Bad config submitted
";
diff --git a/docs/en/04_Changelogs/rc/3.5.6-rc1.md b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
new file mode 100644
index 000000000..765adb95c
--- /dev/null
+++ b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
@@ -0,0 +1,31 @@
+# 3.5.6-rc1
+
+
+
+## Change Log
+
+### Security
+
+ * 2017-11-30 [6ba00e829]() Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [25e276cf3]() user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f]() Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+
+### Bugfixes
+
+ * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-24 [09a003bc1]() deprecated usage of getMock in unit tests (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d]() Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-16 [dda14e895]() HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
+ * 2017-11-16 [52f0eadd3]() for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
+ * 2017-11-15 [ce3fd370f]() ManyMany link table joined with LEFT JOIN (Daniel Hensby)
+ * 2017-11-09 [1053de7ec]() Don't redirect in force_redirect() in CLI (Damian Mooyman)
+ * 2017-10-25 [cbac37559]() Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
+ * 2017-10-25 [32cef975e]() Use self::inst() for Injector/Config nest methods (Daniel Hensby)
+ * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe)
+ * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason)
+ * 2017-10-09 [264cec123]() Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
+ * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
+ * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby)
+ * 2017-08-13 [2f579b64c]() Files without extensions (folders) do not have a trailing period added (Robbie Averill)
+ * 2017-07-04 [00f1ad5d6]() Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
+ * 2016-03-20 [805c38f10]() don't try and switch out of context of the tab system (Stevie Mayhew)
diff --git a/forms/Form.php b/forms/Form.php
index eee8f1b86..096e1a723 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -859,7 +859,9 @@ class Form extends RequestHandler {
$attrs = $this->getAttributes();
// Remove empty
- $attrs = array_filter((array)$attrs, create_function('$v', 'return ($v || $v === 0);'));
+ $attrs = array_filter((array)$attrs, function($v) {
+ return ($v || $v === 0);
+ });
// Remove excluded
if($exclude) $attrs = array_diff_key($attrs, array_flip($exclude));
diff --git a/forms/ListboxField.php b/forms/ListboxField.php
index bdc402b5f..f88ec4933 100644
--- a/forms/ListboxField.php
+++ b/forms/ListboxField.php
@@ -136,8 +136,10 @@ class ListboxField extends DropdownField {
public function setSource($source) {
if($source) {
$hasCommas = array_filter(array_keys($source),
- create_function('$key', 'return strpos($key, ",") !== FALSE;'));
- if($hasCommas) {
+ function($key) {
+ return strpos($key, ",") !== FALSE;
+ });
+ if(!empty($hasCommas)) {
throw new InvalidArgumentException('No commas allowed in $source keys');
}
}
diff --git a/forms/gridfield/GridFieldExportButton.php b/forms/gridfield/GridFieldExportButton.php
index 30df9f01f..9c865b6a1 100644
--- a/forms/gridfield/GridFieldExportButton.php
+++ b/forms/gridfield/GridFieldExportButton.php
@@ -30,6 +30,15 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP
*/
protected $targetFragment;
+ /**
+ * Set to true to disable XLS sanitisation
+ * [SS-2017-007] Ensure all cells with leading [@=+] have a leading tab
+ *
+ * @config
+ * @var bool
+ */
+ private static $xls_export_disabled = false;
+
/**
* @param string $targetFragment The HTML fragment to write the button into
* @param array $exportColumns The columns to include in the export
@@ -91,12 +100,12 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP
return SS_HTTPRequest::send_file($fileData, $fileName, 'text/csv');
}
}
-
+
/**
* Return the columns to export
- *
- * @param GridField $gridField
- *
+ *
+ * @param GridField $gridField
+ *
* @return array
*/
protected function getExportColumnsForGridField(GridField $gridField) {
@@ -174,6 +183,13 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP
}
$value = str_replace(array("\r", "\n"), "\n", $value);
+
+ // [SS-2017-007] Sanitise XLS executable column values with a leading tab
+ if (!Config::inst()->get(get_class($this), 'xls_export_disabled')
+ && preg_match('/^[-@=+].*/', $value)
+ ) {
+ $value = "\t" . $value;
+ }
$columnData[] = '"' . str_replace('"', '""', $value) . '"';
}
diff --git a/model/Versioned.php b/model/Versioned.php
index 6c976007f..d9b8e12cc 100644
--- a/model/Versioned.php
+++ b/model/Versioned.php
@@ -1050,7 +1050,7 @@ class Versioned extends DataExtension implements TemplateGlobalProvider {
$oldMode = self::get_reading_mode();
self::reading_stage('Stage');
- $list = DataObject::get(get_class($this->owner), $filter, $sort, $join, $limit);
+ $list = DataObject::get(ClassInfo::baseDataClass($this->owner), $filter, $sort, $join, $limit);
if($having) $having = $list->having($having);
$query = $list->dataQuery()->query();
diff --git a/model/connect/MySQLDatabase.php b/model/connect/MySQLDatabase.php
index dc5ade9ce..f0628e4d5 100644
--- a/model/connect/MySQLDatabase.php
+++ b/model/connect/MySQLDatabase.php
@@ -105,10 +105,14 @@ class MySQLDatabase extends SS_Database {
public function searchEngine($classesToSearch, $keywords, $start, $pageLength, $sortBy = "Relevance DESC",
$extraFilter = "", $booleanSearch = false, $alternativeFileFilter = "", $invertedMatch = false
) {
- if (!class_exists('SiteTree'))
- throw new Exception('MySQLDatabase->searchEngine() requires "SiteTree" class');
- if (!class_exists('File'))
- throw new Exception('MySQLDatabase->searchEngine() requires "File" class');
+ if (!class_exists('SiteTree')) {
+ throw new Exception('MySQLDatabase->searchEngine() requires "SiteTree" class');
+ }
+ if (!class_exists('File')) {
+ throw new Exception('MySQLDatabase->searchEngine() requires "File" class');
+ }
+ $start = (int)$start;
+ $pageLength = (int)$pageLength;
$keywords = $this->escapeString($keywords);
$htmlEntityKeywords = htmlentities($keywords, ENT_NOQUOTES, 'UTF-8');
@@ -134,7 +138,7 @@ class MySQLDatabase extends SS_Database {
if (array_key_exists('ShowInSearch', $fields))
$extraFilters['File'] .= " AND ShowInSearch <> 0";
- $limit = $start . ", " . (int) $pageLength;
+ $limit = $start . ", " . $pageLength;
$notMatch = $invertedMatch
? "NOT "
diff --git a/model/fieldtypes/HTMLText.php b/model/fieldtypes/HTMLText.php
index db1bad2f8..e0c351089 100644
--- a/model/fieldtypes/HTMLText.php
+++ b/model/fieldtypes/HTMLText.php
@@ -118,7 +118,9 @@ class HTMLText extends Text {
$doc = new DOMDocument();
// Catch warnings thrown by loadHTML and turn them into a failure boolean rather than a SilverStripe error
- set_error_handler(create_function('$no, $str', 'throw new Exception("HTML Parse Error: ".$str);'), E_ALL);
+ set_error_handler(function($no, $str) {
+ throw new Exception("HTML Parse Error: " . $str);
+ }, E_ALL);
// Nonbreaking spaces get converted into weird characters, so strip them
$value = str_replace(' ', ' ', $this->RAW());
try {
diff --git a/security/Member.php b/security/Member.php
index a4462cbc3..149a461bb 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -404,7 +404,6 @@ class Member extends DataObject implements TemplateGlobalProvider {
} elseif ($this->config()->lock_out_after_incorrect_logins <= 0) {
$state = false;
} else {
-
$email = $this->{static::config()->unique_identifier_field};
$attempts = LoginAttempt::getByEmail($email)
->sort('Created', 'DESC')
@@ -985,8 +984,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
$encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext
$this->Salt,
- ($this->PasswordEncryption) ?
- $this->PasswordEncryption : Security::config()->password_encryption_algorithm,
+ $this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
$this
);
diff --git a/security/Member.php.orig b/security/Member.php.orig
new file mode 100644
index 000000000..10cb8a632
--- /dev/null
+++ b/security/Member.php.orig
@@ -0,0 +1,2045 @@
+ 'Varchar',
+ 'Surname' => 'Varchar',
+ 'Email' => 'Varchar(254)', // See RFC 5321, Section 4.5.3.1.3. (256 minus the < and > character)
+ 'TempIDHash' => 'Varchar(160)', // Temporary id used for cms re-authentication
+ 'TempIDExpired' => 'SS_Datetime', // Expiry of temp login
+ 'Password' => 'Varchar(160)',
+ 'RememberLoginToken' => 'Varchar(160)', // Note: this currently holds a hash, not a token.
+ 'NumVisit' => 'Int', // @deprecated 4.0
+ 'LastVisited' => 'SS_Datetime', // @deprecated 4.0
+ 'AutoLoginHash' => 'Varchar(160)', // Used to auto-login the user on password reset
+ 'AutoLoginExpired' => 'SS_Datetime',
+ // This is an arbitrary code pointing to a PasswordEncryptor instance,
+ // not an actual encryption algorithm.
+ // Warning: Never change this field after its the first password hashing without
+ // providing a new cleartext password as well.
+ 'PasswordEncryption' => "Varchar(50)",
+ 'Salt' => 'Varchar(50)',
+ 'PasswordExpiry' => 'Date',
+ 'LockedOutUntil' => 'SS_Datetime',
+ 'Locale' => 'Varchar(6)',
+ // handled in registerFailedLogin(), only used if $lock_out_after_incorrect_logins is set
+ 'FailedLoginCount' => 'Int',
+ // In ISO format
+ 'DateFormat' => 'Varchar(30)',
+ 'TimeFormat' => 'Varchar(30)',
+ );
+
+ private static $belongs_many_many = array(
+ 'Groups' => 'Group',
+ );
+
+ private static $has_one = array();
+
+ private static $has_many = array(
+ 'LoggedPasswords' => 'MemberPassword',
+ );
+
+ private static $many_many = array();
+
+ private static $many_many_extraFields = array();
+
+ private static $default_sort = '"Surname", "FirstName"';
+
+ private static $indexes = array(
+ 'Email' => true,
+ //Removed due to duplicate null values causing MSSQL problems
+ //'AutoLoginHash' => Array('type'=>'unique', 'value'=>'AutoLoginHash', 'ignoreNulls'=>true)
+ );
+
+ /**
+ * @config
+ * @var boolean
+ */
+ private static $notify_password_change = false;
+
+ /**
+ * Flag whether or not member visits should be logged (count only)
+ *
+ * @deprecated 4.0
+ * @var bool
+ * @config
+ */
+ private static $log_last_visited = true;
+
+ /**
+ * Flag whether we should count number of visits
+ *
+ * @deprecated 4.0
+ * @var bool
+ * @config
+ */
+ private static $log_num_visits = true;
+
+ /**
+ * All searchable database columns
+ * in this object, currently queried
+ * with a "column LIKE '%keywords%'
+ * statement.
+ *
+ * @var array
+ * @todo Generic implementation of $searchable_fields on DataObject,
+ * with definition for different searching algorithms
+ * (LIKE, FULLTEXT) and default FormFields to construct a searchform.
+ */
+ private static $searchable_fields = array(
+ 'FirstName',
+ 'Surname',
+ 'Email',
+ );
+
+ /**
+ * @config
+ * @var array
+ */
+ private static $summary_fields = array(
+ 'FirstName',
+ 'Surname',
+ 'Email',
+ );
+
+ /**
+ * @config
+ * @var array
+ */
+ private static $casting = array(
+ 'Name' => 'Varchar',
+ );
+
+ /**
+ * Internal-use only fields
+ *
+ * @config
+ * @var array
+ */
+ private static $hidden_fields = array(
+ 'RememberLoginToken',
+ 'AutoLoginHash',
+ 'AutoLoginExpired',
+ 'PasswordEncryption',
+ 'PasswordExpiry',
+ 'LockedOutUntil',
+ 'TempIDHash',
+ 'TempIDExpired',
+ 'Salt',
+ 'NumVisit', // @deprecated 4.0
+ );
+
+ /**
+ * @config
+ * @var Array See {@link set_title_columns()}
+ */
+ private static $title_format = null;
+
+ /**
+ * The unique field used to identify this member.
+ * By default, it's "Email", but another common
+ * field could be Username.
+ *
+ * @config
+ * @var string
+ */
+ private static $unique_identifier_field = 'Email';
+
+ /**
+ * @config
+ * {@link PasswordValidator} object for validating user's password
+ */
+ private static $password_validator = null;
+
+ /**
+ * @config
+ * The number of days that a password should be valid for.
+ * By default, this is null, which means that passwords never expire
+ */
+ private static $password_expiry_days = null;
+
+ /**
+ * @config
+ * @var Int Number of incorrect logins after which
+ * the user is blocked from further attempts for the timespan
+ * defined in {@link $lock_out_delay_mins}.
+ */
+ private static $lock_out_after_incorrect_logins = 10;
+
+ /**
+ * @config
+ * @var integer Minutes of enforced lockout after incorrect password attempts.
+ * Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
+ */
+ private static $lock_out_delay_mins = 15;
+
+ /**
+ * @config
+ * @var String If this is set, then a session cookie with the given name will be set on log-in,
+ * and cleared on logout.
+ */
+ private static $login_marker_cookie = null;
+
+ /**
+ * Indicates that when a {@link Member} logs in, Member:session_regenerate_id()
+ * should be called as a security precaution.
+ *
+ * This doesn't always work, especially if you're trying to set session cookies
+ * across an entire site using the domain parameter to session_set_cookie_params()
+ *
+ * @config
+ * @var boolean
+ */
+ private static $session_regenerate_id = true;
+
+
+ /**
+ * Default lifetime of temporary ids.
+ *
+ * This is the period within which a user can be re-authenticated within the CMS by entering only their password
+ * and without losing their workspace.
+ *
+ * Any session expiration outside of this time will require them to login from the frontend using their full
+ * username and password.
+ *
+ * Defaults to 72 hours. Set to zero to disable expiration.
+ *
+ * @config
+ * @var int Lifetime in seconds
+ */
+ private static $temp_id_lifetime = 259200;
+
+ /**
+ * @deprecated 4.0 Use the "Member.session_regenerate_id" config setting instead
+ */
+ public static function set_session_regenerate_id($bool) {
+ Deprecation::notice('4.0', 'Use the "Member.session_regenerate_id" config setting instead');
+ self::config()->session_regenerate_id = $bool;
+ }
+
+ /**
+ * Ensure the locale is set to something sensible by default.
+ */
+ public function populateDefaults() {
+ parent::populateDefaults();
+ $this->Locale = i18n::get_closest_translation(i18n::get_locale());
+ }
+
+ public function requireDefaultRecords() {
+ parent::requireDefaultRecords();
+ // Default groups should've been built by Group->requireDefaultRecords() already
+ static::default_admin();
+ }
+
+ /**
+ * Get the default admin record if it exists, or creates it otherwise if enabled
+ *
+ * @return Member
+ */
+ public static function default_admin() {
+ // Check if set
+ if(!Security::has_default_admin()) return null;
+
+ // Find or create ADMIN group
+ singleton('Group')->requireDefaultRecords();
+ $adminGroup = Permission::get_groups_by_permission('ADMIN')->First();
+
+ // Find member
+ $admin = Member::get()
+ ->filter('Email', Security::default_admin_username())
+ ->first();
+ if(!$admin) {
+ // 'Password' is not set to avoid creating
+ // persistent logins in the database. See Security::setDefaultAdmin().
+ // Set 'Email' to identify this as the default admin
+ $admin = Member::create();
+ $admin->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
+ $admin->Email = Security::default_admin_username();
+ $admin->write();
+ }
+
+ // Ensure this user is in the admin group
+ if(!$admin->inGroup($adminGroup)) {
+ // Add member to group instead of adding group to member
+ // This bypasses the privilege escallation code in Member_GroupSet
+ $adminGroup
+ ->DirectMembers()
+ ->add($admin);
+ }
+
+ return $admin;
+ }
+
+ /**
+ * If this is called, then a session cookie will be set to "1" whenever a user
+ * logs in. This lets 3rd party tools, such as apache's mod_rewrite, detect
+ * whether a user is logged in or not and alter behaviour accordingly.
+ *
+ * One known use of this is to bypass static caching for logged in users. This is
+ * done by putting this into _config.php
+ *
+ * Member::set_login_marker_cookie("SS_LOGGED_IN");
+ *
+ *
+ * And then adding this condition to each of the rewrite rules that make use of
+ * the static cache.
+ *
+ * RewriteCond %{HTTP_COOKIE} !SS_LOGGED_IN=1
+ *
+ *
+ * @deprecated 4.0 Use the "Member.login_marker_cookie" config setting instead
+ * @param $cookieName string The name of the cookie to set.
+ */
+ public static function set_login_marker_cookie($cookieName) {
+ Deprecation::notice('4.0', 'Use the "Member.login_marker_cookie" config setting instead');
+ self::config()->login_marker_cookie = $cookieName;
+ }
+
+ /**
+ * Check if the passed password matches the stored one (if the member is not locked out).
+ *
+ * @param string $password
+ * @return ValidationResult
+ */
+ public function checkPassword($password) {
+ $result = $this->canLogIn();
+
+ // Short-circuit the result upon failure, no further checks needed.
+ if (!$result->valid()) {
+ return $result;
+ }
+
+ // Allow default admin to login as self
+ if($this->isDefaultAdmin() && Security::check_default_admin($this->Email, $password)) {
+ return $result;
+ }
+
+ // Check a password is set on this member
+ if(empty($this->Password) && $this->exists()) {
+ $result->error(_t('Member.NoPassword','There is no password on this member.'));
+ return $result;
+ }
+
+ $e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
+ if(!$e->check($this->Password, $password, $this->Salt, $this)) {
+ $result->error(_t (
+ 'Member.ERRORWRONGCRED',
+ 'The provided details don\'t seem to be correct. Please try again.'
+ ));
+ }
+
+ return $result;
+ }
+
+ /**
+ * Check if this user is the currently configured default admin
+ *
+ * @return bool
+ */
+ public function isDefaultAdmin() {
+ return Security::has_default_admin()
+ && $this->Email === Security::default_admin_username();
+ }
+
+ /**
+ * Returns a valid {@link ValidationResult} if this member can currently log in, or an invalid
+ * one with error messages to display if the member is locked out.
+ *
+ * You can hook into this with a "canLogIn" method on an attached extension.
+ *
+ * @return ValidationResult
+ */
+ public function canLogIn() {
+ $result = ValidationResult::create();
+
+ if($this->isLockedOut()) {
+ $result->error(
+ _t(
+ 'Member.ERRORLOCKEDOUT2',
+ 'Your account has been temporarily disabled because of too many failed attempts at ' .
+ 'logging in. Please try again in {count} minutes.',
+ null,
+ array('count' => $this->config()->lock_out_delay_mins)
+ )
+ );
+ }
+
+ $this->extend('canLogIn', $result);
+ return $result;
+ }
+
+ /**
+ * Returns true if this user is locked out
+ */
+ public function isLockedOut() {
+ $state = true;
+ if ($this->LockedOutUntil && $this->dbObject('LockedOutUntil')->InFuture()) {
+ $state = true;
+ } elseif ($this->config()->lock_out_after_incorrect_logins <= 0) {
+ $state = false;
+ } else {
+
+<<<<<<< HEAD
+ $attempts = LoginAttempt::get()->filter($filter = array(
+ 'Email' => $this->{static::config()->unique_identifier_field},
+ ))->sort('Created', 'DESC')->limit($this->config()->lock_out_after_incorrect_logins);
+=======
+ $email = $this->{static::config()->unique_identifier_field};
+ $attempts = LoginAttempt::getByEmail($email)
+ ->sort('Created', 'DESC')
+ ->limit($this->config()->lock_out_after_incorrect_logins);
+>>>>>>> silverstripe-security/3.5
+
+ if ($attempts->count() < $this->config()->lock_out_after_incorrect_logins) {
+ $state = false;
+ } else {
+
+ $success = false;
+ foreach ($attempts as $attempt) {
+ if ($attempt->Status === 'Success') {
+ $success = true;
+ $state = false;
+ break;
+ }
+ }
+
+ if (!$success) {
+ $lockedOutUntil = $attempts->first()->dbObject('Created')->Format('U')
+ + ($this->config()->lock_out_delay_mins * 60);
+ if (SS_Datetime::now()->Format('U') < $lockedOutUntil) {
+ $state = true;
+ } else {
+ $state = false;
+ }
+ }
+ }
+ }
+
+ $this->extend('updateIsLockedOut', $state);
+ return $state;
+ }
+
+ /**
+ * Regenerate the session_id.
+ * This wrapper is here to make it easier to disable calls to session_regenerate_id(), should you need to.
+ * They have caused problems in certain
+ * quirky problems (such as using the Windmill 0.3.6 proxy).
+ */
+ public static function session_regenerate_id() {
+ if(!self::config()->session_regenerate_id) return;
+
+ // This can be called via CLI during testing.
+ if(Director::is_cli()) return;
+
+ $file = '';
+ $line = '';
+
+ // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
+ // There's nothing we can do about this, because it's an operating system function!
+ if(!headers_sent($file, $line)) @session_regenerate_id(true);
+ }
+
+ /**
+ * Get the field used for uniquely identifying a member
+ * in the database. {@see Member::$unique_identifier_field}
+ *
+ * @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
+ * @return string
+ */
+ public static function get_unique_identifier_field() {
+ Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
+ return Member::config()->unique_identifier_field;
+ }
+
+ /**
+ * Set the field used for uniquely identifying a member
+ * in the database. {@see Member::$unique_identifier_field}
+ *
+ * @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
+ * @param $field The field name to set as the unique field
+ */
+ public static function set_unique_identifier_field($field) {
+ Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
+ Member::config()->unique_identifier_field = $field;
+ }
+
+ /**
+ * Set a {@link PasswordValidator} object to use to validate member's passwords.
+ */
+ public static function set_password_validator($pv) {
+ self::$password_validator = $pv;
+ }
+
+ /**
+ * Returns the current {@link PasswordValidator}
+ */
+ public static function password_validator() {
+ return self::$password_validator;
+ }
+
+ /**
+ * Set the number of days that a password should be valid for.
+ * Set to null (the default) to have passwords never expire.
+ *
+ * @deprecated 4.0 Use the "Member.password_expiry_days" config setting instead
+ */
+ public static function set_password_expiry($days) {
+ Deprecation::notice('4.0', 'Use the "Member.password_expiry_days" config setting instead');
+ self::config()->password_expiry_days = $days;
+ }
+
+ /**
+ * Configure the security system to lock users out after this many incorrect logins
+ *
+ * @deprecated 4.0 Use the "Member.lock_out_after_incorrect_logins" config setting instead
+ */
+ public static function lock_out_after_incorrect_logins($numLogins) {
+ Deprecation::notice('4.0', 'Use the "Member.lock_out_after_incorrect_logins" config setting instead');
+ self::config()->lock_out_after_incorrect_logins = $numLogins;
+ }
+
+
+ public function isPasswordExpired() {
+ if(!$this->PasswordExpiry) return false;
+ return strtotime(date('Y-m-d')) >= strtotime($this->PasswordExpiry);
+ }
+
+ /**
+ * Logs this member in
+ *
+ * @param bool $remember If set to TRUE, the member will be logged in automatically the next time.
+ */
+ public function logIn($remember = false) {
+ $this->extend('beforeMemberLoggedIn');
+
+ self::session_regenerate_id();
+
+ Session::set("loggedInAs", $this->ID);
+ // This lets apache rules detect whether the user has logged in
+ if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, 1, 0);
+
+ $this->addVisit();
+
+ // Only set the cookie if autologin is enabled
+ if($remember && Security::config()->autologin_enabled) {
+ // Store the hash and give the client the cookie with the token.
+ $generator = new RandomGenerator();
+ $token = $generator->randomToken('sha1');
+ $hash = $this->encryptWithUserSettings($token);
+ $this->RememberLoginToken = $hash;
+ Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
+ } else {
+ $this->RememberLoginToken = null;
+ Cookie::force_expiry('alc_enc');
+ }
+
+ // Clear the incorrect log-in count
+ $this->registerSuccessfulLogin();
+
+ // Don't set column if its not built yet (the login might be precursor to a /dev/build...)
+ if(array_key_exists('LockedOutUntil', DB::field_list('Member'))) {
+ $this->LockedOutUntil = null;
+ }
+
+ $this->regenerateTempID();
+
+ $this->write();
+
+ // Audit logging hook
+ $this->extend('memberLoggedIn');
+ }
+
+ /**
+ * @deprecated 4.0
+ */
+ public function addVisit() {
+ if($this->config()->log_num_visits) {
+ Deprecation::notice(
+ '4.0',
+ 'Member::$NumVisit is deprecated. From 4.0 onwards you should implement this as a custom extension'
+ );
+ $this->NumVisit++;
+ }
+ }
+
+ /**
+ * Trigger regeneration of TempID.
+ *
+ * This should be performed any time the user presents their normal identification (normally Email)
+ * and is successfully authenticated.
+ */
+ public function regenerateTempID() {
+ $generator = new RandomGenerator();
+ $this->TempIDHash = $generator->randomToken('sha1');
+ $this->TempIDExpired = self::config()->temp_id_lifetime
+ ? date('Y-m-d H:i:s', strtotime(SS_Datetime::now()->getValue()) + self::config()->temp_id_lifetime)
+ : null;
+ $this->write();
+ }
+
+ /**
+ * Check if the member ID logged in session actually
+ * has a database record of the same ID. If there is
+ * no logged in user, FALSE is returned anyway.
+ *
+ * @return boolean TRUE record found FALSE no record found
+ */
+ public static function logged_in_session_exists() {
+ if($id = Member::currentUserID()) {
+ if($member = DataObject::get_by_id('Member', $id)) {
+ if($member->exists()) return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Log the user in if the "remember login" cookie is set
+ *
+ * The remember login token will be changed on every successful
+ * auto-login.
+ */
+ public static function autoLogin() {
+ // Don't bother trying this multiple times
+ self::$_already_tried_to_auto_log_in = true;
+
+ if(!Security::config()->autologin_enabled
+ || strpos(Cookie::get('alc_enc'), ':') === false
+ || Session::get("loggedInAs")
+ || !Security::database_is_ready()
+ ) {
+ return;
+ }
+
+ list($uid, $token) = explode(':', Cookie::get('alc_enc'), 2);
+
+ if (!$uid || !$token) {
+ return;
+ }
+
+ $member = DataObject::get_by_id("Member", $uid);
+
+ // check if autologin token matches
+ if($member) {
+ $hash = $member->encryptWithUserSettings($token);
+ if(!$member->RememberLoginToken || $member->RememberLoginToken !== $hash) {
+ $member = null;
+ }
+ }
+
+ if($member) {
+ self::session_regenerate_id();
+ Session::set("loggedInAs", $member->ID);
+ // This lets apache rules detect whether the user has logged in
+ if(Member::config()->login_marker_cookie) {
+ Cookie::set(Member::config()->login_marker_cookie, 1, 0, null, null, false, true);
+ }
+
+ $generator = new RandomGenerator();
+ $token = $generator->randomToken('sha1');
+ $hash = $member->encryptWithUserSettings($token);
+ $member->RememberLoginToken = $hash;
+ Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
+
+ $member->addVisit();
+ $member->write();
+
+ // Audit logging hook
+ $member->extend('memberAutoLoggedIn');
+ }
+ }
+
+ /**
+ * Logs this member out.
+ */
+ public function logOut() {
+ $this->extend('beforeMemberLoggedOut');
+
+ Session::clear("loggedInAs");
+ if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, null, 0);
+
+ Session::destroy();
+
+ $this->extend('memberLoggedOut');
+
+ $this->RememberLoginToken = null;
+ Cookie::force_expiry('alc_enc');
+
+ // Switch back to live in order to avoid infinite loops when
+ // redirecting to the login screen (if this login screen is versioned)
+ Session::clear('readingMode');
+
+ $this->write();
+
+ // Audit logging hook
+ $this->extend('memberLoggedOut');
+ }
+
+ /**
+ * Utility for generating secure password hashes for this member.
+ */
+ public function encryptWithUserSettings($string) {
+ if (!$string) return null;
+
+ // If the algorithm or salt is not available, it means we are operating
+ // on legacy account with unhashed password. Do not hash the string.
+ if (!$this->PasswordEncryption) {
+ return $string;
+ }
+
+ // We assume we have PasswordEncryption and Salt available here.
+ $e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
+ return $e->encrypt($string, $this->Salt);
+
+ }
+
+ /**
+ * Generate an auto login token which can be used to reset the password,
+ * at the same time hashing it and storing in the database.
+ *
+ * @param int $lifetime The lifetime of the auto login hash in days (by default 2 days)
+ *
+ * @returns string Token that should be passed to the client (but NOT persisted).
+ *
+ * @todo Make it possible to handle database errors such as a "duplicate key" error
+ */
+ public function generateAutologinTokenAndStoreHash($lifetime = 2) {
+ do {
+ $generator = new RandomGenerator();
+ $token = $generator->randomToken();
+ $hash = $this->encryptWithUserSettings($token);
+ } while(DataObject::get_one('Member', array(
+ '"Member"."AutoLoginHash"' => $hash
+ )));
+
+ $this->AutoLoginHash = $hash;
+ $this->AutoLoginExpired = date('Y-m-d H:i:s', time() + (86400 * $lifetime));
+
+ $this->write();
+
+ return $token;
+ }
+
+ /**
+ * Check the token against the member.
+ *
+ * @param string $autologinToken
+ *
+ * @returns bool Is token valid?
+ */
+ public function validateAutoLoginToken($autologinToken) {
+ $hash = $this->encryptWithUserSettings($autologinToken);
+ $member = self::member_from_autologinhash($hash, false);
+ return (bool)$member;
+ }
+
+ /**
+ * Return the member for the auto login hash
+ *
+ * @param string $hash The hash key
+ * @param bool $login Should the member be logged in?
+ *
+ * @return Member the matching member, if valid
+ * @return Member
+ */
+ public static function member_from_autologinhash($hash, $login = false) {
+
+ $nowExpression = DB::get_conn()->now();
+ $member = DataObject::get_one('Member', array(
+ "\"Member\".\"AutoLoginHash\"" => $hash,
+ "\"Member\".\"AutoLoginExpired\" > $nowExpression" // NOW() can't be parameterised
+ ));
+
+ if($login && $member) $member->logIn();
+
+ return $member;
+ }
+
+ /**
+ * Find a member record with the given TempIDHash value
+ *
+ * @param string $tempid
+ * @return Member
+ */
+ public static function member_from_tempid($tempid) {
+ $members = Member::get()
+ ->filter('TempIDHash', $tempid);
+
+ // Exclude expired
+ if(static::config()->temp_id_lifetime) {
+ $members = $members->filter('TempIDExpired:GreaterThan', SS_Datetime::now()->getValue());
+ }
+
+ return $members->first();
+ }
+
+ /**
+ * Returns the fields for the member form - used in the registration/profile module.
+ * It should return fields that are editable by the admin and the logged-in user.
+ *
+ * @return FieldList Returns a {@link FieldList} containing the fields for
+ * the member form.
+ */
+ public function getMemberFormFields() {
+ $fields = parent::getFrontendFields();
+
+ $fields->replaceField('Password', $this->getMemberPasswordField());
+
+ $fields->replaceField('Locale', new DropdownField (
+ 'Locale',
+ $this->fieldLabel('Locale'),
+ i18n::get_existing_translations()
+ ));
+
+ $fields->removeByName(static::config()->hidden_fields);
+ $fields->removeByName('LastVisited');
+ $fields->removeByName('FailedLoginCount');
+
+
+ $this->extend('updateMemberFormFields', $fields);
+ return $fields;
+ }
+
+ /**
+ * Builds "Change / Create Password" field for this member
+ *
+ * @return ConfirmedPasswordField
+ */
+ public function getMemberPasswordField() {
+ $editingPassword = $this->isInDB();
+ $label = $editingPassword
+ ? _t('Member.EDIT_PASSWORD', 'New Password')
+ : $this->fieldLabel('Password');
+ /** @var ConfirmedPasswordField $password */
+ $password = ConfirmedPasswordField::create(
+ 'Password',
+ $label,
+ null,
+ null,
+ $editingPassword
+ );
+
+ // If editing own password, require confirmation of existing
+ if($editingPassword && $this->ID == Member::currentUserID()) {
+ $password->setRequireExistingPassword(true);
+ }
+
+ $password->setCanBeEmpty(true);
+ $this->extend('updateMemberPasswordField', $password);
+ return $password;
+ }
+
+
+ /**
+ * Returns the {@link RequiredFields} instance for the Member object. This
+ * Validator is used when saving a {@link CMSProfileController} or added to
+ * any form responsible for saving a users data.
+ *
+ * To customize the required fields, add a {@link DataExtension} to member
+ * calling the `updateValidator()` method.
+ *
+ * @return Member_Validator
+ */
+ public function getValidator() {
+ $validator = Injector::inst()->create('Member_Validator');
+ $validator->setForMember($this);
+ $this->extend('updateValidator', $validator);
+
+ return $validator;
+ }
+
+
+ /**
+ * Returns the current logged in user
+ *
+ * @return Member|null
+ */
+ public static function currentUser() {
+ $id = Member::currentUserID();
+
+ if($id) {
+ return DataObject::get_by_id('Member', $id) ?: null;
+ }
+ }
+
+ /**
+ * Get the ID of the current logged in user
+ *
+ * @return int Returns the ID of the current logged in user or 0.
+ */
+ public static function currentUserID() {
+ $id = Session::get("loggedInAs");
+ if(!$id && !self::$_already_tried_to_auto_log_in) {
+ self::autoLogin();
+ $id = Session::get("loggedInAs");
+ }
+
+ return is_numeric($id) ? $id : 0;
+ }
+ private static $_already_tried_to_auto_log_in = false;
+
+
+ /*
+ * Generate a random password, with randomiser to kick in if there's no words file on the
+ * filesystem.
+ *
+ * @return string Returns a random password.
+ */
+ public static function create_new_password() {
+ $words = Config::inst()->get('Security', 'word_list');
+
+ if($words && file_exists($words)) {
+ $words = file($words);
+
+ list($usec, $sec) = explode(' ', microtime());
+ srand($sec + ((float) $usec * 100000));
+
+ $word = trim($words[rand(0,sizeof($words)-1)]);
+ $number = rand(10,999);
+
+ return $word . $number;
+ } else {
+ $random = rand();
+ $string = md5($random);
+ $output = substr($string, 0, 8);
+ return $output;
+ }
+ }
+
+ /**
+ * Event handler called before writing to the database.
+ */
+ public function onBeforeWrite() {
+ if($this->SetPassword) $this->Password = $this->SetPassword;
+
+ // If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
+ // Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
+ // but rather a last line of defense against data inconsistencies.
+ $identifierField = Member::config()->unique_identifier_field;
+ if($this->$identifierField) {
+
+ // Note: Same logic as Member_Validator class
+ $filter = array("\"$identifierField\"" => $this->$identifierField);
+ if($this->ID) {
+ $filter[] = array('"Member"."ID" <> ?' => $this->ID);
+ }
+ $existingRecord = DataObject::get_one('Member', $filter);
+
+ if($existingRecord) {
+ throw new ValidationException(ValidationResult::create(false, _t(
+ 'Member.ValidationIdentifierFailed',
+ 'Can\'t overwrite existing member #{id} with identical identifier ({name} = {value}))',
+ 'Values in brackets show "fieldname = value", usually denoting an existing email address',
+ array(
+ 'id' => $existingRecord->ID,
+ 'name' => $identifierField,
+ 'value' => $this->$identifierField
+ )
+ )));
+ }
+ }
+
+ // We don't send emails out on dev/tests sites to prevent accidentally spamming users.
+ // However, if TestMailer is in use this isn't a risk.
+ if(
+ (Director::isLive() || Email::mailer() instanceof TestMailer)
+ && $this->isChanged('Password')
+ && $this->record['Password']
+ && $this->config()->notify_password_change
+ ) {
+ $e = Member_ChangePasswordEmail::create();
+ $e->populateTemplate($this);
+ $e->setTo($this->Email);
+ $e->send();
+ }
+
+ // The test on $this->ID is used for when records are initially created.
+ // Note that this only works with cleartext passwords, as we can't rehash
+ // existing passwords.
+ if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
+ //reset salt so that it gets regenerated - this will invalidate any persistant login cookies
+ // or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
+ $this->Salt = '';
+ // Password was changed: encrypt the password according the settings
+ $encryption_details = Security::encrypt_password(
+ $this->Password, // this is assumed to be cleartext
+ $this->Salt,
+ $this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
+ $this
+ );
+
+ // Overwrite the Password property with the hashed value
+ $this->Password = $encryption_details['password'];
+ $this->Salt = $encryption_details['salt'];
+ $this->PasswordEncryption = $encryption_details['algorithm'];
+
+ // If we haven't manually set a password expiry
+ if(!$this->isChanged('PasswordExpiry')) {
+ // then set it for us
+ if(self::config()->password_expiry_days) {
+ $this->PasswordExpiry = date('Y-m-d', time() + 86400 * self::config()->password_expiry_days);
+ } else {
+ $this->PasswordExpiry = null;
+ }
+ }
+ }
+
+ // save locale
+ if(!$this->Locale) {
+ $this->Locale = i18n::get_locale();
+ }
+
+ parent::onBeforeWrite();
+ }
+
+ public function onAfterWrite() {
+ parent::onAfterWrite();
+
+ Permission::flush_permission_cache();
+
+ if($this->isChanged('Password')) {
+ MemberPassword::log($this);
+ }
+ }
+
+ public function onAfterDelete() {
+ parent::onAfterDelete();
+
+ //prevent orphaned records remaining in the DB
+ $this->deletePasswordLogs();
+ }
+
+ /**
+ * Delete the MemberPassword objects that are associated to this user
+ *
+ * @return self
+ */
+ protected function deletePasswordLogs() {
+ foreach ($this->LoggedPasswords() as $password) {
+ $password->delete();
+ $password->destroy();
+ }
+ return $this;
+ }
+
+ /**
+ * Filter out admin groups to avoid privilege escalation,
+ * If any admin groups are requested, deny the whole save operation.
+ *
+ * @param Array $ids Database IDs of Group records
+ * @return boolean True if the change can be accepted
+ */
+ public function onChangeGroups($ids) {
+ // unless the current user is an admin already OR the logged in user is an admin
+ if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
+ return true;
+ }
+
+ // If there are no admin groups in this set then it's ok
+ $adminGroups = Permission::get_groups_by_permission('ADMIN');
+ $adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
+ return count(array_intersect($ids, $adminGroupIDs)) == 0;
+ }
+
+
+ /**
+ * Check if the member is in one of the given groups.
+ *
+ * @param array|SS_List $groups Collection of {@link Group} DataObjects to check
+ * @param boolean $strict Only determine direct group membership if set to true (Default: false)
+ * @return bool Returns TRUE if the member is in one of the given groups, otherwise FALSE.
+ */
+ public function inGroups($groups, $strict = false) {
+ if($groups) foreach($groups as $group) {
+ if($this->inGroup($group, $strict)) return true;
+ }
+
+ return false;
+ }
+
+
+ /**
+ * Check if the member is in the given group or any parent groups.
+ *
+ * @param int|Group|string $group Group instance, Group Code or ID
+ * @param boolean $strict Only determine direct group membership if set to TRUE (Default: FALSE)
+ * @return bool Returns TRUE if the member is in the given group, otherwise FALSE.
+ */
+ public function inGroup($group, $strict = false) {
+ if(is_numeric($group)) {
+ $groupCheckObj = DataObject::get_by_id('Group', $group);
+ } elseif(is_string($group)) {
+ $groupCheckObj = DataObject::get_one('Group', array(
+ '"Group"."Code"' => $group
+ ));
+ } elseif($group instanceof Group) {
+ $groupCheckObj = $group;
+ } else {
+ user_error('Member::inGroup(): Wrong format for $group parameter', E_USER_ERROR);
+ }
+
+ if(!$groupCheckObj) return false;
+
+ $groupCandidateObjs = ($strict) ? $this->getManyManyComponents("Groups") : $this->Groups();
+ if($groupCandidateObjs) foreach($groupCandidateObjs as $groupCandidateObj) {
+ if($groupCandidateObj->ID == $groupCheckObj->ID) return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Adds the member to a group. This will create the group if the given
+ * group code does not return a valid group object.
+ *
+ * @param string $groupcode
+ * @param string Title of the group
+ */
+ public function addToGroupByCode($groupcode, $title = "") {
+ $group = DataObject::get_one('Group', array(
+ '"Group"."Code"' => $groupcode
+ ));
+
+ if($group) {
+ $this->Groups()->add($group);
+ } else {
+ if(!$title) $title = $groupcode;
+
+ $group = new Group();
+ $group->Code = $groupcode;
+ $group->Title = $title;
+ $group->write();
+
+ $this->Groups()->add($group);
+ }
+ }
+
+ /**
+ * Removes a member from a group.
+ *
+ * @param string $groupcode
+ */
+ public function removeFromGroupByCode($groupcode) {
+ $group = Group::get()->filter(array('Code' => $groupcode))->first();
+
+ if($group) {
+ $this->Groups()->remove($group);
+ }
+ }
+
+ /**
+ * @param Array $columns Column names on the Member record to show in {@link getTitle()}.
+ * @param String $sep Separator
+ */
+ public static function set_title_columns($columns, $sep = ' ') {
+ if (!is_array($columns)) $columns = array($columns);
+ self::config()->title_format = array('columns' => $columns, 'sep' => $sep);
+ }
+
+ //------------------- HELPER METHODS -----------------------------------//
+
+ /**
+ * Get the complete name of the member, by default in the format ", ".
+ * Falls back to showing either field on its own.
+ *
+ * You can overload this getter with {@link set_title_format()}
+ * and {@link set_title_sql()}.
+ *
+ * @return string Returns the first- and surname of the member. If the ID
+ * of the member is equal 0, only the surname is returned.
+ */
+ public function getTitle() {
+ $format = $this->config()->title_format;
+ if ($format) {
+ $values = array();
+ foreach($format['columns'] as $col) {
+ $values[] = $this->getField($col);
+ }
+ return join($format['sep'], $values);
+ }
+ if($this->getField('ID') === 0)
+ return $this->getField('Surname');
+ else{
+ if($this->getField('Surname') && $this->getField('FirstName')){
+ return $this->getField('Surname') . ', ' . $this->getField('FirstName');
+ }elseif($this->getField('Surname')){
+ return $this->getField('Surname');
+ }elseif($this->getField('FirstName')){
+ return $this->getField('FirstName');
+ }else{
+ return null;
+ }
+ }
+ }
+
+ /**
+ * Return a SQL CONCAT() fragment suitable for a SELECT statement.
+ * Useful for custom queries which assume a certain member title format.
+ *
+ * @param String $tableName
+ * @return String SQL
+ */
+ public static function get_title_sql($tableName = 'Member') {
+ // This should be abstracted to SSDatabase concatOperator or similar.
+ $op = (DB::get_conn() instanceof MSSQLDatabase) ? " + " : " || ";
+
+ $format = self::config()->title_format;
+ if ($format) {
+ $columnsWithTablename = array();
+ foreach($format['columns'] as $column) {
+ $columnsWithTablename[] = "\"$tableName\".\"$column\"";
+ }
+
+ return "(".join(" $op '".$format['sep']."' $op ", $columnsWithTablename).")";
+ } else {
+ return "(\"$tableName\".\"Surname\" $op ' ' $op \"$tableName\".\"FirstName\")";
+ }
+ }
+
+
+ /**
+ * Get the complete name of the member
+ *
+ * @return string Returns the first- and surname of the member.
+ */
+ public function getName() {
+ return ($this->Surname) ? trim($this->FirstName . ' ' . $this->Surname) : $this->FirstName;
+ }
+
+
+ /**
+ * Set first- and surname
+ *
+ * This method assumes that the last part of the name is the surname, e.g.
+ * A B C will result in firstname A B and surname C
+ *
+ * @param string $name The name
+ */
+ public function setName($name) {
+ $nameParts = explode(' ', $name);
+ $this->Surname = array_pop($nameParts);
+ $this->FirstName = join(' ', $nameParts);
+ }
+
+
+ /**
+ * Alias for {@link setName}
+ *
+ * @param string $name The name
+ * @see setName()
+ */
+ public function splitName($name) {
+ return $this->setName($name);
+ }
+
+ /**
+ * Override the default getter for DateFormat so the
+ * default format for the user's locale is used
+ * if the user has not defined their own.
+ *
+ * @return string ISO date format
+ */
+ public function getDateFormat() {
+ if($this->getField('DateFormat')) {
+ return $this->getField('DateFormat');
+ } else {
+ return Config::inst()->get('i18n', 'date_format');
+ }
+ }
+
+ /**
+ * Override the default getter for TimeFormat so the
+ * default format for the user's locale is used
+ * if the user has not defined their own.
+ *
+ * @return string ISO date format
+ */
+ public function getTimeFormat() {
+ if($this->getField('TimeFormat')) {
+ return $this->getField('TimeFormat');
+ } else {
+ return Config::inst()->get('i18n', 'time_format');
+ }
+ }
+
+ //---------------------------------------------------------------------//
+
+
+ /**
+ * Get a "many-to-many" map that holds for all members their group memberships,
+ * including any parent groups where membership is implied.
+ * Use {@link DirectGroups()} to only retrieve the group relations without inheritance.
+ *
+ * @todo Push all this logic into Member_GroupSet's getIterator()?
+ * @return Member_Groupset
+ */
+ public function Groups() {
+ $groups = Member_GroupSet::create('Group', 'Group_Members', 'GroupID', 'MemberID');
+ $groups = $groups->forForeignID($this->ID);
+
+ $this->extend('updateGroups', $groups);
+
+ return $groups;
+ }
+
+ /**
+ * @return ManyManyList
+ */
+ public function DirectGroups() {
+ return $this->getManyManyComponents('Groups');
+ }
+
+ /**
+ * Get a member SQLMap of members in specific groups
+ *
+ * If no $groups is passed, all members will be returned
+ *
+ * @param mixed $groups - takes a SS_List, an array or a single Group.ID
+ * @return SQLMap Returns an SQLMap that returns all Member data.
+ * @see map()
+ */
+ public static function map_in_groups($groups = null) {
+ $groupIDList = array();
+
+ if($groups instanceof SS_List) {
+ foreach( $groups as $group ) {
+ $groupIDList[] = $group->ID;
+ }
+ } elseif(is_array($groups)) {
+ $groupIDList = $groups;
+ } elseif($groups) {
+ $groupIDList[] = $groups;
+ }
+
+ // No groups, return all Members
+ if(!$groupIDList) {
+ return Member::get()->sort(array('Surname'=>'ASC', 'FirstName'=>'ASC'))->map();
+ }
+
+ $membersList = new ArrayList();
+ // This is a bit ineffective, but follow the ORM style
+ foreach(Group::get()->byIDs($groupIDList) as $group) {
+ $membersList->merge($group->Members());
+ }
+
+ $membersList->removeDuplicates('ID');
+ return $membersList->map();
+ }
+
+
+ /**
+ * Get a map of all members in the groups given that have CMS permissions
+ *
+ * If no groups are passed, all groups with CMS permissions will be used.
+ *
+ * @param array $groups Groups to consider or NULL to use all groups with
+ * CMS permissions.
+ * @return SS_Map Returns a map of all members in the groups given that
+ * have CMS permissions.
+ */
+ public static function mapInCMSGroups($groups = null) {
+ if(!$groups || $groups->Count() == 0) {
+ $perms = array('ADMIN', 'CMS_ACCESS_AssetAdmin');
+
+ if(class_exists('CMSMain')) {
+ $cmsPerms = singleton('CMSMain')->providePermissions();
+ } else {
+ $cmsPerms = singleton('LeftAndMain')->providePermissions();
+ }
+
+ if(!empty($cmsPerms)) {
+ $perms = array_unique(array_merge($perms, array_keys($cmsPerms)));
+ }
+
+ $permsClause = DB::placeholders($perms);
+ $groups = DataObject::get('Group')
+ ->innerJoin("Permission", '"Permission"."GroupID" = "Group"."ID"')
+ ->where(array(
+ "\"Permission\".\"Code\" IN ($permsClause)" => $perms
+ ));
+ }
+
+ $groupIDList = array();
+
+ if(is_a($groups, 'SS_List')) {
+ foreach($groups as $group) {
+ $groupIDList[] = $group->ID;
+ }
+ } elseif(is_array($groups)) {
+ $groupIDList = $groups;
+ }
+
+ $members = Member::get()
+ ->innerJoin("Group_Members", '"Group_Members"."MemberID" = "Member"."ID"')
+ ->innerJoin("Group", '"Group"."ID" = "Group_Members"."GroupID"');
+ if($groupIDList) {
+ $groupClause = DB::placeholders($groupIDList);
+ $members = $members->where(array(
+ "\"Group\".\"ID\" IN ($groupClause)" => $groupIDList
+ ));
+ }
+
+ return $members->sort('"Member"."Surname", "Member"."FirstName"')->map();
+ }
+
+
+ /**
+ * Get the groups in which the member is NOT in
+ *
+ * When passed an array of groups, and a component set of groups, this
+ * function will return the array of groups the member is NOT in.
+ *
+ * @param array $groupList An array of group code names.
+ * @param array $memberGroups A component set of groups (if set to NULL,
+ * $this->groups() will be used)
+ * @return array Groups in which the member is NOT in.
+ */
+ public function memberNotInGroups($groupList, $memberGroups = null){
+ if(!$memberGroups) $memberGroups = $this->Groups();
+
+ foreach($memberGroups as $group) {
+ if(in_array($group->Code, $groupList)) {
+ $index = array_search($group->Code, $groupList);
+ unset($groupList[$index]);
+ }
+ }
+
+ return $groupList;
+ }
+
+
+ /**
+ * Return a {@link FieldList} of fields that would appropriate for editing
+ * this member.
+ *
+ * @return FieldList Return a FieldList of fields that would appropriate for
+ * editing this member.
+ */
+ public function getCMSFields() {
+ require_once 'Zend/Date.php';
+
+ $self = $this;
+ $this->beforeUpdateCMSFields(function(FieldList $fields) use ($self) {
+ /** @var FieldList $mainFields */
+ $mainFields = $fields->fieldByName("Root")->fieldByName("Main")->getChildren();
+
+ // Build change password field
+ $mainFields->replaceField('Password', $self->getMemberPasswordField());
+
+ $mainFields->replaceField('Locale', new DropdownField(
+ "Locale",
+ _t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'),
+ i18n::get_existing_translations()
+ ));
+
+ $mainFields->removeByName($self->config()->hidden_fields);
+
+ // make sure that the "LastVisited" field exists
+ // it may have been removed using $self->config()->hidden_fields
+ if($mainFields->fieldByName("LastVisited")){
+ $mainFields->makeFieldReadonly('LastVisited');
+ }
+
+ if( ! $self->config()->lock_out_after_incorrect_logins) {
+ $mainFields->removeByName('FailedLoginCount');
+ }
+
+
+ // Groups relation will get us into logical conflicts because
+ // Members are displayed within group edit form in SecurityAdmin
+ $fields->removeByName('Groups');
+
+ // Members shouldn't be able to directly view/edit logged passwords
+ $fields->removeByName('LoggedPasswords');
+
+ if(Permission::check('EDIT_PERMISSIONS')) {
+ $groupsMap = array();
+ foreach(Group::get() as $group) {
+ // Listboxfield values are escaped, use ASCII char instead of »
+ $groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
+ }
+ asort($groupsMap);
+ $fields->addFieldToTab('Root.Main',
+ ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
+ ->setMultiple(true)
+ ->setSource($groupsMap)
+ ->setAttribute(
+ 'data-placeholder',
+ _t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
+ )
+ );
+
+
+ // Add permission field (readonly to avoid complicated group assignment logic).
+ // This should only be available for existing records, as new records start
+ // with no permissions until they have a group assignment anyway.
+ if($self->ID) {
+ $permissionsField = new PermissionCheckboxSetField_Readonly(
+ 'Permissions',
+ false,
+ 'Permission',
+ 'GroupID',
+ // we don't want parent relationships, they're automatically resolved in the field
+ $self->getManyManyComponents('Groups')
+ );
+ $fields->findOrMakeTab('Root.Permissions', singleton('Permission')->i18n_plural_name());
+ $fields->addFieldToTab('Root.Permissions', $permissionsField);
+ }
+ }
+
+ $permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions');
+ if($permissionsTab) $permissionsTab->addExtraClass('readonly');
+
+ $defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($self->Locale));
+ $dateFormatMap = array(
+ 'MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'),
+ 'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'),
+ 'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'),
+ 'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy'),
+ );
+ $dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat)
+ . sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
+ $mainFields->push(
+ $dateFormatField = new MemberDatetimeOptionsetField(
+ 'DateFormat',
+ $self->fieldLabel('DateFormat'),
+ $dateFormatMap
+ )
+ );
+ $dateFormatField->setValue($self->DateFormat);
+
+ $defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($self->Locale));
+ $timeFormatMap = array(
+ 'h:mm a' => Zend_Date::now()->toString('h:mm a'),
+ 'H:mm' => Zend_Date::now()->toString('H:mm'),
+ );
+ $timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat)
+ . sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
+ $mainFields->push(
+ $timeFormatField = new MemberDatetimeOptionsetField(
+ 'TimeFormat',
+ $self->fieldLabel('TimeFormat'),
+ $timeFormatMap
+ )
+ );
+ $timeFormatField->setValue($self->TimeFormat);
+ });
+
+ return parent::getCMSFields();
+ }
+
+ /**
+ *
+ * @param boolean $includerelations a boolean value to indicate if the labels returned include relation fields
+ *
+ */
+ public function fieldLabels($includerelations = true) {
+ $labels = parent::fieldLabels($includerelations);
+
+ $labels['FirstName'] = _t('Member.FIRSTNAME', 'First Name');
+ $labels['Surname'] = _t('Member.SURNAME', 'Surname');
+ $labels['Email'] = _t('Member.EMAIL', 'Email');
+ $labels['Password'] = _t('Member.db_Password', 'Password');
+ $labels['NumVisit'] = _t('Member.db_NumVisit', 'Number of Visits');
+ $labels['LastVisited'] = _t('Member.db_LastVisited', 'Last Visited Date');
+ $labels['PasswordExpiry'] = _t('Member.db_PasswordExpiry', 'Password Expiry Date', 'Password expiry date');
+ $labels['LockedOutUntil'] = _t('Member.db_LockedOutUntil', 'Locked out until', 'Security related date');
+ $labels['Locale'] = _t('Member.db_Locale', 'Interface Locale');
+ $labels['DateFormat'] = _t('Member.DATEFORMAT', 'Date format');
+ $labels['TimeFormat'] = _t('Member.TIMEFORMAT', 'Time format');
+ if($includerelations){
+ $labels['Groups'] = _t('Member.belongs_many_many_Groups', 'Groups',
+ 'Security Groups this member belongs to');
+ }
+ return $labels;
+ }
+
+ /**
+ * Users can view their own record.
+ * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions.
+ * This is likely to be customized for social sites etc. with a looser permission model.
+ */
+ public function canView($member = null) {
+ if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
+
+ // extended access checks
+ $results = $this->extend('canView', $member);
+ if($results && is_array($results)) {
+ if(!min($results)) return false;
+ else return true;
+ }
+
+ // members can usually edit their own record
+ if($member && $this->ID == $member->ID) return true;
+
+ if(
+ Permission::checkMember($member, 'ADMIN')
+ || Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin')
+ ) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Users can edit their own record.
+ * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
+ */
+ public function canEdit($member = null) {
+ if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
+
+ // extended access checks
+ $results = $this->extend('canEdit', $member);
+ if($results && is_array($results)) {
+ if(!min($results)) return false;
+ else return true;
+ }
+
+ // No member found
+ if(!($member && $member->exists())) return false;
+
+ // If the requesting member is not an admin, but has access to manage members,
+ // they still can't edit other members with ADMIN permission.
+ // This is a bit weak, strictly speaking they shouldn't be allowed to
+ // perform any action that could change the password on a member
+ // with "higher" permissions than himself, but thats hard to determine.
+ if(!Permission::checkMember($member, 'ADMIN') && Permission::checkMember($this, 'ADMIN')) return false;
+
+ return $this->canView($member);
+ }
+
+ /**
+ * Users can edit their own record.
+ * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
+ */
+ public function canDelete($member = null) {
+ if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
+
+ // extended access checks
+ $results = $this->extend('canDelete', $member);
+ if($results && is_array($results)) {
+ if(!min($results)) return false;
+ else return true;
+ }
+
+ // No member found
+ if(!($member && $member->exists())) return false;
+
+ // Members are not allowed to remove themselves,
+ // since it would create inconsistencies in the admin UIs.
+ if($this->ID && $member->ID == $this->ID) return false;
+
+ return $this->canEdit($member);
+ }
+
+
+ /**
+ * Validate this member object.
+ */
+ public function validate() {
+ $valid = parent::validate();
+
+ if(!$this->ID || $this->isChanged('Password')) {
+ if($this->Password && self::$password_validator) {
+ $valid->combineAnd(self::$password_validator->validate($this->Password, $this));
+ }
+ }
+
+ if((!$this->ID && $this->SetPassword) || $this->isChanged('SetPassword')) {
+ if($this->SetPassword && self::$password_validator) {
+ $valid->combineAnd(self::$password_validator->validate($this->SetPassword, $this));
+ }
+ }
+
+ return $valid;
+ }
+
+ /**
+ * Change password. This will cause rehashing according to
+ * the `PasswordEncryption` property.
+ *
+ * @param String $password Cleartext password
+ */
+ public function changePassword($password) {
+ $this->Password = $password;
+ $valid = $this->validate();
+
+ if($valid->valid()) {
+ $this->AutoLoginHash = null;
+ $this->write();
+ }
+
+ return $valid;
+ }
+
+ /**
+ * Tell this member that someone made a failed attempt at logging in as them.
+ * This can be used to lock the user out temporarily if too many failed attempts are made.
+ */
+ public function registerFailedLogin() {
+ if(self::config()->lock_out_after_incorrect_logins) {
+ // Keep a tally of the number of failed log-ins so that we can lock people out
+ ++$this->FailedLoginCount;
+
+ if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
+ $lockoutMins = self::config()->lock_out_delay_mins;
+ $this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
+ $this->FailedLoginCount = 0;
+ }
+ }
+ $this->extend('registerFailedLogin');
+ $this->write();
+ }
+
+ /**
+ * Tell this member that a successful login has been made
+ */
+ public function registerSuccessfulLogin() {
+ if(self::config()->lock_out_after_incorrect_logins) {
+ // Forgive all past login failures
+ $this->FailedLoginCount = 0;
+ $this->LockedOutUntil = null;
+ $this->write();
+ }
+ $this->extend('onAfterRegisterSuccessfulLogin');
+ }
+ /**
+ * Get the HtmlEditorConfig for this user to be used in the CMS.
+ * This is set by the group. If multiple configurations are set,
+ * the one with the highest priority wins.
+ *
+ * @return string
+ */
+ public function getHtmlEditorConfigForCMS() {
+ $currentName = '';
+ $currentPriority = 0;
+
+ foreach($this->Groups() as $group) {
+ $configName = $group->HtmlEditorConfig;
+ if($configName) {
+ $config = HtmlEditorConfig::get($group->HtmlEditorConfig);
+ if($config && $config->getOption('priority') > $currentPriority) {
+ $currentName = $configName;
+ $currentPriority = $config->getOption('priority');
+ }
+ }
+ }
+
+ // If can't find a suitable editor, just default to cms
+ return $currentName ? $currentName : 'cms';
+ }
+
+ public static function get_template_global_variables() {
+ return array(
+ 'CurrentMember' => 'currentUser',
+ 'currentUser',
+ );
+ }
+}
+
+/**
+ * Represents a set of Groups attached to a member.
+ * Handles the hierarchy logic.
+ * @package framework
+ * @subpackage security
+ */
+class Member_GroupSet extends ManyManyList {
+
+ protected function linkJoinTable() {
+ // Do not join the table directly
+ if($this->extraFields) {
+ user_error('Member_GroupSet does not support many_many_extraFields', E_USER_ERROR);
+ }
+ }
+
+ /**
+ * Link this group set to a specific member.
+ *
+ * Recursively selects all groups applied to this member, as well as any
+ * parent groups of any applied groups
+ *
+ * @param array|integer $id (optional) An ID or an array of IDs - if not provided, will use the current
+ * ids as per getForeignID
+ * @return array Condition In array(SQL => parameters format)
+ */
+ public function foreignIDFilter($id = null) {
+ if ($id === null) $id = $this->getForeignID();
+
+ // Find directly applied groups
+ $manyManyFilter = parent::foreignIDFilter($id);
+ $query = new SQLQuery('"Group_Members"."GroupID"', '"Group_Members"', $manyManyFilter);
+ $groupIDs = $query->execute()->column();
+
+ // Get all ancestors, iteratively merging these into the master set
+ $allGroupIDs = array();
+ while($groupIDs) {
+ $allGroupIDs = array_merge($allGroupIDs, $groupIDs);
+ $groupIDs = DataObject::get("Group")->byIDs($groupIDs)->column("ParentID");
+ $groupIDs = array_filter($groupIDs);
+ }
+
+ // Add a filter to this DataList
+ if(!empty($allGroupIDs)) {
+ $allGroupIDsPlaceholders = DB::placeholders($allGroupIDs);
+ return array("\"Group\".\"ID\" IN ($allGroupIDsPlaceholders)" => $allGroupIDs);
+ } else {
+ return array('"Group"."ID"' => 0);
+ }
+ }
+
+ public function foreignIDWriteFilter($id = null) {
+ // Use the ManyManyList::foreignIDFilter rather than the one
+ // in this class, otherwise we end up selecting all inherited groups
+ return parent::foreignIDFilter($id);
+ }
+
+ public function add($item, $extraFields = null) {
+ // Get Group.ID
+ $itemID = null;
+ if(is_numeric($item)) {
+ $itemID = $item;
+ } else if($item instanceof Group) {
+ $itemID = $item->ID;
+ }
+
+ // Check if this group is allowed to be added
+ if($this->canAddGroups(array($itemID))) {
+ parent::add($item, $extraFields);
+ }
+ }
+
+ /**
+ * Determine if the following groups IDs can be added
+ *
+ * @param array $itemIDs
+ * @return boolean
+ */
+ protected function canAddGroups($itemIDs) {
+ if(empty($itemIDs)) {
+ return true;
+ }
+ $member = $this->getMember();
+ return empty($member) || $member->onChangeGroups($itemIDs);
+ }
+
+ /**
+ * Get foreign member record for this relation
+ *
+ * @return Member
+ */
+ protected function getMember() {
+ $id = $this->getForeignID();
+ if($id) {
+ return DataObject::get_by_id('Member', $id);
+ }
+ }
+}
+
+/**
+ * Class used as template to send an email saying that the password has been
+ * changed.
+ *
+ * @package framework
+ * @subpackage security
+ */
+class Member_ChangePasswordEmail extends Email {
+
+ protected $from = ''; // setting a blank from address uses the site's default administrator email
+ protected $subject = '';
+ protected $ss_template = 'ChangePasswordEmail';
+
+ public function __construct() {
+ parent::__construct();
+
+ $this->subject = _t('Member.SUBJECTPASSWORDCHANGED', "Your password has been changed", 'Email subject');
+ }
+}
+
+
+
+/**
+ * Class used as template to send the forgot password email
+ *
+ * @package framework
+ * @subpackage security
+ */
+class Member_ForgotPasswordEmail extends Email {
+ protected $from = ''; // setting a blank from address uses the site's default administrator email
+ protected $subject = '';
+ protected $ss_template = 'ForgotPasswordEmail';
+
+ public function __construct() {
+ parent::__construct();
+
+ $this->subject = _t('Member.SUBJECTPASSWORDRESET', "Your password reset link", 'Email subject');
+ }
+}
+
+/**
+ * Member Validator
+ *
+ * Custom validation for the Member object can be achieved either through an
+ * {@link DataExtension} on the Member_Validator object or, by specifying a subclass of
+ * {@link Member_Validator} through the {@link Injector} API.
+ * The Validator can also be modified by adding an Extension to Member and implement the
+ * updateValidator hook.
+ * {@see Member::getValidator()}
+ *
+ * Additional required fields can also be set via config API, eg.
+ *
+ * Member_Validator:
+ * customRequired:
+ * - Surname
+ *
+ *
+ * @package framework
+ * @subpackage security
+ */
+class Member_Validator extends RequiredFields
+{
+ /**
+ * Fields that are required by this validator
+ * @config
+ * @var array
+ */
+ protected $customRequired = array(
+ 'FirstName',
+ 'Email'
+ );
+
+ /**
+ * Determine what member this validator is meant for
+ * @var Member
+ */
+ protected $forMember = null;
+
+ /**
+ * Constructor
+ */
+ public function __construct() {
+ $required = func_get_args();
+
+ if(isset($required[0]) && is_array($required[0])) {
+ $required = $required[0];
+ }
+
+ $required = array_merge($required, $this->customRequired);
+
+ // check for config API values and merge them in
+ $config = $this->config()->customRequired;
+ if(is_array($config)){
+ $required = array_merge($required, $config);
+ }
+
+ parent::__construct(array_unique($required));
+ }
+
+ /**
+ * Get the member this validator applies to.
+ * @return Member
+ */
+ public function getForMember()
+ {
+ return $this->forMember;
+ }
+
+ /**
+ * Set the Member this validator applies to.
+ * @param Member $value
+ * @return $this
+ */
+ public function setForMember(Member $value)
+ {
+ $this->forMember = $value;
+ return $this;
+ }
+
+ /**
+ * Check if the submitted member data is valid (server-side)
+ *
+ * Check if a member with that email doesn't already exist, or if it does
+ * that it is this member.
+ *
+ * @param array $data Submitted data
+ * @return bool Returns TRUE if the submitted data is valid, otherwise
+ * FALSE.
+ */
+ public function php($data)
+ {
+ $valid = parent::php($data);
+
+ $identifierField = (string)Member::config()->unique_identifier_field;
+
+ // Only validate identifier field if it's actually set. This could be the case if
+ // somebody removes `Email` from the list of required fields.
+ if(isset($data[$identifierField])){
+ $id = isset($data['ID']) ? (int)$data['ID'] : 0;
+ if(!$id && ($ctrl = $this->form->getController())){
+ // get the record when within GridField (Member editing page in CMS)
+ if($ctrl instanceof GridFieldDetailForm_ItemRequest && $record = $ctrl->getRecord()){
+ $id = $record->ID;
+ }
+ }
+
+ // If there's no ID passed via controller or form-data, use the assigned member (if available)
+ if(!$id && ($member = $this->getForMember())){
+ $id = $member->exists() ? $member->ID : 0;
+ }
+
+ // set the found ID to the data array, so that extensions can also use it
+ $data['ID'] = $id;
+
+ $members = Member::get()->filter($identifierField, $data[$identifierField]);
+ if($id) {
+ $members = $members->exclude('ID', $id);
+ }
+
+ if($members->count() > 0) {
+ $this->validationError(
+ $identifierField,
+ _t(
+ 'Member.VALIDATIONMEMBEREXISTS',
+ 'A member already exists with the same {identifier}',
+ array('identifier' => Member::singleton()->fieldLabel($identifierField))
+ ),
+ 'required'
+ );
+ $valid = false;
+ }
+ }
+
+
+ // Execute the validators on the extensions
+ $results = $this->extend('updatePHP', $data, $this->form);
+ $results[] = $valid;
+ return min($results);
+ }
+}
diff --git a/tests/control/SessionTest.php b/tests/control/SessionTest.php
index 1b5c5ee45..3b54f6200 100644
--- a/tests/control/SessionTest.php
+++ b/tests/control/SessionTest.php
@@ -97,15 +97,27 @@ class SessionTest extends SapphireTest {
$_SERVER['HTTP_USER_AGENT'] = 'Test Agent';
// Generate our session
+ /** @var Session $s */
$s = Injector::inst()->create('Session', array());
$s->inst_set('val', 123);
$s->inst_finalize();
+ $data = $s->inst_getAll();
// Change our UA
$_SERVER['HTTP_USER_AGENT'] = 'Fake Agent';
- // Verify the new session reset our values
- $s2 = Injector::inst()->create('Session', $s);
+ // Verify the new session reset our values (passed by constructor)
+ /** @var Session $s2 */
+ $s2 = Injector::inst()->create('Session', $data);
$this->assertNotEquals($s2->inst_get('val'), 123);
+
+ // Verify a started session resets our values (initiated by $_SESSION object)
+ /** @var Session $s3 */
+ $s3 = Injector::inst()->create('Session', []);
+ foreach ($data as $key => $value) {
+ $s3->inst_set($key, $value);
+ }
+ $s3->inst_start();
+ $this->assertNotEquals($s3->inst_get('val'), 123);
}
}
diff --git a/tests/dev/CSVParserTest.php b/tests/dev/CSVParserTest.php
index c895b2f8b..512717521 100644
--- a/tests/dev/CSVParserTest.php
+++ b/tests/dev/CSVParserTest.php
@@ -21,16 +21,18 @@ class CSVParserTest extends SapphireTest {
$registered[] = $record['IsRegistered'];
}
- $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames);
+ $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames);
$this->assertEquals(array(
"He's a good guy",
"She is awesome." . PHP_EOL
. "So awesome that she gets multiple rows and \"escaped\" strings in her biography",
"Pretty old, with an escaped comma",
- "Unicode FTW"), $biographies);
- $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays);
- $this->assertEquals(array('1', '0', '1', '1'), $registered);
+ "Unicode FTW",
+ "Likes leading tabs in his biography",
+ ), $biographies);
+ $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays);
+ $this->assertEquals(array('1', '0', '1', '1', '0'), $registered);
}
public function testParsingWithHeadersAndColumnMap() {
@@ -54,15 +56,16 @@ class CSVParserTest extends SapphireTest {
$registered[] = $record['IsRegistered'];
}
- $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames);
+ $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames);
$this->assertEquals(array(
"He's a good guy",
"She is awesome."
. PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography",
"Pretty old, with an escaped comma",
- "Unicode FTW"), $biographies);
- $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays);
- $this->assertEquals(array('1', '0', '1', '1'), $registered);
+ "Unicode FTW",
+ "Likes leading tabs in his biography"), $biographies);
+ $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays);
+ $this->assertEquals(array('1', '0', '1', '1', '0'), $registered);
}
public function testParsingWithExplicitHeaderRow() {
@@ -82,15 +85,16 @@ class CSVParserTest extends SapphireTest {
}
/* And the first row will be returned in the data */
- $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg'), $firstNames);
+ $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg','Jacob'), $firstNames);
$this->assertEquals(array(
'Biography',
"He's a good guy",
"She is awesome." . PHP_EOL
. "So awesome that she gets multiple rows and \"escaped\" strings in her biography",
"Pretty old, with an escaped comma",
- "Unicode FTW"), $biographies);
- $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays);
- $this->assertEquals(array('IsRegistered', '1', '0', '1', '1'), $registered);
+ "Unicode FTW",
+ "Likes leading tabs in his biography"), $biographies);
+ $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays);
+ $this->assertEquals(array('IsRegistered', '1', '0', '1', '1', '0'), $registered);
}
}
diff --git a/tests/dev/CsvBulkLoaderTest.php b/tests/dev/CsvBulkLoaderTest.php
index 7b1d15a5b..bb21b98f2 100644
--- a/tests/dev/CsvBulkLoaderTest.php
+++ b/tests/dev/CsvBulkLoaderTest.php
@@ -27,7 +27,7 @@ class CsvBulkLoaderTest extends SapphireTest {
$results = $loader->load($filepath);
// Test that right amount of columns was imported
- $this->assertEquals(4, $results->Count(), 'Test correct count of imported data');
+ $this->assertEquals(5, $results->Count(), 'Test correct count of imported data');
// Test that columns were correctly imported
$obj = DataObject::get_one("CsvBulkLoaderTest_Player", array(
@@ -49,14 +49,14 @@ class CsvBulkLoaderTest extends SapphireTest {
$filepath = $this->getCurrentAbsolutePath() . '/CsvBulkLoaderTest_PlayersWithHeader.csv';
$loader->deleteExistingRecords = true;
$results1 = $loader->load($filepath);
- $this->assertEquals(4, $results1->Count(), 'Test correct count of imported data on first load');
+ $this->assertEquals(5, $results1->Count(), 'Test correct count of imported data on first load');
//delete existing data before doing second CSV import
$results2 = $loader->load($filepath, '512MB', true);
//get all instances of the loaded DataObject from the database and count them
$resultDataObject = DataObject::get('CsvBulkLoaderTest_Player');
- $this->assertEquals(4, $resultDataObject->Count(),
+ $this->assertEquals(5, $resultDataObject->Count(),
'Test if existing data is deleted before new data is added');
}
diff --git a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv
index 2536266fc..f8e101f08 100644
--- a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv
+++ b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv
@@ -4,3 +4,4 @@
So awesome that she gets multiple rows and \"escaped\" strings in her biography","31/01/1982","0"
"Jamie","Pretty old\, with an escaped comma","31/01/1882","1"
"Järg","Unicode FTW","31/06/1982","1"
+"Jacob"," Likes leading tabs in his biography","31/4/2000","0"
diff --git a/tests/forms/gridfield/GridFieldExportButtonTest.php b/tests/forms/gridfield/GridFieldExportButtonTest.php
index 42ef28e22..516a2bc13 100644
--- a/tests/forms/gridfield/GridFieldExportButtonTest.php
+++ b/tests/forms/gridfield/GridFieldExportButtonTest.php
@@ -53,6 +53,22 @@ class GridFieldExportButtonTest extends SapphireTest {
);
}
+ public function testXLSSanitisation() {
+ // Create risky object
+ $object = new GridFieldExportButtonTest_Team();
+ $object->Name = '=SUM(1, 2)';
+ $object->write();
+
+ // Export
+ $button = new GridFieldExportButton();
+ $button->setExportColumns(array('Name' => 'My Name'));
+
+ $this->assertEquals(
+ "\"My Name\"\n\"\t=SUM(1, 2)\"\n\"Test\"\n\"Test2\"\n",
+ $button->generateExportFileData($this->gridField)
+ );
+ }
+
public function testGenerateFileDataAnonymousFunctionField() {
$button = new GridFieldExportButton();
$button->setExportColumns(array(
diff --git a/tests/forms/uploadfield/UploadFieldTest.php b/tests/forms/uploadfield/UploadFieldTest.php
index 6382574c4..a4eaf9d57 100644
--- a/tests/forms/uploadfield/UploadFieldTest.php
+++ b/tests/forms/uploadfield/UploadFieldTest.php
@@ -728,7 +728,9 @@ class UploadFieldTest extends FunctionalTest {
// A bit too much coupling with GridField, but a full template overload would make things too complex
$parser = new CSSContentParser($response->getBody());
$items = $parser->getBySelector('.ss-gridfield-item');
- $itemIDs = array_map(create_function('$el', 'return (int)$el["data-id"];'), $items);
+ $itemIDs = array_map(function($el) {
+ return (int)$el["data-id"];
+ }, $items);
$this->assertContains($file4->ID, $itemIDs, 'Contains file in assigned folder');
$this->assertContains($fileSubfolder->ID, $itemIDs, 'Contains file in subfolder');
}
@@ -746,7 +748,9 @@ class UploadFieldTest extends FunctionalTest {
// A bit too much coupling with GridField, but a full template overload would make things too complex
$parser = new CSSContentParser($response->getBody());
$items = $parser->getBySelector('.ss-gridfield-item');
- $itemIDs = array_map(create_function('$el', 'return (int)$el["data-id"];'), $items);
+ $itemIDs = array_map(function($el) {
+ return (int)$el["data-id"];
+ }, $items);
$this->assertContains($file4->ID, $itemIDs, 'Contains file in assigned folder');
$this->assertNotContains($fileSubfolder->ID, $itemIDs, 'Does not contain file in subfolder');
}
diff --git a/tests/security/MemberTest.php b/tests/security/MemberTest.php
index d1db139e5..342a2da71 100644
--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
@@ -45,7 +45,21 @@ class MemberTest extends FunctionalTest {
parent::tearDown();
}
-
+ public function testPasswordEncryptionUpdatedOnChangedPassword()
+ {
+ Config::inst()->update('Security', 'password_encryption_algorithm', 'none');
+ $member = Member::create();
+ $member->SetPassword = 'password';
+ $member->write();
+ $this->assertEquals('password', $member->Password);
+ $this->assertEquals('none', $member->PasswordEncryption);
+ Config::inst()->update('Security', 'password_encryption_algorithm', 'blowfish');
+ $member->SetPassword = 'newpassword';
+ $member->write();
+ $this->assertNotEquals('password', $member->Password);
+ $this->assertNotEquals('newpassword', $member->Password);
+ $this->assertEquals('blowfish', $member->PasswordEncryption);
+ }
/**
* @expectedException ValidationException
@@ -94,28 +108,6 @@ class MemberTest extends FunctionalTest {
);
}
- public function testDefaultPasswordEncryptionDoesntChangeExistingMembers() {
- $member = new Member();
- $member->Password = 'mypassword';
- $member->PasswordEncryption = 'sha1_v2.4';
- $member->write();
-
- $origAlgo = Security::config()->password_encryption_algorithm;
- Security::config()->password_encryption_algorithm = 'none';
-
- $member->Password = 'mynewpassword';
- $member->write();
-
- $this->assertEquals(
- $member->PasswordEncryption,
- 'sha1_v2.4'
- );
- $result = $member->checkPassword('mynewpassword');
- $this->assertTrue($result->valid());
-
- Security::config()->password_encryption_algorithm = $origAlgo;
- }
-
public function testKeepsEncryptionOnEmptyPasswords() {
$member = new Member();
$member->Password = 'mypassword';
@@ -126,8 +118,8 @@ class MemberTest extends FunctionalTest {
$member->write();
$this->assertEquals(
- $member->PasswordEncryption,
- 'sha1_v2.4'
+ Security::config()->get('password_encryption_algorithm'),
+ $member->PasswordEncryption
);
$result = $member->checkPassword('');
$this->assertTrue($result->valid());
diff --git a/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php b/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
index a88cbb3d9..8dd7ac289 100644
--- a/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
+++ b/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
@@ -135,7 +135,7 @@ class sfYamlInline
if (
(1 == count($keys) && '0' == $keys[0])
||
- (count($keys) > 1 && array_reduce($keys, create_function('$v,$w', 'return (integer) $v + $w;'), 0) == count($keys) * (count($keys) - 1) / 2))
+ (count($keys) > 1 && array_reduce($keys, function($v,$w) { return (integer) $v + $w;}, 0) == count($keys) * (count($keys) - 1) / 2))
{
$output = array();
foreach ($value as $val)