Commit Graph

195 Commits

Author SHA1 Message Date
Ingo Schommer
97e6108fa9 Changelog note on form method limitations
See 14c59be85e.
Raised by Fara Rustein of Deloitte Argentina (CVE-2013-2653).
2013-08-01 15:48:51 +02:00
Hamish Friedlander
d38bd7d5cb Merge branch 'origin/3.0' into 3.1 2013-07-19 14:18:49 +12:00
Hamish Friedlander
1298d4a5bd FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:24:32 +12:00
Hamish Friedlander
dacb2aa638 FIX HtmlEditorField not re-checking sanitisation server side 2013-07-04 08:53:23 +12:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Sean Harvey
726e4c313e Merge pull request #2084 from chillu/pulls/cmsform
Handle ValidationException on CMS forms
2013-06-18 14:41:51 -07:00
vikas srivastava
2f16d93d48 Update 3.1.0.md
I was trying 
Member:
  extensions:
    MyMemberExtension

And it didn't work then someone on IRC pointed that I need to put a '-' before values. So this works.
Member:
  extensions:
    - MyMemberExtension
Hope will help someone else.
2013-06-17 14:21:46 +05:30
CheeseSucker
091e34e2e8 [MINOR] Typo 2013-06-15 02:49:52 +03:00
Ingo Schommer
9d4b8f61ca Note about IE10 support 2013-06-13 10:27:19 +02:00
Ingo Schommer
bfff11eb9c API New CMSForm class to allow validation responses in CMS (fixes #1777)
Thanks to @willmorgan for getting this discussion started
(see https://github.com/silverstripe/sapphire/pull/1814).
2013-06-13 07:51:05 +02:00
Damian Mooyman
163917b83e Fixed scrutiniser issues 2013-05-27 15:42:10 +12:00
Damian Mooyman
7f057ce343 API UploadField functions on new records
Fixed regression from 1e5d40474d (UploadField::canPreviewFolder).
Merged in pull request #2009 - (6018bdd631).
Merged pull request #1259 (34bfc862ee).
2013-05-27 15:22:59 +12:00
Simon Welsh
e90012787d Merge branch 'hackfest_may_2013' of https://github.com/NightJar/sapphire into 3.1
Conflicts:
	docs/en/changelogs/3.1.0.md
2013-05-25 20:07:54 +12:00
Nightjar
5ec8158977 Check that Webserver is not Apache/1.x in light of installer assets/.htaccess alterations 2013-05-25 20:03:36 +12:00
Stephen Shkardoon
5e5b892043 Note for magic quotes change 2013-05-25 20:02:51 +12:00
Damian Mooyman
6e0e3564e1 NEW Added beforeExtending, afterExtending, and beforeUpdateCMSFields to allow user code better control over interaction with extending methods 2013-05-16 10:34:45 +12:00
Ingo Schommer
3b02d22989 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	dev/CsvBulkLoader.php
2013-05-09 10:34:20 +02:00
Sam Minnee
eb583c5f14 NEW: Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap()
API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array.

These changes provide a 15% - 20% performance improvement, and as such justify an small API change in the 3.0 branch. It will likely affect anyone who has created their own composite fields, which is fortunately not all that common.
2013-04-21 13:39:11 +12:00
Ingo Schommer
6e3a150424 3.1.0-beta3 changelog 2013-04-18 19:28:13 +02:00
Ingo Schommer
d877c1063d Updated changelog, moved "statics in Page.php" to top
Its going to be a fatal error on every upgrade unless tended to,
so we need to ensure people don't overlook it in the guide.
2013-04-18 18:28:09 +02:00
Ingo Schommer
ae09301c8c Revert deprecation of Object::add_extension() usage
This reverts commit 14b997eea3.
Its just not practical to use the Config API as it stands,
the add_extension() wrapper does more than just a Config->update().

Most use cases can be covered via YML, but any conditional
additions (e.g. in unit tests) can still benefit from the
add_extensions() shorthand.
2013-04-11 11:40:53 +02:00
Ingo Schommer
14b997eea3 API Deprecated Object::add_extension() usage (as of 3.2) 2013-04-09 15:00:34 +02:00
Ingo Schommer
baca12bf37 3.1 changelog summaries 2013-04-09 13:36:39 +02:00
Ingo Schommer
01f46d039f NEW Enforce max node counts to avoid excessive resource usage
Rendering potentially 1000s of nodes can exceed the CPU and memory constraints
of a normal PHP process, as well as the rendering capabilities of browsers.
Set a hard maximum for the renderable nodes, deferring to a "show as list" action
in the main CMS tree. For TreeDropdownField, we don't have the list fallback option,
so ask the user to search for the node title instead.

Also makes both the "node_threshold_total" and "node_threshold_leaf" values configurable
2013-04-09 10:24:18 +12:00
s-m
6a95db0eff API: Support inequalities in templates
This adds support for <, <=, >, >= in templates
2013-04-08 17:07:39 +02:00
Ingo Schommer
f296439a24 NEW Hints for scaffolded date/time fields 2013-04-08 19:38:50 +12:00
Ingo Schommer
828ac7fe4f API Replaced SSViewer.custom_theme with SSViewer.theme_enabled
Since we can't influence the setting of configuration values,
we also can't set/unset the 'custom_theme' value based on which
theme is set. This means the 'custom_theme' value goes stale,
and we can't rely on it e.g. in FilesystemPublisher.

The 'theme_enabled' toggle is a cleaner solution to the same problem,
since the 'custom_theme' was really just a way to remember the original
theme, while still disabling it. The toggle makes this more explicit,
but also requires users of the 'theme' setting to check for it.
2013-04-07 23:59:10 +02:00
Ingo Schommer
e97c034922 API i18n::$common_languages and i18n::$common_locales converted to Config API
They are now accessed via the Config API, and contain associative rather than indexed arrays.
Before: `array('de_DE' => array('German', 'Deutsch'))`, after: `array('de_DE' => array('name' => 'German', 'native' => 'Deutsch'))`.

Also fixed a i18n.js_i18n config accessor
2013-03-27 20:42:46 +01:00
Ingo Schommer
8b4fb6ef0f Clarified 3.1 upgrading docs 2013-03-26 19:01:36 +01:00
Ingo Schommer
4ea98ae440 Removed Object::*_extension() non-LSB deprecation
Its just a simplication, and unnecessarily complicates
module compatibilities.
2013-03-26 00:31:25 +01:00
Ingo Schommer
7470f5e0b6 More upgrading notes about 3.1 and statics 2013-03-25 22:09:21 +01:00
Ingo Schommer
c8f26e673a 3.1 changelog improvements 2013-03-25 09:52:55 +01:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
81a51331d6 IX Load _config.php's after static config manifest
This allows more sophisticated handling of config alterations
in _config.php. One example is additions to DataObject::$db
based on configuration which requires some processing.

See https://github.com/unclecheese/TranslatableDataObject/blob/master/TranslatableDataObject.php
2013-03-21 00:16:36 +01:00
Ingo Schommer
5b83de4049 Added note about deprecations to 3.1 upgrading guide 2013-03-20 10:28:39 +01:00
Ingo Schommer
53c84ee1fe Merge remote-tracking branch 'origin/3.0' into 3.1 2013-03-19 14:04:29 +01:00
Ingo Schommer
99ca0471f7 Merge remote-tracking branch 'origin/2.4' into 3.0
Conflicts:
	control/RequestHandler.php
	core/control/ContentController.php
	dev/CsvBulkLoader.php
	docs/en/changelogs/index.md
	docs/en/reference/execution-pipeline.md
	docs/en/topics/commandline.md
	docs/en/topics/controller.md
	docs/en/topics/form-validation.md
	docs/en/topics/forms.md
	docs/en/topics/security.md
	model/MySQLDatabase.php
	security/Security.php
	tests/control/ControllerTest.php
	tests/control/RequestHandlingTest.php
2013-03-19 13:56:04 +01:00
Ingo Schommer
250834d9d2 Updated browser requirements, dropping IE7 support
See https://groups.google.com/forum/?fromgroups=#!topic/silverstripe-dev/GahZfDLvb-I
2013-03-18 14:33:43 +01:00
Hamish Friedlander
a2845735b0 Update 3.1.0 upgrading notes for casting changes 2013-03-14 12:49:34 +13:00
Sam Minnée
09377f0ba4 Added upgrade note for config static immutability
Config statics are now immutable for performance, this requires an upgrade change.
2013-03-13 11:22:41 +13:00
Ingo Schommer
53e988bb09 Merge remote-tracking branch 'origin/3.1.0-beta2' into 3.1 2013-03-12 10:45:44 +01:00
Ingo Schommer
bea1b9002d Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/HTTP.php
2013-02-26 13:28:35 +01:00
Ingo Schommer
9ceef6be07 Added changelog 2013-02-20 00:39:00 +01:00
Ingo Schommer
876c660018 Merge pull request #1195 from chillu/pulls/deprecate-scheduled-tasks
API Deprecated ScheduledTask and subclasses
2013-02-19 01:01:53 -08:00
Ingo Schommer
43fb566388 Note about RestfulService SSL verification in upgrading guide 2013-02-18 15:59:15 +01:00
Ingo Schommer
88867cdd23 API Deprecated ScheduledTask and subclasses
Base CliController or BuildTask instead, with custom cron job intervals.
2013-02-18 14:01:15 +01:00
Hamish Friedlander
7ec8ebbf9e Add 3.1.0-beta2 changelog 2013-02-18 17:09:22 +13:00
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
37b8034462 Fixed changelog 2013-02-18 01:34:51 +01:00