00			`# 3.0.6`
NEW: Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. These changes provide a 15% - 20% performance improvement, and as such justify an small API change in the 3.0 branch. It will likely affect anyone who has created their own composite fields, which is fortunately not all that common. 2013-04-21 03:18:18 +02:00
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00			`## Overview`

			* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
			`([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))`
API Disable discontinued Google Spellcheck in TinyMCE Replaced by browser-based spellchecking if available (Chrome, Firefox), with instructions on how to use PSpell as an alternative. 2013-08-03 16:15:52 +02:00			`* API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
			`## Details`

FIX Privilege escalation through Group hierarchy setting (SS-2013-003) See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/ 2013-08-30 13:58:37 +02:00			`### Security: Require ADMIN for ?flush=1 (SS-2013-001)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
Linking to older security issue in change log Mainly for consistency with the newer format 2013-08-30 14:39:46 +02:00			`See [announcement](http://www.silverstripe.org/ss-2013-001-require-admin-for-flush1/)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
FIX Privilege escalation through Group hierarchy setting (SS-2013-003) See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/ 2013-08-30 13:58:37 +02:00			`### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)`

			`See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)`
FIX Privilege escalation through Group and Member CSV upload (SS-2013-004) See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/ 2013-08-30 13:59:05 +02:00
			`### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)`

			`See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00			`### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
Merge remote-tracking branch 'origin/3.0' into 3.1 Conflicts: admin/code/SecurityAdmin.php css/AssetUploadField.css docs/en/topics/configuration.md security/PermissionRole.php 2013-09-12 17:26:52 +02:00			`See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
Update 3.0.6.md Add reference to information disclosure in Versioned.php (SS-2013-006) 2013-09-13 00:34:51 +02:00			`### Security: Information disclosure in Versioned.php (SS-2013-006)`

			`See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/)`

FIX Privilege escalation through Group hierarchy setting (SS-2013-003) See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/ 2013-08-30 13:58:37 +02:00			`### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)`

			`See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)`
FIX Privilege escalation through Group and Member CSV upload (SS-2013-004) See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/ 2013-08-30 13:59:05 +02:00
			`### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)`

			`See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
			`### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)`

			`See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)`

NEW: Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. These changes provide a 15% - 20% performance improvement, and as such justify an small API change in the 3.0 branch. It will likely affect anyone who has created their own composite fields, which is fortunately not all that common. 2013-04-21 03:18:18 +02:00			`## Upgrading`

FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00			`* If you have created your own composite database fields, then you should amend the setValue() to allow the passing of`
			`an object (usually DataObject) as well as an array.`
			`* If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web`
			`request, you should ensure that you limit use of the flush parameter`
Translations: Switch to Transifex format - Based on new (last) translation download from getlocalization.com - Removed untranslated strings. Getlocalization started including those at some point which is highly annoying, unnecessary and breaks the new transfix system, since it'll mark all of the english strings as actual translations - Avoid dots in entities. It confuses the Transifex YML parser - Removed some locales unknown to Transifex which didn't have any translations anyway - Removed "lolcat" locale, uses custom notation (en@lolcal) which SilverStripe's i18n system can't handle (needs mapping from SS naming to Zend naming) - Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation) - Namespaced all entities used in templates (deprecated usage) - Converted dots to underscores where template filenames are used for namespaces, since Transifex YML parsing handles them as separate YML keys otherwise - Removed whitespace in entity names, SilverStripe i18n can't handle it - Only allow selection of locales registered through i18n::$all_locales to avoid issues with unknown locales in Zend's CLDR database 2013-08-03 20:18:06 +02:00			`* Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.`
			`* Translation entities defined in templates now use their fully qualified entity name without dots.`
			Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
			`files or uses of those entities in custom code.`
			* If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
Update 3.0.6.md Add reference to information disclosure in Versioned.php (SS-2013-006) 2013-09-13 00:34:51 +02:00			`to ensure correct operation (it has changed its locale identifier)`