bcccc63d33
API Methods to override logout_accross_devices
2021-04-19 13:13:35 +12:00
fdd23a3675
Merge branch '4.7' into 4
2021-04-14 11:35:58 +12:00
e2777ded8e
• Add missing string
...
• Move attribute to login-forms
2021-04-13 15:33:49 +12:00
bbcc187c02
Update conflicting translations.
...
Revert removal of translations.
2021-04-12 11:42:57 +12:00
8692aabe9b
Use new designs
2021-04-08 12:32:12 +12:00
1c7fd287a1
ENH Reduce default token period from 90 to 30 days
2021-04-06 13:22:10 +12:00
66fa597b3b
FIX Better handling of remember me token when login across devices is disabled ( #9895 )
...
* BUG Make sure remember me tokens are not invalidated when logging out without the logout_across_devices flag
* Remove unneeded comment
2021-03-31 11:31:52 +13:00
44fae4497b
Better describe the 'keep me signed in' checkbox
2021-03-30 13:19:55 +13:00
22b2d58b5a
Update src/Security/Member.php
...
Co-authored-by: Steve Boyd <emteknetnz@gmail.com>
2021-03-22 09:02:18 +01:00
19052e6924
Update src/Security/Member.php
...
Co-authored-by: Steve Boyd <emteknetnz@gmail.com>
2021-03-22 09:02:13 +01:00
0586c55e62
prevent spaces in emails
...
so this is not the first time a customer of mine is just copy pasting stuff in emails fields and somehow, a space at the end skips validation. this update ensure there is no space before or after the email, it would probably save a lot of time for everyone to have this build in.
it's probably better to fix it here rather than at form level because this also happens for csv imports etc
2021-03-19 10:11:02 +01:00
c932d7e7fb
Fix the phpdoc blocks
2020-12-21 22:23:23 +01:00
7184703a57
Merge pull request #9516 from alessandromarotta/isLockectOut-call-LoginAttempt-getByEmail
...
isLockedOut() in Member.php call LoginAttempt::getByEmail but it passes to it the unique_identifier_field instead $this->Email
2020-10-01 17:43:30 -07:00
27bd5d12e3
ENH Replace E_USER_ERROR errors with exceptions
2020-09-24 23:51:21 -07:00
ae0ece2b02
Merge pull request #9665 from creative-commoners/pulls/4/php8-fqcn-token
2020-09-18 20:44:22 +01:00
ab50e2cc51
Merge branch '4.6' into 4
2020-09-15 13:44:57 +12:00
8bcfa57342
BUG Make PasswordEncryptor::check more resistent to timing attacks
2020-09-10 22:17:50 +12:00
adaf793ddb
BUG Always validate Member credentials against DRAFT stage ( #9671 )
2020-09-08 11:47:04 +12:00
622cf8b914
FIX: Drop parameter names in Injector instantiation to preserve behaviour in PHP 8
...
Fixes #9667
2020-09-07 17:24:00 +12:00
7377d094c0
FIX: Include missing security page titles when CMS not installed ( fixes #9648 )
2020-08-21 14:55:06 +01:00
65e0233258
PATCH: using standard way to refer to classes Group and PermissionRoleCode
2020-07-14 07:50:05 +12:00
f3d1e308e5
Update Member.php
...
The public function isLockedOut() in Member.php call LoginAttempt::getByEmail but serves to it the unique_identifier_field.
This PR could allow to extensions to patch the use of uniqueidentifierfield (otherwise it would be necessary to extends the Member Class to override the isLockedOut function, with a lot of problems)
2020-05-10 19:07:22 +02:00
42cee6f5fb
Merge pull request #9489 from mattclegg/1587548067
...
DOCS: Fix typos
2020-04-22 12:28:02 +01:00
826d1fa4eb
Merge pull request #9491 from mattclegg/1587548119
...
DOCS: Remove unnecessary `return`
2020-04-22 12:22:15 +01:00
2f717a4d90
DOCS: Remove unnecessary `return`
2020-04-22 15:50:12 +05:45
d521a52a33
DOCS: Fix typos
2020-04-22 15:20:11 +05:45
237b2d5f74
Convert array delcarations to short array syntax
2020-04-20 18:58:09 +01:00
cb36aab80c
Merge branch '4.5' into 4
2020-04-15 14:49:19 +12:00
e968f5cb86
DOCS: Remove outdated TODO
2020-04-14 15:00:08 +05:45
f77f725355
Merge pull request #9447 from mattclegg/docs__GridFieldDetailForm_ItemRequest-httpError
...
[DOCS] Better debug text for errors generated by GridFieldDetailForm_ItemRequest
2020-04-02 13:05:49 -07:00
9e0ed0a50a
Fix spaces around concatenation operator
2020-04-02 12:09:22 +01:00
5bf2ac83ee
Merge branch '4.5' into 4
2020-04-01 19:23:47 +01:00
e80f1b2b83
[DOCS] Member::logInAs is not a valid example
...
Member::logInAs doesn't exist as a static function.
Additionally, `logInAs` does exist as a function in SapphireTest.php, so, should this be updated to also use `Member::actAs` for consistency?
2020-03-31 18:20:21 +05:45
5002f514b3
FIX Capitalisation fixes in welcome back message ( #9439 )
2020-03-23 15:54:30 +13:00
06dab6b539
[BUGFIX] silverstripe/admin is not required to be installed
...
If the silverstripe/admin module is not installed then the javascript/css requirements fail to load
2020-03-16 18:54:01 +05:45
bd2ccf70fa
Merge pull request #9282 from open-sausages/pulls/4/docs/clarify-basic-auth
...
DOCS Clarify BasicAuth limitations
2019-10-22 14:01:51 +13:00
33a28394d6
Merge branch '4.4' into 4
2019-10-18 15:59:28 +13:00
0cf5d4cbe2
Merge branch '4.3' into 4.4
2019-10-18 15:58:13 +13:00
46b9530d88
PSR2 linting fixes
2019-10-18 15:31:39 +13:00
7873efde9c
Merge branch '4.4' into 4
2019-10-18 10:58:19 +13:00
8dcda91538
DOCS Clarify BasicAuth limitations
2019-10-10 10:41:39 +13:00
d7752b7945
Run PSR2 Lint cleaner
2019-10-04 13:26:31 +13:00
e49cec3a00
Merge pull request #9247 from jakxnz/pulls/4/record-login-attempt-outputs
...
ENHANCEMENT: MemberAuthenticator::recordLoginAttempt() outputs
2019-10-03 10:46:34 -07:00
88fde6e7c3
Merge branch '4.4' into 4
2019-09-24 17:29:06 +12:00
50a1aa4c4d
Merge branch '4.3' into 4.4
2019-09-24 17:28:31 +12:00
b002ef1171
Merge branch '4.4' into 4
2019-09-24 17:26:50 +12:00
8b7063a8e2
[CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution
2019-09-24 16:03:48 +12:00
eccfa9b10d
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
5af205993d
[CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution
2019-09-24 16:00:51 +12:00
569237c0f4
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
a033662a3a
MemberAuthenticator::recordLoginAttempt() outputs
2019-09-24 14:24:59 +12:00
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
...
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
efdb9cc718
FIX: run member CMS validator when editing via groups ( fixes #9184 )
2019-09-23 16:59:58 +01:00
6a1c6ecec6
Fix administrators not being able to see files that are restricted to groups
...
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
2019-09-23 16:44:28 +12:00
233e0e7aa0
ENH PasswordExpirationMiddleware implementation ( #9207 )
2019-09-12 14:34:06 +12:00
e8c2f963fd
FIX Member::getLastName() now correctly returns the Member surname
2019-09-06 12:12:27 -07:00
22a6a5b1e3
NEW Add getLastName() method to Member.php ( #9222 )
...
* Add getLastName() method to Member.php
Add getLastName() method to Silverstripe\Security\Member.php to allow use of $LastName instead of $Surname in templates as it is a common mistake made
this is for issue #9219
as discussed in Slack on 04-Sep-2019
* Minor doc block clean-up
* Update src/Security/Member.php - typo fix
Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-09-06 20:31:22 +12:00
dd40d53e6b
Merge branch '4.4' into 4
2019-09-04 09:46:33 +12:00
24015c7767
Merge branch '4.3' into 4.4
2019-09-04 09:42:09 +12:00
0b991cc039
Merge pull request #9198 from elabuwa/pulls/4.3/bug-fix-html-entities-breadcrumbs-in-group
...
Bug : Add html_entity_decode to group parents
2019-08-30 09:51:52 +12:00
fe4eb5dd2a
Update src/Security/Group.php
...
Co-Authored-By: Maxime Rainville <maxime@rainville.me>
2019-08-29 15:44:41 +12:00
73f43c6f42
BUG Remove placeholder text on new group form
2019-08-28 17:14:19 +12:00
9b7075ed5d
Update Group.php
2019-08-27 16:22:00 +12:00
a976a1688b
Update Group.php
...
move to private method
2019-08-27 16:21:08 +12:00
40e5c4ec59
Update Group.php
...
use of convert::raw2xml, rename $grp to $group
2019-08-27 16:19:40 +12:00
4f8240bd48
Update src/Security/Group.php
...
Co-Authored-By: Andre Kiste <bergice@users.noreply.github.com>
2019-08-27 12:19:03 +12:00
f7a602137a
add html_entity_decode to breadcrumbs
2019-08-27 11:49:17 +12:00
a5d6b998fc
Merge branch '4.4' into 4
2019-08-16 16:40:39 +12:00
bae7e32680
FIX Member::changePassword() no longer applies password validation rules to the hashed value
2019-08-16 09:06:07 +12:00
0672f8b76b
NEW HTTPRequest now has hasSession() to determine whether a session exists for it
2019-08-02 11:29:23 +12:00
3224c9971b
Merge branch '4.4' into 4
2019-08-02 11:24:54 +12:00
3b96c51688
Merge branch '4.3' into 4.4
2019-08-02 11:24:45 +12:00
5c794dfcdd
FIX Prevent setting session value when no session exists yet
2019-07-29 17:16:01 +02:00
29a663c65d
Merge branch '4.4' into 4
2019-07-15 09:24:49 +12:00
7ef13e7ef6
FIX Confirmation components to respect SS_BASE_URL ( #9074 )
2019-07-05 16:05:41 +12:00
d04e54c1be
Merge branch '4.4' into 4
2019-06-10 17:33:30 +12:00
c747b1f8d3
Merge branch '4.3' into 4.4
2019-06-10 17:32:07 +12:00
f766555d61
Merge branch '4.2' into 4.3
2019-06-10 17:27:05 +12:00
ca56e8d78e
[CVE-2019-12246] Denial of Service on flush and development URL tools
2019-06-10 17:23:56 +12:00
d873779956
API checkHistoricalPasswords(), characterStrength() and minLength() are now correctly deprecated from 4.5.0 onwards
2019-05-27 09:12:32 +12:00
dfa90715f7
Merge branch '4.4' into 4
2019-05-13 16:08:05 +12:00
abaeeb9432
Merge branch '4.3' into 4.4
2019-05-13 15:56:41 +12:00
53cb804929
Merge branch '4.2' into 4.3
2019-05-13 15:56:23 +12:00
db0e6f7104
Fix password validation min length message
...
When relying on static config instead of an explicitly set minLength then this message would show without the value, like "it must be or more characters long".
2019-05-13 13:43:29 +12:00
5dc57518c2
NEW Filter out authenticators that are falsy
...
Use-case: if a module is defining its own authenticator and you want to disable it, as it seems we don't have `unregister_authenticator()` anymore and I can't spot how to remove YAML-based injected properties, then this lets you mark it as null or false to prevent it from erroring out when it attempts to call `supportedServices()`
2019-05-04 20:58:48 +12:00
7775f82584
FIX Handle falsy return value when setting form field value in setAuthenticatorClass()
2019-02-01 19:39:15 +03:00
ebfab45e23
API LoginForm::authentiator_class is now deprecated, use getters or setters instead
2019-02-01 19:39:15 +03:00
868258926f
Implement feedback on PSR-19 compatibility
2019-01-30 11:57:17 +13:00
b0fc161235
Merge branch '4' into pulls/4/deprecating-declared-permissions
2019-01-29 09:33:44 +02:00
47fbaebb92
Alter deprecation version numbers
...
Co-Authored-By: ScopeyNZ <guy@scopey.co.nz>
2018-11-06 00:07:24 +13:00
2ff7ee6752
NEW Deprecate RandomGenerator::generateEntropy in favour of using random_bytes directly
2018-11-01 19:51:15 +13:00
0703c1a94e
API Deprecating Permission::$declared_permissions and related methods/props
2018-11-01 09:28:05 +13:00
1e83dff4ed
BUGFIX #828 optimised query in graphql asset admin
2018-10-18 18:34:03 +13:00
ee24413c30
Merge branch '4.2' into 4
2018-10-03 15:28:05 +02:00
231d6d9a9f
FIX New members now receive the configured default locale, not the current locale
2018-09-28 16:25:10 +02:00
4d14e9b6b1
Merge pull request #8421 from creative-commoners/pulls/4.3/psr-5-deprecations
...
Update deprecation PHPDocs to be PSR-5 compliant
2018-09-28 14:18:54 +02:00
f842ee2eec
Update deprecation PHPDocs to be PSR-5 compliant
...
See: https://github.com/php-fig/fig-standards/blob/master/proposed/phpdoc-tags.md#55-deprecated
2018-09-28 10:49:14 +02:00
adb4d1f92d
MINOR Reduce some code complexity, update array syntax and injected SQLSelect etc
2018-09-27 16:40:23 +02:00
c269a987d5
Performance issues with BasicAuth and LoginAttempts
...
Two functions interact with the LoginAttempt object which when used in conjunction with BasicAuth result in significant performance degradation over time, as the LoginAttempts Table fills.
This fix adds an index to the lookup column EmailHashed and removes the Email filter part of getByEmail() so it can use the index resulting in a much faster query.
For more information see https://github.com/silverstripe/silverstripe-framework/issues/8389
2018-09-20 13:34:03 +12:00
373a8afeb5
Merge branch '4.2' into 4
2018-09-06 13:26:46 +02:00
Steve Boyd
Maxime Rainville
André Kiste
Thomas Portelange
William Desportes
Robbie Averill
Robbie Averill
Dan Hensby
Sam Minnee
Loz Calver
Nicolaas
Alessandro Marotta
Daniel Hensby
mattclegg
Serge Latyntcev
Ingo Schommer
Damian Mooyman
Aaron Carlino
Jackson Darlow
Loz Calver
bergice
Hels666
Robbie Averill
Dileep Ratnayake
Guy Marriott
matt-in-a-hat
Indy Griffiths
micmania1
Simon Gow