From 805c38f107e7e332d2846407e0a89cade1d33ed1 Mon Sep 17 00:00:00 2001 From: Stevie Mayhew Date: Mon, 21 Mar 2016 11:30:38 +1300 Subject: [PATCH 01/24] BUGFIX: don't try and switch out of context of the tab system --- admin/javascript/LeftAndMain.js | 1 - 1 file changed, 1 deletion(-) diff --git a/admin/javascript/LeftAndMain.js b/admin/javascript/LeftAndMain.js index 43f9ef1c3..d607d3271 100644 --- a/admin/javascript/LeftAndMain.js +++ b/admin/javascript/LeftAndMain.js @@ -1331,7 +1331,6 @@ jQuery.noConflict(); } var container = this.closest('.cms-container'); - container.find('.cms-edit-form').tabs('select',0); //always switch to the first tab (list view) when searching container.loadPanel(url, "", {}, true); return false; From 0f2049d4d466e05f5d7f07fc63580836de8c6bff Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Tue, 21 Nov 2017 14:37:48 +0000 Subject: [PATCH 02/24] [SS-2017-008] Fix SQL injection in search engine --- model/connect/MySQLDatabase.php | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/model/connect/MySQLDatabase.php b/model/connect/MySQLDatabase.php index dc5ade9ce..f0628e4d5 100644 --- a/model/connect/MySQLDatabase.php +++ b/model/connect/MySQLDatabase.php @@ -105,10 +105,14 @@ class MySQLDatabase extends SS_Database { public function searchEngine($classesToSearch, $keywords, $start, $pageLength, $sortBy = "Relevance DESC", $extraFilter = "", $booleanSearch = false, $alternativeFileFilter = "", $invertedMatch = false ) { - if (!class_exists('SiteTree')) - throw new Exception('MySQLDatabase->searchEngine() requires "SiteTree" class'); - if (!class_exists('File')) - throw new Exception('MySQLDatabase->searchEngine() requires "File" class'); + if (!class_exists('SiteTree')) { + throw new Exception('MySQLDatabase->searchEngine() requires "SiteTree" class'); + } + if (!class_exists('File')) { + throw new Exception('MySQLDatabase->searchEngine() requires "File" class'); + } + $start = (int)$start; + $pageLength = (int)$pageLength; $keywords = $this->escapeString($keywords); $htmlEntityKeywords = htmlentities($keywords, ENT_NOQUOTES, 'UTF-8'); @@ -134,7 +138,7 @@ class MySQLDatabase extends SS_Database { if (array_key_exists('ShowInSearch', $fields)) $extraFilters['File'] .= " AND ShowInSearch <> 0"; - $limit = $start . ", " . (int) $pageLength; + $limit = $start . ", " . $pageLength; $notMatch = $invertedMatch ? "NOT " From 2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 23 Nov 2017 20:28:25 +0000 Subject: [PATCH 03/24] FIX Update meber passwordencryption to default on password change --- security/Member.php | 3 +-- tests/security/MemberTest.php | 42 ++++++++++++++--------------------- 2 files changed, 18 insertions(+), 27 deletions(-) diff --git a/security/Member.php b/security/Member.php index 817c4b01a..39573a4b9 100644 --- a/security/Member.php +++ b/security/Member.php @@ -975,8 +975,7 @@ class Member extends DataObject implements TemplateGlobalProvider { $encryption_details = Security::encrypt_password( $this->Password, // this is assumed to be cleartext $this->Salt, - ($this->PasswordEncryption) ? - $this->PasswordEncryption : Security::config()->password_encryption_algorithm, + $this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null, $this ); diff --git a/tests/security/MemberTest.php b/tests/security/MemberTest.php index d1db139e5..342a2da71 100644 --- a/tests/security/MemberTest.php +++ b/tests/security/MemberTest.php @@ -45,7 +45,21 @@ class MemberTest extends FunctionalTest { parent::tearDown(); } - + public function testPasswordEncryptionUpdatedOnChangedPassword() + { + Config::inst()->update('Security', 'password_encryption_algorithm', 'none'); + $member = Member::create(); + $member->SetPassword = 'password'; + $member->write(); + $this->assertEquals('password', $member->Password); + $this->assertEquals('none', $member->PasswordEncryption); + Config::inst()->update('Security', 'password_encryption_algorithm', 'blowfish'); + $member->SetPassword = 'newpassword'; + $member->write(); + $this->assertNotEquals('password', $member->Password); + $this->assertNotEquals('newpassword', $member->Password); + $this->assertEquals('blowfish', $member->PasswordEncryption); + } /** * @expectedException ValidationException @@ -94,28 +108,6 @@ class MemberTest extends FunctionalTest { ); } - public function testDefaultPasswordEncryptionDoesntChangeExistingMembers() { - $member = new Member(); - $member->Password = 'mypassword'; - $member->PasswordEncryption = 'sha1_v2.4'; - $member->write(); - - $origAlgo = Security::config()->password_encryption_algorithm; - Security::config()->password_encryption_algorithm = 'none'; - - $member->Password = 'mynewpassword'; - $member->write(); - - $this->assertEquals( - $member->PasswordEncryption, - 'sha1_v2.4' - ); - $result = $member->checkPassword('mynewpassword'); - $this->assertTrue($result->valid()); - - Security::config()->password_encryption_algorithm = $origAlgo; - } - public function testKeepsEncryptionOnEmptyPasswords() { $member = new Member(); $member->Password = 'mypassword'; @@ -126,8 +118,8 @@ class MemberTest extends FunctionalTest { $member->write(); $this->assertEquals( - $member->PasswordEncryption, - 'sha1_v2.4' + Security::config()->get('password_encryption_algorithm'), + $member->PasswordEncryption ); $result = $member->checkPassword(''); $this->assertTrue($result->valid()); From f5f1abe0cfa7c57556d2af22b5246d5095b408ff Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 30 Nov 2017 15:50:36 +1300 Subject: [PATCH 04/24] [ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt --- security/LoginAttempt.php | 48 ++++++++++++++-------- security/Member.php | 7 ++-- tests/security/MemberAuthenticatorTest.php | 3 +- tests/security/SecurityTest.php | 31 ++++++-------- 4 files changed, 51 insertions(+), 38 deletions(-) diff --git a/security/LoginAttempt.php b/security/LoginAttempt.php index 4da1e2440..ec5c19ca2 100644 --- a/security/LoginAttempt.php +++ b/security/LoginAttempt.php @@ -12,18 +12,20 @@ * @package framework * @subpackage security * - * @property string Email Email address used for login attempt - * @property string Status Status of the login attempt, either 'Success' or 'Failure' - * @property string IP IP address of user attempting to login + * @property string $Email Email address used for login attempt. @deprecated 3.0...5.0 + * @property string $EmailHashed sha1 hashed Email address used for login attempt + * @property string $Status Status of the login attempt, either 'Success' or 'Failure' + * @property string $IP IP address of user attempting to login * - * @property int MemberID ID of the Member, only if Member with Email exists + * @property int $MemberID ID of the Member, only if Member with Email exists * * @method Member Member() Member object of the user trying to log in, only if Member with Email exists */ class LoginAttempt extends DataObject { private static $db = array( - 'Email' => 'Varchar(255)', + 'Email' => 'Varchar(255)', // Remove in 5.0 + 'EmailHashed' => 'Varchar(255)', 'Status' => "Enum('Success,Failure')", 'IP' => 'Varchar(255)', ); @@ -32,24 +34,38 @@ class LoginAttempt extends DataObject { 'Member' => 'Member', // only linked if the member actually exists ); - private static $has_many = array(); - - private static $many_many = array(); - - private static $belongs_many_many = array(); - - /** - * - * @param boolean $includerelations a boolean value to indicate if the labels returned include relation fields - * - */ public function fieldLabels($includerelations = true) { $labels = parent::fieldLabels($includerelations); $labels['Email'] = _t('LoginAttempt.Email', 'Email Address'); + $labels['EmailHashed'] = _t('LoginAttempt.EmailHashed', 'Email Address (hashed)'); $labels['Status'] = _t('LoginAttempt.Status', 'Status'); $labels['IP'] = _t('LoginAttempt.IP', 'IP Address'); return $labels; } + /** + * Set email used for this attempt + * + * @param string $email + * @return $this + */ + public function setEmail($email) { + // Store hashed email only + $this->EmailHashed = sha1($email); + return $this; + } + + /** + * Get all login attempts for the given email address + * + * @param string $email + * @return DataList + */ + public static function getByEmail($email) { + return static::get()->filterAny(array( + 'Email' => $email, + 'EmailHashed' => sha1($email), + )); + } } diff --git a/security/Member.php b/security/Member.php index 9404f4ae6..a4462cbc3 100644 --- a/security/Member.php +++ b/security/Member.php @@ -405,9 +405,10 @@ class Member extends DataObject implements TemplateGlobalProvider { $state = false; } else { - $attempts = LoginAttempt::get()->filter($filter = array( - 'Email' => $this->{static::config()->unique_identifier_field}, - ))->sort('Created', 'DESC')->limit($this->config()->lock_out_after_incorrect_logins); + $email = $this->{static::config()->unique_identifier_field}; + $attempts = LoginAttempt::getByEmail($email) + ->sort('Created', 'DESC') + ->limit($this->config()->lock_out_after_incorrect_logins); if ($attempts->count() < $this->config()->lock_out_after_incorrect_logins) { $state = false; diff --git a/tests/security/MemberAuthenticatorTest.php b/tests/security/MemberAuthenticatorTest.php index f3e4598ca..bf6dd9942 100644 --- a/tests/security/MemberAuthenticatorTest.php +++ b/tests/security/MemberAuthenticatorTest.php @@ -196,7 +196,8 @@ class MemberAuthenticatorTest extends SapphireTest { $this->assertNull($response); $this->assertCount(1, LoginAttempt::get()); $attempt = LoginAttempt::get()->first(); - $this->assertEquals($email, $attempt->Email); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals(sha1($email), $attempt->EmailHashed); $this->assertEquals('Failure', $attempt->Status); } diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php index d336c1f64..3b8c19a2b 100644 --- a/tests/security/SecurityTest.php +++ b/tests/security/SecurityTest.php @@ -507,25 +507,21 @@ class SecurityTest extends FunctionalTest { /* UNSUCCESSFUL ATTEMPTS WITH WRONG PASSWORD FOR EXISTING USER ARE LOGGED */ $this->doTestLoginForm('testuser@example.com', 'wrongpassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'testuser@example.com' - )); - $this->assertTrue(is_object($attempt)); - $member = DataObject::get_one('Member', array( - '"Member"."Email"' => 'testuser@example.com' - )); + $attempt = LoginAttempt::getByEmail('testuser@example.com')->first(); + $this->assertInstanceOf('LoginAttempt', $attempt); + $member = Member::get()->filter('Email', 'testuser@example.com')->first(); $this->assertEquals($attempt->Status, 'Failure'); - $this->assertEquals($attempt->Email, 'testuser@example.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('testuser@example.com')); $this->assertEquals($attempt->Member(), $member); /* UNSUCCESSFUL ATTEMPTS WITH NONEXISTING USER ARE LOGGED */ $this->doTestLoginForm('wronguser@silverstripe.com', 'wrongpassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'wronguser@silverstripe.com' - )); - $this->assertTrue(is_object($attempt)); + $attempt = LoginAttempt::getByEmail('wronguser@silverstripe.com')->first(); + $this->assertInstanceOf('LoginAttempt', $attempt); $this->assertEquals($attempt->Status, 'Failure'); - $this->assertEquals($attempt->Email, 'wronguser@silverstripe.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('wronguser@silverstripe.com')); $this->assertNotNull( $this->loginErrorMessage(), 'An invalid email returns a message.' ); @@ -536,15 +532,14 @@ class SecurityTest extends FunctionalTest { /* SUCCESSFUL ATTEMPTS ARE LOGGED */ $this->doTestLoginForm('testuser@example.com', '1nitialPassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'testuser@example.com' - )); + $attempt = LoginAttempt::getByEmail('testuser@example.com')->first(); $member = DataObject::get_one('Member', array( '"Member"."Email"' => 'testuser@example.com' )); - $this->assertTrue(is_object($attempt)); + $this->assertInstanceOf('LoginAttempt', $attempt); $this->assertEquals($attempt->Status, 'Success'); - $this->assertEquals($attempt->Email, 'testuser@example.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('testuser@example.com')); $this->assertEquals($attempt->Member(), $member); } From 6ba00e829a9fb360dfe5cb0bc3d4544016c82357 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 30 Nov 2017 15:50:36 +1300 Subject: [PATCH 05/24] [ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt --- security/LoginAttempt.php | 48 ++++++++++++++-------- security/Member.php | 7 ++-- tests/security/MemberAuthenticatorTest.php | 3 +- tests/security/SecurityTest.php | 31 ++++++-------- 4 files changed, 51 insertions(+), 38 deletions(-) diff --git a/security/LoginAttempt.php b/security/LoginAttempt.php index 4da1e2440..ec5c19ca2 100644 --- a/security/LoginAttempt.php +++ b/security/LoginAttempt.php @@ -12,18 +12,20 @@ * @package framework * @subpackage security * - * @property string Email Email address used for login attempt - * @property string Status Status of the login attempt, either 'Success' or 'Failure' - * @property string IP IP address of user attempting to login + * @property string $Email Email address used for login attempt. @deprecated 3.0...5.0 + * @property string $EmailHashed sha1 hashed Email address used for login attempt + * @property string $Status Status of the login attempt, either 'Success' or 'Failure' + * @property string $IP IP address of user attempting to login * - * @property int MemberID ID of the Member, only if Member with Email exists + * @property int $MemberID ID of the Member, only if Member with Email exists * * @method Member Member() Member object of the user trying to log in, only if Member with Email exists */ class LoginAttempt extends DataObject { private static $db = array( - 'Email' => 'Varchar(255)', + 'Email' => 'Varchar(255)', // Remove in 5.0 + 'EmailHashed' => 'Varchar(255)', 'Status' => "Enum('Success,Failure')", 'IP' => 'Varchar(255)', ); @@ -32,24 +34,38 @@ class LoginAttempt extends DataObject { 'Member' => 'Member', // only linked if the member actually exists ); - private static $has_many = array(); - - private static $many_many = array(); - - private static $belongs_many_many = array(); - - /** - * - * @param boolean $includerelations a boolean value to indicate if the labels returned include relation fields - * - */ public function fieldLabels($includerelations = true) { $labels = parent::fieldLabels($includerelations); $labels['Email'] = _t('LoginAttempt.Email', 'Email Address'); + $labels['EmailHashed'] = _t('LoginAttempt.EmailHashed', 'Email Address (hashed)'); $labels['Status'] = _t('LoginAttempt.Status', 'Status'); $labels['IP'] = _t('LoginAttempt.IP', 'IP Address'); return $labels; } + /** + * Set email used for this attempt + * + * @param string $email + * @return $this + */ + public function setEmail($email) { + // Store hashed email only + $this->EmailHashed = sha1($email); + return $this; + } + + /** + * Get all login attempts for the given email address + * + * @param string $email + * @return DataList + */ + public static function getByEmail($email) { + return static::get()->filterAny(array( + 'Email' => $email, + 'EmailHashed' => sha1($email), + )); + } } diff --git a/security/Member.php b/security/Member.php index 39573a4b9..a83a9d20e 100644 --- a/security/Member.php +++ b/security/Member.php @@ -407,9 +407,10 @@ class Member extends DataObject implements TemplateGlobalProvider { return false; } - $attempts = LoginAttempt::get()->filter($filter = array( - 'Email' => $this->{static::config()->unique_identifier_field}, - ))->sort('Created', 'DESC')->limit($this->config()->lock_out_after_incorrect_logins); + $email = $this->{static::config()->unique_identifier_field}; + $attempts = LoginAttempt::getByEmail($email) + ->sort('Created', 'DESC') + ->limit($this->config()->lock_out_after_incorrect_logins); if ($attempts->count() < $this->config()->lock_out_after_incorrect_logins) { return false; diff --git a/tests/security/MemberAuthenticatorTest.php b/tests/security/MemberAuthenticatorTest.php index f3e4598ca..bf6dd9942 100644 --- a/tests/security/MemberAuthenticatorTest.php +++ b/tests/security/MemberAuthenticatorTest.php @@ -196,7 +196,8 @@ class MemberAuthenticatorTest extends SapphireTest { $this->assertNull($response); $this->assertCount(1, LoginAttempt::get()); $attempt = LoginAttempt::get()->first(); - $this->assertEquals($email, $attempt->Email); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals(sha1($email), $attempt->EmailHashed); $this->assertEquals('Failure', $attempt->Status); } diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php index 7c3283525..e123b8212 100644 --- a/tests/security/SecurityTest.php +++ b/tests/security/SecurityTest.php @@ -507,25 +507,21 @@ class SecurityTest extends FunctionalTest { /* UNSUCCESSFUL ATTEMPTS WITH WRONG PASSWORD FOR EXISTING USER ARE LOGGED */ $this->doTestLoginForm('testuser@example.com', 'wrongpassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'testuser@example.com' - )); - $this->assertTrue(is_object($attempt)); - $member = DataObject::get_one('Member', array( - '"Member"."Email"' => 'testuser@example.com' - )); + $attempt = LoginAttempt::getByEmail('testuser@example.com')->first(); + $this->assertInstanceOf('LoginAttempt', $attempt); + $member = Member::get()->filter('Email', 'testuser@example.com')->first(); $this->assertEquals($attempt->Status, 'Failure'); - $this->assertEquals($attempt->Email, 'testuser@example.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('testuser@example.com')); $this->assertEquals($attempt->Member(), $member); /* UNSUCCESSFUL ATTEMPTS WITH NONEXISTING USER ARE LOGGED */ $this->doTestLoginForm('wronguser@silverstripe.com', 'wrongpassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'wronguser@silverstripe.com' - )); - $this->assertTrue(is_object($attempt)); + $attempt = LoginAttempt::getByEmail('wronguser@silverstripe.com')->first(); + $this->assertInstanceOf('LoginAttempt', $attempt); $this->assertEquals($attempt->Status, 'Failure'); - $this->assertEquals($attempt->Email, 'wronguser@silverstripe.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('wronguser@silverstripe.com')); $this->assertNotNull( $this->loginErrorMessage(), 'An invalid email returns a message.' ); @@ -536,15 +532,14 @@ class SecurityTest extends FunctionalTest { /* SUCCESSFUL ATTEMPTS ARE LOGGED */ $this->doTestLoginForm('testuser@example.com', '1nitialPassword'); - $attempt = DataObject::get_one('LoginAttempt', array( - '"LoginAttempt"."Email"' => 'testuser@example.com' - )); + $attempt = LoginAttempt::getByEmail('testuser@example.com')->first(); $member = DataObject::get_one('Member', array( '"Member"."Email"' => 'testuser@example.com' )); - $this->assertTrue(is_object($attempt)); + $this->assertInstanceOf('LoginAttempt', $attempt); $this->assertEquals($attempt->Status, 'Success'); - $this->assertEquals($attempt->Email, 'testuser@example.com'); + $this->assertEmpty($attempt->Email); // Doesn't store potentially sensitive data + $this->assertEquals($attempt->EmailHashed, sha1('testuser@example.com')); $this->assertEquals($attempt->Member(), $member); } From 395880fa94b48ead9384453affb6bc27341619d5 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Wed, 29 Nov 2017 15:27:36 +1300 Subject: [PATCH 06/24] [ss-2017-007] Ensure xls formulae are safely sanitised on output CSVParser now strips leading tabs on cells --- dev/CSVParser.php | 4 ++- forms/gridfield/GridFieldExportButton.php | 24 +++++++++++++--- tests/dev/CSVParserTest.php | 28 +++++++++++-------- tests/dev/CsvBulkLoaderTest.php | 6 ++-- .../CsvBulkLoaderTest_PlayersWithHeader.csv | 1 + .../gridfield/GridFieldExportButtonTest.php | 16 +++++++++++ 6 files changed, 59 insertions(+), 20 deletions(-) diff --git a/dev/CSVParser.php b/dev/CSVParser.php index 158d9d863..4c1fdf3ba 100644 --- a/dev/CSVParser.php +++ b/dev/CSVParser.php @@ -247,7 +247,9 @@ class CSVParser extends Object implements Iterator { array($this->enclosure, $this->delimiter), $value ); - + // Trim leading tab + // [SS-2017-007] Ensure all cells with leading [@=+] have a leading tab + $value = ltrim($value, "\t"); if(array_key_exists($i, $this->headerRow)) { if($this->headerRow[$i]) { $row[$this->headerRow[$i]] = $value; diff --git a/forms/gridfield/GridFieldExportButton.php b/forms/gridfield/GridFieldExportButton.php index 30df9f01f..9c865b6a1 100644 --- a/forms/gridfield/GridFieldExportButton.php +++ b/forms/gridfield/GridFieldExportButton.php @@ -30,6 +30,15 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP */ protected $targetFragment; + /** + * Set to true to disable XLS sanitisation + * [SS-2017-007] Ensure all cells with leading [@=+] have a leading tab + * + * @config + * @var bool + */ + private static $xls_export_disabled = false; + /** * @param string $targetFragment The HTML fragment to write the button into * @param array $exportColumns The columns to include in the export @@ -91,12 +100,12 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP return SS_HTTPRequest::send_file($fileData, $fileName, 'text/csv'); } } - + /** * Return the columns to export - * - * @param GridField $gridField - * + * + * @param GridField $gridField + * * @return array */ protected function getExportColumnsForGridField(GridField $gridField) { @@ -174,6 +183,13 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP } $value = str_replace(array("\r", "\n"), "\n", $value); + + // [SS-2017-007] Sanitise XLS executable column values with a leading tab + if (!Config::inst()->get(get_class($this), 'xls_export_disabled') + && preg_match('/^[-@=+].*/', $value) + ) { + $value = "\t" . $value; + } $columnData[] = '"' . str_replace('"', '""', $value) . '"'; } diff --git a/tests/dev/CSVParserTest.php b/tests/dev/CSVParserTest.php index c895b2f8b..512717521 100644 --- a/tests/dev/CSVParserTest.php +++ b/tests/dev/CSVParserTest.php @@ -21,16 +21,18 @@ class CSVParserTest extends SapphireTest { $registered[] = $record['IsRegistered']; } - $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography", + ), $biographies); + $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('1', '0', '1', '1', '0'), $registered); } public function testParsingWithHeadersAndColumnMap() { @@ -54,15 +56,16 @@ class CSVParserTest extends SapphireTest { $registered[] = $record['IsRegistered']; } - $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography"), $biographies); + $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('1', '0', '1', '1', '0'), $registered); } public function testParsingWithExplicitHeaderRow() { @@ -82,15 +85,16 @@ class CSVParserTest extends SapphireTest { } /* And the first row will be returned in the data */ - $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( 'Biography', "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('IsRegistered', '1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography"), $biographies); + $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('IsRegistered', '1', '0', '1', '1', '0'), $registered); } } diff --git a/tests/dev/CsvBulkLoaderTest.php b/tests/dev/CsvBulkLoaderTest.php index 7b1d15a5b..bb21b98f2 100644 --- a/tests/dev/CsvBulkLoaderTest.php +++ b/tests/dev/CsvBulkLoaderTest.php @@ -27,7 +27,7 @@ class CsvBulkLoaderTest extends SapphireTest { $results = $loader->load($filepath); // Test that right amount of columns was imported - $this->assertEquals(4, $results->Count(), 'Test correct count of imported data'); + $this->assertEquals(5, $results->Count(), 'Test correct count of imported data'); // Test that columns were correctly imported $obj = DataObject::get_one("CsvBulkLoaderTest_Player", array( @@ -49,14 +49,14 @@ class CsvBulkLoaderTest extends SapphireTest { $filepath = $this->getCurrentAbsolutePath() . '/CsvBulkLoaderTest_PlayersWithHeader.csv'; $loader->deleteExistingRecords = true; $results1 = $loader->load($filepath); - $this->assertEquals(4, $results1->Count(), 'Test correct count of imported data on first load'); + $this->assertEquals(5, $results1->Count(), 'Test correct count of imported data on first load'); //delete existing data before doing second CSV import $results2 = $loader->load($filepath, '512MB', true); //get all instances of the loaded DataObject from the database and count them $resultDataObject = DataObject::get('CsvBulkLoaderTest_Player'); - $this->assertEquals(4, $resultDataObject->Count(), + $this->assertEquals(5, $resultDataObject->Count(), 'Test if existing data is deleted before new data is added'); } diff --git a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv index 2536266fc..f8e101f08 100644 --- a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv +++ b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv @@ -4,3 +4,4 @@ So awesome that she gets multiple rows and \"escaped\" strings in her biography","31/01/1982","0" "Jamie","Pretty old\, with an escaped comma","31/01/1882","1" "Järg","Unicode FTW","31/06/1982","1" +"Jacob"," Likes leading tabs in his biography","31/4/2000","0" diff --git a/tests/forms/gridfield/GridFieldExportButtonTest.php b/tests/forms/gridfield/GridFieldExportButtonTest.php index 42ef28e22..516a2bc13 100644 --- a/tests/forms/gridfield/GridFieldExportButtonTest.php +++ b/tests/forms/gridfield/GridFieldExportButtonTest.php @@ -53,6 +53,22 @@ class GridFieldExportButtonTest extends SapphireTest { ); } + public function testXLSSanitisation() { + // Create risky object + $object = new GridFieldExportButtonTest_Team(); + $object->Name = '=SUM(1, 2)'; + $object->write(); + + // Export + $button = new GridFieldExportButton(); + $button->setExportColumns(array('Name' => 'My Name')); + + $this->assertEquals( + "\"My Name\"\n\"\t=SUM(1, 2)\"\n\"Test\"\n\"Test2\"\n", + $button->generateExportFileData($this->gridField) + ); + } + public function testGenerateFileDataAnonymousFunctionField() { $button = new GridFieldExportButton(); $button->setExportColumns(array( From 22ccf3e2f9092f51e7f7288ce108598c6f17b49c Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Wed, 29 Nov 2017 15:27:36 +1300 Subject: [PATCH 07/24] [ss-2017-007] Ensure xls formulae are safely sanitised on output CSVParser now strips leading tabs on cells --- dev/CSVParser.php | 4 ++- forms/gridfield/GridFieldExportButton.php | 24 +++++++++++++--- tests/dev/CSVParserTest.php | 28 +++++++++++-------- tests/dev/CsvBulkLoaderTest.php | 6 ++-- .../CsvBulkLoaderTest_PlayersWithHeader.csv | 1 + .../gridfield/GridFieldExportButtonTest.php | 16 +++++++++++ 6 files changed, 59 insertions(+), 20 deletions(-) diff --git a/dev/CSVParser.php b/dev/CSVParser.php index 158d9d863..4c1fdf3ba 100644 --- a/dev/CSVParser.php +++ b/dev/CSVParser.php @@ -247,7 +247,9 @@ class CSVParser extends Object implements Iterator { array($this->enclosure, $this->delimiter), $value ); - + // Trim leading tab + // [SS-2017-007] Ensure all cells with leading [@=+] have a leading tab + $value = ltrim($value, "\t"); if(array_key_exists($i, $this->headerRow)) { if($this->headerRow[$i]) { $row[$this->headerRow[$i]] = $value; diff --git a/forms/gridfield/GridFieldExportButton.php b/forms/gridfield/GridFieldExportButton.php index 30df9f01f..9c865b6a1 100644 --- a/forms/gridfield/GridFieldExportButton.php +++ b/forms/gridfield/GridFieldExportButton.php @@ -30,6 +30,15 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP */ protected $targetFragment; + /** + * Set to true to disable XLS sanitisation + * [SS-2017-007] Ensure all cells with leading [@=+] have a leading tab + * + * @config + * @var bool + */ + private static $xls_export_disabled = false; + /** * @param string $targetFragment The HTML fragment to write the button into * @param array $exportColumns The columns to include in the export @@ -91,12 +100,12 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP return SS_HTTPRequest::send_file($fileData, $fileName, 'text/csv'); } } - + /** * Return the columns to export - * - * @param GridField $gridField - * + * + * @param GridField $gridField + * * @return array */ protected function getExportColumnsForGridField(GridField $gridField) { @@ -174,6 +183,13 @@ class GridFieldExportButton implements GridField_HTMLProvider, GridField_ActionP } $value = str_replace(array("\r", "\n"), "\n", $value); + + // [SS-2017-007] Sanitise XLS executable column values with a leading tab + if (!Config::inst()->get(get_class($this), 'xls_export_disabled') + && preg_match('/^[-@=+].*/', $value) + ) { + $value = "\t" . $value; + } $columnData[] = '"' . str_replace('"', '""', $value) . '"'; } diff --git a/tests/dev/CSVParserTest.php b/tests/dev/CSVParserTest.php index c895b2f8b..512717521 100644 --- a/tests/dev/CSVParserTest.php +++ b/tests/dev/CSVParserTest.php @@ -21,16 +21,18 @@ class CSVParserTest extends SapphireTest { $registered[] = $record['IsRegistered']; } - $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography", + ), $biographies); + $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('1', '0', '1', '1', '0'), $registered); } public function testParsingWithHeadersAndColumnMap() { @@ -54,15 +56,16 @@ class CSVParserTest extends SapphireTest { $registered[] = $record['IsRegistered']; } - $this->assertEquals(array('John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography"), $biographies); + $this->assertEquals(array("31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('1', '0', '1', '1', '0'), $registered); } public function testParsingWithExplicitHeaderRow() { @@ -82,15 +85,16 @@ class CSVParserTest extends SapphireTest { } /* And the first row will be returned in the data */ - $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg'), $firstNames); + $this->assertEquals(array('FirstName','John','Jane','Jamie','Järg','Jacob'), $firstNames); $this->assertEquals(array( 'Biography', "He's a good guy", "She is awesome." . PHP_EOL . "So awesome that she gets multiple rows and \"escaped\" strings in her biography", "Pretty old, with an escaped comma", - "Unicode FTW"), $biographies); - $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982"), $birthdays); - $this->assertEquals(array('IsRegistered', '1', '0', '1', '1'), $registered); + "Unicode FTW", + "Likes leading tabs in his biography"), $biographies); + $this->assertEquals(array("Birthday","31/01/1988","31/01/1982","31/01/1882","31/06/1982","31/4/2000"), $birthdays); + $this->assertEquals(array('IsRegistered', '1', '0', '1', '1', '0'), $registered); } } diff --git a/tests/dev/CsvBulkLoaderTest.php b/tests/dev/CsvBulkLoaderTest.php index 7b1d15a5b..bb21b98f2 100644 --- a/tests/dev/CsvBulkLoaderTest.php +++ b/tests/dev/CsvBulkLoaderTest.php @@ -27,7 +27,7 @@ class CsvBulkLoaderTest extends SapphireTest { $results = $loader->load($filepath); // Test that right amount of columns was imported - $this->assertEquals(4, $results->Count(), 'Test correct count of imported data'); + $this->assertEquals(5, $results->Count(), 'Test correct count of imported data'); // Test that columns were correctly imported $obj = DataObject::get_one("CsvBulkLoaderTest_Player", array( @@ -49,14 +49,14 @@ class CsvBulkLoaderTest extends SapphireTest { $filepath = $this->getCurrentAbsolutePath() . '/CsvBulkLoaderTest_PlayersWithHeader.csv'; $loader->deleteExistingRecords = true; $results1 = $loader->load($filepath); - $this->assertEquals(4, $results1->Count(), 'Test correct count of imported data on first load'); + $this->assertEquals(5, $results1->Count(), 'Test correct count of imported data on first load'); //delete existing data before doing second CSV import $results2 = $loader->load($filepath, '512MB', true); //get all instances of the loaded DataObject from the database and count them $resultDataObject = DataObject::get('CsvBulkLoaderTest_Player'); - $this->assertEquals(4, $resultDataObject->Count(), + $this->assertEquals(5, $resultDataObject->Count(), 'Test if existing data is deleted before new data is added'); } diff --git a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv index 2536266fc..f8e101f08 100644 --- a/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv +++ b/tests/dev/CsvBulkLoaderTest_PlayersWithHeader.csv @@ -4,3 +4,4 @@ So awesome that she gets multiple rows and \"escaped\" strings in her biography","31/01/1982","0" "Jamie","Pretty old\, with an escaped comma","31/01/1882","1" "Järg","Unicode FTW","31/06/1982","1" +"Jacob"," Likes leading tabs in his biography","31/4/2000","0" diff --git a/tests/forms/gridfield/GridFieldExportButtonTest.php b/tests/forms/gridfield/GridFieldExportButtonTest.php index 42ef28e22..516a2bc13 100644 --- a/tests/forms/gridfield/GridFieldExportButtonTest.php +++ b/tests/forms/gridfield/GridFieldExportButtonTest.php @@ -53,6 +53,22 @@ class GridFieldExportButtonTest extends SapphireTest { ); } + public function testXLSSanitisation() { + // Create risky object + $object = new GridFieldExportButtonTest_Team(); + $object->Name = '=SUM(1, 2)'; + $object->write(); + + // Export + $button = new GridFieldExportButton(); + $button->setExportColumns(array('Name' => 'My Name')); + + $this->assertEquals( + "\"My Name\"\n\"\t=SUM(1, 2)\"\n\"Test\"\n\"Test2\"\n", + $button->generateExportFileData($this->gridField) + ); + } + public function testGenerateFileDataAnonymousFunctionField() { $button = new GridFieldExportButton(); $button->setExportColumns(array( From 25e276cf3784dc1ab3a38252192ccd61f9d63121 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 30 Nov 2017 14:48:36 +1300 Subject: [PATCH 08/24] [ss-2017-006] Fix user agent invalidation on session startup --- control/Session.php | 40 +++++++++++++++++++++++++++-------- tests/control/SessionTest.php | 16 ++++++++++++-- 2 files changed, 45 insertions(+), 11 deletions(-) diff --git a/control/Session.php b/control/Session.php index e40018a4f..a4ad854f0 100644 --- a/control/Session.php +++ b/control/Session.php @@ -145,15 +145,7 @@ class Session { if($data instanceof Session) $data = $data->inst_getAll(); $this->data = $data; - - if (isset($this->data['HTTP_USER_AGENT'])) { - if ($this->data['HTTP_USER_AGENT'] != $this->userAgent()) { - // Funny business detected! - $this->inst_clearAll(); - $this->inst_destroy(); - $this->inst_start(); - } - } + $this->expireIfInvalid(); } /** @@ -392,6 +384,9 @@ class Session { $this->data = isset($_SESSION) ? $_SESSION : array(); } + // Ensure session is validated on start + $this->expireIfInvalid(); + // Modify the timeout behaviour so it's the *inactive* time before the session expires. // By default it's the total session lifetime if($timeout && !headers_sent()) { @@ -631,4 +626,31 @@ class Session { Deprecation::notice('4.0', 'Use the "Session.timeout" config setting instead'); return Config::inst()->get('Session', 'timeout'); } + + /** + * Validate the user agent against the current data, resetting the + * current session if a mismatch is detected. + * + * @deprecated 3.0..4.0 Removed in 4.0 + * @return bool If user agent has been set against this session, returns + * the valid state of this session as either true or false. If the agent + * isn't set it is assumed valid and returns true. + */ + private function expireIfInvalid() { + // If not set, indeterminable; Assume true as safe default + if (!isset($this->data['HTTP_USER_AGENT'])) { + return true; + } + + // Agents match, deterministically true + if ($this->data['HTTP_USER_AGENT'] === $this->userAgent()) { + return true; + } + + // Funny business detected! + $this->inst_clearAll(); + $this->inst_destroy(); + $this->inst_start(); + return false; + } } diff --git a/tests/control/SessionTest.php b/tests/control/SessionTest.php index 1b5c5ee45..3b54f6200 100644 --- a/tests/control/SessionTest.php +++ b/tests/control/SessionTest.php @@ -97,15 +97,27 @@ class SessionTest extends SapphireTest { $_SERVER['HTTP_USER_AGENT'] = 'Test Agent'; // Generate our session + /** @var Session $s */ $s = Injector::inst()->create('Session', array()); $s->inst_set('val', 123); $s->inst_finalize(); + $data = $s->inst_getAll(); // Change our UA $_SERVER['HTTP_USER_AGENT'] = 'Fake Agent'; - // Verify the new session reset our values - $s2 = Injector::inst()->create('Session', $s); + // Verify the new session reset our values (passed by constructor) + /** @var Session $s2 */ + $s2 = Injector::inst()->create('Session', $data); $this->assertNotEquals($s2->inst_get('val'), 123); + + // Verify a started session resets our values (initiated by $_SESSION object) + /** @var Session $s3 */ + $s3 = Injector::inst()->create('Session', []); + foreach ($data as $key => $value) { + $s3->inst_set($key, $value); + } + $s3->inst_start(); + $this->assertNotEquals($s3->inst_get('val'), 123); } } From db54112f3cca012e33257c782dffd7154bf663a5 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 30 Nov 2017 14:48:36 +1300 Subject: [PATCH 09/24] [ss-2017-006] Fix user agent invalidation on session startup --- control/Session.php | 40 +++++++++++++++++++++++++++-------- tests/control/SessionTest.php | 16 ++++++++++++-- 2 files changed, 45 insertions(+), 11 deletions(-) diff --git a/control/Session.php b/control/Session.php index e40018a4f..a4ad854f0 100644 --- a/control/Session.php +++ b/control/Session.php @@ -145,15 +145,7 @@ class Session { if($data instanceof Session) $data = $data->inst_getAll(); $this->data = $data; - - if (isset($this->data['HTTP_USER_AGENT'])) { - if ($this->data['HTTP_USER_AGENT'] != $this->userAgent()) { - // Funny business detected! - $this->inst_clearAll(); - $this->inst_destroy(); - $this->inst_start(); - } - } + $this->expireIfInvalid(); } /** @@ -392,6 +384,9 @@ class Session { $this->data = isset($_SESSION) ? $_SESSION : array(); } + // Ensure session is validated on start + $this->expireIfInvalid(); + // Modify the timeout behaviour so it's the *inactive* time before the session expires. // By default it's the total session lifetime if($timeout && !headers_sent()) { @@ -631,4 +626,31 @@ class Session { Deprecation::notice('4.0', 'Use the "Session.timeout" config setting instead'); return Config::inst()->get('Session', 'timeout'); } + + /** + * Validate the user agent against the current data, resetting the + * current session if a mismatch is detected. + * + * @deprecated 3.0..4.0 Removed in 4.0 + * @return bool If user agent has been set against this session, returns + * the valid state of this session as either true or false. If the agent + * isn't set it is assumed valid and returns true. + */ + private function expireIfInvalid() { + // If not set, indeterminable; Assume true as safe default + if (!isset($this->data['HTTP_USER_AGENT'])) { + return true; + } + + // Agents match, deterministically true + if ($this->data['HTTP_USER_AGENT'] === $this->userAgent()) { + return true; + } + + // Funny business detected! + $this->inst_clearAll(); + $this->inst_destroy(); + $this->inst_start(); + return false; + } } diff --git a/tests/control/SessionTest.php b/tests/control/SessionTest.php index 1b5c5ee45..3b54f6200 100644 --- a/tests/control/SessionTest.php +++ b/tests/control/SessionTest.php @@ -97,15 +97,27 @@ class SessionTest extends SapphireTest { $_SERVER['HTTP_USER_AGENT'] = 'Test Agent'; // Generate our session + /** @var Session $s */ $s = Injector::inst()->create('Session', array()); $s->inst_set('val', 123); $s->inst_finalize(); + $data = $s->inst_getAll(); // Change our UA $_SERVER['HTTP_USER_AGENT'] = 'Fake Agent'; - // Verify the new session reset our values - $s2 = Injector::inst()->create('Session', $s); + // Verify the new session reset our values (passed by constructor) + /** @var Session $s2 */ + $s2 = Injector::inst()->create('Session', $data); $this->assertNotEquals($s2->inst_get('val'), 123); + + // Verify a started session resets our values (initiated by $_SESSION object) + /** @var Session $s3 */ + $s3 = Injector::inst()->create('Session', []); + foreach ($data as $key => $value) { + $s3->inst_set($key, $value); + } + $s3->inst_start(); + $this->assertNotEquals($s3->inst_get('val'), 123); } } From 84d7afb3477885e9d69f2ac10838179efc1d3b91 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 30 Nov 2017 16:51:05 +0000 Subject: [PATCH 10/24] FIX Use baseDataClass for allVersions as with other methods --- model/Versioned.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/Versioned.php b/model/Versioned.php index 4dc191628..b49b00885 100644 --- a/model/Versioned.php +++ b/model/Versioned.php @@ -1050,7 +1050,7 @@ class Versioned extends DataExtension implements TemplateGlobalProvider { $oldMode = self::get_reading_mode(); self::reading_stage('Stage'); - $list = DataObject::get(get_class($this->owner), $filter, $sort, $join, $limit); + $list = DataObject::get(ClassInfo::baseDataClass($this->owner), $filter, $sort, $join, $limit); if($having) $having = $list->having($having); $query = $list->dataQuery()->query(); From 2aa1d8f2c495f47b3439d3c2d9f96a1e7f089113 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 30 Nov 2017 18:08:48 +0000 Subject: [PATCH 11/24] remove create_function usage --- admin/tests/LeftAndMainTest.php | 4 +++- api/RestfulService.php | 4 +++- core/Object.php | 4 +++- dev/install/install.php5 | 4 +++- forms/Form.php | 4 +++- forms/ListboxField.php | 4 +++- model/fieldtypes/HTMLText.php | 4 +++- tests/forms/uploadfield/UploadFieldTest.php | 8 ++++++-- .../Adapter/thirdparty/sfYaml/lib/sfYamlInline.php | 2 +- 9 files changed, 28 insertions(+), 10 deletions(-) diff --git a/admin/tests/LeftAndMainTest.php b/admin/tests/LeftAndMainTest.php index 750f40856..63bfbc8a9 100644 --- a/admin/tests/LeftAndMainTest.php +++ b/admin/tests/LeftAndMainTest.php @@ -173,7 +173,9 @@ class LeftAndMainTest extends FunctionalTest { $adminuser = $this->objFromFixture('Member', 'admin'); $securityonlyuser = $this->objFromFixture('Member', 'securityonlyuser'); $allcmssectionsuser = $this->objFromFixture('Member', 'allcmssectionsuser'); - $allValsFn = create_function('$obj', 'return $obj->getValue();'); + $allValsFn = function($obj) { + return $obj->getValue(); + }; // anonymous user $this->session()->inst_set('loggedInAs', null); diff --git a/api/RestfulService.php b/api/RestfulService.php index 517459976..38797ce44 100644 --- a/api/RestfulService.php +++ b/api/RestfulService.php @@ -373,7 +373,9 @@ class RestfulService extends ViewableData implements Flushable { if( preg_match('/([^:]+): (.+)/m', $field, $match) ) { $match[1] = preg_replace_callback( '/(?<=^|[\x09\x20\x2D])./', - create_function('$matches', 'return strtoupper($matches[0]);'), + function($matches) { + return strtoupper($matches[0]); + }, trim($match[1]) ); if( isset($headers[$match[1]]) ) { diff --git a/core/Object.php b/core/Object.php index ce0464377..98691d10f 100755 --- a/core/Object.php +++ b/core/Object.php @@ -948,7 +948,9 @@ abstract class Object { */ protected function createMethod($method, $code) { self::$extra_methods[get_class($this)][strtolower($method)] = array ( - 'function' => create_function('$obj, $args', $code) + 'function' => function($obj, $args) use ($code) { + eval($code); + } ); } diff --git a/dev/install/install.php5 b/dev/install/install.php5 index 5df46ffbc..9bcf6ac11 100755 --- a/dev/install/install.php5 +++ b/dev/install/install.php5 @@ -1307,7 +1307,9 @@ class Installer extends InstallRequirements { $locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US'; $type = addcslashes($config['db']['type'], "\'"); $dbConfig = $config['db'][$type]; - $dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig); + $dbConfig = array_map(function($v) { + return addcslashes($v, "\\'"); + }, $dbConfig); if(!isset($dbConfig['path'])) $dbConfig['path'] = ''; if(!$dbConfig) { echo "

Bad config submitted

";
diff --git a/forms/Form.php b/forms/Form.php
index eee8f1b86..096e1a723 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -859,7 +859,9 @@ class Form extends RequestHandler {
 		$attrs = $this->getAttributes();
 
 		// Remove empty
-		$attrs = array_filter((array)$attrs, create_function('$v', 'return ($v || $v === 0);'));
+		$attrs = array_filter((array)$attrs, function($v) {
+		    return ($v || $v === 0);
+        });
 
 		// Remove excluded
 		if($exclude) $attrs = array_diff_key($attrs, array_flip($exclude));
diff --git a/forms/ListboxField.php b/forms/ListboxField.php
index bdc402b5f..335af9737 100644
--- a/forms/ListboxField.php
+++ b/forms/ListboxField.php
@@ -136,7 +136,9 @@ class ListboxField extends DropdownField {
 	public function setSource($source) {
 		if($source) {
 			$hasCommas = array_filter(array_keys($source),
-				create_function('$key', 'return strpos($key, ",") !== FALSE;'));
+			function($key) {
+			    return strpos($key, ",") !== FALSE;
+			});
 			if($hasCommas) {
 				throw new InvalidArgumentException('No commas allowed in $source keys');
 			}
diff --git a/model/fieldtypes/HTMLText.php b/model/fieldtypes/HTMLText.php
index db1bad2f8..e0c351089 100644
--- a/model/fieldtypes/HTMLText.php
+++ b/model/fieldtypes/HTMLText.php
@@ -118,7 +118,9 @@ class HTMLText extends Text {
 			$doc = new DOMDocument();
 
 			// Catch warnings thrown by loadHTML and turn them into a failure boolean rather than a SilverStripe error
-			set_error_handler(create_function('$no, $str', 'throw new Exception("HTML Parse Error: ".$str);'), E_ALL);
+			set_error_handler(function($no, $str) {
+                throw new Exception("HTML Parse Error: " . $str);
+            }, E_ALL);
 			//  Nonbreaking spaces get converted into weird characters, so strip them
 			$value = str_replace(' ', ' ', $this->RAW());
 			try {
diff --git a/tests/forms/uploadfield/UploadFieldTest.php b/tests/forms/uploadfield/UploadFieldTest.php
index 6382574c4..a4eaf9d57 100644
--- a/tests/forms/uploadfield/UploadFieldTest.php
+++ b/tests/forms/uploadfield/UploadFieldTest.php
@@ -728,7 +728,9 @@ class UploadFieldTest extends FunctionalTest {
 		// A bit too much coupling with GridField, but a full template overload would make things too complex
 		$parser = new CSSContentParser($response->getBody());
 		$items = $parser->getBySelector('.ss-gridfield-item');
-		$itemIDs = array_map(create_function('$el', 'return (int)$el["data-id"];'), $items);
+		$itemIDs = array_map(function($el) {
+            return (int)$el["data-id"];
+        }, $items);
 		$this->assertContains($file4->ID, $itemIDs, 'Contains file in assigned folder');
 		$this->assertContains($fileSubfolder->ID, $itemIDs, 'Contains file in subfolder');
 	}
@@ -746,7 +748,9 @@ class UploadFieldTest extends FunctionalTest {
 		// A bit too much coupling with GridField, but a full template overload would make things too complex
 		$parser = new CSSContentParser($response->getBody());
 		$items = $parser->getBySelector('.ss-gridfield-item');
-		$itemIDs = array_map(create_function('$el', 'return (int)$el["data-id"];'), $items);
+		$itemIDs = array_map(function($el) {
+		    return (int)$el["data-id"];
+        }, $items);
 		$this->assertContains($file4->ID, $itemIDs, 'Contains file in assigned folder');
 		$this->assertNotContains($fileSubfolder->ID, $itemIDs, 'Does not contain file in subfolder');
 	}
diff --git a/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php b/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
index a88cbb3d9..8dd7ac289 100644
--- a/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
+++ b/thirdparty/zend_translate_railsyaml/library/Translate/Adapter/thirdparty/sfYaml/lib/sfYamlInline.php
@@ -135,7 +135,7 @@ class sfYamlInline
     if (
       (1 == count($keys) && '0' == $keys[0])
       ||
-      (count($keys) > 1 && array_reduce($keys, create_function('$v,$w', 'return (integer) $v + $w;'), 0) == count($keys) * (count($keys) - 1) / 2))
+      (count($keys) > 1 && array_reduce($keys, function($v,$w) { return (integer) $v + $w;}, 0) == count($keys) * (count($keys) - 1) / 2))
     {
       $output = array();
       foreach ($value as $val)

From 8d1a5ed8b7b35336b21f440edea0a4a917d3fc4f Mon Sep 17 00:00:00 2001
From: Daniel Hensby 
Date: Tue, 5 Dec 2017 14:19:59 +0000
Subject: [PATCH 12/24] More code style fixes

---
 admin/code/CMSBatchActionHandler.php |  7 +++++--
 admin/code/CMSMenuItem.php           |  2 +-
 admin/code/LeftAndMain.php           | 12 +++++++++++-
 admin/code/SecurityAdmin.php         |  2 +-
 api/RestfulService.php               | 14 +++++++-------
 cli-script.php                       |  2 +-
 control/CookieJar.php                |  2 +-
 forms/ListboxField.php               |  2 +-
 8 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/admin/code/CMSBatchActionHandler.php b/admin/code/CMSBatchActionHandler.php
index d69a1f086..8237be9d4 100644
--- a/admin/code/CMSBatchActionHandler.php
+++ b/admin/code/CMSBatchActionHandler.php
@@ -23,10 +23,13 @@ class CMSBatchActionHandler extends RequestHandler {
 		'handleConfirmation',
 	);
 
+    /**
+     * @var Controller
+     */
 	protected $parentController;
 
 	/**
-	 * @var String
+	 * @var string
 	 */
 	protected $urlSegment;
 
@@ -38,7 +41,7 @@ class CMSBatchActionHandler extends RequestHandler {
 	protected $recordClass = 'SiteTree';
 
 	/**
-	 * @param string $parentController
+	 * @param Controller $parentController
 	 * @param string $urlSegment
 	 * @param string $recordClass
 	 */
diff --git a/admin/code/CMSMenuItem.php b/admin/code/CMSMenuItem.php
index b6efce7c3..1eb59a26d 100644
--- a/admin/code/CMSMenuItem.php
+++ b/admin/code/CMSMenuItem.php
@@ -41,7 +41,7 @@ class CMSMenuItem extends Object {
 	 * Attributes for the link. For instance, custom data attributes or standard
 	 * HTML anchor properties.
 	 *
-	 * @var string
+	 * @var array
 	 */
 	protected $attributes = array();
 
diff --git a/admin/code/LeftAndMain.php b/admin/code/LeftAndMain.php
index 03c077d06..d8915869d 100644
--- a/admin/code/LeftAndMain.php
+++ b/admin/code/LeftAndMain.php
@@ -398,7 +398,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
 		Requirements::css(FRAMEWORK_DIR . '/css/GridField.css');
 
 		// Browser-specific requirements
-		$ie = isset($_SERVER['HTTP_USER_AGENT']) ? strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') : false;
+		$ie = isset($_SERVER['HTTP_USER_AGENT']) ? strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false : false;
 		if($ie) {
 			$version = substr($_SERVER['HTTP_USER_AGENT'], $ie + 5, 3);
 
@@ -1838,6 +1838,16 @@ class LeftAndMainMarkingFilter {
 	 */
 	protected $params = array();
 
+    /**
+     * @var array
+     */
+	public $ids = array();
+
+    /**
+     * @var array
+     */
+	public $expanded = array();
+
 	/**
 	 * @param array $params Request params (unsanitized)
 	 */
diff --git a/admin/code/SecurityAdmin.php b/admin/code/SecurityAdmin.php
index dd57b0c3b..ccdc42ef5 100755
--- a/admin/code/SecurityAdmin.php
+++ b/admin/code/SecurityAdmin.php
@@ -171,7 +171,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 			$groupsTab->addExtraClass('ui-state-active');
 		} elseif($actionParam == 'users') {
 			$usersTab->addExtraClass('ui-state-active');
-		} elseif($actionParam == 'roles') {
+		} elseif($actionParam == 'roles' && isset($rolesTab)) {
 			$rolesTab->addExtraClass('ui-state-active');
 		}
 
diff --git a/api/RestfulService.php b/api/RestfulService.php
index 38797ce44..ee51b3aa5 100644
--- a/api/RestfulService.php
+++ b/api/RestfulService.php
@@ -420,7 +420,7 @@ class RestfulService extends ViewableData implements Flushable {
 		if($element)
 			$childElements = $xml->{$collection}->{$element};
 
-		if($childElements){
+		if(isset($childElements) && $childElements){
 			foreach($childElements as $child){
 				$data = array();
 				foreach($child->attributes() as $key => $value){
@@ -450,7 +450,7 @@ class RestfulService extends ViewableData implements Flushable {
 		if($element)
 			$childElements = $xml->{$collection}->{$element};
 
-		if($childElements)
+		if(isset($childElements[$attr]))
 			$attr_value = (string) $childElements[$attr];
 
 		return Convert::raw2xml($attr_value);
@@ -476,7 +476,7 @@ class RestfulService extends ViewableData implements Flushable {
 		if($element)
 			$childElements = $xml->{$collection}->{$element};
 
-		if($childElements){
+		if(isset($childElements) && $childElements){
 			foreach($childElements as $child){
 				$data = array();
 				$this->getRecurseValues($child,$data);
@@ -525,7 +525,7 @@ class RestfulService extends ViewableData implements Flushable {
 		if($element)
 			$childElements = $xml->{$collection}->{$element};
 
-		if($childElements)
+		if(isset($childElements) && $childElements)
 			return Convert::raw2xml($childElements);
 	}
 
@@ -575,7 +575,7 @@ class RestfulService_Response extends SS_HTTPResponse {
 	protected $simpleXML;
 
 	/**
-	 * @var boolean It should be populated with cached request
+	 * @var RestfulService_Response|false It should be populated with cached request
 	 * when a request referring to this response was unsuccessful
 	 */
 	protected $cachedResponse = false;
@@ -602,14 +602,14 @@ class RestfulService_Response extends SS_HTTPResponse {
 	 * get the cached response object. This allows you to access the cached
 	 * eaders, not just the cached body.
 	 *
-	 * @return RestfulSerivice_Response The cached response object
+	 * @return RestfulService_Response|false The cached response object
 	 */
 	public function getCachedResponse() {
 		return $this->cachedResponse;
 	}
 
 	/**
-	 * @return string
+	 * @return string|false
 	 */
 	public function getCachedBody() {
 		if ($this->cachedResponse) {
diff --git a/cli-script.php b/cli-script.php
index 48a87b38d..a25079c88 100755
--- a/cli-script.php
+++ b/cli-script.php
@@ -41,7 +41,7 @@ if(isset($_SERVER['argv'][2])) {
 	if(!isset($_GET)) $_GET = array();
 	if(!isset($_REQUEST)) $_REQUEST = array();
 	foreach($args as $arg) {
-		if(strpos($arg,'=') == false) {
+		if(strpos($arg,'=') === false) {
 			$_GET['args'][] = $arg;
 		} else {
 			$newItems = array();
diff --git a/control/CookieJar.php b/control/CookieJar.php
index 2b2a80c58..9f328f12e 100644
--- a/control/CookieJar.php
+++ b/control/CookieJar.php
@@ -144,7 +144,7 @@ class CookieJar implements Cookie_Backend {
 	 * @see http://uk3.php.net/manual/en/function.setcookie.php
 	 *
 	 * @param string $name The name of the cookie
-	 * @param string|array $value The value for the cookie to hold
+	 * @param string|array|false $value The value for the cookie to hold
 	 * @param int $expiry The number of days until expiry
 	 * @param string $path The path to save the cookie on (falls back to site base)
 	 * @param string $domain The domain to make the cookie available on
diff --git a/forms/ListboxField.php b/forms/ListboxField.php
index 335af9737..f88ec4933 100644
--- a/forms/ListboxField.php
+++ b/forms/ListboxField.php
@@ -139,7 +139,7 @@ class ListboxField extends DropdownField {
 			function($key) {
 			    return strpos($key, ",") !== FALSE;
 			});
-			if($hasCommas) {
+			if(!empty($hasCommas)) {
 				throw new InvalidArgumentException('No commas allowed in $source keys');
 			}
 		}

From 5f7f1ea150911765d5d5830b3b45591fde351a8d Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Wed, 6 Dec 2017 16:23:43 +1300
Subject: [PATCH 13/24] Added 3.5.6-rc1 changelog

---
 docs/en/04_Changelogs/rc/3.5.6-rc1.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 docs/en/04_Changelogs/rc/3.5.6-rc1.md

diff --git a/docs/en/04_Changelogs/rc/3.5.6-rc1.md b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
new file mode 100644
index 000000000..4bb118918
--- /dev/null
+++ b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
@@ -0,0 +1,25 @@
+# 3.5.6-rc1
+
+
+
+## Change Log
+
+### Bugfixes
+
+ * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-24 [09a003bc1]() deprecated usage of getMock in unit tests (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d]() Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-16 [dda14e895]() HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
+ * 2017-11-16 [52f0eadd3]() for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
+ * 2017-11-15 [ce3fd370f]() ManyMany link table joined with LEFT JOIN (Daniel Hensby)
+ * 2017-11-09 [1053de7ec]() Don't redirect in force_redirect() in CLI (Damian Mooyman)
+ * 2017-10-25 [cbac37559]() Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
+ * 2017-10-25 [32cef975e]() Use self::inst() for Injector/Config nest methods (Daniel Hensby)
+ * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe)
+ * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason)
+ * 2017-10-09 [264cec123]() Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
+ * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
+ * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby)
+ * 2017-08-13 [2f579b64c]() Files without extensions (folders) do not have a trailing period added (Robbie Averill)
+ * 2017-07-04 [00f1ad5d6]() Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
+ * 2016-03-20 [805c38f10]() don't try and switch out of context of the tab system (Stevie Mayhew)

From d09c2d7b03680f9a3930cd5697196e303a2c8a1a Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Wed, 6 Dec 2017 16:27:12 +1300
Subject: [PATCH 14/24] Added 3.5.6-rc1 changelog

---
 docs/en/04_Changelogs/rc/3.5.6-rc1.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/en/04_Changelogs/rc/3.5.6-rc1.md b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
index 4bb118918..765adb95c 100644
--- a/docs/en/04_Changelogs/rc/3.5.6-rc1.md
+++ b/docs/en/04_Changelogs/rc/3.5.6-rc1.md
@@ -4,6 +4,12 @@
 
 ## Change Log
 
+### Security
+
+ * 2017-11-30 [6ba00e829]() Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [25e276cf3]() user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f]() Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+
 ### Bugfixes
 
  * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby)

From 8537dd56dd622fc13fc949cc23c43e3c4f76bd89 Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Wed, 6 Dec 2017 18:11:03 +1300
Subject: [PATCH 15/24] Added 3.6.3-rc2 changelog

---
 docs/en/04_Changelogs/rc/3.6.3-rc2.md | 34 +++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 docs/en/04_Changelogs/rc/3.6.3-rc2.md

diff --git a/docs/en/04_Changelogs/rc/3.6.3-rc2.md b/docs/en/04_Changelogs/rc/3.6.3-rc2.md
new file mode 100644
index 000000000..8889b2951
--- /dev/null
+++ b/docs/en/04_Changelogs/rc/3.6.3-rc2.md
@@ -0,0 +1,34 @@
+# 3.6.3-rc2
+
+
+
+## Change Log
+
+### Security
+
+ * 2017-11-30 [6ba00e829]() Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [db54112f3]() user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f]() Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+ * 2017-11-21 [0f2049d4d]() SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008)
+
+### Bugfixes
+
+ * 2017-12-05 [8477de15](https://github.com/silverstripe/silverstripe-siteconfig/commit/8477de15203c4c80ca55365200fa3c7c031d70d8) Remove unused Behat tests from 3.6 branch (Robbie Averill)
+ * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-24 [09a003bc1]() deprecated usage of getMock in unit tests (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d]() Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-22 [ef6d86f2c]() Allow lowercase and uppercase delcaration of legacy Int class (Daniel Hensby)
+ * 2017-11-16 [dda14e895]() HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
+ * 2017-11-16 [52f0eadd3]() for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
+ * 2017-11-15 [ce3fd370f]() ManyMany link table joined with LEFT JOIN (Daniel Hensby)
+ * 2017-11-09 [1053de7ec]() Don't redirect in force_redirect() in CLI (Damian Mooyman)
+ * 2017-10-25 [cbac37559]() Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
+ * 2017-10-25 [32cef975e]() Use self::inst() for Injector/Config nest methods (Daniel Hensby)
+ * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe)
+ * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason)
+ * 2017-10-09 [264cec123]() Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
+ * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
+ * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby)
+ * 2017-08-13 [2f579b64c]() Files without extensions (folders) do not have a trailing period added (Robbie Averill)
+ * 2017-07-04 [00f1ad5d6]() Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
+ * 2016-03-20 [805c38f10]() don't try and switch out of context of the tab system (Stevie Mayhew)

From b6a7e474411991eeafc2c4b37f100fc9c252099c Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Thu, 7 Dec 2017 13:27:17 +1300
Subject: [PATCH 16/24] Added 3.5.6 changelog

---
 docs/en/04_Changelogs/3.5.6.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 docs/en/04_Changelogs/3.5.6.md

diff --git a/docs/en/04_Changelogs/3.5.6.md b/docs/en/04_Changelogs/3.5.6.md
new file mode 100644
index 000000000..ad6d2bf17
--- /dev/null
+++ b/docs/en/04_Changelogs/3.5.6.md
@@ -0,0 +1,32 @@
+# 3.5.6
+
+
+
+## Change Log
+
+### Security
+
+ * 2017-11-30 [6ba00e829](https://github.com/silverstripe/silverstripe-framework/commit/6ba00e829a9fb360dfe5cb0bc3d4544016c82357) Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [25e276cf3](https://github.com/silverstripe/silverstripe-framework/commit/25e276cf3784dc1ab3a38252192ccd61f9d63121) user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f](https://github.com/silverstripe/silverstripe-framework/commit/22ccf3e2f9092f51e7f7288ce108598c6f17b49c) Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+ * 2017-11-21 [0f2049d4d](https://github.com/silverstripe/silverstripe-framework/commit/0f2049d4d466e05f5d7f07fc63580836de8c6bff) SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008)
+
+### Bugfixes
+
+ * 2017-11-30 [84d7afb34](https://github.com/silverstripe/silverstripe-framework/commit/84d7afb3477885e9d69f2ac10838179efc1d3b91) Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-24 [09a003bc1](https://github.com/silverstripe/silverstripe-framework/commit/09a003bc13390359fa717a4256f9278303d59544) deprecated usage of getMock in unit tests (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d](https://github.com/silverstripe/silverstripe-framework/commit/2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0) Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-16 [dda14e895](https://github.com/silverstripe/silverstripe-framework/commit/dda14e89596a0de0b70eace27f7015bc0bb40669) HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
+ * 2017-11-16 [52f0eadd3](https://github.com/silverstripe/silverstripe-framework/commit/52f0eadd3b1ad37806a95b6dd05427add3166cc5) for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
+ * 2017-11-15 [ce3fd370f](https://github.com/silverstripe/silverstripe-framework/commit/ce3fd370fb07ffc18742323b0dd99f30cf28cf14) ManyMany link table joined with LEFT JOIN (Daniel Hensby)
+ * 2017-11-09 [1053de7ec](https://github.com/silverstripe/silverstripe-framework/commit/1053de7ec39d1a2ce6826ea2db8f55114755098d) Don't redirect in force_redirect() in CLI (Damian Mooyman)
+ * 2017-10-25 [cbac37559](https://github.com/silverstripe/silverstripe-framework/commit/cbac3755909bc5d72d923b07747fd6a98e2215dc) Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
+ * 2017-10-25 [32cef975e](https://github.com/silverstripe/silverstripe-framework/commit/32cef975ef6c816d8b5bc953cffbd18492686281) Use self::inst() for Injector/Config nest methods (Daniel Hensby)
+ * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe)
+ * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason)
+ * 2017-10-09 [264cec123](https://github.com/silverstripe/silverstripe-framework/commit/264cec1239ee8d75e67c5402970a91cf58e50539) Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
+ * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
+ * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby)
+ * 2017-08-13 [2f579b64c](https://github.com/silverstripe/silverstripe-framework/commit/2f579b64cb9cb8986489e312b253dba5061e304b) Files without extensions (folders) do not have a trailing period added (Robbie Averill)
+ * 2017-07-04 [00f1ad5d6](https://github.com/silverstripe/silverstripe-framework/commit/00f1ad5d692f0a44b58bb216e5378e51dc96243d) Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
+ * 2016-03-20 [805c38f10](https://github.com/silverstripe/silverstripe-framework/commit/805c38f107e7e332d2846407e0a89cade1d33ed1) don't try and switch out of context of the tab system (Stevie Mayhew)

From bf74e8347aca858f6400d0c74b0fa13092effac2 Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Thu, 7 Dec 2017 13:35:49 +1300
Subject: [PATCH 17/24] Added 3.6.3 changelog

---
 docs/en/04_Changelogs/3.6.3.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 docs/en/04_Changelogs/3.6.3.md

diff --git a/docs/en/04_Changelogs/3.6.3.md b/docs/en/04_Changelogs/3.6.3.md
new file mode 100644
index 000000000..2e28aa093
--- /dev/null
+++ b/docs/en/04_Changelogs/3.6.3.md
@@ -0,0 +1,34 @@
+# 3.6.3
+
+
+
+## Change Log
+
+### Security
+
+ * 2017-11-30 [6ba00e829](https://github.com/silverstripe/silverstripe-framework/commit/6ba00e829a9fb360dfe5cb0bc3d4544016c82357) Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009)
+ * 2017-11-30 [db54112f3](https://github.com/silverstripe/silverstripe-framework/commit/db54112f3cca012e33257c782dffd7154bf663a5) user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006)
+ * 2017-11-29 [22ccf3e2f](https://github.com/silverstripe/silverstripe-framework/commit/22ccf3e2f9092f51e7f7288ce108598c6f17b49c) Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007)
+ * 2017-11-21 [0f2049d4d](https://github.com/silverstripe/silverstripe-framework/commit/0f2049d4d466e05f5d7f07fc63580836de8c6bff) SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008)
+
+### Bugfixes
+
+ * 2017-12-05 [8477de15](https://github.com/silverstripe/silverstripe-siteconfig/commit/8477de15203c4c80ca55365200fa3c7c031d70d8) Remove unused Behat tests from 3.6 branch (Robbie Averill)
+ * 2017-11-30 [84d7afb34](https://github.com/silverstripe/silverstripe-framework/commit/84d7afb3477885e9d69f2ac10838179efc1d3b91) Use baseDataClass for allVersions as with other methods (Daniel Hensby)
+ * 2017-11-24 [09a003bc1](https://github.com/silverstripe/silverstripe-framework/commit/09a003bc13390359fa717a4256f9278303d59544) deprecated usage of getMock in unit tests (Daniel Hensby)
+ * 2017-11-23 [2ad3cc07d](https://github.com/silverstripe/silverstripe-framework/commit/2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0) Update meber passwordencryption to default on password change (Daniel Hensby)
+ * 2017-11-22 [ef6d86f2c](https://github.com/silverstripe/silverstripe-framework/commit/ef6d86f2c695d319f9c07ccd9f4d93e83263e356) Allow lowercase and uppercase delcaration of legacy Int class (Daniel Hensby)
+ * 2017-11-16 [dda14e895](https://github.com/silverstripe/silverstripe-framework/commit/dda14e89596a0de0b70eace27f7015bc0bb40669) HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
+ * 2017-11-16 [52f0eadd3](https://github.com/silverstripe/silverstripe-framework/commit/52f0eadd3b1ad37806a95b6dd05427add3166cc5) for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
+ * 2017-11-15 [ce3fd370f](https://github.com/silverstripe/silverstripe-framework/commit/ce3fd370fb07ffc18742323b0dd99f30cf28cf14) ManyMany link table joined with LEFT JOIN (Daniel Hensby)
+ * 2017-11-09 [1053de7ec](https://github.com/silverstripe/silverstripe-framework/commit/1053de7ec39d1a2ce6826ea2db8f55114755098d) Don't redirect in force_redirect() in CLI (Damian Mooyman)
+ * 2017-10-25 [cbac37559](https://github.com/silverstripe/silverstripe-framework/commit/cbac3755909bc5d72d923b07747fd6a98e2215dc) Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
+ * 2017-10-25 [32cef975e](https://github.com/silverstripe/silverstripe-framework/commit/32cef975ef6c816d8b5bc953cffbd18492686281) Use self::inst() for Injector/Config nest methods (Daniel Hensby)
+ * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe)
+ * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason)
+ * 2017-10-09 [264cec123](https://github.com/silverstripe/silverstripe-framework/commit/264cec1239ee8d75e67c5402970a91cf58e50539) Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
+ * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
+ * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby)
+ * 2017-08-13 [2f579b64c](https://github.com/silverstripe/silverstripe-framework/commit/2f579b64cb9cb8986489e312b253dba5061e304b) Files without extensions (folders) do not have a trailing period added (Robbie Averill)
+ * 2017-07-04 [00f1ad5d6](https://github.com/silverstripe/silverstripe-framework/commit/00f1ad5d692f0a44b58bb216e5378e51dc96243d) Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
+ * 2016-03-20 [805c38f10](https://github.com/silverstripe/silverstripe-framework/commit/805c38f107e7e332d2846407e0a89cade1d33ed1) don't try and switch out of context of the tab system (Stevie Mayhew)

From 052f11a4277146e9b4d50d704dbc60ea689fee5f Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Fri, 8 Dec 2017 11:52:48 +1300
Subject: [PATCH 18/24] Remove merge artifact

---
 security/Member.php.orig | 2045 --------------------------------------
 1 file changed, 2045 deletions(-)
 delete mode 100644 security/Member.php.orig

diff --git a/security/Member.php.orig b/security/Member.php.orig
deleted file mode 100644
index 10cb8a632..000000000
--- a/security/Member.php.orig
+++ /dev/null
@@ -1,2045 +0,0 @@
- 'Varchar',
-		'Surname' => 'Varchar',
-		'Email' => 'Varchar(254)', // See RFC 5321, Section 4.5.3.1.3. (256 minus the < and > character)
-		'TempIDHash' => 'Varchar(160)', // Temporary id used for cms re-authentication
-		'TempIDExpired' => 'SS_Datetime', // Expiry of temp login
-		'Password' => 'Varchar(160)',
-		'RememberLoginToken' => 'Varchar(160)', // Note: this currently holds a hash, not a token.
-		'NumVisit' => 'Int', // @deprecated 4.0
-		'LastVisited' => 'SS_Datetime', // @deprecated 4.0
-		'AutoLoginHash' => 'Varchar(160)', // Used to auto-login the user on password reset
-		'AutoLoginExpired' => 'SS_Datetime',
-		// This is an arbitrary code pointing to a PasswordEncryptor instance,
-		// not an actual encryption algorithm.
-		// Warning: Never change this field after its the first password hashing without
-		// providing a new cleartext password as well.
-		'PasswordEncryption' => "Varchar(50)",
-		'Salt' => 'Varchar(50)',
-		'PasswordExpiry' => 'Date',
-		'LockedOutUntil' => 'SS_Datetime',
-		'Locale' => 'Varchar(6)',
-		// handled in registerFailedLogin(), only used if $lock_out_after_incorrect_logins is set
-		'FailedLoginCount' => 'Int',
-		// In ISO format
-		'DateFormat' => 'Varchar(30)',
-		'TimeFormat' => 'Varchar(30)',
-	);
-
-	private static $belongs_many_many = array(
-		'Groups' => 'Group',
-	);
-
-	private static $has_one = array();
-
-	private static $has_many = array(
-		'LoggedPasswords' => 'MemberPassword',
-	);
-
-	private static $many_many = array();
-
-	private static $many_many_extraFields = array();
-
-	private static $default_sort = '"Surname", "FirstName"';
-
-	private static $indexes = array(
-		'Email' => true,
-		//Removed due to duplicate null values causing MSSQL problems
-		//'AutoLoginHash' => Array('type'=>'unique', 'value'=>'AutoLoginHash', 'ignoreNulls'=>true)
-	);
-
-	/**
-	 * @config
-	 * @var boolean
-	 */
-	private static $notify_password_change = false;
-
-	/**
-	 * Flag whether or not member visits should be logged (count only)
-	 *
-	 * @deprecated 4.0
-	 * @var bool
-	 * @config
-	 */
-	private static $log_last_visited = true;
-
-	/**
-	 * Flag whether we should count number of visits
-	 *
-	 * @deprecated 4.0
-	 * @var bool
-	 * @config
-	 */
-	private static $log_num_visits = true;
-
-	/**
-	 * All searchable database columns
-	 * in this object, currently queried
-	 * with a "column LIKE '%keywords%'
-	 * statement.
-	 *
-	 * @var array
-	 * @todo Generic implementation of $searchable_fields on DataObject,
-	 * with definition for different searching algorithms
-	 * (LIKE, FULLTEXT) and default FormFields to construct a searchform.
-	 */
-	private static $searchable_fields = array(
-		'FirstName',
-		'Surname',
-		'Email',
-	);
-
-	/**
-	 * @config
-	 * @var array
-	 */
-	private static $summary_fields = array(
-		'FirstName',
-		'Surname',
-		'Email',
-	);
-
-	/**
-	 * @config
-	 * @var array
-	 */
-	private static $casting = array(
-		'Name' => 'Varchar',
-	);
-
-	/**
-	 * Internal-use only fields
-	 *
-	 * @config
-	 * @var array
-	 */
-	private static $hidden_fields = array(
-		'RememberLoginToken',
-		'AutoLoginHash',
-		'AutoLoginExpired',
-		'PasswordEncryption',
-		'PasswordExpiry',
-		'LockedOutUntil',
-		'TempIDHash',
-		'TempIDExpired',
-		'Salt',
-		'NumVisit', // @deprecated 4.0
-	);
-
-	/**
-	 * @config
-	 * @var Array See {@link set_title_columns()}
-	 */
-	private static $title_format = null;
-
-	/**
-	 * The unique field used to identify this member.
-	 * By default, it's "Email", but another common
-	 * field could be Username.
-	 *
-	 * @config
-	 * @var string
-	 */
-	private static $unique_identifier_field = 'Email';
-
-	/**
-	 * @config
-	 * {@link PasswordValidator} object for validating user's password
-	 */
-	private static $password_validator = null;
-
-	/**
-	 * @config
-	 * The number of days that a password should be valid for.
-	 * By default, this is null, which means that passwords never expire
-	 */
-	private static $password_expiry_days = null;
-
-	/**
-	 * @config
-	 * @var Int Number of incorrect logins after which
-	 * the user is blocked from further attempts for the timespan
-	 * defined in {@link $lock_out_delay_mins}.
-	 */
-	private static $lock_out_after_incorrect_logins = 10;
-
-	/**
-	 * @config
-	 * @var integer Minutes of enforced lockout after incorrect password attempts.
-	 * Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
-	 */
-	private static $lock_out_delay_mins = 15;
-
-	/**
-	 * @config
-	 * @var String If this is set, then a session cookie with the given name will be set on log-in,
-	 * and cleared on logout.
-	 */
-	private static $login_marker_cookie = null;
-
-	/**
-	 * Indicates that when a {@link Member} logs in, Member:session_regenerate_id()
-	 * should be called as a security precaution.
-	 *
-	 * This doesn't always work, especially if you're trying to set session cookies
-	 * across an entire site using the domain parameter to session_set_cookie_params()
-	 *
-	 * @config
-	 * @var boolean
-	 */
-	private static $session_regenerate_id = true;
-
-
-	/**
-	 * Default lifetime of temporary ids.
-	 *
-	 * This is the period within which a user can be re-authenticated within the CMS by entering only their password
-	 * and without losing their workspace.
-	 *
-	 * Any session expiration outside of this time will require them to login from the frontend using their full
-	 * username and password.
-	 *
-	 * Defaults to 72 hours. Set to zero to disable expiration.
-	 *
-	 * @config
-	 * @var int Lifetime in seconds
-	 */
-	private static $temp_id_lifetime = 259200;
-
-	/**
-	 * @deprecated 4.0 Use the "Member.session_regenerate_id" config setting instead
-	 */
-	public static function set_session_regenerate_id($bool) {
-		Deprecation::notice('4.0', 'Use the "Member.session_regenerate_id" config setting instead');
-		self::config()->session_regenerate_id = $bool;
-	}
-
-	/**
-	 * Ensure the locale is set to something sensible by default.
-	 */
-	public function populateDefaults() {
-		parent::populateDefaults();
-		$this->Locale = i18n::get_closest_translation(i18n::get_locale());
-	}
-
-	public function requireDefaultRecords() {
-		parent::requireDefaultRecords();
-		// Default groups should've been built by Group->requireDefaultRecords() already
-		static::default_admin();
-	}
-
-	/**
-	 * Get the default admin record if it exists, or creates it otherwise if enabled
-	 *
-	 * @return Member
-	 */
-	public static function default_admin() {
-		// Check if set
-		if(!Security::has_default_admin()) return null;
-
-		// Find or create ADMIN group
-		singleton('Group')->requireDefaultRecords();
-		$adminGroup = Permission::get_groups_by_permission('ADMIN')->First();
-
-		// Find member
-		$admin = Member::get()
-			->filter('Email', Security::default_admin_username())
-			->first();
-		if(!$admin) {
-			// 'Password' is not set to avoid creating
-			// persistent logins in the database. See Security::setDefaultAdmin().
-			// Set 'Email' to identify this as the default admin
-			$admin = Member::create();
-			$admin->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
-			$admin->Email = Security::default_admin_username();
-			$admin->write();
-		}
-
-		// Ensure this user is in the admin group
-		if(!$admin->inGroup($adminGroup)) {
-			// Add member to group instead of adding group to member
-			// This bypasses the privilege escallation code in Member_GroupSet
-			$adminGroup
-				->DirectMembers()
-				->add($admin);
-		}
-
-		return $admin;
-	}
-
-	/**
-	 * If this is called, then a session cookie will be set to "1" whenever a user
-	 * logs in.  This lets 3rd party tools, such as apache's mod_rewrite, detect
-	 * whether a user is logged in or not and alter behaviour accordingly.
-	 *
-	 * One known use of this is to bypass static caching for logged in users.  This is
-	 * done by putting this into _config.php
-	 * 
-	 * Member::set_login_marker_cookie("SS_LOGGED_IN");
-	 * 

-	 *
-	 * And then adding this condition to each of the rewrite rules that make use of
-	 * the static cache.
-	 * 
-	 * RewriteCond %{HTTP_COOKIE} !SS_LOGGED_IN=1
-	 * 

-	 *
-	 * @deprecated 4.0 Use the "Member.login_marker_cookie" config setting instead
-	 * @param $cookieName string The name of the cookie to set.
-	 */
-	public static function set_login_marker_cookie($cookieName) {
-		Deprecation::notice('4.0', 'Use the "Member.login_marker_cookie" config setting instead');
-		self::config()->login_marker_cookie = $cookieName;
-	}
-
-	/**
-	 * Check if the passed password matches the stored one (if the member is not locked out).
-	 *
-	 * @param string $password
-	 * @return ValidationResult
-	 */
-	public function checkPassword($password) {
-		$result = $this->canLogIn();
-
-		// Short-circuit the result upon failure, no further checks needed.
-		if (!$result->valid()) {
-			return $result;
-		}
-
-		// Allow default admin to login as self
-		if($this->isDefaultAdmin() && Security::check_default_admin($this->Email, $password)) {
-			return $result;
-		}
-
-		// Check a password is set on this member
-		if(empty($this->Password) && $this->exists()) {
-			$result->error(_t('Member.NoPassword','There is no password on this member.'));
-			return $result;
-		}
-
-		$e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
-		if(!$e->check($this->Password, $password, $this->Salt, $this)) {
-			$result->error(_t (
-				'Member.ERRORWRONGCRED',
-				'The provided details don\'t seem to be correct. Please try again.'
-			));
-		}
-
-		return $result;
-	}
-
-	/**
-	 * Check if this user is the currently configured default admin
-	 *
-	 * @return bool
-	 */
-	public function isDefaultAdmin() {
-		return Security::has_default_admin()
-			&& $this->Email === Security::default_admin_username();
-	}
-
-	/**
-	 * Returns a valid {@link ValidationResult} if this member can currently log in, or an invalid
-	 * one with error messages to display if the member is locked out.
-	 *
-	 * You can hook into this with a "canLogIn" method on an attached extension.
-	 *
-	 * @return ValidationResult
-	 */
-	public function canLogIn() {
-		$result = ValidationResult::create();
-
-		if($this->isLockedOut()) {
-			$result->error(
-				_t(
-					'Member.ERRORLOCKEDOUT2',
-					'Your account has been temporarily disabled because of too many failed attempts at ' .
-					'logging in. Please try again in {count} minutes.',
-					null,
-					array('count' => $this->config()->lock_out_delay_mins)
-				)
-			);
-		}
-
-		$this->extend('canLogIn', $result);
-		return $result;
-	}
-
-	/**
-	 * Returns true if this user is locked out
-	 */
-	public function isLockedOut() {
-		$state = true;
-		if ($this->LockedOutUntil && $this->dbObject('LockedOutUntil')->InFuture()) {
-			$state = true;
-		} elseif ($this->config()->lock_out_after_incorrect_logins <= 0) {
-			$state = false;
-		} else {
-
-<<<<<<< HEAD
-			$attempts = LoginAttempt::get()->filter($filter = array(
-				'Email' => $this->{static::config()->unique_identifier_field},
-			))->sort('Created', 'DESC')->limit($this->config()->lock_out_after_incorrect_logins);
-=======
-		$email = $this->{static::config()->unique_identifier_field};
-		$attempts = LoginAttempt::getByEmail($email)
-			->sort('Created', 'DESC')
-			->limit($this->config()->lock_out_after_incorrect_logins);
->>>>>>> silverstripe-security/3.5
-
-			if ($attempts->count() < $this->config()->lock_out_after_incorrect_logins) {
-				$state = false;
-			} else {
-
-				$success = false;
-				foreach ($attempts as $attempt) {
-					if ($attempt->Status === 'Success') {
-						$success = true;
-						$state = false;
-						break;
-					}
-				}
-
-				if (!$success) {
-					$lockedOutUntil = $attempts->first()->dbObject('Created')->Format('U')
-					                  + ($this->config()->lock_out_delay_mins * 60);
-					if (SS_Datetime::now()->Format('U') < $lockedOutUntil) {
-						$state = true;
-					} else {
-						$state = false;
-					}
-				}
-			}
-		}
-
-		$this->extend('updateIsLockedOut', $state);
-		return $state;
-	}
-
-	/**
-	 * Regenerate the session_id.
-	 * This wrapper is here to make it easier to disable calls to session_regenerate_id(), should you need to.
-	 * They have caused problems in certain
-	 * quirky problems (such as using the Windmill 0.3.6 proxy).
-	 */
-	public static function session_regenerate_id() {
-		if(!self::config()->session_regenerate_id) return;
-
-		// This can be called via CLI during testing.
-		if(Director::is_cli()) return;
-
-		$file = '';
-		$line = '';
-
-		// @ is to supress win32 warnings/notices when session wasn't cleaned up properly
-		// There's nothing we can do about this, because it's an operating system function!
-		if(!headers_sent($file, $line)) @session_regenerate_id(true);
-	}
-
-	/**
-	 * Get the field used for uniquely identifying a member
-	 * in the database. {@see Member::$unique_identifier_field}
-	 *
-	 * @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
-	 * @return string
-	 */
-	public static function get_unique_identifier_field() {
-		Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
-		return Member::config()->unique_identifier_field;
-	}
-
-	/**
-	 * Set the field used for uniquely identifying a member
-	 * in the database. {@see Member::$unique_identifier_field}
-	 *
-	 * @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
-	 * @param $field The field name to set as the unique field
-	 */
-	public static function set_unique_identifier_field($field) {
-		Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
-		Member::config()->unique_identifier_field = $field;
-	}
-
-	/**
-	 * Set a {@link PasswordValidator} object to use to validate member's passwords.
-	 */
-	public static function set_password_validator($pv) {
-		self::$password_validator = $pv;
-	}
-
-	/**
-	 * Returns the current {@link PasswordValidator}
-	 */
-	public static function password_validator() {
-		return self::$password_validator;
-	}
-
-	/**
-	 * Set the number of days that a password should be valid for.
-	 * Set to null (the default) to have passwords never expire.
-	 *
-	 * @deprecated 4.0 Use the "Member.password_expiry_days" config setting instead
-	 */
-	public static function set_password_expiry($days) {
-		Deprecation::notice('4.0', 'Use the "Member.password_expiry_days" config setting instead');
-		self::config()->password_expiry_days = $days;
-	}
-
-	/**
-	 * Configure the security system to lock users out after this many incorrect logins
-	 *
-	 * @deprecated 4.0 Use the "Member.lock_out_after_incorrect_logins" config setting instead
-	 */
-	public static function lock_out_after_incorrect_logins($numLogins) {
-		Deprecation::notice('4.0', 'Use the "Member.lock_out_after_incorrect_logins" config setting instead');
-		self::config()->lock_out_after_incorrect_logins = $numLogins;
-	}
-
-
-	public function isPasswordExpired() {
-		if(!$this->PasswordExpiry) return false;
-		return strtotime(date('Y-m-d')) >= strtotime($this->PasswordExpiry);
-	}
-
-	/**
-	 * Logs this member in
-	 *
-	 * @param bool $remember If set to TRUE, the member will be logged in automatically the next time.
-	 */
-	public function logIn($remember = false) {
-		$this->extend('beforeMemberLoggedIn');
-
-		self::session_regenerate_id();
-
-		Session::set("loggedInAs", $this->ID);
-		// This lets apache rules detect whether the user has logged in
-		if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, 1, 0);
-
-		$this->addVisit();
-
-		// Only set the cookie if autologin is enabled
-		if($remember && Security::config()->autologin_enabled) {
-			// Store the hash and give the client the cookie with the token.
-			$generator = new RandomGenerator();
-			$token = $generator->randomToken('sha1');
-			$hash = $this->encryptWithUserSettings($token);
-			$this->RememberLoginToken = $hash;
-			Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
-		} else {
-			$this->RememberLoginToken = null;
-			Cookie::force_expiry('alc_enc');
-		}
-
-		// Clear the incorrect log-in count
-		$this->registerSuccessfulLogin();
-
-		// Don't set column if its not built yet (the login might be precursor to a /dev/build...)
-		if(array_key_exists('LockedOutUntil', DB::field_list('Member'))) {
-			$this->LockedOutUntil = null;
-		}
-
-		$this->regenerateTempID();
-
-		$this->write();
-
-		// Audit logging hook
-		$this->extend('memberLoggedIn');
-	}
-
-	/**
-	 * @deprecated 4.0
-	 */
-	public function addVisit() {
-		if($this->config()->log_num_visits) {
-			Deprecation::notice(
-				'4.0',
-				'Member::$NumVisit is deprecated. From 4.0 onwards you should implement this as a custom extension'
-			);
-			$this->NumVisit++;
-		}
-	}
-
-	/**
-	 * Trigger regeneration of TempID.
-	 *
-	 * This should be performed any time the user presents their normal identification (normally Email)
-	 * and is successfully authenticated.
-	 */
-	public function regenerateTempID() {
-		$generator = new RandomGenerator();
-		$this->TempIDHash = $generator->randomToken('sha1');
-		$this->TempIDExpired = self::config()->temp_id_lifetime
-			? date('Y-m-d H:i:s', strtotime(SS_Datetime::now()->getValue()) + self::config()->temp_id_lifetime)
-			: null;
-		$this->write();
-	}
-
-	/**
-	 * Check if the member ID logged in session actually
-	 * has a database record of the same ID. If there is
-	 * no logged in user, FALSE is returned anyway.
-	 *
-	 * @return boolean TRUE record found FALSE no record found
-	 */
-	public static function logged_in_session_exists() {
-		if($id = Member::currentUserID()) {
-			if($member = DataObject::get_by_id('Member', $id)) {
-				if($member->exists()) return true;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * Log the user in if the "remember login" cookie is set
-	 *
-	 * The remember login token will be changed on every successful
-	 * auto-login.
-	 */
-	public static function autoLogin() {
-		// Don't bother trying this multiple times
-		self::$_already_tried_to_auto_log_in = true;
-
-		if(!Security::config()->autologin_enabled
-			|| strpos(Cookie::get('alc_enc'), ':') === false
-			|| Session::get("loggedInAs")
-			|| !Security::database_is_ready()
-		) {
-			return;
-		}
-
-		list($uid, $token) = explode(':', Cookie::get('alc_enc'), 2);
-
-		if (!$uid || !$token) {
-			return;
-		}
-
-		$member = DataObject::get_by_id("Member", $uid);
-
-		// check if autologin token matches
-		if($member) {
-			$hash = $member->encryptWithUserSettings($token);
-			if(!$member->RememberLoginToken || $member->RememberLoginToken !== $hash) {
-				$member = null;
-			}
-		}
-
-		if($member) {
-			self::session_regenerate_id();
-			Session::set("loggedInAs", $member->ID);
-			// This lets apache rules detect whether the user has logged in
-			if(Member::config()->login_marker_cookie) {
-				Cookie::set(Member::config()->login_marker_cookie, 1, 0, null, null, false, true);
-			}
-
-			$generator = new RandomGenerator();
-			$token = $generator->randomToken('sha1');
-			$hash = $member->encryptWithUserSettings($token);
-			$member->RememberLoginToken = $hash;
-			Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
-
-			$member->addVisit();
-			$member->write();
-
-			// Audit logging hook
-			$member->extend('memberAutoLoggedIn');
-		}
-	}
-
-	/**
-	 * Logs this member out.
-	 */
-	public function logOut() {
-		$this->extend('beforeMemberLoggedOut');
-
-		Session::clear("loggedInAs");
-		if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, null, 0);
-
-		Session::destroy();
-
-		$this->extend('memberLoggedOut');
-
-		$this->RememberLoginToken = null;
-		Cookie::force_expiry('alc_enc');
-
-		// Switch back to live in order to avoid infinite loops when
-		// redirecting to the login screen (if this login screen is versioned)
-		Session::clear('readingMode');
-
-		$this->write();
-
-		// Audit logging hook
-		$this->extend('memberLoggedOut');
-	}
-
-	/**
-	 * Utility for generating secure password hashes for this member.
-	 */
-	public function encryptWithUserSettings($string) {
-		if (!$string) return null;
-
-		// If the algorithm or salt is not available, it means we are operating
-		// on legacy account with unhashed password. Do not hash the string.
-		if (!$this->PasswordEncryption) {
-			return $string;
-		}
-
-		// We assume we have PasswordEncryption and Salt available here.
-		$e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
-		return $e->encrypt($string, $this->Salt);
-
-	}
-
-	/**
-	 * Generate an auto login token which can be used to reset the password,
-	 * at the same time hashing it and storing in the database.
-	 *
-	 * @param int $lifetime The lifetime of the auto login hash in days (by default 2 days)
-	 *
-	 * @returns string Token that should be passed to the client (but NOT persisted).
-	 *
-	 * @todo Make it possible to handle database errors such as a "duplicate key" error
-	 */
-	public function generateAutologinTokenAndStoreHash($lifetime = 2) {
-		do {
-			$generator = new RandomGenerator();
-			$token = $generator->randomToken();
-			$hash = $this->encryptWithUserSettings($token);
-		} while(DataObject::get_one('Member', array(
-			'"Member"."AutoLoginHash"' => $hash
-		)));
-
-		$this->AutoLoginHash = $hash;
-		$this->AutoLoginExpired = date('Y-m-d H:i:s', time() + (86400 * $lifetime));
-
-		$this->write();
-
-		return $token;
-	}
-
-	/**
-	 * Check the token against the member.
-	 *
-	 * @param string $autologinToken
-	 *
-	 * @returns bool Is token valid?
-	 */
-	public function validateAutoLoginToken($autologinToken) {
-		$hash = $this->encryptWithUserSettings($autologinToken);
-		$member = self::member_from_autologinhash($hash, false);
-		return (bool)$member;
-	}
-
-	/**
-	 * Return the member for the auto login hash
-	 *
-	 * @param string $hash The hash key
-	 * @param bool $login Should the member be logged in?
-	 *
-	 * @return Member the matching member, if valid
-	 * @return Member
-	 */
-	public static function member_from_autologinhash($hash, $login = false) {
-
-		$nowExpression = DB::get_conn()->now();
-		$member = DataObject::get_one('Member', array(
-			"\"Member\".\"AutoLoginHash\"" => $hash,
-			"\"Member\".\"AutoLoginExpired\" > $nowExpression" // NOW() can't be parameterised
-		));
-
-		if($login && $member) $member->logIn();
-
-		return $member;
-	}
-
-	/**
-	 * Find a member record with the given TempIDHash value
-	 *
-	 * @param string $tempid
-	 * @return Member
-	 */
-	public static function member_from_tempid($tempid) {
-		$members = Member::get()
-			->filter('TempIDHash', $tempid);
-
-		// Exclude expired
-		if(static::config()->temp_id_lifetime) {
-			$members = $members->filter('TempIDExpired:GreaterThan', SS_Datetime::now()->getValue());
-		}
-
-		return $members->first();
-	}
-
-	/**
-	 * Returns the fields for the member form - used in the registration/profile module.
-	 * It should return fields that are editable by the admin and the logged-in user.
-	 *
-	 * @return FieldList Returns a {@link FieldList} containing the fields for
-	 *                   the member form.
-	 */
-	public function getMemberFormFields() {
-		$fields = parent::getFrontendFields();
-
-		$fields->replaceField('Password', $this->getMemberPasswordField());
-
-		$fields->replaceField('Locale', new DropdownField (
-			'Locale',
-			$this->fieldLabel('Locale'),
-			i18n::get_existing_translations()
-		));
-
-		$fields->removeByName(static::config()->hidden_fields);
-		$fields->removeByName('LastVisited');
-		$fields->removeByName('FailedLoginCount');
-
-
-		$this->extend('updateMemberFormFields', $fields);
-		return $fields;
-	}
-
-	/**
-	 * Builds "Change / Create Password" field for this member
-	 *
-	 * @return ConfirmedPasswordField
-	 */
-	public function getMemberPasswordField() {
-		$editingPassword = $this->isInDB();
-		$label = $editingPassword
-			? _t('Member.EDIT_PASSWORD', 'New Password')
-			: $this->fieldLabel('Password');
-		/** @var ConfirmedPasswordField $password */
-		$password = ConfirmedPasswordField::create(
-			'Password',
-			$label,
-			null,
-			null,
-			$editingPassword
-		);
-
-		// If editing own password, require confirmation of existing
-		if($editingPassword && $this->ID == Member::currentUserID()) {
-			$password->setRequireExistingPassword(true);
-		}
-
-		$password->setCanBeEmpty(true);
-		$this->extend('updateMemberPasswordField', $password);
-		return $password;
-	}
-
-
-	/**
-	 * Returns the {@link RequiredFields} instance for the Member object. This
-	 * Validator is used when saving a {@link CMSProfileController} or added to
-	 * any form responsible for saving a users data.
-	 *
-	 * To customize the required fields, add a {@link DataExtension} to member
-	 * calling the `updateValidator()` method.
-	 *
-	 * @return Member_Validator
-	 */
-	public function getValidator() {
-		$validator = Injector::inst()->create('Member_Validator');
-		$validator->setForMember($this);
-		$this->extend('updateValidator', $validator);
-
-		return $validator;
-	}
-
-
-	/**
-	 * Returns the current logged in user
-	 *
-	 * @return Member|null
-	 */
-	public static function currentUser() {
-		$id = Member::currentUserID();
-
-		if($id) {
-			return DataObject::get_by_id('Member', $id) ?: null;
-		}
-	}
-
-	/**
-	 * Get the ID of the current logged in user
-	 *
-	 * @return int Returns the ID of the current logged in user or 0.
-	 */
-	public static function currentUserID() {
-		$id = Session::get("loggedInAs");
-		if(!$id && !self::$_already_tried_to_auto_log_in) {
-			self::autoLogin();
-			$id = Session::get("loggedInAs");
-		}
-
-		return is_numeric($id) ? $id : 0;
-	}
-	private static $_already_tried_to_auto_log_in = false;
-
-
-	/*
-	 * Generate a random password, with randomiser to kick in if there's no words file on the
-	 * filesystem.
-	 *
-	 * @return string Returns a random password.
-	 */
-	public static function create_new_password() {
-		$words = Config::inst()->get('Security', 'word_list');
-
-		if($words && file_exists($words)) {
-			$words = file($words);
-
-			list($usec, $sec) = explode(' ', microtime());
-			srand($sec + ((float) $usec * 100000));
-
-			$word = trim($words[rand(0,sizeof($words)-1)]);
-			$number = rand(10,999);
-
-			return $word . $number;
-		} else {
-			$random = rand();
-			$string = md5($random);
-			$output = substr($string, 0, 8);
-			return $output;
-		}
-	}
-
-	/**
-	 * Event handler called before writing to the database.
-	 */
-	public function onBeforeWrite() {
-		if($this->SetPassword) $this->Password = $this->SetPassword;
-
-		// If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
-		// Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
-		// but rather a last line of defense against data inconsistencies.
-		$identifierField = Member::config()->unique_identifier_field;
-		if($this->$identifierField) {
-
-			// Note: Same logic as Member_Validator class
-			$filter = array("\"$identifierField\"" => $this->$identifierField);
-			if($this->ID) {
-				$filter[] = array('"Member"."ID" <> ?' => $this->ID);
-			}
-			$existingRecord = DataObject::get_one('Member', $filter);
-
-			if($existingRecord) {
-				throw new ValidationException(ValidationResult::create(false, _t(
-					'Member.ValidationIdentifierFailed',
-					'Can\'t overwrite existing member #{id} with identical identifier ({name} = {value}))',
-					'Values in brackets show "fieldname = value", usually denoting an existing email address',
-					array(
-						'id' => $existingRecord->ID,
-						'name' => $identifierField,
-						'value' => $this->$identifierField
-					)
-				)));
-			}
-		}
-
-		// We don't send emails out on dev/tests sites to prevent accidentally spamming users.
-		// However, if TestMailer is in use this isn't a risk.
-		if(
-			(Director::isLive() || Email::mailer() instanceof TestMailer)
-			&& $this->isChanged('Password')
-			&& $this->record['Password']
-			&& $this->config()->notify_password_change
-		) {
-			$e = Member_ChangePasswordEmail::create();
-			$e->populateTemplate($this);
-			$e->setTo($this->Email);
-			$e->send();
-		}
-
-		// The test on $this->ID is used for when records are initially created.
-		// Note that this only works with cleartext passwords, as we can't rehash
-		// existing passwords.
-		if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
-			//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
-			// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
-			$this->Salt = '';
-			// Password was changed: encrypt the password according the settings
-			$encryption_details = Security::encrypt_password(
-				$this->Password, // this is assumed to be cleartext
-				$this->Salt,
-				$this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
-				$this
-			);
-
-			// Overwrite the Password property with the hashed value
-			$this->Password = $encryption_details['password'];
-			$this->Salt = $encryption_details['salt'];
-			$this->PasswordEncryption = $encryption_details['algorithm'];
-
-			// If we haven't manually set a password expiry
-			if(!$this->isChanged('PasswordExpiry')) {
-				// then set it for us
-				if(self::config()->password_expiry_days) {
-					$this->PasswordExpiry = date('Y-m-d', time() + 86400 * self::config()->password_expiry_days);
-				} else {
-					$this->PasswordExpiry = null;
-				}
-			}
-		}
-
-		// save locale
-		if(!$this->Locale) {
-			$this->Locale = i18n::get_locale();
-		}
-
-		parent::onBeforeWrite();
-	}
-
-	public function onAfterWrite() {
-		parent::onAfterWrite();
-
-		Permission::flush_permission_cache();
-
-		if($this->isChanged('Password')) {
-			MemberPassword::log($this);
-		}
-	}
-
-	public function onAfterDelete() {
-		parent::onAfterDelete();
-
-		//prevent orphaned records remaining in the DB
-		$this->deletePasswordLogs();
-	}
-
-	/**
-	 * Delete the MemberPassword objects that are associated to this user
-	 *
-	 * @return self
-	 */
-	protected function deletePasswordLogs() {
-		foreach ($this->LoggedPasswords() as $password) {
-			$password->delete();
-			$password->destroy();
-		}
-		return $this;
-	}
-
-	/**
-	 * Filter out admin groups to avoid privilege escalation,
-	 * If any admin groups are requested, deny the whole save operation.
-	 *
-	 * @param Array $ids Database IDs of Group records
-	 * @return boolean True if the change can be accepted
-	 */
-	public function onChangeGroups($ids) {
-		// unless the current user is an admin already OR the logged in user is an admin
-		if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
-			return true;
-		}
-
-		// If there are no admin groups in this set then it's ok
-		$adminGroups = Permission::get_groups_by_permission('ADMIN');
-		$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
-		return count(array_intersect($ids, $adminGroupIDs)) == 0;
-	}
-
-
-	/**
-	 * Check if the member is in one of the given groups.
-	 *
-	 * @param array|SS_List $groups Collection of {@link Group} DataObjects to check
-	 * @param boolean $strict Only determine direct group membership if set to true (Default: false)
-	 * @return bool Returns TRUE if the member is in one of the given groups, otherwise FALSE.
-	 */
-	public function inGroups($groups, $strict = false) {
-		if($groups) foreach($groups as $group) {
-			if($this->inGroup($group, $strict)) return true;
-		}
-
-		return false;
-	}
-
-
-	/**
-	 * Check if the member is in the given group or any parent groups.
-	 *
-	 * @param int|Group|string $group Group instance, Group Code or ID
-	 * @param boolean $strict Only determine direct group membership if set to TRUE (Default: FALSE)
-	 * @return bool Returns TRUE if the member is in the given group, otherwise FALSE.
-	 */
-	public function inGroup($group, $strict = false) {
-		if(is_numeric($group)) {
-			$groupCheckObj = DataObject::get_by_id('Group', $group);
-		} elseif(is_string($group)) {
-			$groupCheckObj = DataObject::get_one('Group', array(
-				'"Group"."Code"' => $group
-			));
-		} elseif($group instanceof Group) {
-			$groupCheckObj = $group;
-		} else {
-			user_error('Member::inGroup(): Wrong format for $group parameter', E_USER_ERROR);
-		}
-
-		if(!$groupCheckObj) return false;
-
-		$groupCandidateObjs = ($strict) ? $this->getManyManyComponents("Groups") : $this->Groups();
-		if($groupCandidateObjs) foreach($groupCandidateObjs as $groupCandidateObj) {
-			if($groupCandidateObj->ID == $groupCheckObj->ID) return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Adds the member to a group. This will create the group if the given
-	 * group code does not return a valid group object.
-	 *
-	 * @param string $groupcode
-	 * @param string Title of the group
-	 */
-	public function addToGroupByCode($groupcode, $title = "") {
-		$group = DataObject::get_one('Group', array(
-			'"Group"."Code"' => $groupcode
-		));
-
-		if($group) {
-			$this->Groups()->add($group);
-		} else {
-			if(!$title) $title = $groupcode;
-
-			$group = new Group();
-			$group->Code = $groupcode;
-			$group->Title = $title;
-			$group->write();
-
-			$this->Groups()->add($group);
-		}
-	}
-
-	/**
-	 * Removes a member from a group.
-	 *
-	 * @param string $groupcode
-	 */
-	public function removeFromGroupByCode($groupcode) {
-		$group = Group::get()->filter(array('Code' => $groupcode))->first();
-
-		if($group) {
-			$this->Groups()->remove($group);
-		}
-	}
-
-	/**
-	 * @param Array $columns Column names on the Member record to show in {@link getTitle()}.
-	 * @param String $sep Separator
-	 */
-	public static function set_title_columns($columns, $sep = ' ') {
-		if (!is_array($columns)) $columns = array($columns);
-		self::config()->title_format = array('columns' => $columns, 'sep' => $sep);
-	}
-
-	//------------------- HELPER METHODS -----------------------------------//
-
-	/**
-	 * Get the complete name of the member, by default in the format ", ".
-	 * Falls back to showing either field on its own.
-	 *
-	 * You can overload this getter with {@link set_title_format()}
-	 * and {@link set_title_sql()}.
-	 *
-	 * @return string Returns the first- and surname of the member. If the ID
-	 *  of the member is equal 0, only the surname is returned.
-	 */
-	public function getTitle() {
-		$format = $this->config()->title_format;
-		if ($format) {
-			$values = array();
-			foreach($format['columns'] as $col) {
-				$values[] = $this->getField($col);
-			}
-			return join($format['sep'], $values);
-		}
-		if($this->getField('ID') === 0)
-			return $this->getField('Surname');
-		else{
-			if($this->getField('Surname') && $this->getField('FirstName')){
-				return $this->getField('Surname') . ', ' . $this->getField('FirstName');
-			}elseif($this->getField('Surname')){
-				return $this->getField('Surname');
-			}elseif($this->getField('FirstName')){
-				return $this->getField('FirstName');
-			}else{
-				return null;
-			}
-		}
-	}
-
-	/**
-	 * Return a SQL CONCAT() fragment suitable for a SELECT statement.
-	 * Useful for custom queries which assume a certain member title format.
-	 *
-	 * @param String $tableName
-	 * @return String SQL
-	 */
-	public static function get_title_sql($tableName = 'Member') {
-		// This should be abstracted to SSDatabase concatOperator or similar.
-		$op = (DB::get_conn() instanceof MSSQLDatabase) ? " + " : " || ";
-
-		$format = self::config()->title_format;
-		if ($format) {
-			$columnsWithTablename = array();
-			foreach($format['columns'] as $column) {
-				$columnsWithTablename[] = "\"$tableName\".\"$column\"";
-			}
-
-			return "(".join(" $op '".$format['sep']."' $op ", $columnsWithTablename).")";
-		} else {
-			return "(\"$tableName\".\"Surname\" $op ' ' $op \"$tableName\".\"FirstName\")";
-		}
-	}
-
-
-	/**
-	 * Get the complete name of the member
-	 *
-	 * @return string Returns the first- and surname of the member.
-	 */
-	public function getName() {
-		return ($this->Surname) ? trim($this->FirstName . ' ' . $this->Surname) : $this->FirstName;
-	}
-
-
-	/**
-	 * Set first- and surname
-	 *
-	 * This method assumes that the last part of the name is the surname, e.g.
-	 * A B C will result in firstname A B and surname C
-	 *
-	 * @param string $name The name
-	 */
-	public function setName($name) {
-		$nameParts = explode(' ', $name);
-		$this->Surname = array_pop($nameParts);
-		$this->FirstName = join(' ', $nameParts);
-	}
-
-
-	/**
-	 * Alias for {@link setName}
-	 *
-	 * @param string $name The name
-	 * @see setName()
-	 */
-	public function splitName($name) {
-		return $this->setName($name);
-	}
-
-	/**
-	 * Override the default getter for DateFormat so the
-	 * default format for the user's locale is used
-	 * if the user has not defined their own.
-	 *
-	 * @return string ISO date format
-	 */
-	public function getDateFormat() {
-		if($this->getField('DateFormat')) {
-			return $this->getField('DateFormat');
-		} else {
-			return Config::inst()->get('i18n', 'date_format');
-		}
-	}
-
-	/**
-	 * Override the default getter for TimeFormat so the
-	 * default format for the user's locale is used
-	 * if the user has not defined their own.
-	 *
-	 * @return string ISO date format
-	 */
-	public function getTimeFormat() {
-		if($this->getField('TimeFormat')) {
-			return $this->getField('TimeFormat');
-		} else {
-			return Config::inst()->get('i18n', 'time_format');
-		}
-	}
-
-	//---------------------------------------------------------------------//
-
-
-	/**
-	 * Get a "many-to-many" map that holds for all members their group memberships,
-	 * including any parent groups where membership is implied.
-	 * Use {@link DirectGroups()} to only retrieve the group relations without inheritance.
-	 *
-	 * @todo Push all this logic into Member_GroupSet's getIterator()?
-	 * @return Member_Groupset
-	 */
-	public function Groups() {
-		$groups = Member_GroupSet::create('Group', 'Group_Members', 'GroupID', 'MemberID');
-		$groups = $groups->forForeignID($this->ID);
-
-		$this->extend('updateGroups', $groups);
-
-		return $groups;
-	}
-
-	/**
-	 * @return ManyManyList
-	 */
-	public function DirectGroups() {
-		return $this->getManyManyComponents('Groups');
-	}
-
-	/**
-	 * Get a member SQLMap of members in specific groups
-	 *
-	 * If no $groups is passed, all members will be returned
-	 *
-	 * @param mixed $groups - takes a SS_List, an array or a single Group.ID
-	 * @return SQLMap Returns an SQLMap that returns all Member data.
-	 * @see map()
-	 */
-	public static function map_in_groups($groups = null) {
-		$groupIDList = array();
-
-		if($groups instanceof SS_List) {
-			foreach( $groups as $group ) {
-				$groupIDList[] = $group->ID;
-			}
-		} elseif(is_array($groups)) {
-			$groupIDList = $groups;
-		} elseif($groups) {
-			$groupIDList[] = $groups;
-		}
-
-		// No groups, return all Members
-		if(!$groupIDList) {
-			return Member::get()->sort(array('Surname'=>'ASC', 'FirstName'=>'ASC'))->map();
-		}
-
-		$membersList = new ArrayList();
-		// This is a bit ineffective, but follow the ORM style
-		foreach(Group::get()->byIDs($groupIDList) as $group) {
-			$membersList->merge($group->Members());
-		}
-
-		$membersList->removeDuplicates('ID');
-		return $membersList->map();
-	}
-
-
-	/**
-	 * Get a map of all members in the groups given that have CMS permissions
-	 *
-	 * If no groups are passed, all groups with CMS permissions will be used.
-	 *
-	 * @param array $groups Groups to consider or NULL to use all groups with
-	 *                      CMS permissions.
-	 * @return SS_Map Returns a map of all members in the groups given that
-	 *                have CMS permissions.
-	 */
-	public static function mapInCMSGroups($groups = null) {
-		if(!$groups || $groups->Count() == 0) {
-			$perms = array('ADMIN', 'CMS_ACCESS_AssetAdmin');
-
-			if(class_exists('CMSMain')) {
-				$cmsPerms = singleton('CMSMain')->providePermissions();
-			} else {
-				$cmsPerms = singleton('LeftAndMain')->providePermissions();
-			}
-
-			if(!empty($cmsPerms)) {
-				$perms = array_unique(array_merge($perms, array_keys($cmsPerms)));
-			}
-
-			$permsClause = DB::placeholders($perms);
-			$groups = DataObject::get('Group')
-				->innerJoin("Permission", '"Permission"."GroupID" = "Group"."ID"')
-				->where(array(
-					"\"Permission\".\"Code\" IN ($permsClause)" => $perms
-				));
-		}
-
-		$groupIDList = array();
-
-		if(is_a($groups, 'SS_List')) {
-			foreach($groups as $group) {
-				$groupIDList[] = $group->ID;
-			}
-		} elseif(is_array($groups)) {
-			$groupIDList = $groups;
-		}
-
-		$members = Member::get()
-			->innerJoin("Group_Members", '"Group_Members"."MemberID" = "Member"."ID"')
-			->innerJoin("Group", '"Group"."ID" = "Group_Members"."GroupID"');
-		if($groupIDList) {
-			$groupClause = DB::placeholders($groupIDList);
-			$members = $members->where(array(
-				"\"Group\".\"ID\" IN ($groupClause)" => $groupIDList
-			));
-		}
-
-		return $members->sort('"Member"."Surname", "Member"."FirstName"')->map();
-	}
-
-
-	/**
-	 * Get the groups in which the member is NOT in
-	 *
-	 * When passed an array of groups, and a component set of groups, this
-	 * function will return the array of groups the member is NOT in.
-	 *
-	 * @param array $groupList An array of group code names.
-	 * @param array $memberGroups A component set of groups (if set to NULL,
-	 *                            $this->groups() will be used)
-	 * @return array Groups in which the member is NOT in.
-	 */
-	public function memberNotInGroups($groupList, $memberGroups = null){
-		if(!$memberGroups) $memberGroups = $this->Groups();
-
-		foreach($memberGroups as $group) {
-			if(in_array($group->Code, $groupList)) {
-				$index = array_search($group->Code, $groupList);
-				unset($groupList[$index]);
-			}
-		}
-
-		return $groupList;
-	}
-
-
-	/**
-	 * Return a {@link FieldList} of fields that would appropriate for editing
-	 * this member.
-	 *
-	 * @return FieldList Return a FieldList of fields that would appropriate for
-	 *                   editing this member.
-	 */
-	public function getCMSFields() {
-		require_once 'Zend/Date.php';
-
-		$self = $this;
-		$this->beforeUpdateCMSFields(function(FieldList $fields) use ($self) {
-			/** @var FieldList $mainFields */
-			$mainFields = $fields->fieldByName("Root")->fieldByName("Main")->getChildren();
-
-			// Build change password field
-			$mainFields->replaceField('Password', $self->getMemberPasswordField());
-
-			$mainFields->replaceField('Locale', new DropdownField(
-				"Locale",
-				_t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'),
-				i18n::get_existing_translations()
-			));
-
-			$mainFields->removeByName($self->config()->hidden_fields);
-
-			// make sure that the "LastVisited" field exists
-			// it may have been removed using $self->config()->hidden_fields
-			if($mainFields->fieldByName("LastVisited")){
-			$mainFields->makeFieldReadonly('LastVisited');
-			}
-
-			if( ! $self->config()->lock_out_after_incorrect_logins) {
-				$mainFields->removeByName('FailedLoginCount');
-			}
-
-
-			// Groups relation will get us into logical conflicts because
-			// Members are displayed within  group edit form in SecurityAdmin
-			$fields->removeByName('Groups');
-
-			// Members shouldn't be able to directly view/edit logged passwords
-			$fields->removeByName('LoggedPasswords');
-
-			if(Permission::check('EDIT_PERMISSIONS')) {
-				$groupsMap = array();
-				foreach(Group::get() as $group) {
-					// Listboxfield values are escaped, use ASCII char instead of »
-					$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
-				}
-				asort($groupsMap);
-				$fields->addFieldToTab('Root.Main',
-					ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
-						->setMultiple(true)
-						->setSource($groupsMap)
-						->setAttribute(
-							'data-placeholder',
-							_t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
-						)
-				);
-
-
-				// Add permission field (readonly to avoid complicated group assignment logic).
-				// This should only be available for existing records, as new records start
-				// with no permissions until they have a group assignment anyway.
-				if($self->ID) {
-					$permissionsField = new PermissionCheckboxSetField_Readonly(
-						'Permissions',
-						false,
-						'Permission',
-						'GroupID',
-						// we don't want parent relationships, they're automatically resolved in the field
-						$self->getManyManyComponents('Groups')
-					);
-					$fields->findOrMakeTab('Root.Permissions', singleton('Permission')->i18n_plural_name());
-					$fields->addFieldToTab('Root.Permissions', $permissionsField);
-				}
-			}
-
-			$permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions');
-			if($permissionsTab) $permissionsTab->addExtraClass('readonly');
-
-			$defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($self->Locale));
-			$dateFormatMap = array(
-				'MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'),
-				'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'),
-				'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'),
-				'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy'),
-			);
-			$dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat)
-				. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
-			$mainFields->push(
-				$dateFormatField = new MemberDatetimeOptionsetField(
-					'DateFormat',
-					$self->fieldLabel('DateFormat'),
-					$dateFormatMap
-				)
-			);
-			$dateFormatField->setValue($self->DateFormat);
-
-			$defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($self->Locale));
-			$timeFormatMap = array(
-				'h:mm a' => Zend_Date::now()->toString('h:mm a'),
-				'H:mm' => Zend_Date::now()->toString('H:mm'),
-			);
-			$timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat)
-				. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
-			$mainFields->push(
-				$timeFormatField = new MemberDatetimeOptionsetField(
-					'TimeFormat',
-					$self->fieldLabel('TimeFormat'),
-					$timeFormatMap
-				)
-			);
-			$timeFormatField->setValue($self->TimeFormat);
-		});
-
-		return parent::getCMSFields();
-	}
-
-	/**
-	 *
-	 * @param boolean $includerelations a boolean value to indicate if the labels returned include relation fields
-	 *
-	 */
-	public function fieldLabels($includerelations = true) {
-		$labels = parent::fieldLabels($includerelations);
-
-		$labels['FirstName'] = _t('Member.FIRSTNAME', 'First Name');
-		$labels['Surname'] = _t('Member.SURNAME', 'Surname');
-		$labels['Email'] = _t('Member.EMAIL', 'Email');
-		$labels['Password'] = _t('Member.db_Password', 'Password');
-		$labels['NumVisit'] = _t('Member.db_NumVisit', 'Number of Visits');
-		$labels['LastVisited'] = _t('Member.db_LastVisited', 'Last Visited Date');
-		$labels['PasswordExpiry'] = _t('Member.db_PasswordExpiry', 'Password Expiry Date', 'Password expiry date');
-		$labels['LockedOutUntil'] = _t('Member.db_LockedOutUntil', 'Locked out until', 'Security related date');
-		$labels['Locale'] = _t('Member.db_Locale', 'Interface Locale');
-		$labels['DateFormat'] = _t('Member.DATEFORMAT', 'Date format');
-		$labels['TimeFormat'] = _t('Member.TIMEFORMAT', 'Time format');
-		if($includerelations){
-			$labels['Groups'] = _t('Member.belongs_many_many_Groups', 'Groups',
-				'Security Groups this member belongs to');
-		}
-		return $labels;
-	}
-
-	/**
-	 * Users can view their own record.
-	 * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions.
-	 * This is likely to be customized for social sites etc. with a looser permission model.
-	 */
-	public function canView($member = null) {
-		if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
-
-		// extended access checks
-		$results = $this->extend('canView', $member);
-		if($results && is_array($results)) {
-			if(!min($results)) return false;
-			else return true;
-		}
-
-		// members can usually edit their own record
-		if($member && $this->ID == $member->ID) return true;
-
-		if(
-			Permission::checkMember($member, 'ADMIN')
-			|| Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin')
-		) {
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Users can edit their own record.
-	 * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
-	 */
-	public function canEdit($member = null) {
-		if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
-
-		// extended access checks
-		$results = $this->extend('canEdit', $member);
-		if($results && is_array($results)) {
-			if(!min($results)) return false;
-			else return true;
-		}
-
-		// No member found
-		if(!($member && $member->exists())) return false;
-
-		// If the requesting member is not an admin, but has access to manage members,
-		// they still can't edit other members with ADMIN permission.
-		// This is a bit weak, strictly speaking they shouldn't be allowed to
-		// perform any action that could change the password on a member
-		// with "higher" permissions than himself, but thats hard to determine.
-		if(!Permission::checkMember($member, 'ADMIN') && Permission::checkMember($this, 'ADMIN')) return false;
-
-		return $this->canView($member);
-	}
-
-	/**
-	 * Users can edit their own record.
-	 * Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
-	 */
-	public function canDelete($member = null) {
-		if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
-
-		// extended access checks
-		$results = $this->extend('canDelete', $member);
-		if($results && is_array($results)) {
-			if(!min($results)) return false;
-			else return true;
-		}
-
-		// No member found
-		if(!($member && $member->exists())) return false;
-
-		// Members are not allowed to remove themselves,
-		// since it would create inconsistencies in the admin UIs.
-		if($this->ID && $member->ID == $this->ID) return false;
-
-		return $this->canEdit($member);
-	}
-
-
-	/**
-	 * Validate this member object.
-	 */
-	public function validate() {
-		$valid = parent::validate();
-
-		if(!$this->ID || $this->isChanged('Password')) {
-			if($this->Password && self::$password_validator) {
-				$valid->combineAnd(self::$password_validator->validate($this->Password, $this));
-			}
-		}
-
-		if((!$this->ID && $this->SetPassword) || $this->isChanged('SetPassword')) {
-			if($this->SetPassword && self::$password_validator) {
-				$valid->combineAnd(self::$password_validator->validate($this->SetPassword, $this));
-			}
-		}
-
-		return $valid;
-	}
-
-	/**
-	 * Change password. This will cause rehashing according to
-	 * the `PasswordEncryption` property.
-	 *
-	 * @param String $password Cleartext password
-	 */
-	public function changePassword($password) {
-		$this->Password = $password;
-		$valid = $this->validate();
-
-		if($valid->valid()) {
-			$this->AutoLoginHash = null;
-			$this->write();
-		}
-
-		return $valid;
-	}
-
-	/**
-	 * Tell this member that someone made a failed attempt at logging in as them.
-	 * This can be used to lock the user out temporarily if too many failed attempts are made.
-	 */
-	public function registerFailedLogin() {
-		if(self::config()->lock_out_after_incorrect_logins) {
-			// Keep a tally of the number of failed log-ins so that we can lock people out
-			++$this->FailedLoginCount;
-
-			if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
-				$lockoutMins = self::config()->lock_out_delay_mins;
-				$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
-				$this->FailedLoginCount = 0;
-			}
-		}
-		$this->extend('registerFailedLogin');
-		$this->write();
-	}
-
-	/**
-	 * Tell this member that a successful login has been made
-	 */
-	public function registerSuccessfulLogin() {
-		if(self::config()->lock_out_after_incorrect_logins) {
-			// Forgive all past login failures
-			$this->FailedLoginCount = 0;
-			$this->LockedOutUntil = null;
-			$this->write();
-		}
-        $this->extend('onAfterRegisterSuccessfulLogin');
-	}
-	/**
-	 * Get the HtmlEditorConfig for this user to be used in the CMS.
-	 * This is set by the group. If multiple configurations are set,
-	 * the one with the highest priority wins.
-	 *
-	 * @return string
-	 */
-	public function getHtmlEditorConfigForCMS() {
-		$currentName = '';
-		$currentPriority = 0;
-
-		foreach($this->Groups() as $group) {
-			$configName = $group->HtmlEditorConfig;
-			if($configName) {
-				$config = HtmlEditorConfig::get($group->HtmlEditorConfig);
-				if($config && $config->getOption('priority') > $currentPriority) {
-					$currentName = $configName;
-					$currentPriority = $config->getOption('priority');
-				}
-			}
-		}
-
-		// If can't find a suitable editor, just default to cms
-		return $currentName ? $currentName : 'cms';
-	}
-
-	public static function get_template_global_variables() {
-		return array(
-			'CurrentMember' => 'currentUser',
-			'currentUser',
-		);
-	}
-}
-
-/**
- * Represents a set of Groups attached to a member.
- * Handles the hierarchy logic.
- * @package framework
- * @subpackage security
- */
-class Member_GroupSet extends ManyManyList {
-
-	protected function linkJoinTable() {
-		// Do not join the table directly
-		if($this->extraFields) {
-			user_error('Member_GroupSet does not support many_many_extraFields', E_USER_ERROR);
-		}
-	}
-
-	/**
-	 * Link this group set to a specific member.
-	 *
-	 * Recursively selects all groups applied to this member, as well as any
-	 * parent groups of any applied groups
-	 *
-	 * @param array|integer $id (optional) An ID or an array of IDs - if not provided, will use the current
-	 * ids as per getForeignID
-	 * @return array Condition In array(SQL => parameters format)
-	 */
-	public function foreignIDFilter($id = null) {
-		if ($id === null) $id = $this->getForeignID();
-
-		// Find directly applied groups
-		$manyManyFilter = parent::foreignIDFilter($id);
-		$query = new SQLQuery('"Group_Members"."GroupID"', '"Group_Members"', $manyManyFilter);
-		$groupIDs = $query->execute()->column();
-
-		// Get all ancestors, iteratively merging these into the master set
-		$allGroupIDs = array();
-		while($groupIDs) {
-			$allGroupIDs = array_merge($allGroupIDs, $groupIDs);
-			$groupIDs = DataObject::get("Group")->byIDs($groupIDs)->column("ParentID");
-			$groupIDs = array_filter($groupIDs);
-		}
-
-		// Add a filter to this DataList
-		if(!empty($allGroupIDs)) {
-			$allGroupIDsPlaceholders = DB::placeholders($allGroupIDs);
-			return array("\"Group\".\"ID\" IN ($allGroupIDsPlaceholders)" => $allGroupIDs);
-		} else {
-			return array('"Group"."ID"' => 0);
-		}
-	}
-
-	public function foreignIDWriteFilter($id = null) {
-		// Use the ManyManyList::foreignIDFilter rather than the one
-		// in this class, otherwise we end up selecting all inherited groups
-		return parent::foreignIDFilter($id);
-	}
-
-	public function add($item, $extraFields = null) {
-		// Get Group.ID
-		$itemID = null;
-		if(is_numeric($item)) {
-			$itemID = $item;
-		} else if($item instanceof Group) {
-			$itemID = $item->ID;
-		}
-
-		// Check if this group is allowed to be added
-		if($this->canAddGroups(array($itemID))) {
-			parent::add($item, $extraFields);
-		}
-	}
-
-	/**
-	 * Determine if the following groups IDs can be added
-	 *
-	 * @param array $itemIDs
-	 * @return boolean
-	 */
-	protected function canAddGroups($itemIDs) {
-		if(empty($itemIDs)) {
-			return true;
-		}
-		$member = $this->getMember();
-		return empty($member) || $member->onChangeGroups($itemIDs);
-	}
-
-	/**
-	 * Get foreign member record for this relation
-	 *
-	 * @return Member
-	 */
-	protected function getMember() {
-		$id = $this->getForeignID();
-		if($id) {
-			return DataObject::get_by_id('Member', $id);
-		}
-	}
-}
-
-/**
- * Class used as template to send an email saying that the password has been
- * changed.
- *
- * @package framework
- * @subpackage security
- */
-class Member_ChangePasswordEmail extends Email {
-
-	protected $from = '';   // setting a blank from address uses the site's default administrator email
-	protected $subject = '';
-	protected $ss_template = 'ChangePasswordEmail';
-
-	public function __construct() {
-		parent::__construct();
-
-		$this->subject = _t('Member.SUBJECTPASSWORDCHANGED', "Your password has been changed", 'Email subject');
-	}
-}
-
-
-
-/**
- * Class used as template to send the forgot password email
- *
- * @package framework
- * @subpackage security
- */
-class Member_ForgotPasswordEmail extends Email {
-	protected $from = '';  // setting a blank from address uses the site's default administrator email
-	protected $subject = '';
-	protected $ss_template = 'ForgotPasswordEmail';
-
-	public function __construct() {
-		parent::__construct();
-
-		$this->subject = _t('Member.SUBJECTPASSWORDRESET', "Your password reset link", 'Email subject');
-	}
-}
-
-/**
- * Member Validator
- *
- * Custom validation for the Member object can be achieved either through an
- * {@link DataExtension} on the Member_Validator object or, by specifying a subclass of
- * {@link Member_Validator} through the {@link Injector} API.
- * The Validator can also be modified by adding an Extension to Member and implement the
- * updateValidator hook.
- * {@see Member::getValidator()}
- *
- * Additional required fields can also be set via config API, eg.
- * 
- * Member_Validator:
- *   customRequired:
- *     - Surname
- * 
- *
- * @package framework
- * @subpackage security
- */
-class Member_Validator extends RequiredFields
-{
-	/**
-	 * Fields that are required by this validator
-	 * @config
-	 * @var array
-	 */
-	protected $customRequired = array(
-		'FirstName',
-		'Email'
-	);
-
-	/**
-	 * Determine what member this validator is meant for
-	 * @var Member
-	 */
-	protected $forMember = null;
-
-	/**
-	 * Constructor
-	 */
-	public function __construct() {
-		$required = func_get_args();
-
-		if(isset($required[0]) && is_array($required[0])) {
-			$required = $required[0];
-		}
-
-		$required = array_merge($required, $this->customRequired);
-
-		// check for config API values and merge them in
-		$config = $this->config()->customRequired;
-		if(is_array($config)){
-			$required = array_merge($required, $config);
-		}
-
-		parent::__construct(array_unique($required));
-	}
-
-	/**
-	 * Get the member this validator applies to.
-	 * @return Member
-	 */
-	public function getForMember()
-	{
-		return $this->forMember;
-	}
-
-	/**
-	 * Set the Member this validator applies to.
-	 * @param Member $value
-	 * @return $this
-	 */
-	public function setForMember(Member $value)
-	{
-		$this->forMember = $value;
-		return $this;
-	}
-
-	/**
-	 * Check if the submitted member data is valid (server-side)
-	 *
-	 * Check if a member with that email doesn't already exist, or if it does
-	 * that it is this member.
-	 *
-	 * @param array $data Submitted data
-	 * @return bool Returns TRUE if the submitted data is valid, otherwise
-	 *              FALSE.
-	 */
-	public function php($data)
-	{
-		$valid = parent::php($data);
-
-		$identifierField = (string)Member::config()->unique_identifier_field;
-
-		// Only validate identifier field if it's actually set. This could be the case if
-		// somebody removes `Email` from the list of required fields.
-		if(isset($data[$identifierField])){
-			$id = isset($data['ID']) ? (int)$data['ID'] : 0;
-			if(!$id && ($ctrl = $this->form->getController())){
-				// get the record when within GridField (Member editing page in CMS)
-				if($ctrl instanceof GridFieldDetailForm_ItemRequest && $record = $ctrl->getRecord()){
-					$id = $record->ID;
-				}
-			}
-
-			// If there's no ID passed via controller or form-data, use the assigned member (if available)
-			if(!$id && ($member = $this->getForMember())){
-				$id = $member->exists() ? $member->ID : 0;
-			}
-
-			// set the found ID to the data array, so that extensions can also use it
-			$data['ID'] = $id;
-
-			$members = Member::get()->filter($identifierField, $data[$identifierField]);
-			if($id) {
-				$members = $members->exclude('ID', $id);
-			}
-
-			if($members->count() > 0) {
-				$this->validationError(
-					$identifierField,
-					_t(
-						'Member.VALIDATIONMEMBEREXISTS',
-						'A member already exists with the same {identifier}',
-						array('identifier' => Member::singleton()->fieldLabel($identifierField))
-					),
-					'required'
-				);
-				$valid = false;
-			}
-		}
-
-
-		// Execute the validators on the extensions
-		$results = $this->extend('updatePHP', $data, $this->form);
-		$results[] = $valid;
-		return min($results);
-	}
-}

From 0e1753f33d855dd1567a4ac416d6031aa5e994e2 Mon Sep 17 00:00:00 2001
From: Loz Calver 
Date: Mon, 11 Dec 2017 17:32:13 +0000
Subject: [PATCH 19/24] FIX: Only show table_name warning on dev/build

---
 src/ORM/Connect/DBSchemaManager.php | 31 +++++++++++++++++++++++++++++
 src/ORM/DataObjectSchema.php        | 14 +++++--------
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/src/ORM/Connect/DBSchemaManager.php b/src/ORM/Connect/DBSchemaManager.php
index 2eccafaa7..ddd3208ef 100644
--- a/src/ORM/Connect/DBSchemaManager.php
+++ b/src/ORM/Connect/DBSchemaManager.php
@@ -50,6 +50,20 @@ abstract class DBSchemaManager
      */
     protected $supressOutput = false;
 
+    /**
+     * @var array
+     */
+    protected static $table_name_warnings = [];
+
+    /**
+     * @param string
+     * @deprecated 4.0..5.0
+     */
+    public static function showTableNameWarning($table, $class)
+    {
+        static::$table_name_warnings[$table] = $class;
+    }
+
     /**
      * Injector injection point for database controller
      *
@@ -409,6 +423,23 @@ abstract class DBSchemaManager
                 $this->requireIndex($table, $indexName, $indexSpec);
             }
         }
+
+        // Check and display notice about $table_name
+        static $table_name_info_sent = false;
+
+        if (isset(static::$table_name_warnings[$table])) {
+            if (!$table_name_info_sent) {
+                $this->alterationMessage('Please note: It is strongly recommended to define a' .
+                    ' table_name for all namespaced models. Not defining a table_name may cause generated table' .
+                    ' names to be too long and may not be supported by your current database engine. The generated' .
+                    ' naming scheme will also change when upgrading to SilverStripe 5.0 and potentially break.',
+                    'error'
+                );
+                $table_name_info_sent = true;
+            }
+
+            $this->alterationMessage('table_name not set for class ' . static::$table_name_warnings[$table], 'notice');
+        }
     }
 
     /**
diff --git a/src/ORM/DataObjectSchema.php b/src/ORM/DataObjectSchema.php
index 18a616f59..6ad3cfe34 100644
--- a/src/ORM/DataObjectSchema.php
+++ b/src/ORM/DataObjectSchema.php
@@ -11,6 +11,7 @@ use SilverStripe\Core\Config\Configurable;
 use SilverStripe\Core\Injector\Injectable;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Dev\TestOnly;
+use SilverStripe\ORM\Connect\DBSchemaManager;
 use SilverStripe\ORM\FieldType\DBComposite;
 use SilverStripe\ORM\FieldType\DBField;
 
@@ -317,18 +318,13 @@ class DataObjectSchema
             return $class;
         }
 
-        if (!ClassInfo::classImplements($class, TestOnly::class) && $this->classHasTable($class)) {
-            trigger_error(
-                "It is recommended to define a table_name for your '$class'." .
-                ' Not defining a table_name may cause subsequent table names to be too long and may not be supported' .
-                ' by your current database engine, the generated naming scheme will also change when upgrading to' .
-                ' SilverStripe 5.0 and potentially break.',
-                E_USER_WARNING
-            );
-        }
         $separator = DataObjectSchema::config()->uninherited('table_namespace_separator');
         $table = str_replace('\\', $separator, trim($class, '\\'));
 
+        if (!ClassInfo::classImplements($class, TestOnly::class) && $this->classHasTable($class)) {
+            DBSchemaManager::showTableNameWarning($table, $class);
+        }
+
         return $table;
     }
 

From 2391af5ba7f6851bbefa71bd835ed64e73ac198f Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Tue, 12 Dec 2017 09:22:18 +1300
Subject: [PATCH 20/24] Fix literal linting

---
 src/ORM/Connect/DBSchemaManager.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ORM/Connect/DBSchemaManager.php b/src/ORM/Connect/DBSchemaManager.php
index ddd3208ef..4ec52cbd9 100644
--- a/src/ORM/Connect/DBSchemaManager.php
+++ b/src/ORM/Connect/DBSchemaManager.php
@@ -429,10 +429,14 @@ abstract class DBSchemaManager
 
         if (isset(static::$table_name_warnings[$table])) {
             if (!$table_name_info_sent) {
-                $this->alterationMessage('Please note: It is strongly recommended to define a' .
-                    ' table_name for all namespaced models. Not defining a table_name may cause generated table' .
-                    ' names to be too long and may not be supported by your current database engine. The generated' .
-                    ' naming scheme will also change when upgrading to SilverStripe 5.0 and potentially break.',
+                $this->alterationMessage(
+                    <<<'MESSAGE'
+Please note: It is strongly recommended to define a
+table_name for all namespaced models. Not defining a table_name may cause generated table
+names to be too long and may not be supported by your current database engine. The generated
+naming scheme will also change when upgrading to SilverStripe 5.0 and potentially break.
+MESSAGE
+                    ,
                     'error'
                 );
                 $table_name_info_sent = true;

From 097d0697c5603889f871fa7767e1eddc91809b42 Mon Sep 17 00:00:00 2001
From: Robbie Averill 
Date: Tue, 12 Dec 2017 14:56:38 +1300
Subject: [PATCH 21/24] FIX Use Injector to retrieve the current session

---
 src/Security/SecurityToken.php | 42 ++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/src/Security/SecurityToken.php b/src/Security/SecurityToken.php
index 12c90a84a..ff7d0ccfa 100644
--- a/src/Security/SecurityToken.php
+++ b/src/Security/SecurityToken.php
@@ -2,11 +2,13 @@
 
 namespace SilverStripe\Security;
 
+use Exception;
 use SilverStripe\Control\Controller;
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\Session;
 use SilverStripe\Core\Config\Configurable;
 use SilverStripe\Core\Injector\Injectable;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\FieldList;
 use SilverStripe\Forms\HiddenField;
 use SilverStripe\View\TemplateGlobalProvider;
@@ -56,7 +58,7 @@ class SecurityToken implements TemplateGlobalProvider
     protected static $enabled = true;
 
     /**
-     * @var String $name
+     * @var string $name
      */
     protected $name = null;
 
@@ -110,7 +112,7 @@ class SecurityToken implements TemplateGlobalProvider
     }
 
     /**
-     * @return String
+     * @return string
      */
     public static function get_default_name()
     {
@@ -146,11 +148,11 @@ class SecurityToken implements TemplateGlobalProvider
     }
 
     /**
-     * @return String
+     * @return string
      */
     public function getValue()
     {
-        $session = Controller::curr()->getRequest()->getSession();
+        $session = $this->getSession();
         $value = $session->get($this->getName());
 
         // only regenerate if the token isn't already set in the session
@@ -163,12 +165,28 @@ class SecurityToken implements TemplateGlobalProvider
     }
 
     /**
-     * @param String $val
+     * @param string $val
+     * @return $this
      */
     public function setValue($val)
     {
-        $session = Controller::curr()->getRequest()->getSession();
-        $session->set($this->getName(), $val);
+        $this->getSession()->set($this->getName(), $val);
+        return $this;
+    }
+
+    /**
+     * Returns the current session instance from the injector
+     *
+     * @return Session
+     * @throws Exception If the HTTPRequest class hasn't been registered as a service
+     */
+    protected function getSession()
+    {
+        $injector = Injector::inst();
+        if (!$injector->has(HTTPRequest::class)) {
+            throw new Exception('No HTTPRequest object available yet!');
+        }
+        return $injector->get(HTTPRequest::class)->getSession();
     }
 
     /**
@@ -188,8 +206,8 @@ class SecurityToken implements TemplateGlobalProvider
      *
      * Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.
      *
-     * @param String $compare
-     * @return Boolean
+     * @param string $compare
+     * @return boolean
      */
     public function check($compare)
     {
@@ -246,8 +264,8 @@ class SecurityToken implements TemplateGlobalProvider
     }
 
     /**
-     * @param String $url
-     * @return String
+     * @param string $url
+     * @return string
      */
     public function addToUrl($url)
     {
@@ -272,7 +290,7 @@ class SecurityToken implements TemplateGlobalProvider
     /**
      * @uses RandomGenerator
      *
-     * @return String
+     * @return string
      */
     protected function generate()
     {

From eb6c1fc6de2e4863198ce5d1f96bfb3e32ae2b8d Mon Sep 17 00:00:00 2001
From: Robbie Averill 
Date: Tue, 12 Dec 2017 16:35:53 +1300
Subject: [PATCH 22/24] FIX Allow the current controller as well as injectable
 HTTPRequest objects

---
 src/Security/SecurityToken.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Security/SecurityToken.php b/src/Security/SecurityToken.php
index ff7d0ccfa..10276a4c4 100644
--- a/src/Security/SecurityToken.php
+++ b/src/Security/SecurityToken.php
@@ -178,15 +178,17 @@ class SecurityToken implements TemplateGlobalProvider
      * Returns the current session instance from the injector
      *
      * @return Session
-     * @throws Exception If the HTTPRequest class hasn't been registered as a service
+     * @throws Exception If the HTTPRequest class hasn't been registered as a service and no controllers exist
      */
     protected function getSession()
     {
         $injector = Injector::inst();
-        if (!$injector->has(HTTPRequest::class)) {
-            throw new Exception('No HTTPRequest object available yet!');
+        if ($injector->has(HTTPRequest::class)) {
+            return $injector->get(HTTPRequest::class)->getSession();
+        } elseif (Controller::has_curr()) {
+            return Controller::curr()->getRequest()->getSession();
         }
-        return $injector->get(HTTPRequest::class)->getSession();
+        throw new Exception('No HTTPRequest object or controller available yet!');
     }
 
     /**

From ed6561d9f52dbe0eec30576b48c2eeb28b0329fd Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Thu, 14 Dec 2017 14:17:19 +1300
Subject: [PATCH 23/24] BUG Fix incorrect merge of associative /
 non-associative summary fields Fixes #7696

---
 src/ORM/DataObject.php                        | 13 ++-
 tests/php/ORM/DataObjectTest.php              | 92 +++++++++----------
 tests/php/ORM/DataObjectTest/Team.php         |  2 +-
 .../php/ORM/DataObjectTest/Team_Extension.php |  4 +
 4 files changed, 57 insertions(+), 54 deletions(-)

diff --git a/src/ORM/DataObject.php b/src/ORM/DataObject.php
index c9a61bb87..8fea18de2 100644
--- a/src/ORM/DataObject.php
+++ b/src/ORM/DataObject.php
@@ -3337,12 +3337,15 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
      */
     public function summaryFields()
     {
-        $fields = $this->config()->get('summary_fields');
+        $rawFields = $this->config()->get('summary_fields');
 
-        // if fields were passed in numeric array,
-        // convert to an associative array
-        if ($fields && array_key_exists(0, $fields)) {
-            $fields = array_combine(array_values($fields), array_values($fields));
+        // Merge associative / numeric keys
+        $fields = [];
+        foreach ($rawFields as $key => $value) {
+            if (is_int($key)) {
+                $key = $value;
+            }
+            $fields[$key] = $value;
         }
 
         if (!$fields) {
diff --git a/tests/php/ORM/DataObjectTest.php b/tests/php/ORM/DataObjectTest.php
index 77637977f..d25edc1f7 100644
--- a/tests/php/ORM/DataObjectTest.php
+++ b/tests/php/ORM/DataObjectTest.php
@@ -2,25 +2,23 @@
 
 namespace SilverStripe\ORM\Tests;
 
+use InvalidArgumentException;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Dev\SapphireTest;
 use SilverStripe\i18n\i18n;
+use SilverStripe\ORM\Connect\MySQLDatabase;
+use SilverStripe\ORM\DataObject;
 use SilverStripe\ORM\DataObjectSchema;
+use SilverStripe\ORM\DB;
 use SilverStripe\ORM\FieldType\DBBoolean;
 use SilverStripe\ORM\FieldType\DBDatetime;
 use SilverStripe\ORM\FieldType\DBField;
-use SilverStripe\ORM\DataObject;
-use SilverStripe\ORM\DB;
-use SilverStripe\ORM\Connect\MySQLDatabase;
 use SilverStripe\ORM\FieldType\DBPolymorphicForeignKey;
 use SilverStripe\ORM\FieldType\DBVarchar;
 use SilverStripe\ORM\ManyManyList;
 use SilverStripe\ORM\Tests\DataObjectTest\Player;
-use SilverStripe\ORM\ValidationException;
 use SilverStripe\View\ViewableData;
 use stdClass;
-use ReflectionException;
-use InvalidArgumentException;
 
 class DataObjectTest extends SapphireTest
 {
@@ -87,11 +85,11 @@ class DataObjectTest extends SapphireTest
 
         // Test with table required
         $this->assertEquals(
-            DataObjectTest\TeamComment::class.'.Varchar',
+            DataObjectTest\TeamComment::class . '.Varchar',
             $schema->fieldSpec(DataObjectTest\TeamComment::class, 'Name', DataObjectSchema::INCLUDE_CLASS)
         );
         $this->assertEquals(
-            DataObjectTest\TeamComment::class.'.Text',
+            DataObjectTest\TeamComment::class . '.Text',
             $schema->fieldSpec(DataObjectTest\TeamComment::class, 'Comment', DataObjectSchema::INCLUDE_CLASS)
         );
         $dbFields = $schema->fieldSpecs(DataObjectTest\ExtendedTeamComment::class);
@@ -127,8 +125,8 @@ class DataObjectTest extends SapphireTest
         // Values can be an array...
         $player = new DataObjectTest\Player(
             array(
-            'FirstName' => 'James',
-            'Surname' => 'Smith'
+                'FirstName' => 'James',
+                'Surname' => 'Smith'
             )
         );
 
@@ -278,7 +276,7 @@ class DataObjectTest extends SapphireTest
         $comment1 = DataObject::get_one(
             DataObjectTest\TeamComment::class,
             array(
-            '"DataObjectTest_TeamComment"."Name"' => 'Joe'
+                '"DataObjectTest_TeamComment"."Name"' => 'Joe'
             ),
             false
         );
@@ -287,7 +285,7 @@ class DataObjectTest extends SapphireTest
         $comment2 = DataObject::get_one(
             DataObjectTest\TeamComment::class,
             array(
-            '"DataObjectTest_TeamComment"."Name"' => 'Joe'
+                '"DataObjectTest_TeamComment"."Name"' => 'Joe'
             ),
             false
         );
@@ -297,7 +295,7 @@ class DataObjectTest extends SapphireTest
         $comment1 = DataObject::get_one(
             DataObjectTest\TeamComment::class,
             array(
-            '"DataObjectTest_TeamComment"."Name"' => 'Bob'
+                '"DataObjectTest_TeamComment"."Name"' => 'Bob'
             ),
             true
         );
@@ -306,7 +304,7 @@ class DataObjectTest extends SapphireTest
         $comment2 = DataObject::get_one(
             DataObjectTest\TeamComment::class,
             array(
-            '"DataObjectTest_TeamComment"."Name"' => 'Bob'
+                '"DataObjectTest_TeamComment"."Name"' => 'Bob'
             ),
             true
         );
@@ -338,7 +336,7 @@ class DataObjectTest extends SapphireTest
         $subteam1 = DataObject::get_one(
             strtolower(DataObjectTest\SubTeam::class),
             array(
-            '"DataObjectTest_Team"."Title"' => 'Subteam 1'
+                '"DataObjectTest_Team"."Title"' => 'Subteam 1'
             ),
             true
         );
@@ -705,8 +703,8 @@ class DataObjectTest extends SapphireTest
             $obj->getChangedFields(true, DataObject::CHANGE_VALUE),
             array(
                 'FirstName' => array(
-                    'before'=>'Captain',
-                    'after'=>'Captain-changed',
+                    'before' => 'Captain',
+                    'after' => 'Captain-changed',
                     'level' => DataObject::CHANGE_VALUE
                 )
             ),
@@ -1190,15 +1188,13 @@ class DataObjectTest extends SapphireTest
         $summaryFields = $team->summaryFields();
 
         $this->assertEquals(
-            'Custom Title',
-            $summaryFields['Title'],
-            'Custom title is preserved'
-        );
-
-        $this->assertEquals(
-            'Captain\'s shirt number',
-            $summaryFields['Captain.ShirtNumber'],
-            'Custom title on relation is preserved'
+            [
+                'Title' => 'Custom Title',
+                'Title.UpperCase' => 'Title',
+                'Captain.ShirtNumber' => 'Captain\'s shirt number',
+                'Captain.FavouriteTeam.Title' => 'Captain\'s favourite team',
+            ],
+            $summaryFields
         );
     }
 
@@ -1211,10 +1207,10 @@ class DataObjectTest extends SapphireTest
 
         $team1->update(
             array(
-            'DatabaseField' => 'Something',
-            'Captain.FirstName' => 'Jim',
-            'Captain.Email' => 'jim@example.com',
-            'Captain.FavouriteTeam.Title' => 'New and improved team 1',
+                'DatabaseField' => 'Something',
+                'Captain.FirstName' => 'Jim',
+                'Captain.Email' => 'jim@example.com',
+                'Captain.FavouriteTeam.Title' => 'New and improved team 1',
             )
         );
 
@@ -1242,8 +1238,8 @@ class DataObjectTest extends SapphireTest
 
         $team1->update(
             array(
-            'Captain.FirstName' => 'Jim',
-            'Captain.FavouriteTeam.Title' => 'New and improved team 1',
+                'Captain.FirstName' => 'Jim',
+                'Captain.FavouriteTeam.Title' => 'New and improved team 1',
             )
         );
         /* Test that the captain ID has been updated */
@@ -1459,8 +1455,8 @@ class DataObjectTest extends SapphireTest
         $this->expectException(InvalidArgumentException::class);
         $this->expectExceptionMessage('Controller is not a valid subclass of DataObject');
         /**
- * @skipUpgrade
-*/
+         * @skipUpgrade
+         */
         $dataObject->newClassInstance('Controller');
     }
 
@@ -1577,7 +1573,7 @@ class DataObjectTest extends SapphireTest
         $teamExtraFields = $team->manyManyExtraFields();
         $this->assertEquals(
             array(
-            'Players' => array('Position' => 'Varchar(100)')
+                'Players' => array('Position' => 'Varchar(100)')
             ),
             $teamExtraFields
         );
@@ -1587,8 +1583,8 @@ class DataObjectTest extends SapphireTest
         $teamExtraFields = $subTeam->manyManyExtraFields();
         $this->assertEquals(
             array(
-            'Players' => array('Position' => 'Varchar(100)'),
-            'FormerPlayers' => array('Position' => 'Varchar(100)')
+                'Players' => array('Position' => 'Varchar(100)'),
+                'FormerPlayers' => array('Position' => 'Varchar(100)')
             ),
             $teamExtraFields
         );
@@ -1598,7 +1594,7 @@ class DataObjectTest extends SapphireTest
         $this->assertEquals(
             $teamExtraFields,
             array(
-            'Position' => 'Varchar(100)'
+                'Position' => 'Varchar(100)'
             )
         );
 
@@ -1607,7 +1603,7 @@ class DataObjectTest extends SapphireTest
         $this->assertEquals(
             $playerExtraFields,
             array(
-            'Position' => 'Varchar(100)'
+                'Position' => 'Varchar(100)'
             )
         );
 
@@ -1797,9 +1793,9 @@ class DataObjectTest extends SapphireTest
         $company = new DataObjectTest\Company();
 
         $this->assertEquals(
-            array (
-                'CurrentStaff'     => DataObjectTest\Staff::class,
-                'PreviousStaff'    => DataObjectTest\Staff::class
+            array(
+                'CurrentStaff' => DataObjectTest\Staff::class,
+                'PreviousStaff' => DataObjectTest\Staff::class
             ),
             $company->hasMany(),
             'has_many strips field name data by default.'
@@ -1812,16 +1808,16 @@ class DataObjectTest extends SapphireTest
         );
 
         $this->assertEquals(
-            array (
-                'CurrentStaff'     => DataObjectTest\Staff::class.'.CurrentCompany',
-                'PreviousStaff'    => DataObjectTest\Staff::class.'.PreviousCompany'
+            array(
+                'CurrentStaff' => DataObjectTest\Staff::class . '.CurrentCompany',
+                'PreviousStaff' => DataObjectTest\Staff::class . '.PreviousCompany'
             ),
             $company->hasMany(false),
             'has_many returns field name data when $classOnly is false.'
         );
 
         $this->assertEquals(
-            DataObjectTest\Staff::class.'.CurrentCompany',
+            DataObjectTest\Staff::class . '.CurrentCompany',
             DataObject::getSchema()->hasManyComponent(DataObjectTest\Company::class, 'CurrentStaff', false),
             'has_many returns field name data on single records when $classOnly is false.'
         );
@@ -1897,7 +1893,7 @@ class DataObjectTest extends SapphireTest
     public function testBelongsTo()
     {
         $company = new DataObjectTest\Company();
-        $ceo     = new DataObjectTest\CEO();
+        $ceo = new DataObjectTest\CEO();
 
         $company->Name = 'New Company';
         $company->write();
@@ -1948,7 +1944,7 @@ class DataObjectTest extends SapphireTest
     public function testBelongsToPolymorphic()
     {
         $company = new DataObjectTest\Company();
-        $ceo     = new DataObjectTest\CEO();
+        $ceo = new DataObjectTest\CEO();
 
         $company->write();
         $ceo->write();
diff --git a/tests/php/ORM/DataObjectTest/Team.php b/tests/php/ORM/DataObjectTest/Team.php
index b44317d11..999250843 100644
--- a/tests/php/ORM/DataObjectTest/Team.php
+++ b/tests/php/ORM/DataObjectTest/Team.php
@@ -59,7 +59,7 @@ class Team extends DataObject implements TestOnly
     );
 
     private static $summary_fields = array(
-        'Title' => 'Custom Title',
+        'Title', // Overridden by Team_Extension
         'Title.UpperCase' => 'Title',
         'Captain.ShirtNumber' => 'Captain\'s shirt number',
         'Captain.FavouriteTeam.Title' => 'Captain\'s favourite team'
diff --git a/tests/php/ORM/DataObjectTest/Team_Extension.php b/tests/php/ORM/DataObjectTest/Team_Extension.php
index 4ad6926a0..bd6b93df2 100644
--- a/tests/php/ORM/DataObjectTest/Team_Extension.php
+++ b/tests/php/ORM/DataObjectTest/Team_Extension.php
@@ -7,6 +7,10 @@ use SilverStripe\ORM\DataExtension;
 
 class Team_Extension extends DataExtension implements TestOnly
 {
+    private static $summary_fields = [
+        'Title' => 'Custom Title', // override non-associative 'Title'
+    ];
+
     private static $db = array(
         'ExtendedDatabaseField' => 'Varchar'
     );

From 1c8576cee789cf8ec09f60cba3a362072d6d976b Mon Sep 17 00:00:00 2001
From: Damian Mooyman 
Date: Thu, 14 Dec 2017 14:18:41 +1300
Subject: [PATCH 24/24] Linting cleanup

---
 src/Core/Injector/Injector.php         | 12 ++++++------
 src/Dev/BulkLoader.php                 | 10 +++++-----
 src/Dev/DevelopmentAdmin.php           |  8 ++++----
 src/Forms/FieldList.php                |  2 +-
 src/ORM/Connect/DBSchemaManager.php    | 24 ++++++++++++------------
 src/ORM/Connect/Database.php           | 16 ++++++++--------
 src/ORM/Connect/MySQLSchemaManager.php | 10 +++++-----
 src/ORM/DataObject.php                 |  4 ++--
 tests/behat/src/CmsFormsContext.php    | 10 +++++-----
 tests/php/Control/ControllerTest.php   |  4 ++--
 tests/php/Dev/CsvBulkLoaderTest.php    |  2 +-
 tests/php/Forms/ListboxFieldTest.php   | 10 +++++-----
 tests/php/View/SSViewerTest.php        |  4 ++--
 13 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/src/Core/Injector/Injector.php b/src/Core/Injector/Injector.php
index 8c4c940d3..0b77d82d0 100644
--- a/src/Core/Injector/Injector.php
+++ b/src/Core/Injector/Injector.php
@@ -426,13 +426,13 @@ class Injector implements ContainerInterface
             // to ensure we get cached
             $spec['id'] = $id;
 
-//			We've removed this check because new functionality means that the 'class' field doesn't need to refer
-//			specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
-//			functionality
+//          We've removed this check because new functionality means that the 'class' field doesn't need to refer
+//          specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
+//          functionality
 //
-//			if (!class_exists($class)) {
-//				throw new Exception("Failed to load '$class' from $file");
-//			}
+//          if (!class_exists($class)) {
+//              throw new Exception("Failed to load '$class' from $file");
+//          }
 
             // store the specs for now - we lazy load on demand later on.
             $this->specs[$id] = $spec;
diff --git a/src/Dev/BulkLoader.php b/src/Dev/BulkLoader.php
index 989fc996d..3857fc173 100644
--- a/src/Dev/BulkLoader.php
+++ b/src/Dev/BulkLoader.php
@@ -136,11 +136,11 @@ abstract class BulkLoader extends ViewableData
     }
 
     /*
-	 * Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
-	 * Optionally truncates (clear) the table before it imports.
-	 *
-	 * @return BulkLoader_Result See {@link self::processAll()}
-	 */
+     * Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
+     * Optionally truncates (clear) the table before it imports.
+     *
+     * @return BulkLoader_Result See {@link self::processAll()}
+     */
     public function load($filepath)
     {
         Environment::increaseTimeLimitTo(3600);
diff --git a/src/Dev/DevelopmentAdmin.php b/src/Dev/DevelopmentAdmin.php
index db0757df0..99741822b 100644
--- a/src/Dev/DevelopmentAdmin.php
+++ b/src/Dev/DevelopmentAdmin.php
@@ -140,8 +140,8 @@ class DevelopmentAdmin extends Controller
 
 
     /*
-	 * Internal methods
-	 */
+     * Internal methods
+     */
 
     /**
      * @return array of url => description
@@ -175,8 +175,8 @@ class DevelopmentAdmin extends Controller
 
 
     /*
-	 * Unregistered (hidden) actions
-	 */
+     * Unregistered (hidden) actions
+     */
 
     /**
      * Build the default data, calling requireDefaultRecords on all
diff --git a/src/Forms/FieldList.php b/src/Forms/FieldList.php
index 6acfbbf61..c926986ed 100644
--- a/src/Forms/FieldList.php
+++ b/src/Forms/FieldList.php
@@ -688,7 +688,7 @@ class FieldList extends ArrayList
             $fieldMap[$field->getName()] = $field;
         }
 
-        // Iterate through the ordered list	of names, building a new array to be put into $this->items.
+        // Iterate through the ordered list of names, building a new array to be put into $this->items.
         // While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
         // Unrecognised field names are okay; just ignore them
         $fields = array();
diff --git a/src/ORM/Connect/DBSchemaManager.php b/src/ORM/Connect/DBSchemaManager.php
index 4ec52cbd9..e501d7f87 100644
--- a/src/ORM/Connect/DBSchemaManager.php
+++ b/src/ORM/Connect/DBSchemaManager.php
@@ -890,13 +890,13 @@ MESSAGE
 
 
     /*
-	 * This is a lookup table for data types.
-	 * For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
-	 * So this is a DB-specific list of equivilents.
-	 *
-	 * @param string $type
-	 * @return string
-	 */
+     * This is a lookup table for data types.
+     * For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
+     * So this is a DB-specific list of equivilents.
+     *
+     * @param string $type
+     * @return string
+     */
     abstract public function dbDataType($type);
 
     /**
@@ -1151,10 +1151,10 @@ MESSAGE
     abstract public function varchar($values);
 
     /*
-	 * Returns data type for 'year' column
-	 *
-	 * @param array $values Contains a tokenised list of info about this data type
-	 * @return string
-	 */
+     * Returns data type for 'year' column
+     *
+     * @param array $values Contains a tokenised list of info about this data type
+     * @return string
+     */
     abstract public function year($values);
 }
diff --git a/src/ORM/Connect/Database.php b/src/ORM/Connect/Database.php
index ab6d56572..45d8b6c86 100644
--- a/src/ORM/Connect/Database.php
+++ b/src/ORM/Connect/Database.php
@@ -617,14 +617,14 @@ abstract class Database
     }
 
     /*
-	 * Determines if the current database connection supports a given list of extensions
-	 *
-	 * @param array $extensions List of extensions to check for support of. The key of this array
-	 * will be an extension name, and the value the configuration for that extension. This
-	 * could be one of partitions, tablespaces, or clustering
-	 * @return boolean Flag indicating support for all of the above
-	 * @todo Write test cases
-	 */
+     * Determines if the current database connection supports a given list of extensions
+     *
+     * @param array $extensions List of extensions to check for support of. The key of this array
+     * will be an extension name, and the value the configuration for that extension. This
+     * could be one of partitions, tablespaces, or clustering
+     * @return boolean Flag indicating support for all of the above
+     * @todo Write test cases
+     */
     public function supportsExtensions($extensions)
     {
         return false;
diff --git a/src/ORM/Connect/MySQLSchemaManager.php b/src/ORM/Connect/MySQLSchemaManager.php
index 30e827337..81f661ae2 100644
--- a/src/ORM/Connect/MySQLSchemaManager.php
+++ b/src/ORM/Connect/MySQLSchemaManager.php
@@ -614,11 +614,11 @@ class MySQLSchemaManager extends DBSchemaManager
     }
 
     /*
-	 * Return the MySQL-proprietary 'Year' datatype
-	 *
-	 * @param array $values Contains a tokenised list of info about this data type
-	 * @return string
-	 */
+     * Return the MySQL-proprietary 'Year' datatype
+     *
+     * @param array $values Contains a tokenised list of info about this data type
+     * @return string
+     */
     public function year($values)
     {
         return 'year(4)';
diff --git a/src/ORM/DataObject.php b/src/ORM/DataObject.php
index 8fea18de2..465ad03c4 100644
--- a/src/ORM/DataObject.php
+++ b/src/ORM/DataObject.php
@@ -3421,8 +3421,8 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
     }
 
     /*
-	 * @ignore
-	 */
+     * @ignore
+     */
     private static $subclass_access = true;
 
     /**
diff --git a/tests/behat/src/CmsFormsContext.php b/tests/behat/src/CmsFormsContext.php
index 3391be6b5..c345cb891 100644
--- a/tests/behat/src/CmsFormsContext.php
+++ b/tests/behat/src/CmsFormsContext.php
@@ -241,11 +241,11 @@ JS;
     }
 
     /*
-	 * @example Given the CMS settings has the following data
-	 *	| Title | My site title |
-	 *	| Theme | My site theme |
-	 * @Given /^the CMS settings have the following data$/
-	 */
+     * @example Given the CMS settings has the following data
+     *  | Title | My site title |
+     *  | Theme | My site theme |
+     * @Given /^the CMS settings have the following data$/
+     */
     public function theCmsSettingsHasData(TableNode $fieldsTable)
     {
         $fields = $fieldsTable->getRowsHash();
diff --git a/tests/php/Control/ControllerTest.php b/tests/php/Control/ControllerTest.php
index daead0a31..c9228911c 100644
--- a/tests/php/Control/ControllerTest.php
+++ b/tests/php/Control/ControllerTest.php
@@ -390,8 +390,8 @@ class ControllerTest extends FunctionalTest
             'Numeric actions do not slip through.'
         );
         //$this->assertFalse(
-        //	$controller->hasAction('lowercase_permission'),
-        //	'Lowercase permission does not slip through.'
+        //  $controller->hasAction('lowercase_permission'),
+        //  'Lowercase permission does not slip through.'
         //);
         $this->assertFalse(
             $controller->hasAction('undefined'),
diff --git a/tests/php/Dev/CsvBulkLoaderTest.php b/tests/php/Dev/CsvBulkLoaderTest.php
index e6cd461c1..beb0f54e7 100644
--- a/tests/php/Dev/CsvBulkLoaderTest.php
+++ b/tests/php/Dev/CsvBulkLoaderTest.php
@@ -230,7 +230,7 @@ class CsvBulkLoaderTest extends SapphireTest
 
         // null values are valid imported
         // $this->assertEquals($player->Biography, 'He\'s a good guy',
-        //	'Test retaining of previous information on duplicate when overwriting with blank field');
+        //  'Test retaining of previous information on duplicate when overwriting with blank field');
     }
 
     public function testLoadWithCustomImportMethods()
diff --git a/tests/php/Forms/ListboxFieldTest.php b/tests/php/Forms/ListboxFieldTest.php
index 66bccc81f..a674999a0 100644
--- a/tests/php/Forms/ListboxFieldTest.php
+++ b/tests/php/Forms/ListboxFieldTest.php
@@ -226,11 +226,11 @@ class ListboxFieldTest extends SapphireTest
          * @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
          * to the {@link ListboxField::validate()} function
          */
-        //		$field->setValue(4);
-        //		$this->assertFalse(
-        //			$field->validate($validator),
-        //			'Field does not validate values outside of source map'
-        //		);
+        //      $field->setValue(4);
+        //      $this->assertFalse(
+        //          $field->validate($validator),
+        //          'Field does not validate values outside of source map'
+        //      );
         $field->setValue(
             false,
             new ArrayData(
diff --git a/tests/php/View/SSViewerTest.php b/tests/php/View/SSViewerTest.php
index 2260df02d..2f3351002 100644
--- a/tests/php/View/SSViewerTest.php
+++ b/tests/php/View/SSViewerTest.php
@@ -1775,8 +1775,8 @@ EOC;
         $this->assertContains($code, $result);
         // TODO Fix inline links in PHP mode
         // $this->assertContains(
-        // 	'',