Damian Mooyman
2bdfd65e9b
BUG Security::findAnAdministrator doesn't always find an admin
2014-11-18 15:36:34 +13:00
Damian Mooyman
53c40a94fa
API Enable re-authentication within the CMS if a user session is lost
...
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Will Rossiter
61ec808604
Set $lock_out_after_incorrect_logins out of the box
2014-09-26 10:49:53 +12:00
Sean Harvey
0e07f1a7f5
Merge remote-tracking branch 'origin/3.0' into 3.1
2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b
FIX Opt-out pf form message escaping ( fixes #2796 )
...
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/ .
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.
We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803 .
2014-08-22 16:59:34 +12:00
Tim Snadden
afad65ee71
Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template.
2014-04-30 09:30:22 +12:00
Mateusz U
36d925543b
Merge pull request #3020 from tractorcow/pulls/3.1-autocomplete-username
...
API Security.remember_username to disable login form autocompletion
2014-04-11 09:17:27 +12:00
Damian Mooyman
997077ae83
API Security.remember_username to disable login form autocompletion
2014-04-11 09:05:25 +12:00
Ingo Schommer
be12656bd9
Returning response from doChangePassword()
2014-04-10 17:21:56 +12:00
Ingo Schommer
f737922cdf
Prevent IE errors on hidden login forms
...
In order to focus a field, it needs to be visible,
which can't be guaranteed on a core level by the login form JavaScript.
Optionally check for visibility via jQuery if it exists,
and allow explicit disabling of this behaviour via a unique identifier.
2014-04-08 11:28:54 +12:00
Damian Mooyman
1cc366fe23
Merge pull request #2850 from kinglozzer/2827-member-extend
...
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827 )
2014-03-04 13:42:17 +13:00
Ingo Schommer
c047a7b990
Reset FailedLoginCount on successful password reset
2014-03-03 17:47:16 +13:00
Ingo Schommer
9afcf8f01a
Allow vetoing forgot password requests
2014-02-25 13:05:32 +13:00
Loz Calver
d91c7d14b8
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once ( fixes #2827 )
...
Fix usage of inside closure
Can't use self:: in closure either
Basic unit tests to check extensions are applied correctly
2014-02-16 21:21:15 +00:00
Kirk Mayo
632884252b
NEW: Updating out of date URLs in the framework source code and docs
2014-02-07 15:10:44 +13:00
Ingo Schommer
bb9f84afd5
Merge pull request #2806 from tractorcow/pulls/bug-member-locale
...
BUG Default Member.Locale now chooses a better default value when i18n.locale is not a valid translation
2014-02-03 17:03:48 -08:00
Ingo Schommer
124886a7f9
Merge pull request #2799 from yearofthegus/document-magic-members
...
Documented magic properties of DataObject
2014-01-30 18:26:23 -08:00
Ingo Schommer
ab070944d5
Merge branch 'pulls/apidocs-package-list' of https://github.com/madmatt/silverstripe-framework into madmatt-pulls/apidocs-package-list
...
Conflicts:
view/SSTemplateParser.php
view/SSTemplateParser.php.inc
2014-01-31 15:15:59 +13:00
Damian Mooyman
293c672fa7
BUG Default Member.Locale now chooses a better default value when i18n.locale is not a valid translation
...
This will resolve issues in cases where the site locale may be assigned a value that does not have an explicit translation. E.g. if the locale is en_NZ (and it's appropriate for this to be the assigned locale), Afrikaans will no longer be the default selected locale when creating members. Now en_US is chosen as a better fallback default.
This is a minor ease of use fix that means fewer CMS users can be accidentally created in Afrikaans within NZ based sites.
Test cases included.
2014-01-30 15:55:14 +13:00
Gus King
5797efa263
Documented magic properties of DataObject
2014-01-26 00:11:32 -05:00
Will Rossiter
13bd4e96b1
Correct PHPDoc for Member::currentUser. ( Fixes #2750 )
2014-01-12 16:08:31 +13:00
Ingo Schommer
627e3cdf11
Revert entity name change
...
Partially reverts b0f38f4990
which broke unit tests relying on the old entity name
in 3.1, where translations and the en.yml master file have been backported to.
2013-12-19 23:13:13 +01:00
Ingo Schommer
23371b01aa
"lost password" translation master ( fixes #2725 )
2013-12-19 20:00:59 +01:00
Ingo Schommer
15c7252af0
beforeMemberLoggedIn/beforeMemberLoggedOut hooks
...
Required to save/restore parts of the session information,
which Member nukes indiscriminately on logout.
Specific use case is restoring linkages to temporary databases
on Behat test runs.
2013-12-18 18:26:01 +01:00
madmatt
bebe0f6e37
Updating @package and @subpackage doc tags
2013-11-29 17:49:30 +13:00
Sean Harvey
70c23f37de
Merge pull request #2608 from andrewvt/3.1
...
added removeFromGroupByCode() function to Member.php
2013-11-03 12:27:10 -08:00
andrewvt
953dec8863
Updated group filter
...
Updated group filter
2013-11-01 07:22:13 -04:00
Devlin
6c6ab7b0ce
Bad redirect in ChangePasswordForm->doChangePassword()
2013-10-30 09:57:28 +01:00
andrewvt
9a11c643da
added removeFromGroupByCode() function to Member.php
...
I was using the addToGroupByCode() function today and it would have been handy to have a removeFromGroupByCode() so I decided to add one.
2013-10-24 16:57:00 -04:00
Mateusz Uzdowski
1a39f61598
BUG Fix the password reset message to be shown consistently.
...
If we detect any of the password reset GET params, it's safe to assume
that someone intended a password reset, regardless of other conditions.
2013-10-25 09:29:21 +13:00
Ingo Schommer
d7e10e620a
Merge pull request #2537 from wilr/membervalidator
...
FIX: Use Injector API for managing Member_Validator instance.
2013-10-23 03:01:15 -07:00
Will Rossiter
813d34b15e
FIX: Use Injector API for managing Member_Validator instance.
...
Updates the CMS profile page and SecurityAdmin to give developers a few ways to customise the required fields.
Added extension hook updateValidator for getValidator for things like modules to inject required fields to go along with Injector for replacing the entire class for project specific use.
2013-10-16 11:29:43 +13:00
Devlin
5ea314d012
FIX PasswordValidator->characterStrength() Documentation
2013-10-15 12:44:50 +02:00
Will Rossiter
b0f38f4990
Change default message to be credential agnostic.
2013-10-11 11:22:15 +13:00
Ingo Schommer
cd225f0fa4
No HTML entities in "Groups" ListboxField ( fixes #2513 )
2013-10-10 12:08:16 +02:00
Damian Mooyman
5bbea12b45
BUG Issue with login form failing to login in certain situations. Fixes issue #2424
2013-10-03 17:12:30 +13:00
Ingo Schommer
0ea7042443
$privileged_permissions visibility ( fixes #2464 )
2013-09-27 18:56:38 +02:00
Ingo Schommer
03d1d58148
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
admin/code/SecurityAdmin.php
css/AssetUploadField.css
docs/en/topics/configuration.md
security/PermissionRole.php
2013-09-12 17:33:36 +02:00
Ingo Schommer
c2b312d76f
Merge remote-tracking branch 'origin/3.1.0' into 3.1
2013-09-12 17:24:42 +02:00
Ingo Schommer
f803704d91
FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
05757efceb
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
...
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
091c096dbf
FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
cfa88adf4b
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
68ca47b0dd
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
...
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Sean Harvey
e43ca931d6
Merge pull request #2343 from chillu/pulls/security-404
...
Returning 404 on /Security, instead of Controller.ss template
2013-09-05 18:56:23 -07:00
Ingo Schommer
1c31c098ee
FIX Correct Zend_Locale fallbacks in i18n/DateField/DateTimeField
...
Due to the recent change of translations to transifex, some
locales changed their names, which prompted a fix to
i18n::get_available_translations() (see 00ffe7294
).
This caused a regression where short locales are determined
from the YAML file names (e.g. "en"), but weren't matched up
with fully qualified locales from get_available_translations() (e.g. "en_US").
Since this list is used in the admin/myprofile dropdown for the Member.Locale value,
it didn't match up with any entries and defaulted to the first one ("Africaans").
Note that the behaviour of admin/myprofile is still a bit weird:
It defaults the locale on new members to the one set for the current administrator.
So if a site defaults to en_US in _config.php, but the admin happens to view
his backend in de_DE, all members he creates default to de_DE as well.
Thanks to @tractorcow for contributing and peer reviewing!
2013-08-30 10:18:00 +02:00
Ingo Schommer
20b49e215c
Merge pull request #2136 from nedmas/fix-remove-export-button-padding
...
FIX: GridField button styling
2013-08-30 00:24:21 -07:00
Simon Welsh
151baeede1
Correct line length and indentation
2013-08-21 18:54:05 +12:00
Ingo Schommer
18ae4c5db6
Returning 404 on /Security, instead of Controller.ss template
...
We shouldn't expose unsolicited content on public URLs,
mainly because it impacts SEO.
2013-08-20 21:12:55 +02:00