Sean Harvey
0e07f1a7f5
Merge remote-tracking branch 'origin/3.0' into 3.1
2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b
FIX Opt-out pf form message escaping ( fixes #2796 )
...
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/ .
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.
We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803 .
2014-08-22 16:59:34 +12:00
Damian Mooyman
997077ae83
API Security.remember_username to disable login form autocompletion
2014-04-11 09:05:25 +12:00
Damian Mooyman
0cbad41d3b
Rewrote usages of error suppression operator
2014-03-05 15:48:55 +13:00
Damian Mooyman
6d5d3d8cb7
Rewrote usages of error suppression operator
2014-03-05 14:22:19 +13:00
Damian Mooyman
1cc366fe23
Merge pull request #2850 from kinglozzer/2827-member-extend
...
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827 )
2014-03-04 13:42:17 +13:00
Ingo Schommer
c047a7b990
Reset FailedLoginCount on successful password reset
2014-03-03 17:47:16 +13:00
Loz Calver
d91c7d14b8
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once ( fixes #2827 )
...
Fix usage of inside closure
Can't use self:: in closure either
Basic unit tests to check extensions are applied correctly
2014-02-16 21:21:15 +00:00
andrewvt
389bdb4ddf
Added a unit test for removeFromGroupByCode()
...
Added a unit test for removeFromGroupByCode()
2013-10-31 22:05:13 -04:00
Will Rossiter
813d34b15e
FIX: Use Injector API for managing Member_Validator instance.
...
Updates the CMS profile page and SecurityAdmin to give developers a few ways to customise the required fields.
Added extension hook updateValidator for getValidator for things like modules to inject required fields to go along with Injector for replacing the entire class for project specific use.
2013-10-16 11:29:43 +13:00
Ingo Schommer
05757efceb
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
...
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
cfa88adf4b
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
68ca47b0dd
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
...
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Ingo Schommer
b58e2dbe3a
Member.lock_out_delay_mins configurable, password security docs
2013-07-11 09:47:28 +02:00
Simon Welsh
d844c74e3c
Merge branch '3.0' into 3.1
...
Conflicts:
.travis.yml
control/HTTP.php
email/Mailer.php
tests/control/HTTPTest.php
2013-07-05 10:17:14 +12:00
Ingo Schommer
067a94bd93
Postgres compat in MemberCsvBulkLoaderTest and GroupTest
2013-07-04 22:46:23 +02:00
Ingo Schommer
fb784af738
API Enforce $allowed_actions in RequestHandler->checkAccessAction()
...
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk
Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.
Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Ingo Schommer
3334eafcb1
API Marked statics private, use Config API instead ( #8317 )
...
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Hamish Friedlander
7efae6b95f
Merge remote-tracking branch 'origin/3.0' into 3.1
2013-02-18 14:31:57 +13:00
Ingo Schommer
30096ee730
BUGFIX Keep Member.PasswordEncryption setting on empty passwords
...
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
634c91c6ff
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
d8bfc0bb48
API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself.
2013-01-29 18:03:47 +01:00
Ingo Schommer
22eeaa4ac1
BUG Members should not be allowed to delete themselves ( fixes #8121 )
2012-12-16 23:53:45 +01:00
Ingo Schommer
644cc79ebb
API Removed methods previously deprecated in 3.0
2012-12-14 01:16:47 +01:00
Simon Welsh
b0121b541c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 00:12:11 +13:00
Ingo Schommer
15a687f1e7
Merge remote-tracking branch 'origin/3.0'
2012-11-23 15:31:08 +01:00
Ingo Schommer
aa72425e84
Fixed PHPUnit assertions for incomplete tests in core
...
Avoid PHPUnit throwing "test didn't run any assertions"
notices in PHP. If nothing else, it keeps test output
looking less broken by default, making it more likely
that actual errors do get noticed.
2012-11-23 15:16:39 +01:00
Ingo Schommer
c55c7c33f8
Merge branch '3.0'
...
Conflicts:
admin/code/CMSProfileController.php
composer.json
tests/model/DataObjectTest.php
2012-11-22 23:51:28 +01:00
Mateusz Uzdowski
a8b0e44d98
API Hash autologin tokens before storing in the database.
...
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.
This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Andrew O'Neil
6dd6a5c188
APICHANGE: Use late static binding for Object::remove_extension()
2012-11-07 11:07:55 +13:00
Andrew O'Neil
fdea5321c7
APICHANGE: add_extension() is now called directly on the class, instead of on Object
2012-11-07 11:07:55 +13:00
Ingo Schommer
56f7ce1dcf
Merge remote-tracking branch 'origin/3.0'
...
Conflicts:
control/Cookie.php
control/Director.php
control/HTTPResponse.php
model/Database.php
model/MySQLDatabase.php
model/SQLQuery.php
view/Requirements.php
view/SSViewer.php
2012-10-03 16:16:19 +02:00
Sam Minnee
1f7fc1f76a
FIX Remove instances of lines longer than 120c
...
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Simon Welsh
1e629f4585
Merge branch '3.0'
...
Conflicts:
control/Cookie.php
control/Director.php
dev/Profiler.php
view/Requirements.php
2012-09-21 14:56:56 +12:00
Ingo Schommer
e2f073f38a
Method visibility according to coding conventions
2012-09-20 10:46:59 +02:00
Ingo Schommer
4b9ccabcf6
Merge pull request #603 from willrossi/trac7296
...
FIX: ensure permissions_for_member() accounts for denied permissions
2012-07-05 09:26:04 -07:00
Will Rossiter
f9ea5430bb
API: add SecurityToken::reset() as a shortcut for regenerating a secure token.
...
See http://open.silverstripe.org/ticket/6303
2012-07-01 20:53:58 +12:00
Will Rossiter
9babb01a4b
FIX: ensure that permissions_for_member() accounts for denied permissions.
...
Taken from http://open.silverstripe.org/ticket/7296 . PermissionTest extended to validate that permissions_for_member() includes permissions denied pre applying patch. PermissionTest passes post patch.
2012-07-01 17:55:20 +12:00
Will Rossiter
a4bce3fc44
ENHANCEMENT: remove dependencies between framework tests and cms module.
2012-06-20 16:17:29 +02:00
Sam Minnee
09e821efc3
MINOR: Don't leave cost=31 blowfish setting dormant in code, causing timeouts.
2012-06-15 13:47:38 +12:00
Cam Spiers
9139f737b8
ENHANCEMENT: Added the ability to set a cost (the property was protected before and there were no setters and getters) and enforced the php requirements on the cost string used in the salt of crypt. Specifically, two digit from 04-31. Updated unit tests for blowfish algorithm to actually use the salt generation function and to test the newly implemented cost setting and getting functionality.
2012-06-14 15:13:11 +12:00
Stig Lindqvist
bbe3879eaa
BUGFIX: Member::mapInGroups() throws SQL error
...
Renamed the Member::mapInGroups() to Member::map_in_groups() since it's a static method and throws deprecation message if using the old variant.
Rewrote the mapInGroups to use a more ORMy way of fetching Members for a set of groups and included a test for.
2012-05-10 13:53:54 +12:00
Sean Harvey
b1e17578c7
API CHANGE Removed assertType() and assertEmpty() workarounds. Use assertInstanceOf()
...
instead of assertType(), assertEmpty() is available in PHPUnit 3.5+.
PHPUnit 3.4 is no longer supported, so please upgrade your version to
work.
MINOR Removed FullTestSuite which was a workaround for PHPUnit but not
used.
2012-05-09 23:05:39 +12:00
Andrew O'Neil
0c0a91e3c1
MINOR: Fix coding conventions
2012-05-08 10:33:03 +12:00
Andrew O'Neil
5cf3720bf0
ENHANCEMENT: Use the best blowfish encryption available - this fixes fragility between PHP versions and system installations
2012-05-07 15:04:09 +12:00
Andrew O'Neil
89fc8e5fdd
APICHANGE: PasswordEncryptor::check() allows for more powerful password checking, deprecating PasswordEncryptor::compare()
2012-05-07 15:03:53 +12:00
Andrew O'Neil
fa60f9e8b2
ENHANCEMENT: Implement blowfish encryption and use it by default. ( #7111 )
2012-05-02 13:51:29 +12:00
Sean Harvey
8a6671d72e
BUGFIX Member::onChangeGroups() should allow ADMIN permission grant if the logged in user is an ADMIN
2012-04-27 12:27:46 +12:00