Commit Graph

2245 Commits

Author SHA1 Message Date
Ingo Schommer
720c149aee FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
cfa88adf4b FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
68ca47b0dd FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Sean Harvey
95bb799e6f BUG Fixing SQLQuery::aggregate() adding ORDER BY when no limit.
DataQuery::initialiseQuery() will add a default sort to a query,
and when calling up an aggregate it will make a query like this
which doesn't make sense:

SELECT MAX("LastEdited") FROM "Member" ORDER BY "ID"

In this case there is no need to add the ORDER BY, and it will
break databases like MSSQL in cases such as
GenericTemplateGlobalProvider
which provides a default List() function for adding aggregates
into SSViewer template cacheblocks.

If we add a limit, however, then it does make sense:

SELECT MAX("LastEdited") FROM "Member" ORDER BY "ID" LIMIT 10

This fixes SQLQuery::aggregate() to NOT add an ORDER BY to an
aggregate call if there is no limit.
2013-09-06 18:11:11 +12:00
Ingo Schommer
1c31c098ee FIX Correct Zend_Locale fallbacks in i18n/DateField/DateTimeField
Due to the recent change of translations to transifex, some
locales changed their names, which prompted a fix to
i18n::get_available_translations() (see 00ffe7294).
This caused a regression where short locales are determined
from the YAML file names (e.g. "en"), but weren't matched up
with fully qualified locales from get_available_translations() (e.g. "en_US").
Since this list is used in the admin/myprofile dropdown for the Member.Locale value,
it didn't match up with any entries and defaulted to the first one ("Africaans").

Note that the behaviour of admin/myprofile is still a bit weird:
It defaults the locale on new members to the one set for the current administrator.
So if a site defaults to en_US in _config.php, but the admin happens to view
his backend in de_DE, all members he creates default to de_DE as well.

Thanks to @tractorcow for contributing and peer reviewing!
2013-08-30 10:18:00 +02:00
Johannes Hammersen, x75
b8495da5d9 BUG Cached images stored in wrong folder
If multiple image manipulations are performend the resulting cached image is stored in assets/_resampled because the cached version of the image has no ParentID, which cacheFilename needs to set the correct path.
2013-08-26 10:16:42 +02:00
Ingo Schommer
8092dfa3d5 Merge remote-tracking branch 'origin/3.1' 2013-08-22 14:11:45 +02:00
Ingo Schommer
eb311691be Fixed 3.1-specific switchToWindow() behat feature 2013-08-22 14:10:54 +02:00
Ingo Schommer
a4c6ae3e90 Merge remote-tracking branch 'origin/3.1' 2013-08-22 13:56:33 +02:00
Ingo Schommer
4a3a88710f Merge remote-tracking branch 'origin/3.1.0' into 3.1
Conflicts:
	dev/BehatFixtureFactory.php
	model/Hierarchy.php
	tests/behat/features/bootstrap/FeatureContext.php
	tests/core/CoreTest.php
2013-08-22 13:00:25 +02:00
Ingo Schommer
40c239076b Merge remote-tracking branch 'origin/3.0' into 3.1.0
Conflicts:
	model/Hierarchy.php
2013-08-22 12:55:47 +02:00
Ingo Schommer
54edc0ddac Fix Behat window switching in chrome
Workaround only, see https://groups.google.com/forum/#!topic/behat/QNhOuGHKEWI
2013-08-22 12:49:38 +02:00
Simon Welsh
c66cc952d2 Correct line length and indentation 2013-08-21 21:27:16 +12:00
Simon Welsh
4cb98f1afd Only have Scrutinizer check PHP files 2013-08-21 21:02:12 +12:00
Simon Welsh
151baeede1 Correct line length and indentation 2013-08-21 18:54:05 +12:00
Simon Welsh
4db6520357 Only have Scrutinizer check PHP files 2013-08-21 17:57:31 +12:00
Ingo Schommer
a6da1f5570 Merge pull request #2294 from wilr/fixgridexport
FIX: Remove limit on GridField export
2013-08-20 14:08:18 -07:00
Ingo Schommer
46362175f0 Merge remote-tracking branch 'origin/3.1.0' into 3.1 2013-08-20 20:59:31 +02:00
Ingo Schommer
a592c36adf Merge remote-tracking branch 'origin/3.0' into 3.1.0
Conflicts:
	docs/en/changelogs/index.md
2013-08-20 20:49:01 +02:00
Ingo Schommer
699cbfe851 Merge branch '3.1.0' into 3.1
Conflicts:
	thirdparty/jquery-entwine/dist/jquery.concrete-dist.js
	thirdparty/jquery-entwine/spec/SpecRunner.html
	thirdparty/jquery-entwine/spec/spec.entwine.eventcapture.js
	thirdparty/jquery-entwine/spec/spec.entwine.namespaces.js
	thirdparty/jquery-entwine/src/domevents/jquery.entwine.domevents.addrem.js
	thirdparty/jquery-entwine/src/jquery.entwine.eventcapture.js
	thirdparty/jquery-entwine/src/jquery.entwine.js
	thirdparty/jquery-entwine/src/jquery.focusinout.js
2013-08-20 16:58:40 +02:00
Ingo Schommer
2fd5558a70 Fixed "insert image" behat feature
Was using wrong button label, and ignoring the
"unsaved changes" warning dialog
2013-08-20 16:19:30 +02:00
Hamish Friedlander
4a7aef0e25 FIX Double slashes in ParameterConfirmationToken 2013-08-19 11:35:34 +12:00
Will Rossiter
c7bdfcd76a Merge pull request #2293 from robert-h-curry/empty-arraylist
Preempt fatal errors when making some function calls on an empty ArrayList
2013-08-17 16:53:48 -07:00
Ingo Schommer
7ae75c1a89 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	forms/HtmlEditorField.php
2013-08-16 13:37:44 +02:00
Ingo Schommer
de3b1b22d3 Fixed behat tests for confirming grid field dialogs 2013-08-16 13:34:23 +02:00
Ingo Schommer
362d35742f Fixed behat tests to confirm file deletion dialog 2013-08-16 13:34:23 +02:00
Ingo Schommer
c8aabd33ac Removed debug code
Regression from 82401b56
2013-08-07 17:37:59 +02:00
Ingo Schommer
2a35f2f928 Merge remote-tracking branch 'origin/3.1' 2013-08-07 17:34:11 +02:00
Ingo Schommer
afe06661ef Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/templates/Includes/LeftAndMain_Menu.ss
	admin/templates/Includes/ModelAdmin_ImportSpec.ss
	admin/templates/Includes/ModelAdmin_Tools.ss
	admin/templates/LeftAndMain.ss
	admin/templates/ModelSidebar.ss
	i18n/i18n.php
	templates/ComplexTableField.ss
	templates/ComplexTableField_popup.ss
	templates/FileIFrameField_iframe.ss
	templates/Includes/GridFieldItemEditView.ss
	templates/Includes/TableListField_PageControls.ss
	templates/RelationComplexTableField.ss
	templates/TableField.ss
	templates/TableListField.ss
2013-08-07 17:14:47 +02:00
Ingo Schommer
00ffe72944 Translations: Switch to Transifex format
- Based on new (last) translation download from getlocalization.com
- Removed untranslated strings. Getlocalization started including those at some point
which is highly annoying, unnecessary and breaks the new transfix system,
since it'll mark all of the english strings as actual translations
- Avoid dots in entities. It confuses the Transifex YML parser
- Removed some locales unknown to Transifex which didn't have any translations anyway
- Removed "lolcat" locale, uses custom notation (en@lolcal)
  which SilverStripe's i18n system can't handle
  (needs mapping from SS naming to Zend naming)
- Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation)
- Namespaced all entities used in templates (deprecated usage)
- Converted dots to underscores where template filenames are used for namespaces,
since Transifex YML parsing handles them as separate YML keys otherwise
- Removed whitespace in entity names, SilverStripe i18n can't handle it
- Only allow selection of locales registered through i18n::$all_locales to avoid
  issues with unknown locales in Zend's CLDR database
2013-08-07 00:25:16 +02:00
Hamish Friedlander
2110493466 Merge branch '3.0' into 3.1 2013-08-07 09:43:52 +12:00
Will Rossiter
65d96e8d7c FIX: Remove limit on GridField export
Allow DataList::limit() to take a null value to remove the limit.

Added tests for limit(). Note the one failure, currently the ORM doesn't support unlimited values with an offset.
2013-08-05 19:59:12 +12:00
Robert Curry
d69520bd70 Preempt fatal errors when making some function calls on an empty ArrayList
The function "first" on ArrayList uses the PHP function "reset", which
returns false if there aren't any elements in the array. Two functions
inside ArrayList use this function, "canFilterBy" and "byID". I've
changed these functions to catch the possibility of a false return from
first().
2013-08-05 15:47:58 +12:00
Hamish Friedlander
342058742c FIX Flush on memory exhaustion and headers sent 2013-08-02 09:41:16 +12:00
Hamish Friedlander
d44024b1cf Merge branch 'origin/3.1' 2013-07-24 13:29:55 +12:00
Hamish Friedlander
541436feb0 Merge branch 'origin/3.0' into 3.1 2013-07-24 12:09:44 +12:00
Hamish Friedlander
a1ea905ca8 FIX Nice errors and allows flush on module removal 2013-07-24 09:57:01 +12:00
Hamish Friedlander
0a79ac3592 Merge branch 'origin/3.1'
Conflicts:
	templates/forms/CheckboxSetField.ss
	templates/forms/FormField_holder.ss
	templates/forms/OptionsetField.ss
2013-07-19 16:25:38 +12:00
Hamish Friedlander
d38bd7d5cb Merge branch 'origin/3.0' into 3.1 2013-07-19 14:18:49 +12:00
Hamish Friedlander
1298d4a5bd FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:24:32 +12:00
Ingo Schommer
920edf88e7 Test allowedExtensions in UploadField, return correct HTTP status 2013-07-12 13:16:34 +02:00
Ingo Schommer
b58e2dbe3a Member.lock_out_delay_mins configurable, password security docs 2013-07-11 09:47:28 +02:00
Daniel Hensby
378d829e8f Adding test to prove issue with HTTP Header parsing in RestfulService
I have a header like:
X-BB-Auth: xxxx

and it is being given back to me as X-Bb-Auth - i want to prove the issue and the fix
2013-07-10 12:47:13 +01:00
Andrew Short
8a62593754 Merge branch '3.1' 2013-07-10 18:27:19 +10:00
Cam Spiers
b44641336b FIX ConfigManifest regenerating every request if variantKeySpec is an empty array() 2013-07-10 11:53:44 +12:00
Andrew Short
bfdf14fafa Merge branch '3.1' 2013-07-09 13:42:32 +10:00
Cam Spiers
2d30592f72 Improve memory performance when generating config static and class caches 2013-07-08 21:24:14 +12:00
Jeremy Thomerson
f6ff39369f FEATURE: <% include %> inherits iterator scope of parent template 2013-07-07 12:39:42 +00:00
Sam Minnée
0173707cd1 Merge pull request #2164 from tractorcow/3.1-datetimefield-fixes
BUG Fixed DateTimeField where time value was being parsed incorrectly.
2013-07-06 19:03:33 -07:00
Sam Minnée
ecf8f273c0 Merge pull request #2201 from hafriedlander/fix/session
Fixes to session, primarily around cookie_secure
2013-07-06 18:59:07 -07:00
Hamish Friedlander
2886f6ee14 FIX Session was started every time, even if no data set
Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
2013-07-07 09:12:10 +12:00
Cam Spiers
0aeb2293bb Allow module directories to be named with more valid characters ensuring that module names in fragment meta-data are correct.
Unit tests for ConfigManifest reference path parsing
2013-07-06 14:16:59 +12:00
Simon Welsh
4b57a343a2 Merge remote-tracking branch 'origin/3.1' 2013-07-05 11:56:31 +12:00
Simon Welsh
ff45f7ce4d DataListTest should not rely on order of values when not explictly sorting 2013-07-05 11:45:34 +12:00
Simon Welsh
dfc8dbdee0 Merge remote-tracking branch 'origin/3.1' 2013-07-05 10:23:59 +12:00
Simon Welsh
fbce9fd7cd Merge branch '3.1'
Conflicts:
	.travis.yml
	docs/en/misc/contributing/code.md
	javascript/HtmlEditorField.js
2013-07-05 10:22:58 +12:00
Ingo Schommer
c3e9e44204 Merge pull request #2197 from hafriedlander/fix/dbapichange
FIX Recent patch to DataObject#db changed API which broke core
2013-07-04 15:20:52 -07:00
Simon Welsh
d844c74e3c Merge branch '3.0' into 3.1
Conflicts:
	.travis.yml
	control/HTTP.php
	email/Mailer.php
	tests/control/HTTPTest.php
2013-07-05 10:17:14 +12:00
Hamish Friedlander
ca63e33c19 FIX Recent patch to DataObject#db changed API which broke core 2013-07-05 10:11:35 +12:00
Damian Mooyman
11f4b2c620 API HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.

HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce

HTTP::absoluteURLs now handles additional cases where urls were not translated.

Test cases for HTTP::absoluteURLs added for both css and attribute links.

Cleaned up replacement expression and improved documentation.
2013-07-05 09:08:58 +12:00
Ingo Schommer
067a94bd93 Postgres compat in MemberCsvBulkLoaderTest and GroupTest 2013-07-04 22:46:23 +02:00
Ingo Schommer
cf20923fd6 Postgres compat in SQLQueryTest 2013-07-04 22:28:13 +02:00
Hamish Friedlander
dacb2aa638 FIX HtmlEditorField not re-checking sanitisation server side 2013-07-04 08:53:23 +12:00
Jeremy Thomerson
50e9eee2e9 FIX #2174: SearchFilter needs casting helper for DataObject base fields
Commit 964b3f2 fixed an issue where dbObject was returning casting helpers for
fields that were not actually DB objects, but had something in $casting config.

However, because dbObject was no longer calling DataObject->castingHelper, this
exposed a bug that the underlying function db($fieldName) was not returning
field specs for the base fields that are created by SS automatically on all
DataObjects (i.e. Created, LastEdited, etc).

This commit fixes the underlying issue that DataObject->db($fieldName) should
return the field specs for *all* DB fields like its documentation says it will,
including those base fields that are automatically created and do not appear in
$db.
2013-07-03 03:03:40 +00:00
Ingo Schommer
429bbc5223 Merge pull request #2137 from jthomerson/pulls/fix_viewable_data_wrapped_value
FIX: ViewableData wasn't setting values when using default cast
2013-07-02 00:40:56 -07:00
Mateusz Uzdowski
21844a8a07 Merge branch 'pr/2173' into 3.1 2013-07-02 15:52:31 +12:00
Mateusz Uzdowski
f9ede95e5b Add configuration system tests for Only and Except combinations. 2013-07-02 15:51:53 +12:00
Hamish Friedlander
5484283a25 FIX changing environment in config.php changes matched yaml rules 2013-07-02 13:21:27 +12:00
Hamish Friedlander
e74c002647 FIX Only and Except rules in Configs not working 2013-07-01 15:47:37 +12:00
Daniel Hensby
9a40b16496 Adding tests to FormField and Form for extra classes
Added tests that were missing from `Form` and ones for my new logic
2013-06-29 13:35:34 +01:00
Ingo Schommer
a6c3d1e269 Flag "insert image" behat test as @assets
Required in order to run them remotely, which currently
doesn't support file upload through Selenium
2013-06-28 12:21:00 +02:00
Damian Mooyman
feb03f5443 BUG Fixed issue where time value was being parsed incorrectly in some locales 2013-06-28 16:45:33 +12:00
Simon Welsh
aecda4882b Merge pull request #2150 from hafriedlander/fix/templatevars-v2
FIX Arguments to method calls reseting scope
2013-06-25 21:59:14 -07:00
Simon Welsh
e55be50783 FIX: ConfigStaticManifest not handling multipart namespaces
Fixes #2126
2013-06-26 16:01:55 +12:00
Hamish Friedlander
ae3e3f3b44 FIX Arguments to method calls reseting scope 2013-06-25 17:35:16 +12:00
Simon Welsh
1edf45fbed Merge pull request #2130 from chillu/pulls/allowed_actions-deny
API Enforce $allowed_actions in RequestHandler->checkAccessAction()
2013-06-24 12:41:15 -07:00
Ingo Schommer
2f9eaeea41 Merge pull request #2021 from jthomerson/fix_if_link_not_working
FIX: <% if Link %> wasn't working
2013-06-24 06:16:21 -07:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Jeremy Thomerson
e6bfabfd6c TEST: additional test for ViewableData not wrapping cached strings 2013-06-21 16:20:00 +00:00
CheeseSucker
761eec7736 Unit test for bugfix in ViewableData::obj(). 2013-06-21 16:17:22 +00:00
Hamish Friedlander
328467f1b5 FIX: ConfirmedPasswordField used to expose existing hash 2013-06-20 14:09:30 +12:00
Ingo Schommer
2160fb8000 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/javascript/LeftAndMain.js
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
	tests/control/ControllerTest.php
2013-06-19 14:03:43 +02:00
Ingo Schommer
94b4237372 Merge remote-tracking branch 'origin/3.1' 2013-06-19 11:17:33 +02:00
Sam Minnee
526b40414a FIX: Ensure that actions inferred from templates with the "_action" suffix also respect allowed_actions.
FIX: Ensure SSViewer::hasTemplate() is aware of themes.

To do this, RequestHandler::definingClassForAction() has been created, splitting out the code that looks up the class that defines a given action into its own method.  This is then overridden in Controller to look at templates.
2013-06-19 20:11:50 +12:00
Ingo Schommer
1d402dd513 Unset test state in DirectorTest
This broke RSSFeedTest when running through 'sake'
2013-06-18 23:24:22 +02:00
Jeremy Thomerson
964b3f2d48 FIX: <% if Link %> wasn't working
Since ViewableData was returning a casting helper for Link, but DataObject was
only using $this->$fieldname to set values on that casting helper, you could
not use <% if Link %> (or <% if $Link %>) in your templates because Link is not
a field, and thus had no value to be set on the casting helper, causing
hasValue to think that there was no value.  Since DataObject->dbObject says that
"it only matches fields and not methods", it seems safe to have it call db(..)
to get the field spec, and not call ViewableData->castingHelper at all.
2013-06-15 13:44:03 +00:00
Will Rossiter
9775204436 FIX Allow filtering on joined columns 2013-06-15 12:06:24 +12:00
Will Rossiter
0129e185b8 Coding conventions, PHPDoc cleanup 2013-06-15 12:06:24 +12:00
Damian Mooyman
be986c6524 API Allow $summary_fields to support methods on DBFields 2013-06-13 09:41:24 +12:00
Ingo Schommer
71a5615213 Test $allowed_actions on controllers with template name=action conventions 2013-06-10 12:33:30 +02:00
Stig Lindqvist
dbc2b62c69 Merge pull request #2054 from chillu/pulls/dataobject-duplicate-hasone
BUG Correct relation saving in DataObject->duplicateRelations()
2013-06-07 22:54:36 -07:00
Mike Parkhill
574c11a834 Behat: "Insert image from web" feature
Partially fixes https://github.com/silverstripe/silverstripe-cms/issues/628
Modified a bit by Ingo :)
2013-06-07 16:10:21 +02:00
Ingo Schommer
fd6060e7be Behat: More robust "field should contain" logic 2013-06-07 16:02:29 +02:00
Ingo Schommer
924664527b Less assumptions in "HTML field contains" step
Not using the loose idea of a "field name" in the NamedSelector
sense of the word as "field with id exists".
2013-06-07 15:46:05 +02:00
Ingo Schommer
7dfe5ccbd2 Limit "should see a button" to actually visible elements 2013-06-07 15:45:15 +02:00
Stig Lindqvist
17bca1db86 Behat: Adding context for 'Given I should not see a "xxx" button' 2013-06-07 12:06:01 +02:00
Ingo Schommer
ff5624c57e BUG Fixed dropdown step definition for "preview" dropdowns
Broke after I optimized it to work with a TreeDropdownField
which assumes <li><a> structures that thie "preview" dropdowns
don't have. I also failed at the recursion assignment, causing
infinite loops...
2013-06-07 11:45:09 +02:00
Ingo Schommer
23e51b871b BUG Accept $limit=0 in SQLQuery->setLimit()
SQLQuery->setLimit(0, 99) should result in "SELECT ... LIMIT 0 OFFSET 1".
In fact it does "SELECT ..." without a LIMIT clause at all,
which is unexpected. This is regardless of the $offset value.
2013-06-06 15:27:14 +02:00
Ingo Schommer
4603378e00 Behat: Fixed step notation 2013-06-06 15:26:50 +02:00
Ingo Schommer
7791f20f49 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
2013-06-05 15:17:06 +02:00