From 99ab3c642135a8fd5e9ee8f342afc681b15f010c Mon Sep 17 00:00:00 2001 From: Aaron Carlino Date: Mon, 19 Aug 2019 10:41:50 +1200 Subject: [PATCH] DOCS: Add FileShortcodeProvider change to changelog --- docs/en/04_Changelogs/4.3.5.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/en/04_Changelogs/4.3.5.md diff --git a/docs/en/04_Changelogs/4.3.5.md b/docs/en/04_Changelogs/4.3.5.md new file mode 100644 index 000000000..a5b18d451 --- /dev/null +++ b/docs/en/04_Changelogs/4.3.5.md @@ -0,0 +1,22 @@ +# 4.3.5 + +Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant +by default. This is because it has the potential to escalate file access +to users who otherwise should not have viewing permissions for the file. + +There is a minor performance trade-off for disabling these grants. If you have a page with a lot of +images that are in a draft state or have custom viewing permissions, it adds an extra database +query for each embedded image. With session grants enabled, the first permission check persists +the grant into the session, meaning there is no need to query the database on every single file. + +Unless you have a lot of shortcode images embedded with protected or draft status on a single page, +this setting is best left to its default value of `false`. + +To revert to the old behaviour: + +``` +SilverStripe\Assets\Shortcodes\FileShortcodeProvider: + allow_session_grant: true +``` + +
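Review bot: The closing "To revert to the old behaviour" section gives `allow_session_grant: true` with no reminder of the risk, so a reader who jumps straight to the snippet gets the opt-out without the reason it was disabled. Suggest a sentence directly above the fence restating that enabling it brings back session grants for shortcode-embedded files, which the opening paragraph says can escalate file access to users who should not have viewing permissions. Two smaller points in the same hunk: the paragraph recommending the default of `false` refers to "this setting" before any setting has been named, so name `allow_session_grant` there; and the config fence has no language tag, where `yaml` would fit the content.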