Stephen Shkardoon
4f52f25d46
Failed login message translation fallback
...
Without this, if you use a locale with no translation for this (e.g. en_NZ), users will never see a "failed login" message.
2013-09-16 15:33:42 +12:00
Ingo Schommer
a914dee6d9
FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:38:59 +02:00
Ingo Schommer
ec8e8261f2
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
...
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:38:59 +02:00
Ingo Schommer
797951595b
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
...
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:38:56 +02:00
Ingo Schommer
eecd34868f
BUGFIX Keep Member.PasswordEncryption setting on empty passwords
...
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Mateusz Uzdowski
22095dae6c
API Hash autologin tokens before storing in the database.
...
Backported from 3.0, cc423c38fb
.
2012-11-09 12:03:55 +01:00
Ingo Schommer
de1f07045b
BUGFIX Avoid privilege escalation from EDIT_PERMISSIONS to ADMIN through TreeMultiselectField (in Member->getCMSFields()) by checking for admin groups in Member->onChangeGroups()
2011-03-09 15:54:05 +13:00
Sean Harvey
c3f915c4d5
BUGFIX #6287 open_basedir restriction breaks RandomGenerator when trying to read dev/urandom
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115314 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Ingo Schommer
397bbe7bb5
BUGFIX Avoid potential referer leaking in Security->changepassword() form by storing Member->AutoLoginHash in session instead of 'h' GET parameter (from r114758)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114760 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:05 +13:00
Ingo Schommer
25da2d1c25
MINOR Reverting Member "AutoLoginHash", "RememberLoginToken" and "Salt" to their original VARCHAR length to avoid problems with invalidated hashes due to shorter field length (from r114748)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114749 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:05 +13:00
Ingo Schommer
7280a64d6b
MINOR Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114744 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:05 +13:00
Ingo Schommer
6255cdf20a
BUGFIX Limiting usage of mcrypt_create_iv() in RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114512 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:04 +13:00
Ingo Schommer
310f8f6a03
BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114507 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:04 +13:00
Ingo Schommer
ae1d8e2e18
BUGFIX Using RandomGenerator class in PasswordEncryptor->salt() (from r114503)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114506 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:04 +13:00
Ingo Schommer
696de5d437
BUGFIX Using RandomGenerator class in SecurityToken->generate() for more random tokens
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114500 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:03 +13:00
Ingo Schommer
f8c970ec0c
ENHANCEMENT Added RandomGenerator for more secure CRSF tokens etc. (from r114497)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114499 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:03 +13:00
Ingo Schommer
30e3f08efb
MINOR Checking for class_exists() before SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114334 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:03 +13:00
Sean Harvey
28f1c20c5d
MINOR Reverted r108515
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114079 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:02 +13:00
Ingo Schommer
d6c9e18333
BUGFIX Using current controller for MemberTableField constructor in Group->getCMSFields() instead of passing in a wrong instance (Group)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@113273 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:58 +13:00
Ingo Schommer
e4d3584805
ENHANCEMENT Added SecurityToken to wrap CSRF protection via "SecurityID" request parameter
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@113272 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:58 +13:00
Sean Harvey
f3cc5a2b42
ENHANCEMENT #4903 MemberLoginForm field for "You are logged in as %s" message customisation (thanks walec51!)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@111891 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:56 +13:00
Ingo Schommer
486091e4ec
API CHANGE Member->canEdit() returns false if the editing member has lower permissions than the edited member, for example if a member with CMS_ACCESS_SecurityAdmin permissions tries to edit an ADMIN ( fixes #5651 )
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@110856 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:50 +13:00
Sean Harvey
845b821f9e
MINOR Remove whitespace if Surname field set on Member, but not FirstName
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109334 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:47 +13:00
Will Rossiter
947aeaed81
MINOR: trim space off end of firstname if surname is not set. #5925
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109330 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:47 +13:00
Sean Harvey
0cbde73445
API CHANGE #5873 DataObjectSet::shift() now performs a proper shift instead of unshift (wrong). Please use DataObjectSet::unshift($item) if unshifting was intended!
...
API CHANGE Added DataObjectSet::pop()
MINOR Unit tests for DataObjectSet::shift(), DataObjectSet::unshift() and DataObjectSet::pop()
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109156 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:46 +13:00
Sam Minnee
d612dd6a2c
API CHANGE Member::set_session_regenerate_id() can now be used to disable Member::session_regenerate_id() which can break setting session cookies across all subdomains of a site
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109103 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:46 +13:00
Sam Minnee
ce79e78de6
BUGFIX: Themed permissionFailure messages
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109102 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:46 +13:00
Sean Harvey
6d5f83ad59
BUGFIX Group::getCMSFields() should use Tab instances with a fixed name instead of translated one, leaving the translation for the tab title instead
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@109083 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:45 +13:00
Andreas Piening
4659068c3f
MINOR: remove SQL table alias keyword AS
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108961 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:44 +13:00
Sean Harvey
72e1120168
BUGFIX #5627 Clear session on logout
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108515 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:44 +13:00
Sean Harvey
f9257a6035
ENHANCEMENT New Member records are populated with the currently set default through i18n::set_locale()
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108499 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:43 +13:00
Sean Harvey
79b6c9d9cb
BUGFIX Member_ProfileForm should fallback to english text for save button if no translation defined for current language
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108408 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:41 +13:00
Ingo Schommer
6ac852e216
BUGFIX Bypass BasicAuth when in CLI mode so unit tests can run (regression from r104962)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108193 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:40 +13:00
Sean Harvey
ae6d1c8e33
MINOR Fixed incorrect word "colon" with "dot"
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108002 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:39 +13:00
Sean Harvey
2cf33bc2d7
BUGFIX #5833 Duplicate IDs when two similar date formats in Member_DatetimeOptionsetField containing different delimiters (e.g / and .) replaced to an empty string
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@108001 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:39 +13:00
Ingo Schommer
78ac0fe3d6
ENHANCEMENT Allowing custom messages and permission codes in BasicAuth::protect_entire_site()
...
ENHANCEMENT Making $permissionCode argument optional for BasicAuth::requireLogin(). If not set the logic only checks for a valid account (but no group memberships)
ENHANCEMENT Using SS_HTTPResponse_Exception instead of header()/die() in BasicAuth::requireLogin() to make it more testable
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107867 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:38 +13:00
Ingo Schommer
7ac4a9ec4d
BUGFIX Fixed Member->PasswordEncryption defaults when writing new Member without setting a password. Fixes critical issue with MemberTableField saving in admin/security, where new members are stored with a cleartext password by default instead of using the default SHA1 (see #5772 )
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107532 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:37 +13:00
Ingo Schommer
8dee93b523
BUGFIX Allowing dev/build in "live" mode when Security::database_is_ready() returns FALSE (typically happens when an existing SilverStripe project is upgraded and database columns in Member/Permission/Group have been added) ( fixes #4957 )
...
MINOR Using Object::create() in DevelopmentAdmin to make objects mockable
ENHANCEMENT Added Security::$force_database_is_ready to mock database_is_ready() state
ENHANCEMENT Added permission check exception in TaskRunner and DatabaseAdmin if SapphireTest::is_running_test() returns TRUE (necessary for DevelopmentAdminTest)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107415 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:36 +13:00
Sean Harvey
0df0dbd12c
ENHANCEMENT Member_DatetimeOptionsetField toggle text is now translatable
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107365 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:35 +13:00
Sean Harvey
11568cf4e5
ENHANCEMENT #5352 Translatable entities for help text in Member_DatetimeOptionsetField::getFormattingHelpText()
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107334 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:35 +13:00
Sean Harvey
3be26a4cec
ENHANCEMENT #5352 Decouple date display from i18n locales, users now have access to change their date and time formats in Member::getCMSFields() using Member_DatetimeOptionsetField field
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107326 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:35 +13:00
Ingo Schommer
7dfb8dd43d
MINOR Making $Email available in Security_passwordsent.ss template ( fixes #5737 )
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@106876 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:32 +13:00
Ingo Schommer
862c5a8602
MINOR Fixed hardcoded error message in PasswordValidator ( fixes #5734 )
...
MINOR Added PasswordValidatorTest
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@106687 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:32 +13:00
Will Rossiter
c38dc3b1b4
APICHANGE: moved Group::addToGroupByName to $member->addToGroupByCode.
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@106217 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:31 +13:00
Mark Stephens
68e3ff3481
BUGFIX: get_title_sql has string concat hardcoded as ||, fixed for MSSQL which uses +, fix for #5613
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@105337 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:28 +13:00
Sam Minnee
9140742fd3
BUGFIX: Fixed bug in basicauth failover to session member.
...
BUGFIX: Don't use session member for test site protection feature.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104962 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:25 +13:00
Normann Lou
c540c3e12c
BUGFIX: after reset password, the site redirect to non-exisit page (SC #1 )
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104745 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:24 +13:00
Ingo Schommer
bdf13bd3fc
MINOR Documentation
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104610 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:22 +13:00
Ingo Schommer
17c67c7869
MINOR Fixed wrong _t() notation in ChangePasswordForm (broken in r103226 and r104596)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104598 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:22 +13:00
Mateusz Uzdowski
758d294b5d
BUGFIX: when using custom Member title, the join was failing - it had wrong parameters. Now changed to correctly handle the ansi sql join for all Member columns.
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104552 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:19:21 +13:00