Commit Graph

11640 Commits

Author SHA1 Message Date
Hamish Friedlander
4b54383d68 API change request handling to be more orthogonal
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method

Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction

RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function

GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction

Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
2013-02-18 14:56:04 +13:00
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
37b8034462 Fixed changelog 2013-02-18 01:34:51 +01:00
Ingo Schommer
ad9f26a00f Updated changelog 2013-02-18 01:29:30 +01:00
Ingo Schommer
eafafb31e3 Fixed screen.css (wrong compilation) 2013-02-18 01:28:17 +01:00
Ingo Schommer
62987139d4 Updated changelog 2013-02-18 01:19:33 +01:00
Ingo Schommer
d3d0b21e80 Updated translations 2013-02-18 01:17:30 +01:00
Ingo Schommer
56ad1d027e Updated changelog 2013-02-18 01:03:57 +01:00
Ingo Schommer
190e0b8a47 Add ContentController->handleWidget() to $allowed_actions
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
d51e0bc2ec Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:30:40 +01:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
303352926b 3.0.4 changelog update 2013-02-17 23:28:22 +01:00
Ingo Schommer
f8bbc0a726 BUGFIX Escape HTML in DropdownField and ListboxField
Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
2013-02-17 23:27:15 +01:00
Ingo Schommer
604ede30a4 BUGFIX Escape HTML in CMS status messages 2013-02-17 23:27:15 +01:00
Ingo Schommer
7bb0bbff0e BUGFIX Fixed XSS in admin/security and "My Profile" forms 2013-02-17 23:27:15 +01:00
Ingo Schommer
eecd34868f BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Ingo Schommer
3e27d27f7a Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:16:25 +01:00
Ingo Schommer
50995fbecb BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Hamish Friedlander
2335c074b3 NEW Make shortcode parser more clever about placement
Shortcodes have traditionally had a problem that they are inside <p> tags,
but generate block level elements. This breaks HTML compliance.

This makes the shortcode parser now mutate the DOM based on the "class" attribute on
the shortcode to insert the generated block level element at the right place in the DOM

 - for "left" and "right" elements it puts them just before the block level
   element they are inside

 - for "leftAlone" and "center" elements it splits the DOM around the shortcode.

The trade off is that shortcodes are no longer "text level" features. They need
knowledge of the HTML they are in to perform this transformation, so they can
only be used in (valid) HTML
2013-02-18 10:49:52 +13:00
Ingo Schommer
7830b5d1b1 Merge remote-tracking branch 'origin/2.4' into 3.0 2013-02-17 22:43:56 +01:00
Ingo Schommer
ede381326b BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
e21bd49462 BUG TimeField respects user choice (fixes #8260)
Regression from c969e04731.
Also fixes width to accommodate for widest common format:
"11:11:11 AM"
2013-02-17 21:00:02 +01:00
Ingo Schommer
5a4d5e10d2 Merge pull request #1189 from ajshort/namespaced-tasks
Support running namespaced build tasks.
2013-02-17 11:47:26 -08:00
ajshort
889e39cf55 Support running namespaced build tasks. 2013-02-17 18:05:35 +11:00
Ingo Schommer
d4b7763cab Merge pull request #1154 from silverstripe-rebelalliance/open8231
BUGFIX:fixed styling of asset upload page and dialog in the asset admin ...

Conflicts:
	css/AssetUploadField.css
	scss/AssetUploadField.scss
2013-02-15 19:52:47 +01:00
Ingo Schommer
fd4d39984d Merge pull request #1176 from uniun/drop-area-css-fix
Long drop area title overlaps upload icon
2013-02-15 10:49:24 -08:00
Ingo Schommer
d9cecd9e83 Merge pull request #1168 from ajshort/task-creation-injector
Use the injector for creating tasks.
2013-02-15 10:47:02 -08:00
Ingo Schommer
37e10d14f3 Merge pull request #1184 from ajshort/named-services
BUG: Fixed the injection of named services.
2013-02-15 10:46:33 -08:00
Ingo Schommer
6ff1f9050d Merge pull request #1187 from dhensby/restfulservice-improvements
API Restfulservice improvements
2013-02-15 10:45:43 -08:00
Ingo Schommer
5d3ed12e20 Nginx docs for denying composer file access (fixes #8011) 2013-02-15 19:22:21 +01:00
Daniel Hensby
920fd71a2f Adding default curl options
Because I removed completely the static setting of SSL_VERIFYPEER I've
added the ability to declare default curl options on the class. This
means that users that really want to one line turn off SSL_VERIFYPEER
can do so without needing to pass a custom option in every request()
call.
2013-02-15 11:45:52 +00:00
Daniel Hensby
f003359047 RestfulService_Response now gets response headers
Before now, the RestfulService_Response object was never sent the
response headers. For APIs that rely on the response headers to send
back information (signatures, pagination info, etc).

This change makes the curl response have the full HTTP response
(including Headers). We then extract the body and the header information
and assign them to relevant vars and then construct the response as
before (with the addition of the headers array).

This change required two new functions:
extractResponse: This extracts the HTTP Headers and the payload from the
curl response and assigns it to the relevany vars that are passed by
reference
parseRawHeaders: This was designed to mimic http_parse_headers (a
non-standard php class). It converts the headers into an associative
array.
2013-02-15 11:45:36 +00:00
Daniel Hensby
7c189731e3 Better cache key generation
All of the arguments supplied to the request function can impact what is
returned by a restful service.

This takes account of that and makes the cache key more specific,
including basic auth details, so we don't rely on *just* the absolute
URL for caching.
2013-02-15 11:16:46 +00:00
Marcus Nyeholt
428cbe4b03 FIX issue with Injector::create not passing args
If creating an object using Injector::create() and constructor arguments
are passed through, in some cases where the object being created had a yml
configuration set for it, the passed in constructor arguments weren't being
passed through to the instantiation of the object.
2013-02-15 10:24:47 +11:00
Ingo Schommer
f4068371fc Merge pull request #1159 from chillu/pulls/datetimefield-field-setters
DatetimeField->setDateField()/setTimeField()
2013-02-14 11:31:31 -08:00
Julian Seidenberg
10199f908a API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:28:42 +01:00
jean
e2bf9649f3 FIX 7934 When lazy loading fields respect version of the record 2013-02-14 14:27:44 +01:00
Julian Seidenberg
f931b8d326 API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:18:10 +01:00
Simon Welsh
be8482aa73 Merge pull request #1173 from ajshort/include-object-argument
BUG: Pass named include argument as objects.
2013-02-13 23:44:29 -08:00
ajshort
d3629be344 BUG: Pass named include argument as objects.
This means you can pass objects such as lists as named parameters, not
just strings.
2013-02-14 18:31:40 +11:00
Zauberfisch
54237d5b10 NEW Return $this on setters in DataObject 2013-02-13 18:18:37 +01:00
ajshort
ff19f3b11a BUG: Fixed the injection of named services. 2013-02-13 23:06:15 +11:00
Ingo Schommer
923ad8861f Layout regression in "add pages"
Unrelated fields affected by changes to CMS tooltips. See 1ca3883a76.
2013-02-13 10:15:06 +01:00
Sean Harvey
15a156955b Merge pull request #1172 from robert-h-curry/preview-pane-refresh
Force preview window to refresh on every save
2013-02-12 15:09:19 -08:00
Sean Harvey
b25b6d4769 Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3
API Require ADMIN for ?showtemplate=1 (3.0)
2013-02-12 15:07:34 -08:00
Sean Harvey
9337902fdd Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
d969e29d00 API Require ADMIN for ?showtemplate=1 2013-02-12 23:26:04 +01:00
Ingo Schommer
45c68d6821 API Require ADMIN for ?showtemplate=1 2013-02-12 23:21:13 +01:00