Commit Graph

18617 Commits

Author SHA1 Message Date
Damian Mooyman
0f90c5b63f ENHANCEMENT Update style of CMSLogin form 2017-06-15 18:13:14 +12:00
Damian Mooyman
22e084f288 Merge pull request #7026 from Firesphere/move_default_admin
Move default admin
2017-06-15 18:12:51 +12:00
Damian Mooyman
024371c37e
API Change authentication ValidationResult handling to pass by-reference 2017-06-15 17:25:23 +12:00
Damian Mooyman
62d095305b
API Update DefaultAdmin services
API Improve validation of authentication process
2017-06-15 15:53:57 +12:00
Ingo Schommer
a51eb46735 Revert "Update translations"
This reverts commit f9e890176d.
It pulled updates from transifex *after* we switched translations
to 4.x only mode - which resulted in a lot of translation keys being
moved around. For example, asset-related translations went from
framework to the asset-admin module. The removal of these translations
in 3.x caused translations to go partially missing, since these new
modules are 4.x only.

See https://github.com/silverstripe/silverstripe-framework/issues/7002
2017-06-15 14:48:35 +12:00
Simon Erkelens
576eee72dc Remove DefaultAdmin things from Security and Member into the MemberAuthenticator, unifying and removing duplicate code. 2017-06-15 14:20:29 +12:00
Daniel Hensby
c130533865 Merge pull request #41 from silverstripe-security/patch/3.6.0/SS-2017-017
[SS-2017-017] FIX SVG uploads disabled by default
2017-06-14 14:44:03 +01:00
Daniel Hensby
215ff8ab55 Added 3.6.1-alpha1 changelog 2017-06-14 14:33:35 +01:00
Daniel Hensby
273a087f5a
Merge branch '3.6' into 3 2017-06-14 14:29:15 +01:00
Daniel Hensby
c66a5ebcd2 Merge pull request #7019 from robbieaverill/patch-6
FIX Update help link from 3.5 to 3.6
2017-06-14 14:15:56 +01:00
Daniel Hensby
c6b790ccb5 Merge pull request #7020 from marczhermo/3.6.1
Bug: Complex (curly) syntax
2017-06-14 14:00:23 +01:00
Marcz Hermo
1073eca2fa Bugfix: Complex (curly) syntax 2017-06-15 00:03:55 +12:00
Daniel Hensby
6f2b08b962
Merge branch '3.6' into 3 2017-06-14 12:02:27 +01:00
Daniel Hensby
ecc88b2cbe
Merge branch '3.5' into 3.6 2017-06-14 12:02:06 +01:00
Robbie Averill
fd57bd9100 FIX Update help link from 3.5 to 3.6 2017-06-14 15:29:28 +12:00
Loz Calver
4f4fb62dfa Merge pull request #7015 from bcairns/3.5
Fix changetracker checkbox bugs
2017-06-13 09:13:37 +01:00
Loz Calver
ae59c08703 Merge pull request #7014 from 3Dgoo/patch-1
Fixing language typo in docs
2017-06-13 09:05:21 +01:00
Brian Cairns
53c84d93da Fix changetracker checkbox bugs
1) Use quoted name attribute selector, to work with CheckboxsetField bracketed[] field names
2) Initialize unchecked boxes original values to 0 instead of undefined, as this is the value onchange() expects for unchecked boxes (see line 67)
2017-06-12 16:16:55 -06:00
Damian Mooyman
9c2f4e3c44 Merge pull request #7012 from dhensby/pulls/3.5/member-null
FIX Order of conditionals for getting default admin
2017-06-13 09:58:22 +12:00
3Dgoo
f0c00bfb78 Fixing language typo in docs 2017-06-13 05:37:07 +09:30
Daniel Hensby
a5c84b12ab
FIX Order of conditionals for getting default admin 2017-06-12 11:54:05 +01:00
Chris Joe
950b1dfec2 Merge pull request #7010 from flamerohr/pulls/4.0/no-path-to-follow
Enhancement show the path which threw the error
2017-06-12 10:36:46 +12:00
Damian Mooyman
0dcfa5fa9d FIX CMSSecurity doesn't have Authenticators assigned. 2017-06-12 10:10:34 +12:00
Christopher Joe
7178caf4a9 Enhancement show the path which threw the error 2017-06-12 10:08:12 +12:00
Simon Erkelens
3fe837dad7 Fix for CMS Authenticator. Should only apply to CMSSecurity 2017-06-10 14:47:53 +12:00
Damian Mooyman
413b4936a1 API Add extension hook to FormField::extraClass() 2017-06-10 14:26:22 +12:00
Damian Mooyman
4733abd79f Merge pull request #7006 from Firesphere/patch-1
FIX Not `CascadeLogInTo` anymore, but `CascadeInTo`
2017-06-10 13:43:48 +12:00
Simon Erkelens
5c4e55b60d It's not CascadeLogInTo anymore, it's CascadeInTo
I'm mildly surprised this didn't break. I changed it to CascadeInTo, as the logout action needs to cascade into the session as well.
2017-06-10 12:58:22 +12:00
Florian Thoma
7648428fdb add extension hoot to FormField::extraClass() 2017-06-10 09:52:22 +10:00
Damian Mooyman
c7f7233c4d Merge pull request #6829 from sminnee/authenticator-refactor
Refactor Authenticators
2017-06-09 16:46:56 +12:00
Damian Mooyman
d89bd15330
Move authentication hooks to SapphireTest 2017-06-09 16:25:40 +12:00
Damian Mooyman
62753b3cb1
Cleanup and RequestFilter refactor 2017-06-09 15:07:35 +12:00
Simon Erkelens
5fce3308b4 Move LostPasswordHandler in to it's own class.
- Moved the Authenticators from statics to normal
- Moved MemberLoginForm methods to the getFormFields as they make more sense there
- Did some spring-cleaning on the LostPasswordHandler
- Removed the BuildResponse from ChangePasswordHandler after spring cleaning
2017-06-08 20:09:57 +12:00
Simon Erkelens
082db89550 Feedback from Damian.
- Move the success and message to a validationresult
- Fix tests for validationresult return
- We need to clear the session in Test logOut method
- Rename to MemberAuthenticator and CMSMemberAuthenticator for consistency.
- Unify all to getCurrentUser on Security
- ChangePasswordHandler removed from Security
- Update SapphireTest for CMS login/logout
- Get the Member ID correctly, if it's an object.
- Only enable "remember me" when it's allowed.
- Add flag to disable password logging
- Remove Subsites coupling, give it an extension hook to disable itself
- Change cascadeLogInTo to cascadeInTo for the logout method logic naming
- Docblocks
- Basicauth config
2017-06-08 17:50:20 +12:00
Loz Calver
c5eeed84e8 Merge pull request #6993 from open-sausages/pulls/3/missing-changelog-notes
Add in missing changelog notes
2017-06-07 16:51:01 +01:00
Simon Erkelens
2b26cafcff Separate out the log-out handling.
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Sam Minnee
f9ea752bae NEW: Add AuthenticationHandler interface
NEW: Add IdentityStore for registering log-in / log-out data
NEW: Add AuthenticationRequestFilter for managing login
NEW: Add Security:setCurrentUser() / Security::getCurrentUser()
NEW: Add FunctionalTest::logOut()
2017-06-07 21:11:55 +12:00
Simon Erkelens
c4194f0ed2 CMS Login Handling
Move to canLogin in the authentication check. Protected isLockedOut

Enable login to be called with a different login service (CMSLogin), enabling CMS Log in. Seems the styling and/or output is still broken.

logOut could be managed from the Authenticator instead of the member
2017-06-07 21:11:54 +12:00
Sam Minnee
7af7e6719e API: Security.authenticators is now a map, not an array
Authenticators is now a map of keys -> service names. The key is used
in things such as URL segments. The “default_authenticator” value has
been replaced with the key “default” in this map, although in time a
default authenticator may not be needed.
IX: Refactor login() to avoid code duplication on single/multiple handlers
IX: Refactor LoginHandler to be more amenable to extension
IX: Fixed permissionFailure hack
his LoginHandler is expected to be the starting point for other
custom authenticators so it should be easier to repurpose components
`of it.
IX: Fix database-is-ready checks in tests.
IX: Fixed MemberAuthenticatorTest to match the new API
IX: Update security URLs in MemberTest
2017-06-07 21:11:53 +12:00
Sam Minnee
e226b67d06 Refactoring of authenticators
Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step.
Also cleaned up some minor typos I ran in to. Nothing major.

This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation.

FIX: Corrections to the multi-login-form support.

Importantly, the system provide a URL-space for each handler, e.g.
“Security/login/default” and “Security/login/other”. This is much
cleaner than identifying the active authenticator by a get parameter,
and means that the tabbed interface is only needed on the very first view.

Note that you can test this without a module simply by loading the
default authenticator twice:

SilverStripe\Security\Security:
  authenticators:
    default: SilverStripe\Security\MemberAuthenticator\Authenticator
    other: SilverStripe\Security\MemberAuthenticator\Authenticator

FIX: Refactor delegateToHandler / delegateToHandlers to have less
duplicated code.
2017-06-07 21:11:52 +12:00
Damian Mooyman
7cf7a7094c Merge pull request #7000 from kinglozzer/uploadfield-size-ini
FIX: Upload_Validator failed to fetch max size from PHP ini values (fixes #6999)
2017-06-07 15:48:27 +12:00
Daniel Hensby
856aa79892 Merge pull request #6987 from open-sausages/pull/4.0/3239-consisten-fist-last-returns
Consistent return values for first and last methods
2017-06-06 16:59:04 +01:00
Loz Calver
4ad2cae864
FIX: Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) 2017-06-06 14:28:03 +01:00
Damian Mooyman
8c0ced311f Merge pull request #6998 from AntonyThorpe/StrictFormMethodCheck
Updated Form.php & 04_Form_Security.md  - strictFormMethodCheck to true
2017-06-06 23:06:11 +12:00
Damian Mooyman
057bfdae79 Merge pull request #6991 from jacobbuck/feature/3.6/extend-file-get-url
NEW Add 'updateURL' extension hook to File::getURL()
2017-06-06 21:28:16 +12:00
Antony Thorpe
6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Damian Mooyman
ba44c4c30d Merge pull request #6988 from open-sausages/pulls/4.0/print-with-gotink
Fixes printing from crashing
2017-06-06 18:33:11 +12:00
Damian Mooyman
058ba813e6 Merge pull request #6986 from open-sausages/pulls/3.0/but-its-so-tinymce
Fix tinymce image selection issue in newer versions of Chrome
2017-06-06 17:24:31 +12:00
Saophalkun Ponlu
e267d29b9a BUG Consistent return values for first and last methods 2017-06-06 17:22:55 +12:00
Jacob
92b7341200 Call $this->extend('updateURL', $url); befor returning $url 2017-06-06 13:38:11 +12:00