Commit Graph

1146 Commits

Author SHA1 Message Date
Damian Mooyman
e301279358 Merge pull request #3425 from halkyon/removing_deprecated2
Removing deprecated class/functions marked for deprecation in 3.0/3.1
2014-08-26 09:13:08 +12:00
Ingo Schommer
e56ad9b37c Don't clear BackURL after MemberAuthenticator::authenticate()
It breaks logic flow, e.g. when

It's called by BasicAuth:requireLogin() when basic auth is enabled,
before any controller logic kicks in (on every HTTP request).
This means you can't use session-based BackURLs with basic auth enabled,
breaking flows like redirection after Facebook logins.

I can't see why a clear() was necessary here, looks like an overly
cautious way to prevent infinite loops? Can't see how those
would be caused by requireLogin() though.

Been there since all the way back in 2007: a377a67e54
2014-08-25 23:12:52 +12:00
Sean Harvey
07eef2ece2 Removing deprecated class/functions marked for deprecation in 3.0/3.1 2014-08-25 12:06:05 +12:00
Sean Harvey
0e07f1a7f5 Merge remote-tracking branch 'origin/3.0' into 3.1 2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b FIX Opt-out of form message escaping (fixes #2796)
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 16:59:34 +12:00
Damian Mooyman
eb069e605d Remove all redundant whitespace 2014-08-19 09:17:15 +12:00
Sean Harvey
404478b07f Removing @deprecated 3.1 functionality and classes.
Changelog has been updated to include what was removed in terms of
major functionality, and what to use as a replacement.
2014-08-18 16:00:13 +12:00
Damian Mooyman
0433ba1642 BUG Revert some changes to ManyManyList
BUG Fix incompatibility in Member_GroupList
Fix regressions in merges from 3.1
BUG Fix Security failing on test classes
BUG Fix postgresql compatibility
Clarify sql encoding of table names
2014-07-23 12:38:41 +12:00
Damian Mooyman
d8e9af8af8 API New Database abstraction layer. Ticket #7429
Database abstraction broken up into controller, connector, query builder, and schema manager, each independently configurable via YAML / Injector
Creation of new DBQueryGenerator for database specific generation of SQL
Support for parameterised queries, move of code base to use these over escaped conditions
Refactor of SQLQuery into separate query classes for each of INSERT UPDATE DELETE and SELECT
Support for PDO
Installation process upgraded to use new ORM
SS_DatabaseException created to handle database errors, maintaining details of raw sql and parameter details for user code interested in that data.
Renamed DB static methods to conform correctly to naming conventions (e.g. DB::getConn -> DB::get_conn)
3.2 upgrade docs
Performance Optimisation and simplification of code to use more concise API
API Ability for database adapters to register extensions to ConfigureFromEnv.php
2014-07-09 18:04:05 +12:00
Ingo Schommer
58445245d9 Conditionally reset MemberLoginForm.force_message
Avoid starting a session just because the login form is rendered,
which adds overhead to requests and makes them harder to cache.
2014-06-03 23:21:57 +12:00
Damian Mooyman
e9c3ff933f Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
	composer.json
2014-05-06 10:22:09 +12:00
Tim Snadden
afad65ee71 Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template. 2014-04-30 09:30:22 +12:00
Damian Mooyman
982ad569b9 Merge remote-tracking branch 'origin/3.1' 2014-04-22 12:09:51 +12:00
Mateusz U
36d925543b Merge pull request #3020 from tractorcow/pulls/3.1-autocomplete-username
API Security.remember_username to disable login form autocompletion
2014-04-11 09:17:27 +12:00
Damian Mooyman
997077ae83 API Security.remember_username to disable login form autocompletion 2014-04-11 09:05:25 +12:00
Ingo Schommer
be12656bd9 Returning response from doChangePassword() 2014-04-10 17:21:56 +12:00
Ingo Schommer
f737922cdf Prevent IE errors on hidden login forms
In order to focus a field, it needs to be visible,
which can't be guaranteed on a core level by the login form JavaScript.
Optionally check for visibility via jQuery if it exists,
and allow explicit disabling of this behaviour via a unique identifier.
2014-04-08 11:28:54 +12:00
Simon Welsh
3e57cc069e Merge pull request #2907 from dhensby/patch-1
FIX Log out current member when forgotten password
2014-03-15 21:42:41 +13:00
Simon Welsh
18661005ee Corrects merge errors.
Closes #2937
2014-03-11 07:04:24 +13:00
Simon Welsh
d431e98ecf Merge branch '3.1'
Conflicts:
	forms/Form.php
	forms/FormField.php
	security/Member.php
	security/MemberLoginForm.php
2014-03-10 22:58:49 +13:00
Damian Mooyman
1cc366fe23 Merge pull request #2850 from kinglozzer/2827-member-extend
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
2014-03-04 13:42:17 +13:00
Ingo Schommer
c047a7b990 Reset FailedLoginCount on successful password reset 2014-03-03 17:47:16 +13:00
Daniel Hensby
ab52b677aa FIX Log out current member when forgotten password
At the moment, if a user is logged in on a device (say, their phone) but has forgotten their password.

If they attempt to reset their password on their desktop, then open the email on their phone they then see the reset password form *with* the CurrentPassword field. I'm not entirely sure what happens if a DIFFERENT user is currently logged in, but I think they remain logged in and you're effectively trying to change their password.

Both scenarios are not ideal and (in fact) this happens a lot in the real world as it's a legitimate complaint we're receiving from visitors of one of our client's websites.
2014-02-28 14:27:45 +00:00
Ingo Schommer
9afcf8f01a Allow vetoing forgot password requests 2014-02-25 13:05:32 +13:00
Loz Calver
d91c7d14b8 FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
Fix usage of  inside closure

Can't use self:: in closure either

Basic unit tests to check extensions are applied correctly
2014-02-16 21:21:15 +00:00
Ingo Schommer
6906c9bd1a API Removed auto-detection for i18n date/time formats
Default to "yyyy-MM-dd" for date format, and "H:mm" for time_format.
Switched to config API for setting/getting values.

Avoid using "MMM" in particular, since it causes
inconsistencies in month names between jQuery UI and Zend_Locale_Format.

Fixes https://github.com/silverstripe/silverstripe-cms/issues/544
2014-02-16 23:57:49 +13:00
Ingo Schommer
4af9143d3b Merge remote-tracking branch 'origin/3.1'
Conflicts:
	docs/en/misc/contributing/code.md
2014-02-07 16:43:22 +13:00
Kirk Mayo
632884252b NEW: Updating out of date URLs in the framework source code and docs 2014-02-07 15:10:44 +13:00
Ingo Schommer
bb9f84afd5 Merge pull request #2806 from tractorcow/pulls/bug-member-locale
BUG Default Member.Locale now chooses a better default value when i18n.locale is not a valid translation
2014-02-03 17:03:48 -08:00
Ingo Schommer
0d7e9a9692 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	_config/routes.yml
	docs/en/topics/datamodel.md
	forms/DropdownField.php
2014-02-04 08:19:04 +13:00
Ingo Schommer
124886a7f9 Merge pull request #2799 from yearofthegus/document-magic-members
Documented magic properties of DataObject
2014-01-30 18:26:23 -08:00
Ingo Schommer
ab070944d5 Merge branch 'pulls/apidocs-package-list' of https://github.com/madmatt/silverstripe-framework into madmatt-pulls/apidocs-package-list
Conflicts:
	view/SSTemplateParser.php
	view/SSTemplateParser.php.inc
2014-01-31 15:15:59 +13:00
Damian Mooyman
293c672fa7 BUG Default Member.Locale now chooses a better default value when i18n.locale is not a valid translation
This will resolve issues in cases where the site locale may be assigned a value that does not have an explicit translation. E.g. if the locale is en_NZ (and it's appropriate for this to be the assigned locale), Afrikaans will no longer be the default selected locale when creating members. Now en_US is chosen as a better fallback default.

This is a minor ease of use fix that means fewer CMS users can be accidentally created in Afrikaans within NZ based sites.

Test cases included.
2014-01-30 15:55:14 +13:00
Gus King
5797efa263 Documented magic properties of DataObject 2014-01-26 00:11:32 -05:00
Will Rossiter
13bd4e96b1 Correct PHPDoc for Member::currentUser. (Fixes #2750) 2014-01-12 16:08:31 +13:00
micmania1
229bea399b added logout url to Security and deprecated Security::set_login_url in favour of config 2013-12-20 21:55:54 +00:00
Ingo Schommer
7591e43ab9 Merge remote-tracking branch 'origin/3.1' 2013-12-19 23:33:58 +01:00
Ingo Schommer
627e3cdf11 Revert entity name change
Partially reverts b0f38f4990
which broke unit tests relying on the old entity name
in 3.1, where translations and the en.yml master file have been backported to.
2013-12-19 23:13:13 +01:00
Ingo Schommer
f29d51f433 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	docs/en/reference/dataobject.md
	lang/es.yml
2013-12-19 20:23:09 +01:00
Ingo Schommer
23371b01aa "lost password" translation master (fixes #2725) 2013-12-19 20:00:59 +01:00
Sean Harvey
6fc9db6f0e API DataObject::validate() visibility changed to public (issue #1659)
DataObject::validate() is currently set to protected, but this means
you can't call validate() from outside the context of itself unless
you overload the method to use a public visibility and then call
parent::validate()

As it would turn out, most classes that overload this method already
set the visibility to public, so it would make sense the parent matches
that as well.
2013-12-19 16:36:39 +13:00
Ingo Schommer
15c7252af0 beforeMemberLoggedIn/beforeMemberLoggedOut hooks
Required to save/restore parts of the session information,
which Member nukes indiscriminately on logout.

Specific use case is restoring linkages to temporary databases
on Behat test runs.
2013-12-18 18:26:01 +01:00
madmatt
bebe0f6e37 Updating @package and @subpackage doc tags 2013-11-29 17:49:30 +13:00
Andrew Short
bedf292612 Merge branch '3.1'
Conflicts:
	docs/en/reference/execution-pipeline.md
	lang/nl.yml
2013-11-11 18:18:25 +11:00
Sean Harvey
70c23f37de Merge pull request #2608 from andrewvt/3.1
added removeFromGroupByCode() function to Member.php
2013-11-03 12:27:10 -08:00
andrewvt
953dec8863 Updated group filter
Updated group filter
2013-11-01 07:22:13 -04:00
Sean Harvey
42fa4d6005 Merge pull request #2574 from dhensby/patch-1
Allowing chaining on `PasswordValidator`
2013-10-31 15:54:18 -07:00
Devlin
6c6ab7b0ce Bad redirect in ChangePasswordForm->doChangePassword() 2013-10-30 09:57:28 +01:00
andrewvt
9a11c643da added removeFromGroupByCode() function to Member.php
I was using the addToGroupByCode() function today and it would have been handy to have a removeFromGroupByCode() so I decided to add one.
2013-10-24 16:57:00 -04:00
Mateusz Uzdowski
1a39f61598 BUG Fix the password reset message to be shown consistently.
If we detect any of the password reset GET params, it's safe to assume
that someone intended a password reset, regardless of other conditions.
2013-10-25 09:29:21 +13:00
Ingo Schommer
b56ca812dc Merge remote-tracking branch 'origin/3.1'
Conflicts:
	tests/security/MemberTest.php
2013-10-23 14:53:29 +02:00
Ingo Schommer
d7e10e620a Merge pull request #2537 from wilr/membervalidator
FIX: Use Injector API for managing Member_Validator instance.
2013-10-23 03:01:15 -07:00
Ingo Schommer
1895f289cc Merge pull request #2560 from TomSpeak/patch-2
NEW Hook for `Member::registerFailedLogin`
2013-10-22 11:57:21 +02:00
Daniel Hensby
974d575826 Allowing chaining on PasswordValidator
Allowing chaining on `PasswordValidator`.

Also using injector pattern for `ValidationResult` instantiation
2013-10-21 20:01:30 +01:00
Ingo Schommer
25b6175e67 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
	forms/FormField.php
2013-10-20 13:52:56 +02:00
Thomas Speak
d22ca62c6f BUG FailedLoginCount reset
If you fail your maximum login attempts and are locked out, further failed login attempts add to your already existing FailedLoginCount as it is only reset if you log in successfully. This means that if you're locked out, then try again, one failure will automatically lock you out again, regardless of what you set your max limit to.

Example:

lock_out_after_incorrect_logins: 3
FailedLoginCount: 0

The user fails three login attempts.

lock_out_after_incorrect_logins: 3
FailedLoginCount: 3

The user is now locked out.

Lockout time passes.

The user fails their 4th login.

lock_out_after_incorrect_logins: 3
FailedLoginCount: 4

This will continue to happen until the user successfully logs in, without giving them the pre-defined amount of login attempts again due to this condition being met after every incorrect login:
```php
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
```

FailedLoginTestCount Test Added
2013-10-18 13:48:11 +01:00
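The counter behaviour described in the commit above, as an added example rather than code from the SilverStripe project: a small Python model (chosen over PHP so it runs without the framework) that replays the scenario in the message with `lock_out_after_incorrect_logins: 3`. The "fixed" variant resets the counter once a previous lockout window has elapsed; that is one way to restore the full allowance and is an assumption here, not necessarily the project's actual patch. The member record, timestamps and lockout delay are constructed for the example.

```python
"""Lockout counter model (added example, not SilverStripe's own code).

Reproduces the scenario in the commit message: three failures lock the
account, the lockout expires, and a fourth failure arrives.  Before the
fix that fourth failure locks the account again immediately; after it
the member gets the configured number of attempts again.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

LOCK_OUT_AFTER_INCORRECT_LOGINS = 3   # mirrors the config value in the message
LOCK_OUT_DELAY_MINS = 15              # assumed lockout duration (Member.lock_out_delay_mins)


@dataclass
class Member:
    failed_login_count: int = 0
    locked_out_until: Optional[datetime] = None

    def is_locked_out(self, now: datetime) -> bool:
        return self.locked_out_until is not None and now < self.locked_out_until


def register_failed_login_buggy(m: Member, now: datetime) -> None:
    """Pre-fix behaviour: the counter is only ever cleared by a successful login."""
    m.failed_login_count += 1
    if m.failed_login_count >= LOCK_OUT_AFTER_INCORRECT_LOGINS:
        m.locked_out_until = now + timedelta(minutes=LOCK_OUT_DELAY_MINS)


def register_failed_login_fixed(m: Member, now: datetime) -> None:
    """Assumed fix: failures from an expired lockout window do not carry over."""
    if m.locked_out_until is not None and now >= m.locked_out_until:
        m.failed_login_count = 0
        m.locked_out_until = None
    m.failed_login_count += 1
    if m.failed_login_count >= LOCK_OUT_AFTER_INCORRECT_LOGINS:
        m.locked_out_until = now + timedelta(minutes=LOCK_OUT_DELAY_MINS)


def simulate(register: Callable[[Member, datetime], None]) -> List[Tuple[int, bool]]:
    """Three failures, wait out the lockout, then one more failure.

    Returns (FailedLoginCount, locked_out) after each attempt.
    """
    m = Member()
    t = datetime(2013, 10, 18, 13, 0)   # constructed timestamp
    history = []
    for _ in range(3):
        register(m, t)
        history.append((m.failed_login_count, m.is_locked_out(t)))
        t += timedelta(seconds=1)
    t += timedelta(minutes=LOCK_OUT_DELAY_MINS + 1)   # lockout time passes
    register(m, t)
    history.append((m.failed_login_count, m.is_locked_out(t)))
    return history


if __name__ == "__main__":
    print("buggy:", simulate(register_failed_login_buggy))
    print("fixed:", simulate(register_failed_login_fixed))
```

Running the two simulations side by side shows the difference the message describes: the buggy path ends at a count of 4 and locked out again after a single post-lockout failure, the fixed path ends at a count of 1 and unlocked.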
Thomas Speak
e8287cd2f5 NEW Hook for Member::registerFailedLogin
Adding a hook for registerFailedLogin so that it is possible to add some custom logic when a user fails to login

Also rearranged the write as this function could hit the DB up to 3 times. Now it will be 0 or 1 times.
2013-10-18 10:17:28 +01:00
Will Rossiter
813d34b15e FIX: Use Injector API for managing Member_Validator instance.
Updates the CMS profile page and SecurityAdmin to give developers a few ways to customise the required fields.

Added extension hook updateValidator for getValidator for things like modules to inject required fields to go along with Injector for replacing the entire class for project specific use.
2013-10-16 11:29:43 +13:00
Devlin
5ea314d012 FIX PasswordValidator->characterStrength() Documentation 2013-10-15 12:44:50 +02:00
Will Rossiter
b0f38f4990 Change default message to be credential agnostic. 2013-10-11 11:22:15 +13:00
Ingo Schommer
b367dd6237 API Removed Member.LastVisited and Member.NumVisits 2013-10-10 12:35:07 +02:00
Ingo Schommer
8727d1b1eb Merge remote-tracking branch 'origin/3.1' 2013-10-10 12:11:50 +02:00
Ingo Schommer
cd225f0fa4 No HTML entities in "Groups" ListboxField (fixes #2513) 2013-10-10 12:08:16 +02:00
Ingo Schommer
60fc7e5346 Merge remote-tracking branch 'origin/3.1' 2013-10-06 19:07:39 +02:00
Damian Mooyman
5bbea12b45 BUG Issue with login form failing to login in certain situations. Fixes issue #2424 2013-10-03 17:12:30 +13:00
Ingo Schommer
c7f656cd00 API Removed "PastMember" cookie and template getter
The functionality is easy to replicate in custom controllers,
and is too rarely used to be placed in core.

This also removes the `Member::is_repeat_member()` getter
and the `PastMember`/`IsRepeatMember` template globals.

See https://groups.google.com/forum/#!topic/silverstripe-dev/b8K3wU64TXg
2013-09-27 20:06:25 +02:00
Ingo Schommer
455e550d9a Merge remote-tracking branch 'origin/3.1'
Conflicts:
	docs/en/topics/testing/create-silverstripe-test.md
	forms/Form.php
	i18n/i18n.php
	model/Image.php
2013-09-27 19:22:14 +02:00
Ingo Schommer
0ea7042443 $privileged_permissions visibility (fixes #2464) 2013-09-27 18:56:38 +02:00
Ingo Schommer
03d1d58148 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/code/SecurityAdmin.php
	css/AssetUploadField.css
	docs/en/topics/configuration.md
	security/PermissionRole.php
2013-09-12 17:33:36 +02:00
Ingo Schommer
c2b312d76f Merge remote-tracking branch 'origin/3.1.0' into 3.1 2013-09-12 17:24:42 +02:00
Ingo Schommer
f803704d91 FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
05757efceb FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
091c096dbf FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
cfa88adf4b FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
68ca47b0dd FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Sean Harvey
e43ca931d6 Merge pull request #2343 from chillu/pulls/security-404
Returning 404 on /Security, instead of Controller.ss template
2013-09-05 18:56:23 -07:00
Ingo Schommer
1c31c098ee FIX Correct Zend_Locale fallbacks in i18n/DateField/DateTimeField
Due to the recent change of translations to transifex, some
locales changed their names, which prompted a fix to
i18n::get_available_translations() (see 00ffe7294).
This caused a regression where short locales are determined
from the YAML file names (e.g. "en"), but weren't matched up
with fully qualified locales from get_available_translations() (e.g. "en_US").
Since this list is used in the admin/myprofile dropdown for the Member.Locale value,
it didn't match up with any entries and defaulted to the first one ("Afrikaans").

Note that the behaviour of admin/myprofile is still a bit weird:
It defaults the locale on new members to the one set for the current administrator.
So if a site defaults to en_US in _config.php, but the admin happens to view
his backend in de_DE, all members he creates default to de_DE as well.

Thanks to @tractorcow for contributing and peer reviewing!
2013-08-30 10:18:00 +02:00
Ingo Schommer
20b49e215c Merge pull request #2136 from nedmas/fix-remove-export-button-padding
FIX: GridField button styling
2013-08-30 00:24:21 -07:00
Ingo Schommer
a4c6ae3e90 Merge remote-tracking branch 'origin/3.1' 2013-08-22 13:56:33 +02:00
Simon Welsh
151baeede1 Correct line length and indentation 2013-08-21 18:54:05 +12:00
Ingo Schommer
18ae4c5db6 Returning 404 on /Security, instead of Controller.ss template
We shouldn't expose unsolicited content on public URLs,
mainly because it impacts SEO.
2013-08-20 21:12:55 +02:00
Mateusz Uzdowski
085d2e62cb BUG MemberLoginForm fields should be tagged as required. 2013-08-12 09:32:03 +12:00
Ingo Schommer
2a35f2f928 Merge remote-tracking branch 'origin/3.1' 2013-08-07 17:34:11 +02:00
Julian Seidenberg
17e0432252 BUG adding a more descriptive message when the CMS session times out. It used to say "Forbidden", now it says "Not logged in". 2013-08-06 17:27:37 +12:00
Hamish Friedlander
0a79ac3592 Merge branch 'origin/3.1'
Conflicts:
	templates/forms/CheckboxSetField.ss
	templates/forms/FormField_holder.ss
	templates/forms/OptionsetField.ss
2013-07-19 16:25:38 +12:00
Mateusz Uzdowski
d4a6f7304e BUG First error should take precedence here. No further checks needed. 2013-07-19 08:54:52 +12:00
Ingo Schommer
d4a1e6d294 BUG Prevent clickjacking in CMS and Security controllers (fixes #2215) 2013-07-14 22:44:09 +02:00
Ingo Schommer
b58e2dbe3a Member.lock_out_delay_mins configurable, password security docs 2013-07-11 09:47:28 +02:00
Simon Welsh
fbce9fd7cd Merge branch '3.1'
Conflicts:
	.travis.yml
	docs/en/misc/contributing/code.md
	javascript/HtmlEditorField.js
2013-07-05 10:22:58 +12:00
Simon Welsh
1d5ac5876b Only redirect on logout if we're not already redirecting 2013-06-27 09:49:10 +12:00
Tom Densham
3596892001 FIX: GridField button styling
Remove all top/bottom margins from buttons and apply to GridFieldButtonRow component. Ensure that all buttons are added to a suitable GridFieldButtonRow in ModelAdmin, SecurityAdmin and Group.
2013-06-21 14:22:00 +01:00
Ingo Schommer
94b4237372 Merge remote-tracking branch 'origin/3.1' 2013-06-19 11:17:33 +02:00
Will Morgan
db3eed1f9a Using Injector pattern for ValidationResult in Member 2013-06-18 15:49:58 +01:00
Stig Lindqvist
2eafd63297 Merge pull request #2077 from halkyon/changepassword_validation_redirection_issue
BUG If BackURL set, validation errors send the user to wrong place.
2013-06-07 22:44:13 -07:00
Sean Harvey
83bff54ec2 BUG If BackURL set, validation errors send the user to wrong place.
If there's validation errors in the ChangePasswordForm, the user
is taken to the BackURL because redirectBack() will go there if
it's set.

Instead of this, just redirect back to the "changepassword" action
on the Security controller.
2013-06-08 11:34:58 +12:00
Sean Harvey
7862ececbd Allow PasswordValidator to be translated 2013-06-08 10:48:27 +12:00
Will Morgan
1c0ae76f8e Adding passwordless message instead of throwing an exception 2013-06-07 16:52:44 +02:00
Ingo Schommer
88536998b9 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
2013-05-31 18:08:59 +02:00
Sam Minnée
5d76048275 Merge pull request #1780 from hdrlab/patch-4
Disable ID based partial caching for all security actions
2013-05-24 23:53:04 -07:00
Sam Minnée
628391e3f1 Merge pull request #1979 from nedmas/patch-1
BUGFIX: singleton('Group')->Members() fails
2013-05-24 19:45:54 -07:00
Ingo Schommer
016368afdc Merge pull request #1994 from mateusz/logout-cleanup
BUG Clean up the logOut and session destruction routines.
2013-05-24 16:01:42 -07:00
Tom Densham
d36fbfb1b2 BUGFIX: singleton('Group')->Members() fails
Running Members() on a Group that has no Db record causes UnsavedRelationList to be returned by DirectMembers() which in turn causes alterDataQuery() to fall over when called on an UnsavedRelationList. This just adds a simple check to prevent it.
2013-05-23 17:31:19 +02:00
Sam Minnee
d97ca43cd0 Merge branch '3.1'
Conflicts:
	README.md
	dev/install/install.php5
	forms/ConfirmedPasswordField.php
	tests/forms/FormTest.php
2013-05-23 19:01:58 +12:00
Sean Harvey
ac2216dabc Merge pull request #1969 from robert-h-curry/patch-1
Only show direct members of a group in the members field
2013-05-22 20:28:17 -07:00
Mateusz Uzdowski
2f7fd967b2 BUG Clean up the logOut and session destruction routines. 2013-05-23 13:27:41 +12:00
Ingo Schommer
ee784c3663 Fix priority of Member->getHtmlEditorConfigForCMS() (silverstripe/silverstripe-cms#728) 2013-05-22 21:31:42 +02:00
Robert Curry
aeb5a2e42a Only show direct members of a group in the members field
The call to Members() includes members of child groups, which was causing any members added through the grid field to be added to the child groups as well.
2013-05-22 18:48:36 +12:00
Sean Harvey
abad856534 Use create() to instantiate Member_GroupSet on Member::Groups()
Keeps it consistent with how HasManyList and ManyManyList are
instantiated in DataObject.
2013-05-22 13:56:36 +12:00
Sean Harvey
15f7c884f8 Merge pull request #1756 from halkyon/permission_denied_hook
BUG Security::permissionFailure() fixing permissionDenied hook inconsistency
2013-05-13 02:15:58 -07:00
Will Morgan
17e31fc609 Merge pull request #1 from silverstripe/master
Syncing back because I suck at Git
2013-05-08 03:45:51 -07:00
Ingo Schommer
3e88c98ca5 API Restrict MemberLoginForm to POST requests for increased security
CVE-2013-2653 - Thanks to Fara Rustein of Deloitte Argentina for reporting.
2013-05-08 10:25:28 +02:00
Josua2012
59be4a3be0 Allow custom ChangePasswordForm form
With this modification we can use Object::useCustomClass() to create a
custom ChangePasswordForm form:
```php
Object::useCustomClass('ChangePasswordForm', 'CustomChangePasswordForm');
```
2013-05-08 09:39:39 +02:00
Ingo Schommer
6c2e791a48 Merge remote-tracking branch 'origin/3.1' 2013-04-29 08:59:06 +02:00
Will Morgan
8f6451612b Use correct config variable name in encrypt_password
Use correct config variable name in encrypt_password
Fixes https://github.com/silverstripe/sapphire/issues/1709
2013-04-28 09:58:42 +12:00
Will Morgan
0de8a8a304 Use correct config variable name in encrypt_password
Use correct config variable name in encrypt_password
Fixes https://github.com/silverstripe/sapphire/issues/1709
2013-04-27 13:29:13 +02:00
Will Morgan
c61f050757 Use correct config variable name in encrypt_password
Use correct config variable name in encrypt_password
Fixes https://github.com/silverstripe/sapphire/issues/1709
2013-04-27 13:22:00 +02:00
Will Morgan
72a7f0e672 AJAX friendly responses for Security class
Final work around issue #1802 - creating templates for complex layout
operations and removing HTML from this controller.
2013-04-26 12:29:35 +01:00
hdrlab
22f5c06fd3 Disable ID based partial caching for all security actions
Disables ID based partial caching for all security actions so that actions such as Security/lostpassword and Security/passwordsent work properly even if partial caching is used.
2013-04-19 16:45:05 +12:00
Marvin Dickhaus
ea558828c9 Group description in CMSFields 2013-04-14 22:11:19 +02:00
Sean Harvey
1eadff5a4f BUG Security::permissionFailure() fixing permissionDenied hook inconsistency
permissionDenied only works if Security::permissionFailure() is called when
there's currently no logged in Member. This fixes it so failed attempts
with logged in Member also includes the permissionDenied hook.

In addition, fix an undefined $member variable
2013-04-12 10:59:00 +12:00
Ingo Schommer
0343a77d30 Merge remote-tracking branch 'origin/3.1' 2013-04-11 11:42:04 +02:00
Ingo Schommer
7d6edccb0a Marked Security.token as private 2013-04-09 01:48:20 +02:00
Ingo Schommer
97819b3f21 Correct encoding in MemberLoginForm->forgotPassword() URLs (fixes #6126) 2013-04-05 11:15:34 +02:00
Ingo Schommer
cfafa19cc3 FIX Disallow group removal when member is edited in groups view
It would invalidate this view. Only allow group editing
for new members added to this group (with a group default),
and for members edited through the "root" view.
2013-04-05 00:51:24 +02:00
Will Rossiter
70144ad549 FIX: Groups should be able to have titles longer than 50 characters (Fixes: open/5611) 2013-03-26 22:05:37 +13:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
4cd6d00159 Fixed forceExpiry() usage 2013-03-19 10:49:52 +01:00
Ingo Schommer
b416e50bff Fixed deprecations 2013-03-19 10:38:14 +01:00
Ingo Schommer
bea1b9002d Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/HTTP.php
2013-02-26 13:28:35 +01:00
Ingo Schommer
0c6ac1960e Fixed whitespace usage 2013-02-18 15:43:52 +01:00
Ingo Schommer
92458d9f43 Fixed line lengths 2013-02-18 14:41:49 +01:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords from setting the encryption to 'none',
which in turn would store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
14a56c18e9 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-02-07 21:45:16 +01:00
Ingo Schommer
79eacb2439 FIX Group->canEdit() correct non-admin checks (fixes #8250)
Due to changed return value of DataObject::get(),
the (negated) check always returned false.
This wasn't noticed in 3.0 because Group->canEdit() is rarely
enforced, but does become noticeable in 3.1 where GridField
checks those object-level permissions.

Thanks to @purplespider for reporting!
2013-02-07 09:19:57 +01:00
Ingo Schommer
18c9a95996 API Removed 'BadLoginURL' session var from MemberLoginForm
It was never set in core, and is generally undocumented,
hence just unnecessarily increases the security surface
of this sensitive class.
2013-02-05 22:49:06 +01:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Simon Welsh
c9f728fefb FIX Only check the remember token if a user exists 2013-01-30 09:17:47 +13:00
jean
c048a019f6 BUGFIX Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page. 2013-01-29 19:24:37 +01:00
Sam Minnee
5f9348b016 FIX: Ensure that Security views respect redirections triggered by Page_Controller::init()
Sometimes Page_Controller::init() will trigger a redirection.  For example, it may redirect to a
canonical URL.  In this case, the Security views, which co-opt Page_Controller, need to respect
this.
2013-01-29 18:19:15 +01:00
Sam Minnee
f54697930e API CHANGE: Add a PermissionFailureException that can be thrown to trigger a log-in. 2013-01-29 18:10:42 +01:00
Sam Minnee
d8bfc0bb48 API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. 2013-01-29 18:03:47 +01:00
Ingo Schommer
c11b3918fc Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/css/screen.css
	admin/scss/_style.scss
	core/PaginatedList.php
	email/Mailer.php
2013-01-21 11:14:57 +01:00
Ingo Schommer
e74ec57756 BUG Permission checkbox display on members (fixes #8193) 2013-01-17 19:36:53 +01:00
Ingo Schommer
f07ad307e4 API Removed non-functional $join argument from DataObject::get() and other APIs
See 68bb74820
2013-01-09 18:28:55 +01:00
Ingo Schommer
22eeaa4ac1 BUG Members should not be allowed to delete themselves (fixes #8121) 2012-12-16 23:53:45 +01:00
Ingo Schommer
d13c53fda6 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/model/DataQueryTest.php
2012-12-14 10:57:28 +01:00
Justin Martin
a355e1d03d BUG: Set visibility on login form methods to public. 2012-12-14 13:42:11 +13:00
Hamish Friedlander
27113f82c3 API Make DataList and ArrayList immutable
In 3.0 there was some confusion about whether DataLists and ArrayLists
were mutable or not. If DataLists were immutable, they'd return the result, and your code
would look like

  $list = $list->filter(....);

If DataLists were mutable, they'd operate on themselves, returning nothing, and your code
would look like

 $list->filter(....);

This makes all DataLists and ArrayList immutable for all _searching_ operations.
Operations on DataList that modify the underlying SQL data store remain mutating.

- These functions no longer mutate the existing object, and if you do not capture the value
returned by them will have no effect:

  ArrayList#reverse
  ArrayList#sort
  ArrayList#filter
  ArrayList#exclude

  DataList#dataQuery (use DataList#alterDataQuery to modify dataQuery in a safe manner)
  DataList#where
  DataList#limit
  DataList#sort
  DataList#addFilter
  DataList#applyFilterContext
  DataList#innerJoin
  DataList#leftJoin
  DataList#find
  DataList#byIDs
  DataList#reverse

- DataList#setDataQueryParam has been added as syntactic sugar around the most common
cause of accessing the dataQuery directly - setting query parameters

- RelationList#setForeignID has been removed. Always use RelationList#forForeignID
when querying, and overload RelationList#foreignIDList when subclassing.

- Relatedly, the protected variable RelationList->foreignID has been removed, as the ID is
now stored on a query parameter. Use RelationList#getForeignID to read it.
2012-12-14 13:30:35 +13:00
Ingo Schommer
644cc79ebb API Removed methods previously deprecated in 3.0 2012-12-14 01:16:47 +01:00
Ingo Schommer
c6b1d4aa6b API Storing alternative DB name in cookie rather than session
Session is not initialized by the time we need to use
the setting in DB::connect(). Cookie values get initialized
automatically for each request.

Tightened name format validation to ensure it can only
be used for temporary databases, rather than switching
the browser session to a different production database.

Encrypting token for secure cookie usage.
Added dev/generatesecuretoken to generate this token.
Not storing in YML config directly because of web access issues.
2012-12-13 23:21:48 +01:00
Ingo Schommer
2369cc4f42 Moved group member listing utility buttons after field
Stay consistent with main member listing in admin/security,
and de-emphasize their importance. Having the "link existing"
closer to the actual table is a much stronger UI coupling.
2012-12-13 10:15:03 +01:00
Ingo Schommer
5fed5b91c9 API Moved email bounce handling to new 'emailbouncehandler' module 2012-12-12 23:36:42 +01:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c Add codesniffer that ensures indentation is with tabs. 2012-12-12 00:12:11 +13:00
Ingo Schommer
c55c7c33f8 Merge branch '3.0'
Conflicts:
	admin/code/CMSProfileController.php
	composer.json
	tests/model/DataObjectTest.php
2012-11-22 23:51:28 +01:00
Sean Harvey
587d669861 Removing deprecated PasswordEncryptor::compare() method
Use PasswordEncryptor::check() instead
2012-11-15 14:43:16 +13:00
Sean Harvey
f122b103a1 Remove deprecated Group::addToGroupByName()
Use $member->addToGroupByCode($groupcode) instead
2012-11-15 14:43:15 +13:00
Mateusz Uzdowski
a8b0e44d98 API Hash autologin tokens before storing in the database.
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what is sent out to the user.

This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Sean Harvey
169366a011 Merge branch '3.0' 2012-11-06 13:04:21 +13:00
Sean Harvey
3451da001a BUG Fixing session keep alive for non-ADMIN users
SecurityAdmin isn't always available for CMS users, as they might
not have permission to view that section. This fixes the problem
with session keep alive by moving the ping to Security/ping, which
is available for all users.
2012-11-05 15:41:10 +13:00
Will Rossiter
69ea73b4ed Merge pull request #777 from halkyon/field_edit3
Member_ProfileForm respect canEdit() permissions on Member
2012-10-27 20:11:46 -07:00
Sean Harvey
f6a90467e4 Merge branch '3.0' 2012-10-15 10:10:01 +13:00
Damian Mooyman
c99991ba7a BUG Dummy Page_Controller initiated during login now is correctly initialised via dependency injection 2012-10-11 13:45:54 +13:00
Ingo Schommer
d1ee7612f5 Merge remote-tracking branch 'origin/3.0' 2012-10-08 16:48:52 +02:00
Saophalkun Ponlu
e3a27ea7da CMS member profile now is no longer in a popup (#7880) 2012-10-08 12:57:55 +02:00
Sean Harvey
0cce58040a BUG Fix deprecated use of dataFieldByName() in Member_Validator 2012-10-08 09:26:28 +13:00
Ingo Schommer
56f7ce1dcf Merge remote-tracking branch 'origin/3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	control/HTTPResponse.php
	model/Database.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	view/Requirements.php
	view/SSViewer.php
2012-10-03 16:16:19 +02:00
Sam Minnee
1f7fc1f76a FIX Remove instances of lines longer than 120c
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit.  This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
b75c4b84ec Localization for PermissionCheckboxSetField 2012-09-28 16:41:25 +02:00
Jeremy Bridson
07bc75c281 ENHANCEMENT: open/7881 - removed disabled checkboxes and replaced them with green ticks. Added help text above the list of permissions. Removed action buttons by fade out when user goes to users permissions tab. 2012-09-28 16:37:35 +02:00
Ingo Schommer
91e4fde96f ENHANCEMENT "Readonly" behaviour for CMS tabs 2012-09-28 16:37:35 +02:00
Simon Welsh
1e629f4585 Merge branch '3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	dev/Profiler.php
	view/Requirements.php
2012-09-21 14:56:56 +12:00
Ingo Schommer
e2f073f38a Method visibility according to coding conventions 2012-09-20 10:46:59 +02:00
Sean Harvey
9c2be0f025 Merge branch '3.0' 2012-09-17 15:16:52 +12:00
Josh
399b2a23da FIXED: collateFamilyIDs() nested groups throws error
http://open.silverstripe.org/ticket/7835
2012-09-14 12:12:37 -03:00
Ingo Schommer
6544c8fc13 Merge remote-tracking branch 'origin/3.0' 2012-09-11 14:05:45 +02:00
Ingo Schommer
5eca675146 Fixed PermissionRole field localization 2012-09-11 13:53:09 +02:00
Sean Harvey
5cbd2dbeb4 BUG CMSProfileController::Member_ProfileForm() respecting canEdit() permissions on Member
CMSProfileController currently checks canView() which ensures that a logged in CMS
Member can access the profile controller, but when saving the record on Member_ProfileForm
there is no check for canEdit(), so extended permissions don't get respected.

This adds a check for canEdit() in Member_ProfileForm, and adds some functional tests
to check permissions.
2012-09-07 11:24:47 +12:00
Sean Harvey
dcf5d217ad BUG Fixing deprecated usage of dataFieldByName() in Member_Validator 2012-09-07 11:24:41 +12:00
Ingo Schommer
55892fedd8 Merge remote-tracking branch 'origin/3.0' 2012-08-15 20:32:16 +02:00
Roland Lehmann
701da8b822 Updated translations; i18n for fieldLabels 2012-08-15 20:30:30 +02:00
Ingo Schommer
3bce3550d3 Merge remote-tracking branch 'origin/3.0' 2012-08-12 22:21:06 +02:00
Naomi Guyer
ae52be54f0 FIX: Missing last login time (fixes 7666)
Add in missing user login time
2012-08-10 18:08:53 +12:00
Hamish Friedlander
95d0be636c Merge remote-tracking branch 'origin/3.0' 2012-07-25 11:44:53 +12:00
Hamish Friedlander
b7691077cf API Prep forForeignID for immutability in 3.1 per 7673 2012-07-23 10:31:47 +12:00
Ingo Schommer
4b9ccabcf6 Merge pull request #603 from willrossi/trac7296
FIX: ensure permissions_for_member() accounts for denied permissions
2012-07-05 09:26:04 -07:00
Sean Harvey
bea58b1193 Merge pull request #607 from willrossi/trac6416
FIX: check GetRandom() exists for RandomGenerator.
2012-07-01 18:38:53 -07:00
Sean Harvey
a4ff1d3613 FIX: check GetRandom() exists for RandomGenerator
See http://open.silverstripe.org/ticket/6416
2012-07-01 21:05:10 +12:00
Will Rossiter
f9ea5430bb API: add SecurityToken::reset() as a shortcut for regenerating a secure token.
See http://open.silverstripe.org/ticket/6303
2012-07-01 20:53:58 +12:00
Will Rossiter
9babb01a4b FIX: ensure that permissions_for_member() accounts for denied permissions.
Taken from http://open.silverstripe.org/ticket/7296. PermissionTest extended to validate that permissions_for_member() includes permissions denied pre applying patch. PermissionTest passes post patch.
2012-07-01 17:55:20 +12:00
Will Rossiter
a4bce3fc44 ENHANCEMENT: remove dependencies between framework tests and cms module. 2012-06-20 16:17:29 +02:00
Sam Minnee
3f0136749b API CHANGE: Add Security::ignore_disallowed_actions() to allow site features to be disabled when permissions have failed, rather than redirecting to the log-in form. (Trac #7097) 2012-06-15 15:17:48 +12:00
Sean Harvey
8b2cb9a7d9 BUGFIX Declare PasswordEncryptor_Blowfish::get_cost() as static 2012-06-15 12:13:33 +12:00
Cam Spiers
9139f737b8 ENHANCEMENT: Added the ability to set a cost (the property was protected before and there were no setters and getters) and enforced the PHP requirements on the cost string used in the salt of crypt. Specifically, two digits from 04-31. Updated unit tests for blowfish algorithm to actually use the salt generation function and to test the newly implemented cost setting and getting functionality. 2012-06-14 15:13:11 +12:00
Ingo Schommer
2a52ce2ff8 MINOR Fixed duplicate help text on Group->getCMSFields() 2012-06-13 15:04:40 +02:00
Marcus Nyeholt
82a1e7d282 MINOR Use injector for creating Member_GroupSet object
MINOR Use injector for creating many many list objects

MINOR Use injector for creating objects from within the DataList

MINOR Use Injector::inst() for creating objects; cannot rely on this->injector being present due to many classes being created with 'new', so use inst() directly

MINOR Remove injector autoset property for now; automatically setting it breaks a few test cases that don't know about it for now, and it's not needed just yet
2012-06-05 01:33:44 +10:00
Sean Harvey
c3eabffcb9 MINOR Use shorthand {class}::get() syntax instead of DataList::create()
in core code.
2012-05-28 21:13:42 +12:00
Sean Harvey
45465dca91 Merge pull request #483 from halkyon/cms_ping_keepalive
Re-instate CMS ping to ensure sessions are kept alive
2012-05-23 15:55:22 -07:00