Commit Graph

18359 Commits

Author SHA1 Message Date
Simon Erkelens
2b26cafcff Separate out the log-out handling.
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Sam Minnee
f9ea752bae NEW: Add AuthenticationHandler interface
NEW: Add IdentityStore for registering log-in / log-out data
NEW: Add AuthenticationRequestFilter for managing login
NEW: Add Security:setCurrentUser() / Security::getCurrentUser()
NEW: Add FunctionalTest::logOut()
2017-06-07 21:11:55 +12:00
Simon Erkelens
c4194f0ed2 CMS Login Handling
Move to canLogin in the authentication check. Protected isLockedOut

Enable login to be called with a different login service (CMSLogin), enabling CMS Log in. Seems the styling and/or output is still broken.

logOut could be managed from the Authenticator instead of the member
2017-06-07 21:11:54 +12:00
Sam Minnee
7af7e6719e API: Security.authenticators is now a map, not an array
Authenticators is now a map of keys -> service names. The key is used
in things such as URL segments. The “default_authenticator” value has
been replaced with the key “default” in this map, although in time a
default authenticator may not be needed.
IX: Refactor login() to avoid code duplication on single/multiple handlers
IX: Refactor LoginHandler to be more amenable to extension
IX: Fixed permissionFailure hack
his LoginHandler is expected to be the starting point for other
custom authenticators so it should be easier to repurpose components
`of it.
IX: Fix database-is-ready checks in tests.
IX: Fixed MemberAuthenticatorTest to match the new API
IX: Update security URLs in MemberTest
2017-06-07 21:11:53 +12:00
Sam Minnee
e226b67d06 Refactoring of authenticators
Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step.
Also cleaned up some minor typos I ran in to. Nothing major.

This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation.

FIX: Corrections to the multi-login-form support.

Importantly, the system provide a URL-space for each handler, e.g.
“Security/login/default” and “Security/login/other”. This is much
cleaner than identifying the active authenticator by a get parameter,
and means that the tabbed interface is only needed on the very first view.

Note that you can test this without a module simply by loading the
default authenticator twice:

SilverStripe\Security\Security:
  authenticators:
    default: SilverStripe\Security\MemberAuthenticator\Authenticator
    other: SilverStripe\Security\MemberAuthenticator\Authenticator

FIX: Refactor delegateToHandler / delegateToHandlers to have less
duplicated code.
2017-06-07 21:11:52 +12:00
Daniel Hensby
856aa79892 Merge pull request #6987 from open-sausages/pull/4.0/3239-consisten-fist-last-returns
Consistent return values for first and last methods
2017-06-06 16:59:04 +01:00
Damian Mooyman
8c0ced311f Merge pull request #6998 from AntonyThorpe/StrictFormMethodCheck
Updated Form.php & 04_Form_Security.md  - strictFormMethodCheck to true
2017-06-06 23:06:11 +12:00
Antony Thorpe
6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Damian Mooyman
ba44c4c30d Merge pull request #6988 from open-sausages/pulls/4.0/print-with-gotink
Fixes printing from crashing
2017-06-06 18:33:11 +12:00
Saophalkun Ponlu
e267d29b9a BUG Consistent return values for first and last methods 2017-06-06 17:22:55 +12:00
Christopher Joe
d12c986dd5
Fixes printing from crashing 2017-06-06 13:31:37 +12:00
Chris Joe
44f27645bd Merge pull request #6981 from edlinklater/patch-1
Docs: Correct Stevie's name on committers page
2017-05-31 13:40:31 +12:00
Ed Linklater
f007fca51f Docs: Correct Stevie's name on committers page 2017-05-31 12:27:06 +12:00
Daniel Hensby
90c2a7de11 Merge pull request #6979 from dhensby/pulls/bracket-test-only
FIX Bracket should implement TestOnly
2017-05-30 23:10:16 +01:00
Daniel Hensby
13ee3148d9
FIX Bracket should implement TestOnly 2017-05-30 22:44:24 +01:00
Daniel Hensby
11de4abe0a Merge pull request #6977 from andrewandante/FIX/move_dotenv_higher
move TRUSTED_PROXY below .env loader
2017-05-30 12:41:09 +01:00
Andrew Aitken-Fincham
8f44b8f0ba move trusted_proxy_ips below .env loader 2017-05-30 12:18:47 +01:00
Damian Mooyman
b27ef810d4 Merge pull request #6974 from colintucker/fix-csv-bulk-loader
Fixes a bug with split file names during CSV import
2017-05-30 16:18:06 +12:00
Chris Joe
8efaa180a4 Merge pull request #6969 from open-sausages/pulls/4.0/insert-page-link
API Remove legacy HTMLEditor classes
2017-05-30 11:42:08 +12:00
Damian Mooyman
e7d87add9f API Remove legacy HTMLEditor classes 2017-05-30 11:01:28 +12:00
Damian Mooyman
36e3a43bdb Merge pull request #6976 from nfauchelle/patch-5
Update 05_Dataobject_Relationship_Management.md
2017-05-30 10:05:27 +12:00
Damian Mooyman
f2fbabec17 Merge pull request #6975 from nfauchelle/patch-4
Fix $class variable from being clobbered
2017-05-30 10:04:29 +12:00
Nick
318b0248b7 Update 05_Dataobject_Relationship_Management.md
Correct a naffed up code block and a typo
2017-05-29 20:54:50 +12:00
Nick
acb74a8577 Fix $class variable from being clobbered
The $class variable gets overwritten in the function.

This causes error messages to be less helpful. For example if you setup a has_many but forget the has_one on the other side the error will look something like

`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'SilverStripe\View\ViewableData' to 'SomeObject' requires a has_one on 'SomeObject'`

fixing this gives a more useful error, like

`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'Page' to 'SomeObject' requires a has_one on 'SomeObject'`
2017-05-29 20:31:09 +12:00
Colin Tucker
db59e51c4a Fixes a bug with split file names during CSV import 2017-05-29 16:08:23 +10:00
Daniel Hensby
77444ca28d Merge pull request #6939 from open-sausages/pulls/4.0/query-join-alias
API Ensure that all DataQuery joins are aliased based on relationship name
2017-05-28 23:27:23 +01:00
Damian Mooyman
963d9197d3
API Ensure that all DataQuery joins are aliased based on relationship name 2017-05-26 13:38:58 +12:00
Chris Joe
adb2641ca6 Merge pull request #6967 from open-sausages/pulls/4/resample-doc-images
Resample doc images for react di
2017-05-26 12:07:07 +12:00
Aaron Carlino
06615e3d76 Resample doc images for react di 2017-05-26 11:08:07 +12:00
Chris Joe
5ec8d40c19 Merge pull request #6957 from open-sausages/pulls/4/react-di-documentation
Docs for React DI
2017-05-26 10:59:42 +12:00
Chris Joe
9da2b5c4ab Merge pull request #6930 from dhensby/pulls/4/db-schema-indexes
Cleaning up DB index definition
2017-05-26 10:54:16 +12:00
Daniel Hensby
893f19a5ea
DOCS Updating index definition examples 2017-05-25 23:29:12 +01:00
Daniel Hensby
3e556b5966
NEW Move index generation to DataObjectSchema and solidify index spec 2017-05-25 23:29:12 +01:00
Aaron Carlino
bfc373cf0f update docs with new api 2017-05-25 16:34:32 +12:00
Aaron Carlino
75981989b0 Docs for React DI 2017-05-25 14:58:55 +12:00
Chris Joe
9fe707d3b9 Merge pull request #6962 from open-sausages/pulls/4.0/remove-object-2
BUG Fix minor accessors of legacy ->class property
2017-05-25 12:32:11 +12:00
Damian Mooyman
9c63a8c8ce
BUG Fix race conditions in DatetimeFieldTest 2017-05-25 12:13:04 +12:00
Damian Mooyman
0cd40ca6e5
BUG Fix minor accessors of legacy ->class property 2017-05-25 11:55:12 +12:00
Damian Mooyman
29f450b1e1 Revert injector type hint to Injector 2017-05-25 11:06:48 +12:00
Ingo Schommer
c75f759b18 Merge pull request #6959 from open-sausages/pulls/4.0/time-to-get-webpacking
Enhancement add contribution notes about releasing to NPM
2017-05-25 08:12:27 +12:00
Christopher Joe
e327bf3c70 Enhancement add contribution notes about releasing to NPM 2017-05-24 17:07:05 +12:00
Chris Joe
8bff04740d Merge pull request #6909 from open-sausages/pulls/4.0/secure-assets-streaming
API Add streamable response object
2017-05-24 12:23:56 +12:00
Damian Mooyman
906a4c444b
API Add streamable response object 2017-05-23 16:32:29 +12:00
Chris Joe
44981de560 Merge pull request #6927 from open-sausages/pulls/4.0/remove-object
API Remove Object class
2017-05-23 15:15:01 +12:00
Damian Mooyman
e945ea64b5 Temporarily switch to composer 1.5 2017-05-23 13:50:35 +12:00
Damian Mooyman
d15b9ee0b0 Response to feedback 2017-05-23 13:50:35 +12:00
Damian Mooyman
fba8e2c245 API Remove Object class
API DataObjectSchema::manyManyComponent() return array is now associative array
2017-05-23 13:50:35 +12:00
Damian Mooyman
7e2f8d1f2d Merge pull request #6951 from sminnee/fix-2494
FIX: Don’t assume posix_getpwuid is available.
2017-05-23 13:10:56 +12:00
Damian Mooyman
cd0cac69ce Merge pull request #6952 from sminnee/fix-1666
FIX: Better error checking for non-writable temp paths
2017-05-23 13:00:10 +12:00
Sam Minnee
09164e7e2a FIX: Better error checking for non-writable temp paths
Fixes https://github.com/silverstripe/silverstripe-framework/issues/1666
2017-05-23 10:06:48 +12:00