tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Added 3.0.9 changelog

Browse Source
This commit is contained in:
Ingo Schommer 2014-03-03 10:19:08 +13:00
parent 2bc62f2e71
commit b489f40866
1 changed files with 6 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
docs/en/changelogs/3.0.9.md
View File

@ -2,34 +2,11 @@
## Overview ## Overview
### Default current Versioned "stage" to "Live" rather than "Stage" * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
* Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
Previously only the controllers responsible for page and CMS display ## Changelog
(`LeftAndMain` and `ContentController`) explicitly set a stage through
`Versioned::choose_site_stage()`. Unless this method is called,
the default stage will be "Stage", showing draft content.
Any direct subclasses of `Controller` interacting with "versioned" objects
are vulnerable to exposing unpublished content, unless `choose_site_stage()`
is called explicitly in their own logic.
In order to provide more secure default behaviour, we have changed * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
`choose_site_stage()` to be called on all requests, defaulting to the "Live" stage. * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
If your logic relies on querying draft content, use `Versioned::reading_stage('Stage')`. * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
Important: The `choose_site_stage()` call only deals with setting the default stage,
and doesn't check if the user is authenticated to view it. As with any other controller logic,
please use `DataObject->canView()` to determine permissions.
:::php
class MyController extends Controller {
private static $allowed_actions = array('showpage');
public function showpage($request) {
$page = Page::get()->byID($request->param('ID'));
if(!$page->canView()) return $this->httpError(401);
// continue with authenticated logic...
}
}
### API Changes
* 2013-08-03 [0e7231f](https://github.com/silverstripe/sapphire/commit/0e7231f) Disable discontinued Google Spellcheck in TinyMCE (Ingo Schommer)