This bug was introduced with the new nested CMS actions
around December 2012, but wasn't noticed until now
because checkAccessAction() would wrongly return TRUE
before the dataFieldByName() check was reached.
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method
Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction
RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function
GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction
Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.
Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
Shortcodes have traditionally had a problem that they are inside <p> tags,
but generate block level elements. This breaks HTML compliance.
This makes the shortcode parser now mutate the DOM based on the "class" attribute on
the shortcode to insert the generated block level element at the right place in the DOM
- for "left" and "right" elements it puts them just before the block level
element they are inside
- for "leftAlone" and "center" elements it splits the DOM around the shortcode.
The trade off is that shortcodes are no longer "text level" features. They need
knowledge of the HTML they are in to perform this transformation, so they can
only be used in (valid) HTML
Because I removed completely the static setting of SSL_VERIFYPEER I've
added the ability to declare default curl options on the class. This
means that users that really want to one line turn off SSL_VERIFYPEER
can do so without needing to pass a custom option in every request()
call.
Before now, the RestfulService_Response object was never sent the
response headers. For APIs that rely on the response headers to send
back information (signatures, pagination info, etc).
This change makes the curl response have the full HTTP response
(including Headers). We then extract the body and the header information
and assign them to relevant vars and then construct the response as
before (with the addition of the headers array).
This change required two new functions:
extractResponse: This extracts the HTTP Headers and the payload from the
curl response and assigns it to the relevany vars that are passed by
reference
parseRawHeaders: This was designed to mimic http_parse_headers (a
non-standard php class). It converts the headers into an associative
array.
All of the arguments supplied to the request function can impact what is
returned by a restful service.
This takes account of that and makes the cache key more specific,
including basic auth details, so we don't rely on *just* the absolute
URL for caching.
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.
API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)
See https://github.com/silverstripe/sapphire/pull/1178 for context.