Merge remote-tracking branch 'origin/4.0' into 4

# Conflicts:
#	src/Control/SimpleResourceURLGenerator.php
#	tests/php/Control/SimpleResourceURLGeneratorTest.php

docs/en/04_Changelogs/4.0.2.md

@@ -0,0 +1,72 @@
+# 4.0.2
+
+<!--- Changes below this line will be automatically regenerated -->
+
+## Change Log
+
+### Security
+
+ * 2017-11-30 [6ba00e829](https://github.com/silverstripe/silverstripe-framework/commit/6ba00e829a9fb360dfe5cb0bc3d4544016c82357) Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [db54112f3](https://github.com/silverstripe/silverstripe-framework/commit/db54112f3cca012e33257c782dffd7154bf663a5) user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f](https://github.com/silverstripe/silverstripe-framework/commit/22ccf3e2f9092f51e7f7288ce108598c6f17b49c) Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+ * 2017-11-21 [0f2049d4d](https://github.com/silverstripe/silverstripe-framework/commit/0f2049d4d466e05f5d7f07fc63580836de8c6bff) SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008)
+
+### Features and Enhancements
+
+ * 2018-01-16 [b46c8ba](https://github.com/silverstripe/silverstripe-assets/commit/b46c8ba6ba91a45e00885e78cc05953577c051a1) Add DBFile::Link() alias for DBFile::getURL() so that it matches File::Link() (Damian Mooyman)
+ * 2017-12-21 [4d60f01](https://github.com/silverstripe/silverstripe-installer/commit/4d60f01d2dd17febcf15c08ecdc07af7380694d0) add test for a `--no-dev` build (Christopher Joe)
+
+### Bugfixes
+
+ * 2018-01-24 [6fafce766](https://github.com/silverstripe/silverstripe-framework/commit/6fafce766ec8535be034a182cb617e777795dd9b) ed Rfc3339 implementation of Date and Datetime (Roman Schmid)
+ * 2018-01-23 [f26ecdc](https://github.com/silverstripe/silverstripe-admin/commit/f26ecdcc00ad6157a1bf79a2317131c35f893e86) Badge component test: convert to Component and add truthy test (Robbie Averill)
+ * 2018-01-23 [9c3feb4ab](https://github.com/silverstripe/silverstripe-framework/commit/9c3feb4ab4c1b62f2dc6551d34a0d0f42221e4a0) Allow absolute URLs be use as resources (Dylan Wagstaff)
+ * 2018-01-23 [a62dabc](https://github.com/silverstripe/silverstripe-graphql/commit/a62dabc84d7983486ce65a8531400ea18a076793) Remove dependency on Doctrine module breaking with --prefer-dist (Damian Mooyman)
+ * 2018-01-23 [bdc3530](https://github.com/silverstripe/silverstripe-graphql/commit/bdc3530260adda629876008d9fbd67e677d7b3ec) Fix cors breaking if referer header is present (Damian Mooyman)
+ * 2018-01-23 [b44273d1d](https://github.com/silverstripe/silverstripe-framework/commit/b44273d1d6454568b150a5bab4ea0a5ceda81211) Better upload error message (Damian Mooyman)
+ * 2018-01-23 [99b9198](https://github.com/silverstripe/silverstripe-assets/commit/99b9198e734b05da91399160a3b09fd5ef92931b) Fix invalid name generation on windows (Damian Mooyman)
+ * 2018-01-22 [06c4c0e](https://github.com/silverstripe/silverstripe-admin/commit/06c4c0e8dbadd7ab443887c167465f12da57dec8) Non-required fields failing when empty (Damian Mooyman)
+ * 2018-01-22 [d49edf4](https://github.com/silverstripe/silverstripe-admin/commit/d49edf45b040229613915895f4d863f33a6f7f06) booting and store initialisation so that initial state is not triggered too early in the process (Christopher Joe)
+ * 2018-01-22 [e83cb91](https://github.com/silverstripe/silverstripe-admin/commit/e83cb91bb07d18c58ce1f1636ee1418e14e7a2e1) remove onDrillDown prop from td element (Christopher Joe)
+ * 2018-01-22 [60fa7558d](https://github.com/silverstripe/silverstripe-framework/commit/60fa7558d3fa691cba6ef9b682348bb4d737bbb7) Fix double casting in login authenticator name (Damian Mooyman)
+ * 2018-01-18 [16ad7e8fe](https://github.com/silverstripe/silverstripe-framework/commit/16ad7e8feaa395c2406323ed3a87d7d3fd6966a3) Make GridFieldConfig less susceptible to error when versioned isn't installed (Damian Mooyman)
+ * 2018-01-17 [f282df89](https://github.com/silverstripe/silverstripe-cms/commit/f282df89eaca9c375c1f9cd0264b4e79eba20d72) Add bootstrap styles to url segment field (Sacha Judd)
+ * 2018-01-16 [db610aaf3](https://github.com/silverstripe/silverstripe-framework/commit/db610aaf3bef897a1f3b5c60a307ee72a5d2a499) ing string concat CS issues (Daniel Hensby)
+ * 2018-01-16 [cc90cb012](https://github.com/silverstripe/silverstripe-framework/commit/cc90cb012583abd675b8c5e41044603f0b9e39cb) HTTPResponse::removeHeader incorrectly converts header name to lowercase (Robbie Averill)
+ * 2018-01-16 [f86b855c9](https://github.com/silverstripe/silverstripe-framework/commit/f86b855c909d683af4ddf0c8121e694094917ea8) Prevent basic-auth from disallowing logout (Damian Mooyman)
+ * 2018-01-15 [dc96862ca](https://github.com/silverstripe/silverstripe-framework/commit/dc96862cac39d3e439f0f9b9269b627afcfdc6aa) Forms run through FormHandler rather than Controllers now have access to current Request (Daniel Hensby)
+ * 2018-01-12 [634faa2](https://github.com/silverstripe/silverstripe-admin/commit/634faa2ec37a39cb78d66c37152983488b43f558) Prevent GridField autocomplete triggering change tracker (Damian Mooyman)
+ * 2018-01-11 [7d6634249](https://github.com/silverstripe/silverstripe-framework/commit/7d66342496698f7ab329e38c0a980ede851c105e) Allow extension instances to be overridden by injector (Daniel Hensby)
+ * 2018-01-11 [e4bfa53c](https://github.com/silverstripe/silverstripe-siteconfig/commit/e4bfa53c669d7bac5c1029911bb9007a73eee1bd) Fix incorrect ORM usage when saving siteconfig (Damian Mooyman)
+ * 2018-01-09 [2ef4a2d4e](https://github.com/silverstripe/silverstripe-framework/commit/2ef4a2d4ee86577b00311e65bbeb0439f7aaa1fc) , adding a missing return statement. (Nathan)
+ * 2018-01-09 [7649dfe](https://github.com/silverstripe/silverstripe-versioned/commit/7649dfe84faecbf821e99bafaa0e013fb6ca6c3f) Provide expected argument to onBefore/AfterPublish hooks (Daniel Hensby)
+ * 2018-01-08 [157aef8e](https://github.com/silverstripe/silverstripe-cms/commit/157aef8eb7c4455703c143463a3e8ccf5480fc89) Implement correct subsites namespace in File extension (Robbie Averill)
+ * 2018-01-08 [0fe3f6bf](https://github.com/silverstripe/silverstripe-siteconfig/commit/0fe3f6bfab7b99e07632ebb86ca374bc6e482a35) Remove classmap for folder that doesn't have classes (Damian Mooyman)
+ * 2017-12-21 [0bc26fe](https://github.com/silverstripe/silverstripe-admin/commit/0bc26feef7c388b4a26fa26302150fe1b1154b61) Update input-group-addon-bg variable (Sacha Judd)
+ * 2017-12-21 [44930f211](https://github.com/silverstripe/silverstripe-framework/commit/44930f211be3f658fc92f2d5318255de03078701) Allow HTML 5 input tags in FunctionalTest form submissions (Daniel Hensby)
+ * 2017-12-20 [f885101a1](https://github.com/silverstripe/silverstripe-framework/commit/f885101a1b7d6a439b51615e566d4fc1879d1017) Fix basic auth in PHP-CGI (Damian Mooyman)
+ * 2017-12-19 [dd75e68](https://github.com/silverstripe/silverstripe-installer/commit/dd75e68f86a041e17624590f332804cee4c5e00e) travis OS build version so that behat will function (Christopher Joe)
+ * 2017-12-19 [2fb05ee](https://github.com/silverstripe/silverstripe-asset-admin/commit/2fb05ee7fad729c25fe7c1286de2b0b58541bbc3) issue when deleting a recently uploaded files (Saophalkun Ponlu)
+ * 2017-12-19 [1f6c1b0](https://github.com/silverstripe/silverstripe-asset-admin/commit/1f6c1b08256ec4edc4315d143a202581c8d66af2) mouse multi-section prevent buttons from working (Saophalkun Ponlu)
+ * 2017-12-18 [1e93f1eb](https://github.com/silverstripe/silverstripe-siteconfig/commit/1e93f1ebb5bff620f90c32ff7888ca51097cd945) Require branch alias for silverstripe/serve to ensure SS4 compatibility (Robbie Averill)
+ * 2017-12-17 [249e33a](https://github.com/silverstripe/silverstripe-admin/commit/249e33a56d53b68392b6dc2d3b4d93179dec3387) Ensure testLeftAndMainSubclasses test runs some assertions (Robbie Averill)
+ * 2017-12-17 [ea8ed5067](https://github.com/silverstripe/silverstripe-framework/commit/ea8ed5067d3c4e0b98e1bf8ef30461b6d3d5d7ff) Allow Requirements::block to handle module resource paths (Robbie Averill)
+ * 2017-12-15 [369653b5d](https://github.com/silverstripe/silverstripe-framework/commit/369653b5dfcc3e0ed08a49a68b74b1d3da92aa96) Ensure last GridField column when non sortable has its title displayed (Raissa North)
+ * 2017-12-14 [81150c592](https://github.com/silverstripe/silverstripe-framework/commit/81150c59225dbf1e95bb0b4dbcfbe18346f2bdff) Use PHP 5.3 array syntax (Daniel Hensby)
+ * 2017-12-14 [ce07e4781](https://github.com/silverstripe/silverstripe-framework/commit/ce07e4781e8fbb5d46b2ff4d9d9115fb37be36dc) Do database migrations before default records (Damian Mooyman)
+ * 2017-12-14 [ed6561d9f](https://github.com/silverstripe/silverstripe-framework/commit/ed6561d9f52dbe0eec30576b48c2eeb28b0329fd) Fix incorrect merge of associative / non-associative summary fields (Damian Mooyman)
+ * 2017-12-13 [ad066ba](https://github.com/silverstripe/silverstripe-asset-admin/commit/ad066ba55d8e47858de281c79e5514bccb17a9ba) server error responses not displaying in UI (Aaron Carlino)
+ * 2017-12-12 [4ed1fb1](https://github.com/silverstripe/silverstripe-assets/commit/4ed1fb13f3422520a364c311311597bea739abf5) Less restrictive arguments for image resize (Damian Mooyman)
+ * 2017-12-12 [eb6c1fc6d](https://github.com/silverstripe/silverstripe-framework/commit/eb6c1fc6de2e4863198ce5d1f96bfb3e32ae2b8d) Allow the current controller as well as injectable HTTPRequest objects (Robbie Averill)
+ * 2017-12-12 [097d0697c](https://github.com/silverstripe/silverstripe-framework/commit/097d0697c5603889f871fa7767e1eddc91809b42) Use Injector to retrieve the current session (Robbie Averill)
+ * 2017-12-12 [165dd7b](https://github.com/silverstripe/silverstripe-asset-admin/commit/165dd7b1b0e2f24655009b25c9aff6db60c55e73) UploadField to be injectable (Christopher Joe)
+ * 2017-12-12 [6c5f1a8](https://github.com/silverstripe/silverstripe-admin/commit/6c5f1a83e97a2290947c02e5cce1b510eb0bf337) TreeDropdownField layout (Christopher Joe)
+ * 2017-12-11 [6b43dd5](https://github.com/silverstripe/silverstripe-campaign-admin/commit/6b43dd56ad1ad752518e8d8f4448fd2da1d1e147) travis build (Christopher Joe)
+ * 2017-12-11 [2391af5ba](https://github.com/silverstripe/silverstripe-framework/commit/2391af5ba7f6851bbefa71bd835ed64e73ac198f) literal linting (Damian Mooyman)
+ * 2017-12-11 [0e1753f33](https://github.com/silverstripe/silverstripe-framework/commit/0e1753f33d855dd1567a4ac416d6031aa5e994e2) Only show table_name warning on dev/build (Loz Calver)
+ * 2017-12-10 [69decdf3a](https://github.com/silverstripe/silverstripe-framework/commit/69decdf3a408769abb4cccec744901864e661579) Don't warn on table name for classes without tables (Damian Mooyman)
+ * 2017-12-05 [8477de15](https://github.com/silverstripe/silverstripe-siteconfig/commit/8477de15203c4c80ca55365200fa3c7c031d70d8) Remove unused Behat tests from 3.6 branch (Robbie Averill)
+ * 2017-11-30 [84d7afb34](https://github.com/silverstripe/silverstripe-framework/commit/84d7afb3477885e9d69f2ac10838179efc1d3b91) Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d](https://github.com/silverstripe/silverstripe-framework/commit/2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0) Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-16 [e4b1fb2](https://github.com/silverstripe/silverstripe-campaign-admin/commit/e4b1fb2e88d50810631c590f832be9e552c5a3e7) issue where there's no error for duplicate name (Saophalkun Ponlu)
+ * 2016-03-20 [805c38f10](https://github.com/silverstripe/silverstripe-framework/commit/805c38f107e7e332d2846407e0a89cade1d33ed1) don't try and switch out of context of the tab system (Stevie Mayhew)

lang/en.yml

@@ -271,7 +271,7 @@ en:
     ERRORWRONGCRED: 'The provided details don''t seem to be correct. Please try again.'
     NoPassword: 'There is no password on this member.'
   SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
-    AUTHENTICATORNAME: 'E-mail & Password'
+    AUTHENTICATORNAME: 'E-mail & Password'
   SilverStripe\Security\MemberPassword:
     PLURALNAME: 'Member Passwords'
     PLURALS:

lang/eo.yml

@@ -100,6 +100,8 @@ eo:
     Save: Konservi
   SilverStripe\Forms\GridField\GridFieldEditButton_ss:
     EDIT: Redakti
+  SilverStripe\Forms\GridField\GridFieldGroupDeleteAction:
+    UnlinkSelfFailure: 'Ne povas forigi vin el ĉi tiu grupo; vi perdus administrajn rajtojn'
   SilverStripe\Forms\GridField\GridFieldPaginator:
     OF: de
     Page: Paĝo
@@ -209,6 +211,7 @@ eo:
     many_many_Members: Membroj
   SilverStripe\Security\LoginAttempt:
     Email: 'Retpoŝta adreso'
+    EmailHashed: 'Retpoŝta adreso (haketa)'
     IP: IP-Adreso
     PLURALNAME: 'Provoj ensaluti'
     PLURALS:
@@ -250,6 +253,7 @@ eo:
     SUBJECTPASSWORDCHANGED: 'Via pasvorto estas ŝanĝita'
     SUBJECTPASSWORDRESET: 'Via pasvorto reagordis ligilon'
     SURNAME: 'Familia nomo'
+    VALIDATIONADMINLOSTACCESS: 'Ne povas forigi ĉiujn administrajn grupojn el via profilo'
     ValidationIdentifierFailed: 'Ne povas anstataŭigi ekzistantan membron #{id} per sama identigilo ({name} = {value}))'
     WELCOMEBACK: 'Bonvenon denove, {firstname}'
     YOUROLDPASSWORD: 'Vian malnovan pasvorton'
@@ -266,6 +270,8 @@ eo:
   SilverStripe\Security\MemberAuthenticator\MemberAuthenticator:
     ERRORWRONGCRED: 'La donitaj detaloj ŝajnas malĝustaj. Bonvole reprovu.'
     NoPassword: 'Mankas pasvorto por ĉi tiu membro.'
+  SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
+    AUTHENTICATORNAME: 'Retpoŝto & pasvorto'
   SilverStripe\Security\MemberPassword:
     PLURALNAME: 'Membraj pasvortoj'
     PLURALS:

src/Control/SimpleResourceURLGenerator.php

@@ -69,6 +69,9 @@ class SimpleResourceURLGenerator implements ResourceURLGenerator
         $query = '';
         if ($relativePath instanceof ModuleResource) {
             list($exists, $absolutePath, $relativePath) = $this->resolveModuleResource($relativePath);
+        } elseif (Director::is_absolute_url($relativePath)) {
+            // Path is not relative, and probably not of this site
+            return $relativePath;
         } else {
             // Save querystring for later
             if (strpos($relativePath, '?') !== false) {

src/Forms/FileUploadReceiver.php

@@ -294,7 +294,8 @@ trait FileUploadReceiver
         }
 
         if ($tmpFile['error']) {
-            $error = $tmpFile['error'];
+            $this->getUpload()->validate($tmpFile);
+            $error = implode(' ' . PHP_EOL, $this->getUpload()->getErrors());
             return null;
         }
 

src/ORM/ArrayList.php

@@ -153,8 +153,8 @@ class ArrayList extends ViewableData implements SS_List, Filterable, Sortable, L
     /**
      * Get a sub-range of this dataobjectset as an array
      *
-     * @param int $offset
      * @param int $length
+     * @param int $offset
      * @return static
      */
     public function limit($length, $offset = 0)

src/ORM/FieldType/DBDate.php

@@ -322,19 +322,7 @@ class DBDate extends DBField
      */
     public function Rfc3339()
     {
-        $date = $this->Format('y-MM-dd\\THH:mm:ss');
-        if (!$date) {
-            return null;
-        }
-
-        $matches = array();
-        if (preg_match('/^([\-+])(\d{2})(\d{2})$/', date('O', $this->getTimestamp()), $matches)) {
-            $date .= $matches[1] . $matches[2] . ':' . $matches[3];
-        } else {
-            $date .= 'Z';
-        }
-
-        return $date;
+        return date('c', $this->getTimestamp());
     }
 
     /**

src/Security/MemberAuthenticator/MemberLoginForm.php

@@ -224,6 +224,6 @@ class MemberLoginForm extends BaseLoginForm
      */
     public function getAuthenticatorName()
     {
-        return _t(self::class . '.AUTHENTICATORNAME', "E-mail & Password");
+        return _t(self::class . '.AUTHENTICATORNAME', "E-mail & Password");
     }
 }

tests/php/Control/SimpleResourceURLGeneratorTest.php

@@ -99,4 +99,12 @@ class SimpleResourceURLGeneratorTest extends SapphireTest
         $url = @$generator->urlForResource('doesnotexist.jpg');
         $this->assertEquals('/doesnotexist.jpg', $url);
     }
+
+    public function testAbsoluteResource()
+    {
+        /** @var SimpleResourceURLGenerator $generator */
+        $generator = Injector::inst()->get(ResourceURLGenerator::class);
+        $fakeExternalAsset = 'https://cdn.example.com/some_library.css';
+        $this->assertEquals($fakeExternalAsset, $generator->urlForResource($fakeExternalAsset));
+    }
 }

tests/php/ORM/DBDateTest.php

@@ -330,4 +330,11 @@ class DBDateTest extends SapphireTest
 
         DBDatetime::clear_mock_now();
     }
+
+    public function testRfc3999()
+    {
+        // Dates should be formatted as: 2018-01-24T14:05:53+00:00
+        $date = DBDate::create_field('Date', '2010-12-31');
+        $this->assertEquals('2010-12-31T00:00:00+00:00', $date->Rfc3339());
+    }
 }

tests/php/ORM/DBDatetimeTest.php

@@ -204,4 +204,11 @@ class DBDatetimeTest extends SapphireTest
 
         DBDatetime::clear_mock_now();
     }
+
+    public function testRfc3999()
+    {
+        // Dates should be formatted as: 2018-01-24T14:05:53+00:00
+        $date = DBDatetime::create_field('Datetime', '2010-12-31 16:58:59');
+        $this->assertEquals('2010-12-31T16:58:59+00:00', $date->Rfc3339());
+    }
 }