# 3.1.0

## Overview ##

### CMS

* "Split view" editing with side-by-side preview of the edited website
* Resizing of preview to common screen widths ("desktop", "tablet" and "smartphone")
* Decluttered "Edit Page" buttons by moving minor actions into a "more options" panel
* Auto-detect CMS changes and highlight the save button, so unsaved changes are easier to notice
* New context action "Show children as list" on tree for better management on large sites
* CMS form fields now support help text through `setDescription()`, both inline and as tooltips
* Removed SiteTree "MetaTitle" and "MetaKeywords" fields
* More legible and simplified tab and menu styling in the CMS
* Dropped support for Internet Explorer 7
* Added support for Internet Explorer 10 (in "classic"/desktop mode)

### Framework

* Security: Require ADMIN for `?flush=1` (stops denial-of-service attacks)
  ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
* Static properties are immutable and private; you must use the Config API
* Statics in custom Page classes need to be "private"
* `$default_cast` is now `Text` instead of `HTMLText`, to secure templates from XSS by default
* Shortcodes are no longer supported in template files (they still work in DB fields and through HTMLText casting)
* `DataList` and `ArrayList` are now immutable; they return cloned instances on modification
* Removed legacy table APIs (e.g. `TableListField`), use GridField instead
* Deny URL access if `Controller::$allowed_actions` is undefined
* Removed support for "*" rules in `Controller::$allowed_actions`
* Removed support for overriding rules on parent classes through `Controller::$allowed_actions`
* `RestfulService` verifies SSL peers by default
* UploadField functions on new records
* Editing of relation table data (`$many_many_extraFields`) in `GridField`
* Optional integration with ImageMagick as a new image manipulation backend
* Support for PHP 5.4's built-in webserver
* Support for [Composer](http://getcomposer.org) dependency manager (also works with 3.0)
* Added support for filtering incoming HTML from TinyMCE (disabled by default, see [security](/developer_guides/security))
* Behaviour testing support through [Behat](http://behat.org), with CMS test coverage
  (see the [SilverStripe Behat Extension]() for details)

## Details

### Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET
parameter (`flush=1`). Since this action requires more server resources than normal requests,
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

* The [environment](/getting_started/environment_management) is in "dev mode"
* A user is logged in with ADMIN permissions
* An error occurs during startup

This applies to both `flush=1` and `flush=all` (technically we only check that the parameter is present,
regardless of its value), but only for web requests made through main.php. CLI requests, or any other
request that goes through a custom start-up script, will still process all flush requests as normal.

## Upgrading

### Statics in custom Page classes need to be "private"

**Requires action on every SilverStripe installation.**

Typical error message: `Access level to ErrorPage::$db must be public`

Related to the Config API change described below, many statics in core are now
marked with `private` visibility. While PHP allows making variables more visible
(e.g. from "private" to "public"), it complains if you try to restrict visibility in subclasses.
The core framework extends from the `Page` class in your own codebase (`mysite/`),
which means you need to change those statics to `private` yourself.
The same rules apply to controllers subclassed from `Page_Controller`.

Before:

    :::php
    <?php
    class Page extends SiteTree
    {
        static $db = array('MyVar' => 'Text');
    }
    class Page_Controller extends ContentController
    {
        static $allowed_actions = array('myaction');
    }

After:

    :::php
    <?php
    class Page extends SiteTree
    {
        private static $db = array('MyVar' => 'Text');
    }
    class Page_Controller extends ContentController
    {
        private static $allowed_actions = array('myaction');
    }

Most statics defined in `SiteTree` and `DataObject` are affected, for example:
`$db`, `$has_one`, `$has_many`, `$many_many`, `$defaults`, `$allowed_children`.
The same goes for statics defined in `ContentController`, e.g. `$allowed_actions`.

Classes which are not further extended by the core (e.g. all custom `DataObject` subclasses)
are not affected by this change, although we recommend marking those inherited statics
as `private` as well, to make it clear that they should be accessed through the Config API.

### default_cast is now Text

In order to reduce the chance of accidentally allowing XSS attacks, the value of default_cast
has been changed in 3.1 from HTMLText to Text. This means that any values used in a template
that haven't been explicitly cast as safe will be escaped (`<` replaced with `&lt;` etc).

When upgrading, if methods return HTML fragments they need to explicitly cast them
as such. This can either be done by returning an HTMLText object, like:

    :::php
    return DBField::create_field('HTMLText', '<div></div>');

or by defining the casting of the accessor method, like:

    :::php
    class Page extends SiteTree
    {
        private static $casting = array(
            'MyDiv' => 'HTMLText'
        );

        public function MyDiv() {
            return '<div></div>';
        }
    }

SSViewer#process (and as a result ViewableData#renderWith) have been changed to already return
explicitly cast HTMLText instances, so functions that return the result of these methods won't
have to do any additional casting.

Note that this change means that if code was testing the result via is_string, that is no longer
reliable.

### Static properties are immutable and private, you must use Config API

A common SilverStripe pattern is to use a static variable on a class to define a configuration parameter.
The configuration system added in SilverStripe 3.0 builds on this by using this static variable as a way
of defining the default value.

In SilverStripe 3.0, it was possible to edit this value at run-time and have the change propagate into the
configuration system. This is no longer the case, for performance reasons. We've marked all "configurable"
statics as `private`, so you can't set or retrieve their value directly.
When using static setters or getters, the system throws a deprecation warning.
Notable exceptions to this rule are all static setters which accept objects, such as `SS_Cache::add_backend()`.

Please change all run-time manipulation of configuration to use `Config::inst()->update()` or
`$this->config()->update()`. You can keep using procedural configuration through `_config.php`
through this new notation, although it's encouraged to use the (faster) YAML config wherever possible.
For this purpose, we have added a `mysite/_config/config.yml` file.

Here's an example on how to rewrite a common `_config.php` configuration:

    :::php
    <?php
    global $project;
    $project = 'mysite';

    global $database;
    $database = 'SS_mydb';

    require_once('conf/ConfigureFromEnv.php');
    SSViewer::set_theme('simple');

    if(class_exists('SiteTree')) SiteTree::enable_nested_urls();

    if(Director::isLive()) Email::setAdminEmail('support@mydomain.com');

    if(defined('MY_REDIRECT_EMAILS')) Email::send_all_emails_to('developer@mydomain.com');

    SS_Log::add_writer(new SS_LogFileWriter(BASE_PATH . '/mylog.log'), SS_Log::WARN);

    if(strpos($_SERVER['HTTP_USER_AGENT'], 'Internet Explorer') !== false) {
        SSViewer::set_theme('basic');
    }

    Object::add_extension('Member', 'MyMemberExtension');

The upgraded `_config.php`:

    :::php
    <?php
    global $project;
    $project = 'mysite';

    global $database;
    $database = 'SS_mydb';

    require_once('conf/ConfigureFromEnv.php');

    // Removed SiteTree::enable_nested_urls() since it's configured by default

    // Requires PHP objects, keep in PHP config
    SS_Log::add_writer(new SS_LogFileWriter(BASE_PATH . '/mylog.log'), SS_Log::WARN);

    // Non-trivial conditional, keep in PHP config
    if(strpos($_SERVER['HTTP_USER_AGENT'], 'Internet Explorer') !== false) {
        // Overwrites any earlier YAML config
        Config::inst()->update('SSViewer', 'theme', 'basic');
    }

The upgraded `config.yml`:

    :::yml
    ---
    Name: mysite
    After: 'framework/*','cms/*'
    ---
    SSViewer:
      theme: 'simple'
    Member:
      extensions:
        - MyMemberExtension
    ---
    Only:
      environment: 'live'
    ---
    Email:
      admin_email: 'support@mydomain.com'

Some examples of changed notations (not exhaustive, there's over a hundred in total):

* `SSViewer::set_theme()`: Use `SSViewer.theme` instead
* `SecurityAdmin::$hidden_permissions`: Use `Permission.hidden_permissions` instead
* `Director::setBaseFolder`: Use `Director.alternate_base_folder` instead
* `Director::setBaseURL`: Use `Director.alternate_base_url` instead
* `SSViewer::setOption('rewriteHashlinks', ...)`: Use `SSViewer.rewrite_hashlinks` instead

<div class="warning" markdown='1'>
Please remember to upgrade the installer project as well, particularly
your `.htaccess` or `web.config` files. Web access to these sensitive YAML configuration files
needs to be explicitly denied through these configuration files (see the [3.0.5 security release](/changelogs/3.0.4))
for details.
</div>

For more information about how to use the config system, see the ["Configuration" topic](/developer_guides/configuration).

### Deny URL access if `Controller::$allowed_actions` is undefined or empty array

In order to make controller access checks more consistent and easier to
understand, the routing will require definition of `$allowed_actions`
on your own `Controller` subclasses if they contain any actions accessible through URLs.

    :::php
    class MyController extends Controller
    {
        // This action is now denied because no $allowed_actions are specified
        public function myaction($request)
        {}
    }

You can overwrite the default behaviour on undefined `$allowed_actions` to allow all actions,
by setting the `RequestHandler.require_allowed_actions` config value to `false` (not recommended).

This applies to anything extending `RequestHandler`, so please check your `Form` and `FormField`
subclasses as well. Keep in mind, action methods as denoted through `FormAction` names should NOT
be mentioned in `$allowed_actions` to avoid CSRF issues.
Please review all rules governing allowed actions in the ["controller" topic](/developer_guides/controllers/access_control/#allowed-actions).

### Removed support for "*" rules in `Controller::$allowed_actions`

The wildcard ('*') character allowed you to define fallback rules for actions
that weren't explicitly listed. This caused a lot of confusion,
particularly around inherited rules. We've decided to remove the feature;
you'll need to specify each accessible action individually.

    :::php
    class MyController extends Controller
    {
        public static $allowed_actions = array('*' => 'ADMIN');

        // Always denied because not explicitly listed in $allowed_actions
        public function myaction($request)
        {}

        // Always denied because not explicitly listed in $allowed_actions
        public function myotheraction($request)
        {}
    }

Please review all rules governing allowed actions in the
["controller" topic](/developer_guides/controllers/access_control/#allowed-actions).

### Removed support for overriding rules on parent classes through `Controller::$allowed_actions`

Since 3.1, the `$allowed_actions` definitions only apply
to methods defined on the class they're also defined on.
Overriding inherited access definitions is no longer possible.

    :::php
    class MyController extends Controller
    {
        public static $allowed_actions = array('myaction' => 'ADMIN');

        public function myaction($request)
        {}
    }

    class MySubController extends MyController
    {
        // No longer works
        public static $allowed_actions = array('myaction' => 'CMS_ACCESS_CMSMAIN');
    }

This also applies to custom implementations of `handleAction()` and `handleRequest()`,
which now have to be listed in `$allowed_actions` specifically.
It also restricts `Extension` classes applied to controllers, which now
can only grant or deny access to methods they define themselves.

New approach with the [Config API](/developer_guides/configuration/configuration):

    :::php
    class MySubController extends MyController
    {
        public function init()
        {
            parent::init();

            Config::inst()->update('MyController', 'allowed_actions',
                array('myaction' => 'CMS_ACCESS_CMSMAIN')
            );
        }
    }

Please review all rules governing allowed actions in the
["controller" topic](/developer_guides/controllers/access_control/#allowed-actions).

### Grouped CMS Buttons

The CMS buttons are now grouped, in order to hide minor actions by default and declutter the interface.
This required changing the form field structure from a simple `FieldList`
to a `FieldList` which contains a `CompositeField` for all "major actions",
and a `TabSet` with a single tab for all "minor actions".
If you have previously added, removed or altered built-in CMS actions in any way,
you'll need to adjust your code.

    :::php
    class MyPage extends Page
    {
        public function getCMSActions() {
            $actions = parent::getCMSActions();

            // Inserting a new toplevel action (old)
            $actions->push(new FormAction('MyAction'));

            // Inserting a new toplevel action (new)
            $actions->insertAfter(new FormAction('MyAction'), 'MajorActions');

            // Removing an action, both toplevel and nested (no change required)
            $actions->removeByName('action_unpublish');

            // Inserting a new minor action (new)
            $actions->addFieldToTab(
                'Root.ActionMenus.MoreOptions',
                new FormAction('MyMinorAction')
            );

            // Finding a toplevel action (no change required)
            $match = $actions->dataFieldByName('action_save');

            // Finding a nested action (new)
            $match = $actions->fieldByName('ActionMenus.MoreOptions')
                ->fieldByName('action_MyMinorAction');

            return $actions;
        }
    }

### GridField and ModelAdmin Permission Checks

`GridFieldDetailForm` now checks for `canEdit()` and `canDelete()` permissions
on your model. `GridFieldAddNewButton` checks `canCreate()`.
The default implementation requires `ADMIN` permissions.
You'll need to loosen those permissions if you want other users with CMS
access to interact with your data.
Since `GridField` is used in `ModelAdmin`, this change will affect both classes.

Example: Require "CMS: Pages section" access

    :::php
    class MyModel extends DataObject
    {
        public function canView($member = null)
        {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canEdit($member = null)
        {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canDelete($member = null)
        {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canCreate($member = null)
        {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
    }

You can also implement [custom permission codes](/developer_guides/security/permissions).
For 3.1.0 stable, we aim to further simplify the permission definitions,
in order to reduce the boilerplate code required to get a model editable in the CMS.

Note: GridField is already relying on the permission checks performed
through the CMS controllers, providing a simple level of security.

### RestfulService verifies SSL peers by default

This makes the implementation "secure by default", by removing
the call to `curl_setopt(CURLOPT_SSL_VERIFYPEER, false)`.
Failing to validate SSL peers makes HTTP requests vulnerable to man-in-the-middle attacks.
The underlying `curl` library relies on the operating system for the resulting CA certificate
verification. On some systems (mainly Windows), these certificates are not available on
a standard PHP installation, and need to be added manually through `CURLOPT_CAINFO`.
Although it is not recommended, you can restore the old insecure behaviour with
the following configuration: `RestfulService::set_default_curl_option(CURLOPT_SSL_VERIFYPEER, false)`.

### Deprecation API {#deprecation}

The [Deprecation](api:SilverStripe\Dev\Deprecation) API generates deprecation notices to help you future-proof your code.
Calls to deprecated methods will only produce errors if the API was deprecated in the
release equal to or earlier than the "notification version" (currently set to "3.1.0").

If you change the notification version to 3.1.0-dev, then only methods deprecated in older versions
(e.g. 3.0) will trigger notices, and the other methods will silently pass. This can be useful if
you don't yet have time to remove all calls to deprecated methods.

    :::php
    Deprecation::notification_version('3.1.0-dev');

On the other hand, if you want to identify which APIs will be removed in the next minor release (3.2.0),
you can enable those warnings and future-proof your code already.

    :::php
    Deprecation::notification_version('3.2.0');

### Other

* `TableListField`, `ComplexTableField`, `TableField`, `HasOneComplexTableField`, `HasManyComplexTableField`
  and `ManyManyComplexTableField` have been removed from the core and placed into a module called
  "legacytablefields" located at https://github.com/silverstripe-labs/legacytablefields
* `prototype.js` and `behaviour.js` have been removed from the core, they are no longer used. If you
  have custom code relying on these two libraries, please update your code to include the files yourself
* Removed `SiteTree.MetaKeywords` since they are irrelevant in terms of SEO
  ([seomoz article](http://www.mattcutts.com/blog/keywords-meta-tag-in-web-search/)) and add little information about the page
* Removed `SiteTree.MetaTitle` as a means to customise the window title, use `SiteTree.Title` instead
* Deprecated `Profiler` class, use third-party solutions like [xhprof](https://github.com/facebook/xhprof/)
* Removed defunct or unnecessary debug GET parameters:
  `debug_profile`, `debug_memory`, `profile_trace`, `debug_javascript`, `debug_behaviour`
* Removed `Member_ProfileForm`, use `CMSProfileController` instead
* `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
* Removed CMS permission checks from `File->canEdit()` and `File->canDelete()`. If you have unsecured
  controllers relying on these permissions, please override them through a `DataExtension`.
* Moved email bounce handling to new
  ["emailbouncehandler" module](https://github.com/silverstripe-labs/silverstripe-emailbouncehandler),
  including `Email_BounceHandler` and `Email_BounceRecord` classes,
  as well as the `Member->Bounced` property.
* Deprecated global email methods `htmlEmail()` and `plaintextEmail()`, as well as various email helper
  methods like `encodeMultipart()`. Use the `Email` API, or the `Mailer` class where applicable.
* Removed non-functional `$inlineImages` option for sending emails
* Removed support for keyed arrays in `SelectionGroup`, use new `SelectionGroup_Item` object
  to populate the list instead (see [API docs](api:SilverStripe\Forms\SelectionGroup)).
* `FormField->setDescription()` now renders in a `<span class="description">` by default, rather
  than a `title` attribute
* Removed `Form->Name()`: Use `getName()`
* Removed `FormField->setContainerFieldSet()`: Use `setContainerFieldList()`
* Removed `FormField->rootFieldSet()`: Use `rootFieldList()`
* Removed `Group::map()`: Use `DataList::create("Group")->map()`
* Removed `Member->generateAutologinHash()`: Tokens are no longer saved directly into the database in
  plaintext. Use the return value of `Member::generateAutologinTokenAndHash()` to get the token
* Removed `Member->sendInfo()`: use `Member_ChangePasswordEmail` or `Member_ForgotPasswordEmail` directly
* Removed `SQLMap::map()`: Use `DataList::create("Member")->map()`
* Removed `SQLMap::mapInGroups()`: Use `Member::map_in_groups()`
* Removed `PasswordEncryptor::register()/unregister()`: Use config system instead
* Methods on DataList and ArrayList that used to both modify the existing list & return a new version
  now just return a new version. Make sure you change statements like `$list->filter(...)` to
  `$list = $list->filter(...)` for these methods:
    - `ArrayList#reverse`
    - `ArrayList#sort`
    - `ArrayList#filter`
    - `ArrayList#exclude`
    - `DataList#where`
    - `DataList#limit`
    - `DataList#sort`
    - `DataList#addFilter`
    - `DataList#applyFilterContext`
    - `DataList#innerJoin`
    - `DataList#leftJoin`
    - `DataList#find`
    - `DataList#byIDs`
    - `DataList#reverse`
* `DataList#dataQuery` has been changed to return a clone of the query, and so can't be used to modify the
  list's query directly. Use `DataList#alterDataQuery` instead to modify dataQuery in a safe manner.
* `ScheduledTask`, `QuarterHourlyTask`, `HourlyTask`, `DailyTask`, `MonthlyTask`, `WeeklyTask` and
  `YearlyTask` are deprecated, please extend from `BuildTask` or `CliController`,
  and invoke them in self-defined frequencies through Unix cronjobs etc.
* `i18n::$common_locales` and `i18n::$common_languages` are now accessed via the Config API, and contain
  associative rather than indexed arrays.
  Before: `array('de_DE' => array('German', 'Deutsch'))`,
  After: `array('de_DE' => array('name' => 'German', 'native' => 'Deutsch'))`.
* `SSViewer::current_custom_theme()` has been replaced with the `SSViewer.theme_enabled` configuration setting.
  Please use it to toggle theme behaviour rather than relying on the custom theme being set in the
  (now deprecated) `SSViewer::set_theme()` call.
* Scaffolded `DateField`, `TimeField` and `DatetimeField` form field instances automatically include
  formatting hints as placeholders and description text below the field itself.
  If you change the date/time format of those fields, you need to adjust the hints.
  To remove the hints, use `setDescription(null)` and `setAttribute('placeholder', null)`.
* Changed the way FreeStrings in `SSTemplateParser` are recognized, they will now also break on inequality
  operators (`<`, `>`). If you use inequality operators in free strings in comparisons like
  `<% if Some<String == Some>Other>String %>...<% end_if %>`
  you have to replace them with explicitly marked strings like
  `<% if "Some<String" == "Some>Other>String" %>...<% end_if %>`.
  This change was necessary in order to support inequality operators in comparisons in templates.
* Hard limit displayed pages in the CMS tree to `500`, and the number of direct children to `250`,
  to avoid excessive resource usage. Configure through `Hierarchy.node_threshold_total` and
  `Hierarchy.node_threshold_leaf`. Set to `0` to show tree unrestricted.
* `Object` now has `beforeExtending` and `afterExtending` to inject behaviour around method extension.
  `DataObject` also has `beforeUpdateCMSFields` to insert fields between automatic scaffolding and extension
  by `updateCMSFields`. See the [DataExtension Reference](/developer_guides/model/extending_dataobjects) for more information.
* Magic quotes are now deprecated. They trigger a `user_error` on live sites, as well as an error on new installs.
* Support for Apache 1.x is removed.
* Forms created in the CMS should now be instances of a new `CMSForm` class,
  and have the CMS controller's response negotiator passed into them.
  Example: `$form = new CMSForm(...); $form->setResponseNegotiator($this->getResponseNegotiator());`