silverstripe-framework/docs/en/04_Changelogs/3.1.9.md

# 3.1.9

<<<<<<< HEAD
# Overview

This release replaces the 3.1.8 release, and resolves an issue where basic authentication would not work when PHP is running under CGI mode with Apache.

## Upgrading
 * Add the rule ```	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]``` to the .htacces file in your sites root directory after the line ```RewriteEngine On```.  

### Bugfixes


## Changelog

=======
## Upgrading

### File permissions

This release makes an important change to File DataObject permissions in order to close a vulnerability in
file modification privileges.

By default the minimum necessary permission required by any user to modify files has been changed
to CMS_ACCESS_AssetAdmin. If you need unauthenticated users, or users with other rights, to edit certain
files, then you will need to customise this.

E.g.

	:::php
	<?php
	class FileSecurityExtension extends DataExtension {
		public function canEdit($member) {
			return Permission::checkMember($member, 'MyCustomPermission');
		}
	}

An example use case is when you want to use UploadField on the frontend, where files could be uploaded
by non-admin users, and your above logic will need to ensure that those users can edit their own files
after they have uploaded it.

## Security

This release includes an important security fix.

 * 2015-01-12 [c49f164](https://github.com/silverstripe/silverstripe-framework/commit/c49f164) Fix file and uploadfield permissions [SS-2014-018](http://www.silverstripe.org/software/download/security-releases/ss-2014-018-open-file-permissions).

### Features and Enhancements

 * 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
 * 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
 * 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)

### Bugfixes

 * 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)
 * 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)
 * 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)
 * 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)
 * 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)
 * 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
 * 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
 * 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)
 * 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
 * 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
 * 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
 * 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
 * 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)

## Changelog

 * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9)
 * [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9)
 * [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9)
>>>>>>> composer/3.1
Rebased on 3.1 - moved new change logs into place. 2014-12-08 21:44:24 +01:00			`# 3.1.9`

Merge remote-tracking branch 'composer/3.1' into 3 Conflicts: .editorconfig docs/en/00_Getting_Started/00_Server_Requirements.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_IIS7.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_Platform_Installer.md docs/en/00_Getting_Started/04_Directory_Structure.md docs/en/00_Getting_Started/index.md docs/en/01_Tutorials/01_Building_A_Basic_Site.md docs/en/01_Tutorials/02_Extending_A_Basic_Site.md docs/en/01_Tutorials/03_Forms.md docs/en/01_Tutorials/04_Site_Search.md docs/en/01_Tutorials/05_Dataobject_Relationship_Management.md docs/en/01_Tutorials/index.md docs/en/02_Developer_Guides/00_Model/01_Data_Model_and_ORM.md docs/en/02_Developer_Guides/00_Model/11_Scaffolding.md docs/en/02_Developer_Guides/01_Templates/06_Themes.md docs/en/02_Developer_Guides/03_Forms/How_Tos/Simple_Contact_Form.md docs/en/02_Developer_Guides/05_Extending/05_Injector.md docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md docs/en/02_Developer_Guides/10_Email/index.md docs/en/02_Developer_Guides/11_Integration/01_RestfulService.md docs/en/02_Developer_Guides/12_Search/01_Searchcontext.md docs/en/02_Developer_Guides/14_Files/index.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/03_CMS_Layout.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/06_Javascript_Development.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Tree.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_Site_Reports.md docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md docs/en/04_Changelogs/3.1.9.md docs/en/05_Contributing/00_Issues_and_Bugs.md docs/en/05_Contributing/02_Release_Process.md docs/en/05_Contributing/03_Documentation.md filesystem/File.php filesystem/GD.php model/DataDifferencer.php model/Versioned.php security/BasicAuth.php security/Member.php tests/filesystem/FileTest.php tests/forms/uploadfield/UploadFieldTest.php tests/model/VersionedTest.php tests/security/BasicAuthTest.php 2015-01-15 06:52:46 +01:00			`<<<<<<< HEAD`
Rebased on 3.1 - moved new change logs into place. 2014-12-08 21:44:24 +01:00			`# Overview`

			`This release replaces the 3.1.8 release, and resolves an issue where basic authentication would not work when PHP is running under CGI mode with Apache.`

			`## Upgrading`
			* Add the rule ``` RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]``` to the .htacces file in your sites root directory after the line ```RewriteEngine On```.

			`### Bugfixes`


			`## Changelog`

Merge remote-tracking branch 'composer/3.1' into 3 Conflicts: .editorconfig docs/en/00_Getting_Started/00_Server_Requirements.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_IIS7.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_Platform_Installer.md docs/en/00_Getting_Started/04_Directory_Structure.md docs/en/00_Getting_Started/index.md docs/en/01_Tutorials/01_Building_A_Basic_Site.md docs/en/01_Tutorials/02_Extending_A_Basic_Site.md docs/en/01_Tutorials/03_Forms.md docs/en/01_Tutorials/04_Site_Search.md docs/en/01_Tutorials/05_Dataobject_Relationship_Management.md docs/en/01_Tutorials/index.md docs/en/02_Developer_Guides/00_Model/01_Data_Model_and_ORM.md docs/en/02_Developer_Guides/00_Model/11_Scaffolding.md docs/en/02_Developer_Guides/01_Templates/06_Themes.md docs/en/02_Developer_Guides/03_Forms/How_Tos/Simple_Contact_Form.md docs/en/02_Developer_Guides/05_Extending/05_Injector.md docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md docs/en/02_Developer_Guides/10_Email/index.md docs/en/02_Developer_Guides/11_Integration/01_RestfulService.md docs/en/02_Developer_Guides/12_Search/01_Searchcontext.md docs/en/02_Developer_Guides/14_Files/index.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/03_CMS_Layout.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/06_Javascript_Development.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Tree.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_Site_Reports.md docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md docs/en/04_Changelogs/3.1.9.md docs/en/05_Contributing/00_Issues_and_Bugs.md docs/en/05_Contributing/02_Release_Process.md docs/en/05_Contributing/03_Documentation.md filesystem/File.php filesystem/GD.php model/DataDifferencer.php model/Versioned.php security/BasicAuth.php security/Member.php tests/filesystem/FileTest.php tests/forms/uploadfield/UploadFieldTest.php tests/model/VersionedTest.php tests/security/BasicAuthTest.php 2015-01-15 06:52:46 +01:00			`=======`
Updated changelog 2015-01-14 23:45:41 +01:00			`## Upgrading`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
Updated changelog 2015-01-14 23:45:41 +01:00			`### File permissions`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
Updated changelog 2015-01-14 23:45:41 +01:00			`This release makes an important change to File DataObject permissions in order to close a vulnerability in`
Reword upgrading notes 2015-01-14 23:56:46 +01:00			`file modification privileges.`
Updated changelog 2015-01-14 23:45:41 +01:00
			`By default the minimum necessary permission required by any user to modify files has been changed`
Reword upgrading notes 2015-01-14 23:56:46 +01:00			`to CMS_ACCESS_AssetAdmin. If you need unauthenticated users, or users with other rights, to edit certain`
			`files, then you will need to customise this.`
Updated changelog 2015-01-14 23:45:41 +01:00
			`E.g.`

			`:::php`
			`<?php`
			`class FileSecurityExtension extends DataExtension {`
			`public function canEdit($member) {`
			`return Permission::checkMember($member, 'MyCustomPermission');`
			`}`
			`}`

Reword upgrading notes 2015-01-14 23:56:46 +01:00			`An example use case is when you want to use UploadField on the frontend, where files could be uploaded`
			`by non-admin users, and your above logic will need to ensure that those users can edit their own files`
			`after they have uploaded it.`

Updated changelog 2015-01-14 23:45:41 +01:00			`## Security`

			`This release includes an important security fix.`

			`* 2015-01-12 [c49f164](https://github.com/silverstripe/silverstripe-framework/commit/c49f164) Fix file and uploadfield permissions [SS-2014-018](http://www.silverstripe.org/software/download/security-releases/ss-2014-018-open-file-permissions).`

			`### Features and Enhancements`

			`* 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)`
			`* 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)`
			`* 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
			`### Bugfixes`

Updated changelog 2015-01-14 23:45:41 +01:00			`* 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)`
			`* 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)`
			`* 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)`
			`* 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)`
			`* 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)`
			`* 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)`
			`* 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)`
			`* 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)`
			`* 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)`
			`* 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)`
			`* 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)`
			`* 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)`
			`* 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
			`## Changelog`

Updated changelog 2015-01-14 23:45:41 +01:00			`* [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9)`
			`* [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9)`
			`* [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9)`
Merge remote-tracking branch 'composer/3.1' into 3 Conflicts: .editorconfig docs/en/00_Getting_Started/00_Server_Requirements.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_IIS7.md docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_Platform_Installer.md docs/en/00_Getting_Started/04_Directory_Structure.md docs/en/00_Getting_Started/index.md docs/en/01_Tutorials/01_Building_A_Basic_Site.md docs/en/01_Tutorials/02_Extending_A_Basic_Site.md docs/en/01_Tutorials/03_Forms.md docs/en/01_Tutorials/04_Site_Search.md docs/en/01_Tutorials/05_Dataobject_Relationship_Management.md docs/en/01_Tutorials/index.md docs/en/02_Developer_Guides/00_Model/01_Data_Model_and_ORM.md docs/en/02_Developer_Guides/00_Model/11_Scaffolding.md docs/en/02_Developer_Guides/01_Templates/06_Themes.md docs/en/02_Developer_Guides/03_Forms/How_Tos/Simple_Contact_Form.md docs/en/02_Developer_Guides/05_Extending/05_Injector.md docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md docs/en/02_Developer_Guides/10_Email/index.md docs/en/02_Developer_Guides/11_Integration/01_RestfulService.md docs/en/02_Developer_Guides/12_Search/01_Searchcontext.md docs/en/02_Developer_Guides/14_Files/index.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/03_CMS_Layout.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/06_Javascript_Development.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Tree.md docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_Site_Reports.md docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md docs/en/04_Changelogs/3.1.9.md docs/en/05_Contributing/00_Issues_and_Bugs.md docs/en/05_Contributing/02_Release_Process.md docs/en/05_Contributing/03_Documentation.md filesystem/File.php filesystem/GD.php model/DataDifferencer.php model/Versioned.php security/BasicAuth.php security/Member.php tests/filesystem/FileTest.php tests/forms/uploadfield/UploadFieldTest.php tests/model/VersionedTest.php tests/security/BasicAuthTest.php 2015-01-15 06:52:46 +01:00			`>>>>>>> composer/3.1`