2019-05-24 02:25:16 +02:00
|
|
|
# 4.5.0 (Unreleased)
|
|
|
|
|
|
|
|
## Overview {#overview}
|
|
|
|
|
2019-09-11 03:10:25 +02:00
|
|
|
* [Installer UI has been removed](#installer-ui) and offered as a separate module.
|
2019-07-16 00:11:37 +02:00
|
|
|
* [Generic login form styling](#login-forms)
|
2019-09-12 04:34:06 +02:00
|
|
|
* Removed `use_gzip` option on `HtmlEditorField` which used to compress the rich text editor dependency.
|
2019-06-20 23:27:48 +02:00
|
|
|
No longer required since compression is performed as part of the CMS build automatically.
|
|
|
|
See (#832)(https://github.com/silverstripe/silverstripe-admin/issues/832)
|
2019-05-24 02:25:16 +02:00
|
|
|
|
2019-09-11 03:10:25 +02:00
|
|
|
## Installer UI has been removed
|
|
|
|
|
|
|
|
Until now, core releases of SilverStripe would put drop an `install.php` file in the
|
|
|
|
public root that, when accessed with a browser, would offer an installation
|
|
|
|
UI prompting the user for all the necessary configuration of your project
|
|
|
|
and environment, and validating it before performing the installation.
|
|
|
|
|
|
|
|
While this may be an important part of the onboarding experience for newcomers
|
|
|
|
to SilverStripe, it is an unnecessary artefact and potential security risk
|
|
|
|
for the vast majority of developers who install SilverStripe with composer
|
|
|
|
and their own environment files.
|
|
|
|
|
|
|
|
The installer UI will continue to live on under the name "installer-wizard" in a
|
|
|
|
[separate package](https://github.com/silverstripe/silverstripe-installer-wizard), which
|
|
|
|
can be added incrementally to core recipe installation, using `composer require silverstripe/installer-wizard`.
|
|
|
|
It is no longer a commercially supported module.
|
|
|
|
|
2019-07-16 00:11:37 +02:00
|
|
|
## Generic login form styling {#login-forms}
|
|
|
|
|
|
|
|
Login forms in SilverStripe are traditionally embedded in your page template.
|
|
|
|
This often requires style adjustments in your website, for example to cover variations
|
|
|
|
such as error messages and validation feedback. It also complicates
|
|
|
|
more advanced login flows such as multi-factor authentication.
|
|
|
|
|
|
|
|
Starting with this release, new installations include the
|
|
|
|
[silverstripe/login-forms](https://github.com/silverstripe/silverstripe-login-forms)
|
|
|
|
module. It provides generic styles which look great without any adjustments.
|
|
|
|
You can choose to add your own logo, or customise the templates.
|
|
|
|
The URLs to login functionality have not changed (e.g. `Security/login`).
|
|
|
|
|
|
|
|
Existing SilverStripe websites upgrading to this release can opt in to using
|
|
|
|
login forms via composer:
|
|
|
|
|
|
|
|
```
|
|
|
|
composer require silverstripe/login-forms
|
|
|
|
```
|
|
|
|
|
|
|
|
Note that any customisations you might have in `Page.ss` or `Layout/Security.ss`
|
|
|
|
no longer apply when this module is installed. If you have customised the login process
|
|
|
|
by adding form fields, or through custom handlers such as SAML or LDAP,
|
2019-09-12 04:34:06 +02:00
|
|
|
you'll need to review those before starting to use the module.
|
|
|
|
|
|
|
|
|
|
|
|
## New PasswordExpirationMiddleware now proactively invalidates members with expired passwords
|
|
|
|
|
|
|
|
A new PasswordExpirationMiddleware has been implemented.
|
|
|
|
It checks passwords of authenticated users for expiration and either enforces a redirection
|
|
|
|
to a change password form, or resets the user for a request being processed (sets current user to null).
|
|
|
|
|
|
|
|
This is considered to be a security enhancement, but potentially might interfere with some custom logic
|
|
|
|
around password expiration if you have it implemented.
|
|
|
|
|
|
|
|
Ideally you should test your setup when upgrading if you use the password expiration functionality.
|
|
|
|
|
|
|
|
If you'd like to deactivate the middleware, you can unregister it in your application config like this:
|
|
|
|
|
|
|
|
```yml
|
|
|
|
---
|
|
|
|
Name: disable-passwordExpirationMiddleware
|
|
|
|
After:
|
|
|
|
- '#coresecurity'
|
|
|
|
---
|
|
|
|
SilverStripe\Core\Injector\Injector:
|
|
|
|
SilverStripe\Control\Director:
|
|
|
|
properties:
|
|
|
|
Middlewares:
|
|
|
|
PasswordExpirationMiddleware: null
|
|
|
|
```
|
2019-07-16 00:11:37 +02:00
|
|
|
|
2019-05-24 02:25:16 +02:00
|
|
|
## Deprecation
|
|
|
|
|
2019-06-20 23:27:48 +02:00
|
|
|
* `PasswordValidator` methods `minLength`, `characterStrength`, and `checkHistoricalPasswords` are now deprecated from
|
2019-05-24 02:25:16 +02:00
|
|
|
4.5.0 onwards (previously 5.0).
|