Merge branch '4.4' into 4

Serge Latyntcev 2019-09-24 17:29:06 +12:00
commit 88fde6e7c3
3 changed files with 57 additions and 5 deletions

@ -0,0 +1,51 @@
# 4.3.6
## Change Log
### Security
* 2019-09-23 [5af205993](https://github.com/silverstripe/silverstripe-framework/commit/5af205993d24b4bafc00dea94efc2c31305bca83) Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See [cve-2019-12617](https://www.silverstripe.org/download/security-releases/cve-2019-12617)
* 2019-09-16 [569237c0f](https://github.com/silverstripe/silverstripe-framework/commit/569237c0f4d16ac6f927aeb0ed8c9b8787490080) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203)
* 2019-08-20 [f98a59de](https://github.com/silverstripe/silverstripe-cms/commit/f98a59deb58d3c9c739f5b32de16472f6ef4a69c) install.php warning does not account for public dir (Aaron Carlino) - See [cve-2019-12204](https://www.silverstripe.org/download/security-releases/cve-2019-12204)
* 2019-08-17 [fddf889](https://github.com/silverstripe/silverstripe-assets/commit/fddf889917c4e58d32a3e6f476bddaf3fa595e41) Broken access control on files due to session grant (Aaron Carlino) - See [cve-2019-14273](https://www.silverstripe.org/download/security-releases/cve-2019-14273)
* 2019-05-21 [73e0cc6](https://github.com/silverstripe/silverstripe-assets/commit/73e0cc69dc499c24aa706af9eddd8a2db2ac93e0) Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See [cve-2019-12245](https://www.silverstripe.org/download/security-releases/cve-2019-12245)
### Features and Enhancements
* 2019-09-18 [1308911](https://github.com/silverstripe/silverstripe-assets/commit/13089110e7b3feea2196198fd3beda21244ceb20) Add task to remove/protect _versions folders (Aaron Carlino)
* 2019-06-16 [06beff7](https://github.com/silverstripe/silverstripe-admin/commit/06beff71a45bca0f42c88ea931f142d8bc10d008) Allow export of injected GraphQL AST alongside HOC (#889) (Aaron Carlino)
### Bugfixes
* 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)
* 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)
* 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver)
* 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)
* 2019-09-23 [fc536fa](https://github.com/silverstripe/silverstripe-assets/commit/fc536faf2413683549d6b8e77400dc85e37b3a30) Update Apache .htaccess for new access directives (Dylan Wagstaff)
* 2019-09-20 [ea363fc](https://github.com/silverstripe/silverstripe-asset-admin/commit/ea363fcabd9af8d7607bac9b431171b6b94583f1) Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
* 2019-09-10 [591b88a9b](https://github.com/silverstripe/silverstripe-framework/commit/591b88a9bc05b40a7ce3604283b9b7cb684f88cc) Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
* 2019-09-03 [b0a6973](https://github.com/silverstripe/silverstripe-asset-admin/commit/b0a6973052e73652a9092e7ed9d5dd5d89e5dd42) Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
* 2019-08-29 [77ba8391c](https://github.com/silverstripe/silverstripe-framework/commit/77ba8391c40278930873301d50ee3c1168da4cef) Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
* 2019-08-28 [73f43c6f4](https://github.com/silverstripe/silverstripe-framework/commit/73f43c6f428dc92ee2c9a5f932c63ed8a04c8230) Remove placeholder text on new group form (Maxime Rainville)
* 2019-08-26 [314a906](https://github.com/silverstripe/silverstripe-admin/commit/314a9068e5a3a1a71dfc99021d6acec9b0ab5b77) Fix the jstree styles so that the selected states are more visible (bergice)
* 2019-08-23 [5845ac6](https://github.com/silverstripe/silverstripe-admin/commit/5845ac685851f8841af8d96ef6313a2cff153ba4) Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
* 2019-08-23 [94d6c80](https://github.com/silverstripe/silverstripe-admin/commit/94d6c80780430acb4e9d8786a5080a800f777792) enter to submit form not working on `Add new page` (bergice)
* 2019-08-14 [9889015](https://github.com/silverstripe/silverstripe-admin/commit/9889015eccd05c099e3d8b3d3ce52f179b5b9933) Display breadcrumb element from left to right (#925) (Guy Marriott)
* 2019-08-13 [1c548cb](https://github.com/silverstripe/silverstripe-admin/commit/1c548cb599563997687cd1062ff2a0985c43197e) jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
* 2019-08-09 [a2e98dc](https://github.com/silverstripe/silverstripe-admin/commit/a2e98dcf71353951055cb0f2da286a0455a66ebe) Display breadcrumb element from left to right (Maxime Rainville)
* 2019-08-09 [3d989a6ea](https://github.com/silverstripe/silverstripe-framework/commit/3d989a6eae979f2671889376179dfdc7085658ac) Use content generated by DataColumns component for print and csv export (Guy Marriott)
* 2019-07-29 [5c794dfcd](https://github.com/silverstripe/silverstripe-framework/commit/5c794dfcdd42b319325c867f4a807429ad93a553) Prevent setting session value when no session exists yet (Robbie Averill)
* 2019-07-25 [40cd66852](https://github.com/silverstripe/silverstripe-framework/commit/40cd66852e8d3a5d56c56b9d279cb89a98e3c16d) Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order (UndefinedOffset)
* 2019-07-17 [ef25468](https://github.com/silverstripe/silverstripe-admin/commit/ef2546889ff35c2a6cf74aa956d818cae72898e0) Inline toolbar placement now works in HTMLEditorFields with less than 6 rows (Robbie Averill)
* 2019-07-12 [fcd7a1e63](https://github.com/silverstripe/silverstripe-framework/commit/fcd7a1e63e7013a9f36100a05bf723ed68382d8a) core memory limit test (Serge Latyntcev)
* 2019-06-27 [183371b](https://github.com/silverstripe/silverstripe-admin/commit/183371b28a9a1496f2a39284eb0d7d667d4b49bb) Update CSS for sitetree new page columns to use new classna… (#899) (Guy Marriott)
* 2019-06-27 [b9dcf070](https://github.com/silverstripe/silverstripe-cms/commit/b9dcf070406644f14ab9ae0eb9c22d0f3d1d10cd) Change sitetree new page column class naming to avoid conf… (#2449) (Guy Marriott)
* 2019-06-26 [b01dc580e](https://github.com/silverstripe/silverstripe-framework/commit/b01dc580e1f9b62c7b8a3a62157ad10930a80342) Protect against undefined index when using nullifyEmpty opt… (#9090) (Guy Marriott)
* 2019-06-25 [c76d3a5db](https://github.com/silverstripe/silverstripe-framework/commit/c76d3a5db10f9a56a31684354fcd89c1a88de8d4) Protect against undefined index when using nullifyEmpty option (Robbie Averill)
* 2019-06-19 [260c89fd5](https://github.com/silverstripe/silverstripe-framework/commit/260c89fd54e1c1ed68e5597ccc4592473a53e983) Fix of delimiter not used bug (Mario Sommereder)
* 2019-06-19 [4df7c21](https://github.com/silverstripe/silverstripe-admin/commit/4df7c21f3fa0ee96cc62876abe9be20720bbc0dc) Update CSS for sitetree new page columns to use new classname, fix item placement within (Mikaela Young)
* 2019-06-19 [73f4e8c8](https://github.com/silverstripe/silverstripe-cms/commit/73f4e8c8605ea28a2283a1ef96723188c0266706) Change sitetree new page column class naming to avoid conflicts with bootstrap (Mikaela Young)
* 2019-06-13 [562a8a5](https://github.com/silverstripe/silverstripe-assets/commit/562a8a523b9a50a5a7d4e40c4b4c799a66869ec8) Add FolderNameFilter class: folder names no longer allow dots, and are replaced with dashes (Robbie Averill)
* 2019-06-05 [bcc55e2](https://github.com/silverstripe/silverstripe-admin/commit/bcc55e212384cdc36728224730dbf6db320acb10) Update modal designs to match design pattern library (Guy Marriott)
* 2019-04-12 [7592db91](https://github.com/silverstripe/silverstripe-cms/commit/7592db918f269db2fd5c33d9c1259df86f15e12b) VirtualPage missing methods from target page (fixes #2408) (Loz Calver)
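Review bot: The Bugfixes list records the same fix twice in several places, once with a truncated title and a PR number and once with the full title: aa7c05742 ("fixes #…") and d85ff3bc4 ("fixes #9249") for the readonly GridField view button, and 190b2f284 and efdb9cc71 for the member CMS validator. Keeping only the entry with the complete issue reference would make the log easier to audit against the security entries above. The 591b88a9b entry, "Allow infinite loop when calling DataObject::writeComponent() recursively", sits under Bugfixes but reads as if the loop were being permitted, so its wording should state what was fixed.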

@ -247,6 +247,7 @@ class GridField extends FormField
$copy = clone $this;
$copy->setReadonly(true);
$copyConfig = $copy->getConfig();
$hadEditButton = $copyConfig->getComponentByType(GridFieldEditButton::class) !== null;
// get the whitelist for allowable readonly components
$allowedComponents = $this->getReadonlyComponents();
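Review bot: `$hadEditButton`, on the line after `$copy->getConfig()`, only gives the right answer because it is read before the readonly whitelist fetched below is applied to the components. A short comment saying the value must be captured before filtering would stop a later reorder from silently changing when the view button is added.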
@ -257,8 +258,8 @@ class GridField extends FormField
}
}
// As the edit button may have been removed, add a view button if it doesn't have one
if (!$copyConfig->getComponentByType(GridFieldViewButton::class)) {
// If the edit button has been removed, replace it with a view button
if ($hadEditButton && !$copyConfig->getComponentByType(GridFieldViewButton::class)) {
$copyConfig->addComponent(new GridFieldViewButton);
}
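Review bot: The condition `$hadEditButton && !$copyConfig->getComponentByType(GridFieldViewButton::class)` changes behaviour for read-only grids that never had an edit button, which now get no view button, yet none of the 3 changed files is a test. Add a test covering both cases (a config with and without `GridFieldEditButton`) so the readonly transformation does not regress. The comment "If the edit button has been removed" also describes only half the check: the code tests that an edit button was present before filtering, not that it is gone afterwards.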

@ -96,7 +96,7 @@ class Group extends DataObject
return $doSet;
}
private function getDecodedBreadcrumbs()
{
$list = Group::get()->exclude('ID', $this->ID);
@ -166,10 +166,10 @@ class Group extends DataObject
/** @var GridFieldDetailForm $detailForm */
$detailForm = $config->getComponentByType(GridFieldDetailForm::class);
$detailForm
->setValidator(Member_Validator::create())
->setItemEditFormCallback(function ($form) use ($group) {
/** @var Form $form */
$record = $form->getRecord();
$form->setValidator($record->getValidator());
$groupsField = $form->Fields()->dataFieldByName('DirectGroups');
if ($groupsField) {
// If new records are created in a group context,
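Review bot: In the `setItemEditFormCallback` closure, `$form->setValidator($record->getValidator())` trusts that `$form->getRecord()` returned an object with a `getValidator()` method; nothing in the hunk checks for a missing record or a record of another type. Guard the call, for example with `if ($record instanceof Member)`, and add a test that editing a member through a group's grid runs the member validator, since this path decides which validation applies to member edits made from the group form.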
@ -332,7 +332,7 @@ class Group extends DataObject
// Now set all children groups as a new foreign key
$familyIDs = $this->collateFamilyIDs();
$result = $result->forForeignID($familyIDs);
return $result->where($filter);
}