DOCS: Add FileShortcodeProvider change to changelog

2024-10-22 12:05:37 +00:00 · 2019-08-19 10:41:50 +12:00 · 2019-08-19 10:41:50 +12:00 · 1f92b21a04
commit 1f92b21a04
parent 3659f2888d
1 changed files with 22 additions and 0 deletions
--- a/docs/en/04_Changelogs/4.3.5.md
+++ b/docs/en/04_Changelogs/4.3.5.md
@ -0,0 +1,22 @@
+# 4.3.5
+
+Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
+by default. This is because it has the potential to escalate file access
+to users who otherwise should not have viewing permissions for the file.
+
+There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
+images that are in a draft state or have custom viewing permissions, it adds an extra database
+query for each embedded image. With session grants enabled, the first permission check persists
+the grant into the session, meaning there is no need to query the database on every single file.
+
+Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
+this setting is best left to its default value of `false`.
+
+To revert to the old behaviour:
+
+```
+SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
+  allow_session_grant: true
+```
+
+<!--- Changes below this line will be automatically regenerated -->