Commit Graph

73 Commits

Author SHA1 Message Date
Thomas Portelange
9391e696bb
use Member::class 2023-06-23 09:35:34 +02:00
Thomas Portelange
2e73b5eeca
Use cached query
Fixes https://github.com/silverstripe/silverstripe-framework/issues/10833
2023-06-22 11:04:26 +02:00
Thomas Portelange
54892fa267
request may not have a session
see https://github.com/silverstripe/silverstripe-framework/pull/10512
2022-09-28 10:44:13 +02:00
Loz Calver
903dd860b7 ENH: Add extension hooks to core emails 2022-05-16 10:02:49 +01:00
Steve Boyd
511b3bb060 ENH PHP 8.1 compatibility 2022-04-14 13:12:59 +12:00
Steve Boyd
ed492da636 Merge branch '4.10' into 4 2021-12-16 17:45:33 +13:00
Lukas
552cf5944d
MNT Fix various typos with codespell (#10177) 2021-12-13 21:05:33 +13:00
Florian Thoma
31668e8acf fix: remove login marker cookie on logout
Apply suggestions from code review

Co-authored-by: Michal Kleiner <mk@011.nz>
2021-11-01 10:04:18 +11:00
Florian Thoma
9a7c99fc4b FIX Take current request protocol into account when deleting session cookie 2021-08-06 10:55:05 +10:00
Florian Thoma
3e2ca3027b destroy session on logout instead of restarting it 2021-07-20 12:05:16 +10:00
Steve Boyd
b625ba99b3 ENH Remove wording for authenticated devices being manageable 2021-06-18 09:50:13 +12:00
André Kiste
e2777ded8e • Add missing string
• Move attribute to login-forms
2021-04-13 15:33:49 +12:00
André Kiste
bbcc187c02 Update conflicting translations.
Revert removal of translations.
2021-04-12 11:42:57 +12:00
André Kiste
8692aabe9b Use new designs 2021-04-08 12:32:12 +12:00
André Kiste
44fae4497b Better describe the 'keep me signed in' checkbox 2021-03-30 13:19:55 +13:00
Maxime Rainville
adaf793ddb
BUG Always validate Member credentials against DRAFT stage (#9671) 2020-09-08 11:47:04 +12:00
Daniel Hensby
237b2d5f74
Convert array delcarations to short array syntax 2020-04-20 18:58:09 +01:00
Robbie Averill
5002f514b3
FIX Capitalisation fixes in welcome back message (#9439) 2020-03-23 15:54:30 +13:00
Robbie Averill
e49cec3a00
Merge pull request #9247 from jakxnz/pulls/4/record-login-attempt-outputs
ENHANCEMENT: MemberAuthenticator::recordLoginAttempt() outputs
2019-10-03 10:46:34 -07:00
Aaron Carlino
b002ef1171 Merge branch '4.4' into 4 2019-09-24 17:26:50 +12:00
Serge Latyntcev
eccfa9b10d [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Jackson Darlow
a033662a3a MemberAuthenticator::recordLoginAttempt() outputs 2019-09-24 14:24:59 +12:00
Serge Latyntsev
233e0e7aa0 ENH PasswordExpirationMiddleware implementation (#9207) 2019-09-12 14:34:06 +12:00
Robbie Averill
ebfab45e23 API LoginForm::authentiator_class is now deprecated, use getters or setters instead 2019-02-01 19:39:15 +03:00
Robbie Averill
83e461abbf Merge branch '4.2' into 4 2018-08-27 16:15:57 +12:00
Robbie Averill
18fff5c16c Remove past tense for "log in" in expired token message 2018-08-20 22:31:23 +12:00
Robbie Averill
dbab696690 FIX Message when changing password with invalid token now contains correct links to login
The Security controller should be used to return these links rather than the
ChangePasswordHandler
2018-08-20 22:30:12 +12:00
Ingo Schommer
2d6964c243
Merge pull request #8261 from open-sausages/pulls/4/secure-remember-me-cookie
NEW Option for secure "remember me" cookie
2018-07-31 09:19:15 +12:00
Ingo Schommer
114b0a5ea7
NEW Option for secure "remember me" cookie
Fixes #8234
2018-07-30 16:41:49 +01:00
Ingo Schommer
93b0884e19 BUG Lazy session state (fixes #8267)
Fixes regression from 3.x, where sessions where lazy started as required:
Either because an existing session identifier was sent through with the request,
or because new session data needed to be persisted as part of the request execution.

Without this lazy starting, *every* request will get a session,
which makes all those responses uncacheable by HTTP layers.

Note that 4.x also changed the $data vs. $changedData payloads:
In 3.x, they both contained key/value pairs.
In 4.x, $data contains key/value, while $changedData contains key/boolean to declare isChanged.
While this reduces duplication in the class, it also surfaced a bug which was latent in 3.x:
When an existing session is lazily resumed via start(), $data is set back to an empty array.
In 3.x, any changed data before this point was *also* retained in $changedData,
ensuring it gets merged into existing $_SESSION data.
In 4.x, this clears out data - hence the need for a more complex merge logic.

Since isset($this->data) is no longer an accurate indicator of a started session,
we introduce a separate $this->started flag.

Note that I've chosen not to make lazy an opt-in (e.g. via start($request, $lazy=false)).
We already have a distinction between lazy starting via init(), and force starting via start().
2018-07-19 13:32:04 +12:00
Daniel Hensby
560fe9820a FIX remove personal information from password reset confirmation screen 2018-07-05 14:19:15 +12:00
Robbie Averill
ea16e28aa7 Merge branch '4.1' into 4 2018-05-28 18:33:56 +12:00
Robbie Averill
722202fef4 Merge remote-tracking branch 'origin/4.0.4' into 4.1.1
# Conflicts:
  #	src/Control/Director.php
2018-05-24 15:41:11 +12:00
Robbie Averill
beec0c0d47 [SS-2018-010] Fix regression of SS-2017-002 2018-05-14 17:12:07 +12:00
Daniel Hensby
70effc7046
Revert "ENHANCEMENT Add config var to skip confirm logout (#7977)"
This reverts commit 47bcac930d.
2018-04-04 13:51:18 +01:00
Andrew Aitken-Fincham
47bcac930d ENHANCEMENT Add config var to skip confirm logout (#7977) 2018-04-04 09:43:49 +12:00
Damian Mooyman
386ef27f65
Update requesthandlers with missing extension points 2018-03-23 15:28:00 +13:00
Damian Mooyman
625f7b4eee
Merge remote-tracking branch 'origin/4.0' into 4.1 2018-03-13 14:26:18 +13:00
Joe Harvey
bf2cee3989 Bugfix - Correct duplicate nesting of 'Content' to be returned to template
In scenarios where:

- No member is logged in
- An 'AutoLoginHash' is provided via the 't' (token) query param
- The token isn't valid (determined by Member::validateAutoLoginToken())

The message which is intended to be returned to the end-user via $Content
in the template, is mistakenly double nested in ['Content' => ['Content' => 'Message']]
this leads to "The method forTemplate() doesn't exist on ArrayData" errors.

See - https://github.com/silverstripe/silverstripe-framework/issues/7866
2018-03-07 14:14:05 +00:00
Damian Mooyman
bca47029c4
Merge remote-tracking branch 'origin/4.0' into 4
# Conflicts:
#	src/Control/SimpleResourceURLGenerator.php
#	tests/php/Control/SimpleResourceURLGeneratorTest.php
2018-01-25 12:53:15 +13:00
Damian Mooyman
a3c52f901a
Merge remote-tracking branch 'origin/4.0' into 4
# Conflicts:
#	src/Core/TempFolder.php
#	src/ORM/DataObject.php
#	src/View/ThemeResourceLoader.php
#	src/includes/constants.php
#	tests/php/Control/SimpleResourceURLGeneratorTest.php
#	tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
#	tests/php/View/RequirementsTest.php
2018-01-22 14:57:05 +13:00
Damian Mooyman
60fa7558d3
BUG Fix double casting in login authenticator name
Fixes #7769
2018-01-22 14:06:24 +13:00
Daniel Hensby
db610aaf3b
Fixing string concat CS issues 2018-01-16 18:39:30 +00:00
Daniel Hensby
eb55c27124
Merge branch '4.0' into 4 2017-12-05 12:14:22 +00:00
Loz Calver
c4b366828e FIX: Restore BackURL preservation on log out (closes #7636) 2017-11-27 16:15:28 +00:00
Simon Erkelens
0987003053 Add the ability to redirect a user to a custom page with custom content after changing their password 2017-11-27 14:18:40 +13:00
Damian Mooyman
ad36b8f6a9 Use restart instead of destroy 2017-11-03 12:08:38 +13:00
Daniel Hensby
a61ce077c6 FIX Sessions must be destroyed on logout 2017-11-03 12:08:38 +13:00
Simon Erkelens
6506a5b958 Don't add a . when there's no extension 2017-10-16 11:56:35 +13:00
Robbie Averill
6044579a3f MINOR Separate some areas of logic in LostPasswordHandler to make them more overridable 2017-10-05 14:17:38 +13:00