mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-09-30 21:29:23 +02:00
Updated changelog, moved "statics in Page.php" to top
Its going to be a fatal error on every upgrade unless tended to, so we need to ensure people don't overlook it in the guide.
This commit is contained in:
Ingo Schommer
parent
7f6671628d
commit
d877c1063d
@ -8,6 +8,7 @@
|
||||
* Resizing of preview to common screen widths ("desktop", "tablet" and "smartphone")
|
||||
* Decluttered "Edit Page" buttons by moving minor actions into a "more options" panel
|
||||
* Auto-detect CMS changes and highlight the save button for better informancy
|
||||
* New context action "Show children as list" on tree for better management on large sites
|
||||
* Display "last edited" and "last published" data for pages in CMS
|
||||
* CMS form fields now support help text through `setDescription()`, both inline and as tooltips
|
||||
* Removed SiteTree "MetaTitle" and "MetaKeywords" fields
|
||||
@ -36,6 +37,81 @@
|
||||
|
||||
## Upgrading
|
||||
|
||||
### Statics in custom Page classes need to be "private"
|
||||
|
||||
**Requires action on every SilverStripe installation.**
|
||||
|
||||
Typical error message: `Access level to ErrorPage::$db must be public`
|
||||
|
||||
Related to the configuration change described above, many statics in core are now
|
||||
marked with `private` visibility. While PHP allows making variables more visible
|
||||
(e.g. from "private" to "public"), it complains if you try to restrict visibility in subclasses.
|
||||
The core framework extends from the `Page` class in your own codebase (`mysite/`),
|
||||
which means you need to change those statics to `private` yourself.
|
||||
The same rules apply to controllers subclassd from `Page_Controller`.
|
||||
|
||||
Before:
|
||||
|
||||
:::php
|
||||
<?php
|
||||
class Page extends SiteTree {
|
||||
static $db = array('MyVar' => 'Text');
|
||||
}
|
||||
class Page_Controller extends ContentController {
|
||||
static $allowed_actions = array('myaction');
|
||||
}
|
||||
|
||||
After:
|
||||
|
||||
:::php
|
||||
<?php
|
||||
class Page extends SiteTree {
|
||||
private static $db = array('MyVar' => 'Text');
|
||||
}
|
||||
class Page_Controller extends ContentController {
|
||||
private static $allowed_actions = array('myaction');
|
||||
}
|
||||
|
||||
Most statics defined in `SiteTree` and `DataObject` are affected, for example:
|
||||
`$db`, `$has_one`, `$has_many`, `$many_many`, `$defaults`, `$allowed_children`.
|
||||
The same goes for statics defined in `ContentController`, e.g. `$allowed_actions`.
|
||||
|
||||
Classes which are not further extended by the core (e.g. all custom `DataObject` subclasses)
|
||||
are not affected by this change, although we recommend to mark those inherited statics
|
||||
as `private` as well, to make it clear that they should be accessed through the Config API.
|
||||
|
||||
### default_cast is now Text
|
||||
|
||||
In order to reduce the chance of accidentally allowing XSS attacks, the value of default_cast
|
||||
has been changed in 3.1 from HTMLText to Text. This means that any values used in a template
|
||||
that haven't been explicitly cast as safe will be escaped (`<` replaced with `<` etc).
|
||||
|
||||
When upgrading, if methods return HTML fragments they need to explicitly cast them
|
||||
as such. This can either be done by returning an HTMLText object, like:
|
||||
|
||||
:::php
|
||||
return DBField::create_field('HTMLText', '<div></div>');
|
||||
|
||||
or by defining the casting of the accessor method, like:
|
||||
|
||||
:::php
|
||||
class Page extends SiteTree {
|
||||
private static $casting = array(
|
||||
'MyDiv' => 'HTMLText'
|
||||
)
|
||||
|
||||
function MyDiv() {
|
||||
return '<div></div>';
|
||||
}
|
||||
}
|
||||
|
||||
SSViewer#process (and as a result ViewableData#renderWith) have been changed to already return
|
||||
explicitly cast HTMLText instances, so functions that return the result of these methods won't
|
||||
have to do any additional casting.
|
||||
|
||||
Note that this change means that if code was testing the result via is_string, that is no longer
|
||||
reliable.
|
||||
|
||||
### Static properties are immutable and private, you must use Config API.
|
||||
|
||||
A common SilverStripe pattern is to use a static variable on a class to define a configuration parameter.
|
||||
@ -138,77 +214,6 @@ for details.
|
||||
|
||||
For more information about how to use the config system, see the ["Configuration" topic](/topic/configuration).
|
||||
|
||||
### Statics in custom Page classes need to be "private"
|
||||
|
||||
Related to the configuration change described above, many statics in core are now
|
||||
marked with `private` visibility. While PHP allows making variables more visible
|
||||
(e.g. from "private" to "public"), it complains if you try to restrict visibility in subclasses.
|
||||
The core framework extends from the `Page` class in your own codebase (`mysite/`),
|
||||
which means you need to change those statics to `private` yourself.
|
||||
The same rules apply to controllers subclassd from `Page_Controller`.
|
||||
|
||||
Before:
|
||||
|
||||
:::php
|
||||
<?php
|
||||
class Page extends SiteTree {
|
||||
static $db = array('MyVar' => 'Text');
|
||||
}
|
||||
class Page_Controller extends ContentController {
|
||||
static $allowed_actions = array('myaction');
|
||||
}
|
||||
|
||||
After:
|
||||
|
||||
:::php
|
||||
<?php
|
||||
class Page extends SiteTree {
|
||||
private static $db = array('MyVar' => 'Text');
|
||||
}
|
||||
class Page_Controller extends ContentController {
|
||||
private static $allowed_actions = array('myaction');
|
||||
}
|
||||
|
||||
Most statics defined in `SiteTree` and `DataObject` are affected, for example:
|
||||
`$db`, `$has_one`, `$has_many`, `$many_many`, `$defaults`, `$allowed_children`.
|
||||
The same goes for statics defined in `ContentController`, e.g. `$allowed_actions`.
|
||||
|
||||
Classes which are not further extended by the core (e.g. all custom `DataObject` subclasses)
|
||||
are not affected by this change, although we recommend to mark those inherited statics
|
||||
as `private` as well, to make it clear that they should be accessed through the Config API.
|
||||
|
||||
### default_cast is now Text
|
||||
|
||||
In order to reduce the chance of accidentally allowing XSS attacks, the value of default_cast
|
||||
has been changed in 3.1 from HTMLText to Text. This means that any values used in a template
|
||||
that haven't been explicitly cast as safe will be escaped (`<` replaced with `<` etc).
|
||||
|
||||
When upgrading, if methods return HTML fragments they need to explicitly cast them
|
||||
as such. This can either be done by returning an HTMLText object, like:
|
||||
|
||||
:::php
|
||||
return DBField::create_field('HTMLText', '<div></div>');
|
||||
|
||||
or by defining the casting of the accessor method, like:
|
||||
|
||||
:::php
|
||||
class Page extends SiteTree {
|
||||
private static $casting = array(
|
||||
'MyDiv' => 'HTMLText'
|
||||
)
|
||||
|
||||
function MyDiv() {
|
||||
return '<div></div>';
|
||||
}
|
||||
}
|
||||
|
||||
SSViewer#process (and as a result ViewableData#renderWith) have been changed to already return
|
||||
explicitly cast HTMLText instances, so functions that return the result of these methods won't
|
||||
have to do any additional casting.
|
||||
|
||||
Note that this change means that if code was testing the result via is_string, that is no longer
|
||||
reliable.
|
||||
|
||||
### Deny URL access if `Controller::$allowed_actions` is undefined or empty array
|
||||
|
||||
In order to make controller access checks more consistent and easier to
|
||||
|
||||
Loading…
Reference in New Issue
Block a user