Merge remote-tracking branch '3.2.4' into 3.3.2

admin/code/LeftAndMain.php

@@ -1071,6 +1071,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
 	 * @return SS_HTTPResponse JSON string with a
 	 */
 	public function savetreenode($request) {
+		if (!SecurityToken::inst()->checkRequest($request)) {
+			return $this->httpError(400);
+		}
 		if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
 			$this->getResponse()->setStatusCode(
 				403,
@@ -1499,6 +1502,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
 	 * @param int $id
 	 */
 	public function setCurrentPageID($id) {
+		$id = (int)$id;
 		Session::set($this->sessionNamespace() . ".currentPage", $id);
 	}
 

admin/javascript/LeftAndMain.Tree.js

@@ -97,7 +97,10 @@
 							});
 
 							$.ajax({
-								'url': self.data('urlSavetreenode'),
+								'url': $.path.addSearchParams(
+									self.data('urlSavetreenode'),
+									self.data('extraParams')
+								),
 								'type': 'POST',
 								'data': {
 									ID: nodeID, 

docs/en/04_Changelogs/3.1.19.md

@@ -0,0 +1,37 @@
+# 3.1.19
+
+## Upgrading
+
+`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
+login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.
+
+Define a login form:
+
+```php
+class CustomLoginForm extends MemberLoginForm {
+
+	public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
+	{
+		parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
+
+		$this->disableSecurityToken();
+	}
+
+}
+```
+
+Add this to mysite/_config/config.yml
+
+```yaml
+Injector:
+  MemberLoginForm:
+    class: CustomLoginForm
+```
+
+<!--- Changes below this line will be automatically regenerated -->
+
+## Change Log
+
+### Security
+
+### Bugfixes

docs/en/04_Changelogs/rc/3.1.19-rc1.md

@@ -0,0 +1,24 @@
+# 3.1.19-rc1
+
+<!--- Changes below this line will be automatically regenerated -->
+
+## Change Log
+
+### Security
+
+ * 2016-04-18 [3c0f2e8](https://github.com/silverstripe/silverstripe-framework/commit/3c0f2e8e11a1bead64d869854b9dfc0f80e7579a) Add CSFR protection to tree reorganise (Daniel Hensby) - See [ss-2015-029](http://www.silverstripe.org/download/security-releases/ss-2015-029)
+ * 2016-04-18 [a24c826](https://github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770) Store current page IDs as ints (Daniel Hensby) - See [ss-2016-004](http://www.silverstripe.org/download/security-releases/ss-2016-004)
+ * 2016-04-18 [1ccd392](https://github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893) Properly check backurl on CMSSecurity@success (Daniel Hensby) - See [ss-2016-001](http://www.silverstripe.org/download/security-releases/ss-2016-001)
+ * 2016-04-18 [f32c893](https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2) Apply brute force protection to default admin (Daniel Hensby) - See [ss-2016-005](http://www.silverstripe.org/download/security-releases/ss-2016-005)
+ * 2016-04-18 [a6bd22a](https://github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989) dont disable XSS for login forms (Daniel Hensby) - See [ss-2016-006](http://www.silverstripe.org/download/security-releases/ss-2016-006)
+
+### Bugfixes
+
+ * 2016-04-24 [fde6376](https://github.com/silverstripe/silverstripe-framework/commit/fde6376996dbaba31601065869c60676845eeb85) Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
+ * 2016-04-12 [36283b8](https://github.com/silverstripe/silverstripe-framework/commit/36283b86d5305cc2c5d4823e54972cd301978389) Stop "success" message showing in CMS (Daniel Hensby)
+ * 2016-03-31 [6ec2656](https://github.com/silverstripe/silverstripe-framework/commit/6ec26562019454483db79132a5c076cfa87dfe34) fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
+ * 2016-03-18 [add2ecd](https://github.com/silverstripe/silverstripe-framework/commit/add2ecdf8bb977a0234cf773b578eae9872a0d28) Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
+ * 2016-03-10 [bc31d9c](https://github.com/silverstripe/silverstripe-cms/commit/bc31d9ca9c667ba9015e35d5eae20158056a7b7c) Use `Controller::join_links()` in Reports (Daniel Hensby)
+ * 2016-03-08 [0364204](https://github.com/silverstripe/silverstripe-cms/commit/036420470da5def5c8e45c94601d3494273d476c) Incorrect title attribute on CMS tabs (Loz Calver)
+ * 2016-03-01 [817b836](https://github.com/silverstripe/silverstripe-framework/commit/817b83687028894574ba5a8e8ee8f3af21f23188) getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
+ * 2015-01-08 [adf0f10](https://github.com/silverstripe/silverstripe-framework/commit/adf0f102cc7a04cf8fcac8743801d48214118cad) Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)

docs/en/04_Changelogs/rc/3.2.4-rc1.md

@@ -0,0 +1,41 @@
+# 3.2.4-rc1
+
+<!--- Changes below this line will be automatically regenerated -->
+
+## Change Log
+
+### Security
+
+ * 2016-04-18 [3c0f2e8](https://github.com/silverstripe/silverstripe-framework/commit/3c0f2e8e11a1bead64d869854b9dfc0f80e7579a) Add CSFR protection to tree reorganise (Daniel Hensby) - See [ss-2015-029](http://www.silverstripe.org/download/security-releases/ss-2015-029)
+ * 2016-04-18 [a24c826](https://github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770) Store current page IDs as ints (Daniel Hensby) - See [ss-2016-004](http://www.silverstripe.org/download/security-releases/ss-2016-004)
+ * 2016-04-18 [1ccd392](https://github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893) Properly check backurl on CMSSecurity@success (Daniel Hensby) - See [ss-2016-001](http://www.silverstripe.org/download/security-releases/ss-2016-001)
+ * 2016-04-18 [f32c893](https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2) Apply brute force protection to default admin (Daniel Hensby) - See [ss-2016-005](http://www.silverstripe.org/download/security-releases/ss-2016-005)
+ * 2016-04-18 [a6bd22a](https://github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989) dont disable XSS for login forms (Daniel Hensby) - See [ss-2016-006](http://www.silverstripe.org/download/security-releases/ss-2016-006)
+ * 2016-02-17 [37059eb](https://github.com/silverstripe/silverstripe-framework/commit/37059eb6b3546f304e9c031abca0f096ddb175c6) Hostname, IP and Protocol Spoofing through HTTP Headers (Ingo Schommer) - See [ss-2016-003](http://www.silverstripe.org/download/security-releases/ss-2016-003)
+ * 2016-02-17 [5d2fc0d](https://github.com/silverstripe/silverstripe-framework/commit/5d2fc0d7cac4ce686f7ae05c1a7b1ad8c01711a8) Block unauthenticated access to dev/build/defaults (Damian Mooyman) - See [ss-2015-028](http://www.silverstripe.org/download/security-releases/ss-2015-028)
+ * 2016-02-17 [013524a](https://github.com/silverstripe/silverstripe-framework/commit/013524af5069bb0cf909853f04418d9bef56d18c) Ensure Gridfield actions respect CSRF (Damian Mooyman) - See [ss-2016-002](http://www.silverstripe.org/download/security-releases/ss-2016-002)
+
+### Bugfixes
+
+ * 2016-04-24 [fde6376](https://github.com/silverstripe/silverstripe-framework/commit/fde6376996dbaba31601065869c60676845eeb85) Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
+ * 2016-04-12 [36283b8](https://github.com/silverstripe/silverstripe-framework/commit/36283b86d5305cc2c5d4823e54972cd301978389) Stop "success" message showing in CMS (Daniel Hensby)
+ * 2016-03-31 [6ec2656](https://github.com/silverstripe/silverstripe-framework/commit/6ec26562019454483db79132a5c076cfa87dfe34) fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
+ * 2016-03-28 [aeb4aa9](https://github.com/silverstripe/silverstripe-framework/commit/aeb4aa9565dfcd251f527362518e5c8be1df7e02) Dont allow plain text friendly errors (Daniel Hensby)
+ * 2016-03-27 [5ede516](https://github.com/silverstripe/silverstripe-framework/commit/5ede516c771055d09a1578e1598ac0ec58a28f5e) GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
+ * 2016-03-21 [9d62d9d](https://github.com/silverstripe/silverstripe-cms/commit/9d62d9d3818d6acfc08a98b5e0fcaf255295f70f) Link tracking not escaping `#` Fixes #1409 (Daniel Hensby)
+ * 2016-03-21 [5f8356d](https://github.com/silverstripe/silverstripe-framework/commit/5f8356d6868be9035c4b2a4d00d04c14ab34e4e4) Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
+ * 2016-03-18 [add2ecd](https://github.com/silverstripe/silverstripe-framework/commit/add2ecdf8bb977a0234cf773b578eae9872a0d28) Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
+ * 2016-03-18 [57cfe3c](https://github.com/silverstripe-labs/silverstripe-reports/commit/57cfe3c66a5d67e88bbb1d4150329c6d4841f683) Bad joining of links in reports (Daniel Hensby)
+ * 2016-03-10 [bc31d9c](https://github.com/silverstripe/silverstripe-cms/commit/bc31d9ca9c667ba9015e35d5eae20158056a7b7c) Use `Controller::join_links()` in Reports (Daniel Hensby)
+ * 2016-03-08 [0364204](https://github.com/silverstripe/silverstripe-cms/commit/036420470da5def5c8e45c94601d3494273d476c) Incorrect title attribute on CMS tabs (Loz Calver)
+ * 2016-03-07 [aa57427](https://github.com/silverstripe/silverstripe-framework/commit/aa57427874f0115c2c188dfc821ba09bf467d241) Don't install imagick on php 5.3 (Damian Mooyman)
+ * 2016-03-07 [86b1c8f](https://github.com/silverstripe/silverstripe-framework/commit/86b1c8fc2849e8f65f473286a3b2d09f4b76eaf7) file sync removes folders with dot in name (Jonathon Menz)
+ * 2016-03-07 [6a22454](https://github.com/silverstripe/silverstripe-framework/commit/6a2245474d0d6c13d52a9a5104ac8ac3e8fd68a2) Fix FulltextsearchEnable (Damian Mooyman)
+ * 2016-03-01 [2079844](https://github.com/silverstripe/silverstripe-framework/commit/2079844647e8422e600cb7c820e624a0a108bd07) fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
+ * 2016-03-01 [817b836](https://github.com/silverstripe/silverstripe-framework/commit/817b83687028894574ba5a8e8ee8f3af21f23188) getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
+ * 2016-02-26 [bd48d89](https://github.com/silverstripe/silverstripe-framework/commit/bd48d89642a259e0a4c93ab2a686bc45b2ac3bc4) undeclared constant issue (Daniel Hensby)
+ * 2016-02-26 [cc95703](https://github.com/silverstripe/silverstripe-framework/commit/cc95703b18187b3940f02380f8e5667d61345660) Fix regressions in missing CSRF on print button (Damian Mooyman)
+ * 2016-02-25 [3dc0d0e](https://github.com/silverstripe/silverstripe-framework/commit/3dc0d0ee89cba6b780c8770a94490c60a5b52745) Fix regression in gridfield get actions (Damian Mooyman)
+ * 2016-02-22 [65a0981](https://github.com/silverstripe/silverstripe-framework/commit/65a0981c0895bd92bcc020ef433b04e0de6ab05c) Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
+ * 2016-02-16 [644c807](https://github.com/silverstripe/silverstripe-cms/commit/644c8070311e82d35c39c6e1f0d37cc8aba53665) Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
+ * 2015-01-08 [adf0f10](https://github.com/silverstripe/silverstripe-framework/commit/adf0f102cc7a04cf8fcac8743801d48214118cad) Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)

javascript/lang/bg.js

@@ -0,0 +1,47 @@
+// This file was generated by silverstripe/cow from javascript/lang/src/bg.js.
+// See https://github.com/tractorcow/cow for details
+if(typeof(ss) == 'undefined' || typeof(ss.i18n) == 'undefined') {
+	if(typeof(console) != 'undefined') console.error('Class ss.i18n not defined');
+} else {
+	ss.i18n.addDictionary('bg', {
+    "VALIDATOR.FIELDREQUIRED": "Полето \"%s\" е задължително.",
+    "HASMANYFILEFIELD.UPLOADING": "Качване... %s",
+    "TABLEFIELD.DELETECONFIRMMESSAGE": "Да бъде ли изтрит този запис?",
+    "LOADING": "зареждане...",
+    "UNIQUEFIELD.SUGGESTED": "Стойността е променена '%s' : %s",
+    "UNIQUEFIELD.ENTERNEWVALUE": "Трябва да въведете валидна стойност в това поле",
+    "UNIQUEFIELD.CANNOTLEAVEEMPTY": "Полето не може да остане празно",
+    "RESTRICTEDTEXTFIELD.CHARCANTBEUSED": "Символът '%s' не може да бъде използван в това поле",
+    "UPDATEURL.CONFIRM": "Would you like me to change the URL to:\n\n%s/\n\nClick Ok to change the URL, click Cancel to leave it as:\n\n%s",
+    "UPDATEURL.CONFIRMURLCHANGED": "URL адресът беше сменен на\n'%s'",
+    "FILEIFRAMEFIELD.DELETEFILE": "Изтрий файла",
+    "FILEIFRAMEFIELD.UNATTACHFILE": "Премахни файла",
+    "FILEIFRAMEFIELD.DELETEIMAGE": "Изтрий снимката",
+    "FILEIFRAMEFIELD.CONFIRMDELETE": "Да бъде ли изтрит този файл?",
+    "LeftAndMain.IncompatBrowserWarning": "Your browser is not compatible with the CMS interface. Please use Internet Explorer 7+, Google Chrome 10+ or Mozilla Firefox 3.5+.",
+    "GRIDFIELD.ERRORINTRANSACTION": "Възникна грешка при извличане на данни от сървъра\n Опитайте отново по-късно.",
+    "HtmlEditorField.SelectAnchor": "Select an anchor",
+    "UploadField.ConfirmDelete": "Този файл ще бъде изтрит от сървъра. Сигурни ли сте?",
+    "UploadField.PHP_MAXFILESIZE": "Големината на файла надхвърля upload_max_filesize (php.ini директивата)",
+    "UploadField.HTML_MAXFILESIZE": "Големината на файла надхвърле MAX_FILE_SIZE (директива на HTML формата)",
+    "UploadField.ONLYPARTIALUPLOADED": "Файлът беше качен частично",
+    "UploadField.NOFILEUPLOADED": "Файлът не беше качен",
+    "UploadField.NOTMPFOLDER": "Липсва временна папка",
+    "UploadField.WRITEFAILED": "Файлът не можа да бъде записан",
+    "UploadField.STOPEDBYEXTENSION": "File upload stopped by extension",
+    "UploadField.TOOLARGE": "Много голям файл",
+    "UploadField.TOOSMALL": "Файлът е много малък",
+    "UploadField.INVALIDEXTENSION": "Това разширение не е разрешено",
+    "UploadField.MAXNUMBEROFFILESSIMPLE": "Максималния брой файлове е надхвърлен",
+    "UploadField.UPLOADEDBYTES": "Uploaded bytes exceed file size",
+    "UploadField.EMPTYRESULT": "Empty file upload result",
+    "UploadField.LOADING": "Зареждане ...",
+    "UploadField.Editing": "Редактиране ...",
+    "UploadField.Uploaded": "Качен",
+    "UploadField.OVERWRITEWARNING": "Вече съществува файл с това име",
+    "TreeDropdownField.ENTERTOSEARCH": "Натисни Enter за търсена",
+    "TreeDropdownField.OpenLink": "Отвори",
+    "TreeDropdownField.FieldTitle": "Избери",
+    "TreeDropdownField.SearchFieldTitle": "Избери или Търси"
+});
+}

javascript/lang/src/bg.js

@@ -0,0 +1,41 @@
+{
+    "VALIDATOR.FIELDREQUIRED": "Полето \"%s\" е задължително.",
+    "HASMANYFILEFIELD.UPLOADING": "Качване... %s",
+    "TABLEFIELD.DELETECONFIRMMESSAGE": "Да бъде ли изтрит този запис?",
+    "LOADING": "зареждане...",
+    "UNIQUEFIELD.SUGGESTED": "Стойността е променена '%s' : %s",
+    "UNIQUEFIELD.ENTERNEWVALUE": "Трябва да въведете валидна стойност в това поле",
+    "UNIQUEFIELD.CANNOTLEAVEEMPTY": "Полето не може да остане празно",
+    "RESTRICTEDTEXTFIELD.CHARCANTBEUSED": "Символът '%s' не може да бъде използван в това поле",
+    "UPDATEURL.CONFIRM": "Would you like me to change the URL to:\n\n%s/\n\nClick Ok to change the URL, click Cancel to leave it as:\n\n%s",
+    "UPDATEURL.CONFIRMURLCHANGED": "URL адресът беше сменен на\n'%s'",
+    "FILEIFRAMEFIELD.DELETEFILE": "Изтрий файла",
+    "FILEIFRAMEFIELD.UNATTACHFILE": "Премахни файла",
+    "FILEIFRAMEFIELD.DELETEIMAGE": "Изтрий снимката",
+    "FILEIFRAMEFIELD.CONFIRMDELETE": "Да бъде ли изтрит този файл?",
+    "LeftAndMain.IncompatBrowserWarning": "Your browser is not compatible with the CMS interface. Please use Internet Explorer 7+, Google Chrome 10+ or Mozilla Firefox 3.5+.",
+    "GRIDFIELD.ERRORINTRANSACTION": "Възникна грешка при извличане на данни от сървъра\n Опитайте отново по-късно.",
+    "HtmlEditorField.SelectAnchor": "Select an anchor",
+    "UploadField.ConfirmDelete": "Този файл ще бъде изтрит от сървъра. Сигурни ли сте?",
+    "UploadField.PHP_MAXFILESIZE": "Големината на файла надхвърля upload_max_filesize (php.ini директивата)",
+    "UploadField.HTML_MAXFILESIZE": "Големината на файла надхвърле MAX_FILE_SIZE (директива на HTML формата)",
+    "UploadField.ONLYPARTIALUPLOADED": "Файлът беше качен частично",
+    "UploadField.NOFILEUPLOADED": "Файлът не беше качен",
+    "UploadField.NOTMPFOLDER": "Липсва временна папка",
+    "UploadField.WRITEFAILED": "Файлът не можа да бъде записан",
+    "UploadField.STOPEDBYEXTENSION": "File upload stopped by extension",
+    "UploadField.TOOLARGE": "Много голям файл",
+    "UploadField.TOOSMALL": "Файлът е много малък",
+    "UploadField.INVALIDEXTENSION": "Това разширение не е разрешено",
+    "UploadField.MAXNUMBEROFFILESSIMPLE": "Максималния брой файлове е надхвърлен",
+    "UploadField.UPLOADEDBYTES": "Uploaded bytes exceed file size",
+    "UploadField.EMPTYRESULT": "Empty file upload result",
+    "UploadField.LOADING": "Зареждане ...",
+    "UploadField.Editing": "Редактиране ...",
+    "UploadField.Uploaded": "Качен",
+    "UploadField.OVERWRITEWARNING": "Вече съществува файл с това име",
+    "TreeDropdownField.ENTERTOSEARCH": "Натисни Enter за търсена",
+    "TreeDropdownField.OpenLink": "Отвори",
+    "TreeDropdownField.FieldTitle": "Избери",
+    "TreeDropdownField.SearchFieldTitle": "Избери или Търси"
+}

lang/bg.yml

@@ -1,25 +1,36 @@
 bg:
   AssetAdmin:
+    ALLOWEDEXTS: 'Позволени разширения на файловете за качване'
+    HIDEALLOWEDEXTS: 'Скрий позволените разширения'
     NEWFOLDER: НоваПапка
+    SHOWALLOWEDEXTS: 'Покажи позволените разширения'
   AssetTableField:
     CREATED: 'Създаден'
     DIM: Размери
     FILENAME: Име на файл
     FOLDER: Папка
+    HEIGHT: Височина
     LASTEDIT: 'Последна промяна'
     OWNER: Собственик
     SIZE: 'Големина на файла'
     TITLE: Заглавие
     TYPE: 'Тип на файла'
+    URL: URL
+    WIDTH: Широчина
   AssetUploadField:
     ChooseFiles: 'Избери файлове'
     DRAGFILESHERE: 'Завлечете файловете тук'
     DROPAREA: 'Зона за пускане'
     EDITALL: 'Редакция на всички'
     EDITANDORGANIZE: 'Редактиране и подреждане'
+    EDITINFO: 'Редактиране на файлове'
     FILES: Файлове
     FROMCOMPUTER: 'Избери файлове от компютъра'
+    FROMCOMPUTERINFO: 'Качи от компютъра'
+    INSERTURL: 'Въведи URL на файла'
+    REMOVEINFO: 'Премахни файла от това поле'
     TOTAL: Общо
+    TOUPLOAD: 'Избери файлове за качване...'
     UPLOADINPROGRESS: 'Моля, изчакайте... файловете се качват'
     UPLOADOR: ИЛИ
   BBCodeParser:
@@ -53,19 +64,40 @@ bg:
     ENTERINFO: 'Моля, въведете потребителско име и парола.'
     ERRORNOTADMIN: 'Този потребител не е администратор.'
     ERRORNOTREC: 'Това потребителско име / парола не е разпознато'
+  Boolean:
+    ANY: Всички
+    NOANSWER: 'Не'
+    YESANSWER: 'Да'
   CMSLoadingScreen_ss:
     LOADING: Зареждане ...
+    REQUIREJS: 'Необходимо е да активирате JavaScript.'
   CMSMain:
     ACCESS: 'Достъп до секция ''{title}'''
     ACCESSALLINTERFACES: 'Достъп до всички секции на CMS'
     SAVE: Запис
+  CMSMemberLoginForm:
+    BUTTONFORGOTPASSWORD: 'Забравена парола?'
+    BUTTONLOGIN: 'Влез обратно'
+    BUTTONLOGOUT: 'Изход'
+  CMSPageHistoryController_versions_ss:
+    PREVIEW: 'Преглед на сайта'
+  CMSPagesController_Tools_ss:
+    FILTER: Филтър
   CMSProfileController:
     MENUTITLE: 'Моят профил'
+  CMSSecurity:
+    SUCCESS: Успешно
+    TimedOutTitleAnonymous: 'Вашата сесия е изтекла.'
+    TimedOutTitleMember: 'Здравей {name}!<br />Твоята сесия е изтекла.'
   ChangePasswordEmail_ss:
     CHANGEPASSWORDTEXT1: 'Вие сменихте вашата парола за'
     CHANGEPASSWORDTEXT2: 'Вече можете да ползвате следните данни за вход:'
+    EMAIL: Ел. поща
     HELLO: Здравей!
     PASSWORD: Парола
+  CheckboxField:
+    NOANSWER: 'Не'
+    YESANSWER: 'Да'
   ConfirmedPasswordField:
     ATLEAST: 'Паролата трябва да е дълга мин. {min} символа.'
     BETWEEN: 'Паролата трябва да е дълга от {min} до {max} символа.'
@@ -80,18 +112,34 @@ bg:
     PLURALNAME: 'Обекти с данни'
     SINGULARNAME: 'Обект с данни'
   Date:
+    DAY: ден
+    DAYS: дни
+    HOUR: час
+    HOURS: часа
+    LessThanMinuteAgo: 'по-малко от минута'
+    MIN: минута
+    MINS: минути
+    MONTH: месец
+    MONTHS: месеци
+    SEC: секунда
+    SECS: секунди
     TIMEDIFFAGO: 'преди {difference}'
     TIMEDIFFIN: 'за {difference}'
+    YEAR: година
+    YEARS: години
   DateField:
-    NOTSET: 'Не нагласено'
+    NOTSET: 'не е зададена'
     TODAY: днес
     VALIDDATEFORMAT2: 'Моля, въведете валиден формат за дата ({format})'
     VALIDDATEMAXDATE: 'Датата трябва да бъде същата или преди ({date})'
     VALIDDATEMINDATE: 'Датата трябва да бъде същата или след ({date})'
+  DatetimeField:
+    NOTSET: 'не е зададена'
   Director:
     INVALID_REQUEST: 'Грешна заявка'
   DropdownField:
     CHOOSE: (Избери)
+    CHOOSESEARCH: '(Избери или Търси)'
   EmailField:
     VALIDATION: 'Моля, въведете имейл адрес'
   Enum:

lang/eo.yml

@@ -1,5 +1,7 @@
 eo:
   AssetAdmin:
+    ALLOWEDEXTS: 'Permesitaj alŝutaj dosieraj sufiksoj'
+    HIDEALLOWEDEXTS: 'Kaŝi permesitajn sufiksojn'
     NEWFOLDER: Nova dosierujo
     SHOWALLOWEDEXTS: 'Vidigi permesitajn sufiksojn'
   AssetTableField:
@@ -7,12 +9,14 @@ eo:
     DIM: Dimensioj
     FILENAME: Nomo de dosiero
     FOLDER: Dosierujo
+    HEIGHT: Alto
     LASTEDIT: 'Laste ŝanĝita'
     OWNER: Posedanto
     SIZE: 'Grando'
     TITLE: Titolo
     TYPE: 'Tipo'
     URL: URL
+    WIDTH: Larĝo
   AssetUploadField:
     ChooseFiles: 'Elekti dosierojn'
     DRAGFILESHERE: 'Ŝovi dosieron ĉi tien'
@@ -23,7 +27,10 @@ eo:
     FILES: Dosieroj
     FROMCOMPUTER: 'Elekti dosierojn el via komputilo'
     FROMCOMPUTERINFO: 'Alŝuti el via komputilo'
+    INSERTURL: 'Enigi el URL'
+    REMOVEINFO: 'Forigi ĉi tiun dosieron el ĉi tiu kampo'
     TOTAL: Totalo
+    TOUPLOAD: 'Elekti dosierojn alŝutotajn...'
     UPLOADINPROGRESS: 'Bonvolu atendi...alŝuto daŭras'
     UPLOADOR: AŬ
   BBCodeParser:
@@ -146,6 +153,7 @@ eo:
     INVALID_REQUEST: 'Malvalida peto'
   DropdownField:
     CHOOSE: (Elekti)
+    CHOOSESEARCH: '(Elekti aŭ serĉi)'
     SOURCE_VALIDATION: 'Bonvolu elekti valoron el la listo donita. {value} ne estas valida agordo'
   EmailField:
     VALIDATION: 'Bonvolu enigi readreson'
@@ -299,6 +307,7 @@ eo:
     IMAGETITLETEXT: 'Teksto de titolo (ŝpruchelpilo)'
     IMAGETITLETEXTDESC: 'Por plua informo pri la bildo'
     IMAGEWIDTHPX: Larĝo
+    INSERTMEDIA: 'Enigi registraĵojn'
     LINK: 'Ligilo'
     LINKANCHOR: 'Ankri al ĉi tiu paĝo'
     LINKDESCR: 'Ligila priskribo'
@@ -311,7 +320,9 @@ eo:
     PAGE: Paĝo
     SUBJECT: 'Temo de retpoŝto'
     URL: URL
+    URLDESCRIPTION: 'Enigu videojn kaj bildojn el la TTT en vian paĝon simple enigante la URL de la dosiero. Certigu ke vi havas permesojn antaŭ ol kunhavigi registraĵojn rekte el la TTT.<br /><br />Bonvolu noti ke dosieroj ne aldoniĝas al la konservejo de dosieroj de la CMS sed dosieroj enkorpiĝas el ties origina loko. Se ial la dosiero ne plu haveblas en ĝia origina loko, ĝi ne plu estos videbla en ĉi tiu paĝo.'
     URLNOTANOEMBEDRESOURCE: 'La URL ''{url}'' ne estas konvertebla al memorilo.'
+    UpdateMEDIA: 'Ĝisdatigi registraĵojn'
   Image:
     PLURALNAME: Dosieroj
     SINGULARNAME: Dosiero

lang/fi.yml

@@ -181,7 +181,7 @@ fi:
     NOVALIDUPLOAD: 'Tiedosto ei ole kelvollinen ladattavaksi'
     Name: Nimi
     PLURALNAME: Tiedostot
-    PdfType: 'Adobe Acrobat PDF -tiedosto'
+    PdfType: 'Adobe Acrobat PDF-tiedosto'
     PngType: 'PNG-kuva - hyvä yleinen muoto'
     SINGULARNAME: Tiedosto
     TOOLARGE: 'Tiedostokoko on liian suuri: maks. sallittu koko on {size}'
@@ -257,7 +257,7 @@ fi:
     DefaultGroupTitleContentAuthors: 'Sisällöntuottajat'
     Description: Kuvaus
     GroupReminder: 'Valitessasi isäntäryhmän roolit periytyvät tähän ryhmään'
-    HierarchyPermsError: 'Isäntä ryhmään ei voitu asettaa "%s" annettuja oikeuksia (vaaditaan JÄRJESTELMÄNVALVOJAN oikeudet)'
+    HierarchyPermsError: 'Isäntäryhmään ei voitu asettaa "%s" annettuja oikeuksia (vaaditaan JÄRJESTELMÄNVALVOJAN oikeudet)'
     Locked: 'Lukittu?'
     NoRoles: 'Rooleja ei löytynyt'
     PLURALNAME: Ryhmät
@@ -301,8 +301,6 @@ fi:
     FROMWEB: 'Webistä'
     FindInFolder: 'Etsi kansiosta'
     IMAGEALT: 'Vaihtoehtoinen teksti (alt)'
-    IMAGEALTTEXT: 'Vaihtoehtoinen teksti (alt) - näytetään jos kuvaa ei voida näyttää'
-    IMAGEALTTEXTDESC: 'Näytetään ruudunlukuohjelmille tai jos kuvia ei voi näyttää'
     IMAGEDIMENSIONS: Mitat
     IMAGEHEIGHTPX: Korkeus
     IMAGETITLE: 'Otsikko (tooltip) - kuvan lisätietoja varten'
@@ -336,13 +334,10 @@ fi:
   LeftAndMain:
     CANT_REORGANISE: 'Sinulla ei ole oikeuksia mennä ylemmän tason sivuille. Muutoksiasi ei tallennettu.'
     DELETED: Poistettu.
-    DropdownBatchActionsDefault: 'Valitse toiminto...'
     HELP: Ohje
-    PAGETYPE: 'Sivutyyppi'
     PERMAGAIN: 'Olet kirjautunut ulos CMS:stä. Jos haluat kirjautua uudelleen sisään, syötä käyttäjätunnuksesi ja salasanasi alla.'
     PERMALREADY: 'Pahoittelut, mutta et pääse tähän osaan CMS:ää. Jos haluat kirjautua jonain muuna, voit tehdä sen alta.'
     PERMDEFAULT: 'Sinun tulee olla kirjautuneena ylläpito-osioon; syötä tunnuksesi kenttiin.'
-    PLEASESAVE: 'Tallenna sivu: tätä sivua ei voitu päivittää, koska sitä ei ole vielä tallennettu.'
     PreviewButton: Esikatselu
     REORGANISATIONSUCCESSFUL: 'Hakemistopuu uudelleenjärjestettiin onnistuneesti.'
     SAVEDUP: Tallennettu.

lang/hr.yml

@@ -79,6 +79,7 @@ hr:
     TEXT2: 'link za resetiranje lozinke'
     TEXT3: za
   Form:
+    SubmitBtnLabel: Kreni
     VALIDATIONNOTUNIQUE: 'Unešena vrijednost nije unikatna'
     VALIDATIONPASSWORDSDONTMATCH: 'Lozinke se ne slažu'
     VALIDATIONPASSWORDSNOTEMPTY: 'Lozinke moraju imati najmanje jedan broj i jedan alfanumerički znak'

lang/it.yml

@@ -318,9 +318,7 @@ it:
     PAGE: Pagina
     SUBJECT: 'Oggetto email'
     URL: URL
-    URLDESCRIPTION: 'Inserisci video e immagini dal Web nella tua pagina semplicemente inserendo l''URL del file.
+    URLDESCRIPTION: 'Inserisci video e immagini dal Web nella tua pagina semplicemente inserendo l''URL del file. Si sicuro di avere i diritti o i permessi prima di condividere media direttamente dal Web.<br /><br />NB : i file non sono aggiunti allo storage file del CMS, ma incorpora il file dalla sua location principale, se per un qualsiasi motivo il file non e'' più raggiungibile nella sua location principale, non sara'' più visibile su questa pagina.'
-
-      Si sicuro di avere i diritti o i permessi prima di condividere media direttamente dal Web.<br /><br />NB : i file non sono aggiunti allo storage file del CMS, ma incorpora il file dalla sua location principale, se per un qualsiasi motivo il file non e'' più raggiungibile nella sua location principale, non sara'' più visibile su questa pagina.'
     URLNOTANOEMBEDRESOURCE: 'L''URL ''{url}'' non può essere convertito in una risorsa media.'
     UpdateMEDIA: 'Aggiorna Media'
   Image:

lang/nl.yml

@@ -1,18 +1,22 @@
 nl:
   AssetAdmin:
+    ALLOWEDEXTS: 'Toegestane extensies'
+    HIDEALLOWEDEXTS: 'Verberg toegestane extensies'
     NEWFOLDER: Nieuwe map
     SHOWALLOWEDEXTS: 'Toon toegestane extensies'
   AssetTableField:
     CREATED: 'Eerste upload'
-    DIM: Dimensies
+    DIM: Afmetingen
     FILENAME: Bestandsnaam
     FOLDER: Map
+    HEIGHT: Hoogte
     LASTEDIT: 'Laatste wijziging'
     OWNER: Eigenaar
     SIZE: 'Grootte'
     TITLE: Titel
     TYPE: 'Type'
     URL: URL
+    WIDTH: Breedte
   AssetUploadField:
     ChooseFiles: 'Selecteer bestand'
     DRAGFILESHERE: 'Sleep bestanden hierheen'
@@ -23,7 +27,10 @@ nl:
     FILES: Bestanden
     FROMCOMPUTER: 'Selecteer bestanden op uw computer'
     FROMCOMPUTERINFO: 'Uploaden vanaf uw computer'
+    INSERTURL: 'Voeg toe van URL'
+    REMOVEINFO: 'Verwijder bestand van dit veld'
     TOTAL: Totaal
+    TOUPLOAD: 'Selecteer bestanden voor upload'
     UPLOADINPROGRESS: 'Een ogenblik geduld... upload wordt uitgevoerd'
     UPLOADOR: OF
   BBCodeParser:
@@ -59,6 +66,8 @@ nl:
     ERRORNOTREC: 'De gebruikersnaam en/of het wachtwoord wordt niet herkend'
   Boolean:
     ANY: Elke
+    NOANSWER: 'Nee'
+    YESANSWER: 'Ja'
   CMSLoadingScreen_ss:
     LOADING: Laden...
     REQUIREJS: 'Het CMS vereist dat JavaScript ingeschakeld is.'
@@ -67,22 +76,44 @@ nl:
     ACCESSALLINTERFACES: 'Toegang tot alle CMS onderdelen'
     ACCESSALLINTERFACESHELP: 'Overstemt meer specifieke toegangsinstellingen'
     SAVE: Bewaar
+  CMSMemberLoginForm:
+    BUTTONFORGOTPASSWORD: 'Wachtwoord vergeten?'
+    BUTTONLOGIN: 'Opnieuw inloggen'
+    BUTTONLOGOUT: 'Uitloggen'
+    PASSWORDEXPIRED: '<p>Je wachtwoord is verlopen. <a target="_top" href="{link}">Kies een nieuw wachtwoord.</a></p>'
   CMSPageHistoryController_versions_ss:
     PREVIEW: 'Website voorbeeld'
+  CMSPagesController_Tools_ss:
+    FILTER: Filter
   CMSProfileController:
     MENUTITLE: 'Mijn Profiel'
+  CMSSecurity:
+    INVALIDUSER: '<p>Ongeldige gebruiker <a target="_top" href="{link}">Log hier opnieuw in</a> om verder te gaan.</p>'
+    LoginMessage: '<p>Je kunt verder met wat je aan het doen was, door opnieuw in te loggen.</p>'
+    SUCCESS: Succes
+    SUCCESSCONTENT: '<p>Je bent ingelogd. <a target="_top" href="{link}">Klik hier</a> als je niet automatisch wordt doorgestuurd.</p>'
+    TimedOutTitleAnonymous: 'Sessie is verlopen'
+    TimedOutTitleMember: 'Hallo {name}!<br />Je sessie is verlopen.'
   ChangePasswordEmail_ss:
     CHANGEPASSWORDTEXT1: 'U heeft het wachtwoord veranderd voor'
     CHANGEPASSWORDTEXT2: 'U kunt nu onderstaande gegevens gebruiken om in te loggen:'
     EMAIL: E-mail
     HELLO: Hallo
     PASSWORD: Wachtwoord
+  CheckboxField:
+    NOANSWER: 'Nee'
+    YESANSWER: 'Ja'
+  CheckboxFieldSetField:
+    SOURCE_VALIDATION: 'Selecteer een optie uit de lijst. {value} is geen geldige keuze.'
+  CheckboxSetField:
+    SOURCE_VALIDATION: 'Selecteer een optie uit de lijst. ''{value}'' is geen geldige keuze.'
   ConfirmedPasswordField:
     ATLEAST: 'Een wachtwoord moet tenminste {min} karakters hebben.'
     BETWEEN: 'Een wachtwoord moet tussen de {min} en {max} karakters hebben'
     MAXIMUM: 'Een wachtwoord mag maximaal {max} karakters hebben.'
     SHOWONCLICKTITLE: 'Verander wachtwoord'
   ContentController:
+    DRAFT_SITE_ACCESS_RESTRICTION: 'Je moet inloggen met je CMS wachtwoord om die inhoud te kunnen zien. <a href="%s">Klik hier</a> om terug te keren naar de gepubliceerde site.'
     NOTLOGGEDIN: 'Niet ingelogd'
   CreditCardField:
     FIRST: eerste
@@ -122,6 +153,8 @@ nl:
     INVALID_REQUEST: 'Fout bij verwerken'
   DropdownField:
     CHOOSE: (Kies)
+    CHOOSESEARCH: '(Kies of zoek)'
+    SOURCE_VALIDATION: 'Selecteer een optie uit de lijst. {value} is geen geldige keuze.'
   EmailField:
     VALIDATION: 'Gelieve een e-mailadres in te voeren.'
   Enum:
@@ -170,6 +203,7 @@ nl:
     TEXT3: voor
   Form:
     CSRF_EXPIRED_MESSAGE: 'Uw sessie is verlopen. Verzend het formulier opnieuw.'
+    CSRF_FAILED_MESSAGE: 'Er lijkt een technisch probleem te zijn. Klik op de knop terug, vernieuw uw browser, en probeer het opnieuw.'
     FIELDISREQUIRED: '{name} is verplicht'
     SubmitBtnLabel: Versturen
     VALIDATIONCREDITNUMBER: 'Gelieve uw credit card number {number} juist in te vullen'
@@ -243,6 +277,8 @@ nl:
   HtmlEditorField:
     ADDURL: 'Voeg URL toe'
     ADJUSTDETAILSDIMENSIONS: 'Details en afmetingen'
+    ANCHORSCANNOTACCESSPAGE: 'Je bent niet gemachtigd om de opgevraagde pagina te bekijken.'
+    ANCHORSPAGENOTFOUND: 'Pagina niet gevonden.'
     ANCHORVALUE: Anker
     BUTTONADDURL: 'Voeg URL toe'
     BUTTONINSERT: Invoegen
@@ -270,6 +306,7 @@ nl:
     IMAGETITLETEXT: 'Tooltip (title)'
     IMAGETITLETEXTDESC: 'Toon extra informatie over de afbeelding'
     IMAGEWIDTHPX: Breedte
+    INSERTMEDIA: 'Voeg media in'
     LINK: 'Link invoegen'
     LINKANCHOR: 'Anker op deze pagina'
     LINKDESCR: 'Linkomschrijving'
@@ -280,8 +317,10 @@ nl:
     LINKOPENNEWWIN: 'Link in een nieuw venster openen?'
     LINKTO: 'Verwijs naar'
     PAGE: Pagina
+    SUBJECT: 'Email onderwerp'
     URL: URL
     URLNOTANOEMBEDRESOURCE: '{url} kon niet worden omgezet in een media-bron.'
+    UpdateMEDIA: 'Media bijwerken'
   Image:
     PLURALNAME: Bestanden
     SINGULARNAME: Bestand
@@ -293,17 +332,23 @@ nl:
   LeftAndMain:
     CANT_REORGANISE: 'U hebt geen rechten om de pagina''s op het Top niveau aan te passen. Uw aanpassing is niet opgeslagen. '
     DELETED: Verwijderd.
+    DropdownBatchActionsDefault: Acties
     HELP: Help
     PERMAGAIN: 'U bent uitgelogd uit het CMS.  Als u weer wilt inloggen vul dan uw gebruikersnaam en wachtwoord hieronder in.'
+    PERMALREADY: 'Helaas, je hebt geen toegang tot dat deel van het CMS. Hieronder kun je inloggen als iemand anders.'
+    PERMDEFAULT: 'Je moet ingelogd zijn, om dit deel van de website te bekijken. Vul hieronder je inlog gegevens in.'
     PreviewButton: Voorbeeld
     REORGANISATIONSUCCESSFUL: 'Menu-indeling is aangepast'
     SAVEDUP: Opgeslagen.
     ShowAsList: 'laat als lijst zien'
     TooManyPages: 'Te veel pagina''s'
     ValidationError: 'Validatiefout'
+    VersionUnknown: onbekend
   LeftAndMain_Menu_ss:
     Hello: Hallo
     LOGOUT: 'Uitloggen'
+  ListboxField:
+    SOURCE_VALIDATION: 'Selecteer een optie uit de lijst. %s is geen geldige keuze.'
   LoginAttempt:
     Email: 'E-mailadres '
     IP: 'IP adres'
@@ -336,6 +381,7 @@ nl:
     NEWPASSWORD: 'Nieuw wachtwoord'
     NoPassword: 'Er is geen wachtwoord voor deze gebruiker.'
     PASSWORD: Wachtwoord
+    PASSWORDEXPIRED: 'Je wachtwoord is verlopen. Kies een nieuw wachtwoord.'
     PLURALNAME: Leden
     REMEMBERME: 'Wachtwoord onthouden voor de volgende keer?'
     SINGULARNAME: Lid
@@ -441,6 +487,7 @@ nl:
     SINGULARNAME: Rol
     Title: Titel
   PermissionRoleCode:
+    PLURALNAME: 'Permissie codes'
     PermsError: 'U moet (ADMIN) rechten hebben om de code "%s" toe te kennen'
     SINGULARNAME: 'Machtigingen rol code'
   Permissions:
@@ -506,6 +553,8 @@ nl:
     Print: Afdrukken
   TableListField_PageControls_ss:
     OF: van
+  TextField:
+    VALIDATEMAXLENGTH: 'De waarde voor {name} mag niet langer zijn dan {maxLength} tekens.'
   TimeField:
     VALIDATEFORMAT: 'Vul een geldig datumformaat in ({format})'
   ToggleField:

lang/sk.yml

@@ -301,8 +301,6 @@ sk:
     FROMWEB: 'Z webu'
     FindInFolder: 'Vyhľadať v priečinku'
     IMAGEALT: 'Atlernatívny text (alt)'
-    IMAGEALTTEXT: 'Atlernatívny text (alt) - sa zobrazí, ak nemôže byť obrázok zobrazený'
-    IMAGEALTTEXTDESC: 'Zobrazí sa na obrazovke, alebo ak obrázok nemôže byť zobrazený'
     IMAGEDIMENSIONS: Rozmery
     IMAGEHEIGHTPX: Výška
     IMAGETITLE: 'Text titulky (tooltip) - pre doplňujúce informácie o obrázku'
@@ -337,11 +335,9 @@ sk:
     CANT_REORGANISE: 'Nemáte oprávnenie meniť stránky najvyššej úrovne. Vaša zmena nebola uložená.'
     DELETED: Zmazané.
     HELP: Pomoc
-    PAGETYPE: 'Typ stránky:'
     PERMAGAIN: 'Boli ste odhlásený'
     PERMALREADY: 'Je nám ľúto, ale k tejto časti CMS nemáte prístup . Ak sa chcete prihlásiť ako niekto iný, urobte tak nižšie.'
     PERMDEFAULT: 'Musíte byť prihlásený/á k prístupu do oblasti administrácie, zadajte vaše prihlasovacie údaje dole, prosím.'
-    PLEASESAVE: 'Prosím uložte stránku: Táto stránka nemôže byť aktualizovaná, lebo ešte nebola uložená.'
     PreviewButton: Náhľad
     REORGANISATIONSUCCESSFUL: 'Strom webu bol reorganizovaný úspešne.'
     SAVEDUP: Uložené.

security/CMSSecurity.php

@@ -195,9 +195,16 @@ PHP
 
 		// Get redirect url
 		$controller = $this->getResponseController(_t('CMSSecurity.SUCCESS', 'Success'));
-		$backURL = $this->getRequest()->requestVar('BackURL')
+		$backURLs = array(
-			?: Session::get('BackURL')
+			$this->getRequest()->requestVar('BackURL'),
-			?: Director::absoluteURL(AdminRootController::config()->url_base, true);
+			Session::get('BackURL'),
+			Director::absoluteURL(AdminRootController::config()->url_base, true),
+		);
+		foreach ($backURLs as $backURL) {
+			if ($backURL && Director::is_site_url($backURL)) {
+				break;
+			}
+		}
 
 		// Show login
 		$controller = $controller->customise(array(

security/LoginForm.php

@@ -10,11 +10,6 @@
  * @subpackage security
  */
 abstract class LoginForm extends Form {
-	public function __construct($controller, $name, $fields, $actions) {
-		parent::__construct($controller, $name, $fields, $actions);
-
-		$this->disableSecurityToken();
-	}
 
 	/**
 	 * Authenticator class to use with this login form

security/Member.php

@@ -368,7 +368,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
 	 * Returns true if this user is locked out
 	 */
 	public function isLockedOut() {
-		return $this->LockedOutUntil && time() < strtotime($this->LockedOutUntil);
+		return $this->LockedOutUntil && SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);
 	}
 
 	/**
@@ -1607,7 +1607,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
 
 			if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
 				$lockoutMins = self::config()->lock_out_delay_mins;
-				$this->LockedOutUntil = date('Y-m-d H:i:s', time() + $lockoutMins*60);
+				$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
 				$this->FailedLoginCount = 0;
 			}
 		}

security/MemberAuthenticator.php

@@ -51,8 +51,11 @@ class MemberAuthenticator extends Authenticator {
 		if($asDefaultAdmin) {
 			// If logging is as default admin, ensure record is setup correctly
 			$member = Member::default_admin();
-			$success = Security::check_default_admin($email, $data['Password']);
+			$success = !$member->isLockedOut() && Security::check_default_admin($email, $data['Password']);
-			if($success) return $member;
+			//protect against failed login
+			if($success) {
+				return $member;
+			}
 		}
 
 		// Attempt to identify user by email

tests/security/MemberAuthenticatorTest.php

@@ -164,4 +164,22 @@ class MemberAuthenticatorTest extends SapphireTest {
 		$this->assertEquals('The provided details don't seem to be correct. Please try again.', $form->Message());
 		$this->assertEquals('bad', $form->MessageType());
 	}
+
+	public function testDefaultAdminLockOut()
+	{
+		Config::inst()->update('Member', 'lock_out_after_incorrect_logins', 1);
+		Config::inst()->update('Member', 'lock_out_delay_mins', 10);
+		SS_Datetime::set_mock_now('2016-04-18 00:00:00');
+		$controller = new Security();
+		$form = new Form($controller, 'Form', new FieldList(), new FieldList());
+
+		// Test correct login
+		MemberAuthenticator::authenticate(array(
+			'Email' => 'admin',
+			'Password' => 'wrongpassword'
+		), $form);
+
+		$this->assertTrue(Member::default_admin()->isLockedOut());
+		$this->assertEquals(Member::default_admin()->LockedOutUntil, '2016-04-18 00:10:00');
+	}
 }