tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
22,896 Commits 31 Branches 527 Tags 162 MiB
59f23ad2aa
Commit Graph

290 Commits

Author SHA1 Message Date
Guy Marriott
53cb804929
Merge branch '4.2' into 4.3 2019-05-13 15:56:23 +12:00
matt-in-a-hat
db0e6f7104 Fix password validation min length message 
When relying on static config instead of an explicitly set minLength then this message would show without the value, like "it must be  or more characters long".
 2019-05-13 13:43:29 +12:00
Indy Griffiths
5dc57518c2
NEW Filter out authenticators that are falsy 
Use-case: if a module is defining its own authenticator and you want to disable it, as it seems we don't have `unregister_authenticator()` anymore and I can't spot how to remove YAML-based injected properties, then this lets you mark it as null or false to prevent it from erroring out when it attempts to call `supportedServices()`
 2019-05-04 20:58:48 +12:00
Robbie Averill
7775f82584 FIX Handle falsy return value when setting form field value in setAuthenticatorClass() 2019-02-01 19:39:15 +03:00
Robbie Averill
ebfab45e23 API LoginForm::authentiator_class is now deprecated, use getters or setters instead 2019-02-01 19:39:15 +03:00
Maxime Rainville
868258926f
Implement feedback on PSR-19 compatibility 2019-01-30 11:57:17 +13:00
Robbie Averill
b0fc161235
Merge branch '4' into pulls/4/deprecating-declared-permissions 2019-01-29 09:33:44 +02:00
Robbie Averill
47fbaebb92
Alter deprecation version numbers 
Co-Authored-By: ScopeyNZ <guy@scopey.co.nz>
 2018-11-06 00:07:24 +13:00
Guy Marriott
2ff7ee6752
NEW Deprecate RandomGenerator::generateEntropy in favour of using random_bytes directly 2018-11-01 19:51:15 +13:00
Maxime Rainville
0703c1a94e API Deprecating Permission::$declared_permissions and related methods/props 2018-11-01 09:28:05 +13:00
micmania1
1e83dff4ed BUGFIX #828 optimised query in graphql asset admin 2018-10-18 18:34:03 +13:00
Robbie Averill
ee24413c30 Merge branch '4.2' into 4 2018-10-03 15:28:05 +02:00
Robbie Averill
231d6d9a9f FIX New members now receive the configured default locale, not the current locale 2018-09-28 16:25:10 +02:00
Robbie Averill
4d14e9b6b1
Merge pull request #8421 from creative-commoners/pulls/4.3/psr-5-deprecations 
Update deprecation PHPDocs to be PSR-5 compliant
 2018-09-28 14:18:54 +02:00
Robbie Averill
f842ee2eec Update deprecation PHPDocs to be PSR-5 compliant 
See: https://github.com/php-fig/fig-standards/blob/master/proposed/phpdoc-tags.md#55-deprecated
 2018-09-28 10:49:14 +02:00
Robbie Averill
adb4d1f92d MINOR Reduce some code complexity, update array syntax and injected SQLSelect etc 2018-09-27 16:40:23 +02:00
Simon Gow
c269a987d5 Performance issues with BasicAuth and LoginAttempts 
Two functions interact with the LoginAttempt object which when used in conjunction with BasicAuth result in significant performance degradation over time, as the LoginAttempts Table fills.

This fix adds an index to the lookup column EmailHashed and removes the Email filter part of getByEmail() so it can use the index resulting in a much faster query.

For more information see https://github.com/silverstripe/silverstripe-framework/issues/8389
 2018-09-20 13:34:03 +12:00
Robbie Averill
373a8afeb5 Merge branch '4.2' into 4 2018-09-06 13:26:46 +02:00
Ingo Schommer
f7d85fe794 Make sure that CMS requests disable caching 
Original author: @dhensby

Forward port from 3.7 fix at https://github.com/silverstripe/silverstripe-framework/pull/8318
 2018-09-05 11:38:41 +12:00
Robbie Averill
83e461abbf Merge branch '4.2' into 4 2018-08-27 16:15:57 +12:00
Robbie Averill
373326e49c
Merge pull request #8324 from creative-commoners/pulls/4.2/request-before-init 
FIX Pass request to dummy controller before calling init
 2018-08-21 12:08:14 +12:00
Robbie Averill
18fff5c16c Remove past tense for "log in" in expired token message 2018-08-20 22:31:23 +12:00
Robbie Averill
dbab696690 FIX Message when changing password with invalid token now contains correct links to login 
The Security controller should be used to return these links rather than the
ChangePasswordHandler
 2018-08-20 22:30:12 +12:00
Robbie Averill
873873dc30 FIX Pass request to dummy controller before calling init 2018-08-15 10:14:25 +12:00
Anh Le
68f75a9e25
Password changing notification issue on new member 
With `notify_password_change = true`, new member is receiving notification email regarding password changing when they should not.
 2018-08-13 14:13:05 +07:00
Ingo Schommer
2d6964c243
Merge pull request #8261 from open-sausages/pulls/4/secure-remember-me-cookie 
NEW Option for secure "remember me" cookie
 2018-07-31 09:19:15 +12:00
Ingo Schommer
114b0a5ea7
NEW Option for secure "remember me" cookie 
Fixes #8234
 2018-07-30 16:41:49 +01:00
Ingo Schommer
93b0884e19 BUG Lazy session state (fixes #8267) 
Fixes regression from 3.x, where sessions where lazy started as required:
Either because an existing session identifier was sent through with the request,
or because new session data needed to be persisted as part of the request execution.

Without this lazy starting, *every* request will get a session,
which makes all those responses uncacheable by HTTP layers.

Note that 4.x also changed the $data vs. $changedData payloads:
In 3.x, they both contained key/value pairs.
In 4.x, $data contains key/value, while $changedData contains key/boolean to declare isChanged.
While this reduces duplication in the class, it also surfaced a bug which was latent in 3.x:
When an existing session is lazily resumed via start(), $data is set back to an empty array.
In 3.x, any changed data before this point was *also* retained in $changedData,
ensuring it gets merged into existing $_SESSION data.
In 4.x, this clears out data - hence the need for a more complex merge logic.

Since isset($this->data) is no longer an accurate indicator of a started session,
we introduce a separate $this->started flag.

Note that I've chosen not to make lazy an opt-in (e.g. via start($request, $lazy=false)).
We already have a distinction between lazy starting via init(), and force starting via start().
 2018-07-19 13:32:04 +12:00
Daniel Hensby
560fe9820a FIX remove personal information from password reset confirmation screen 2018-07-05 14:19:15 +12:00
Robbie Averill
e0993043f8 Merge branch '4.1' into 4 2018-05-30 15:08:39 +12:00
Robbie Averill
c8b0bc0ad7 Merge branch '4.0' into 4.1 
# Conflicts:
  #	src/ORM/DataObject.php
  #	tests/php/ORM/DataObjectDuplicationTest.php
  #	tests/php/ORM/DataObjectDuplicationTest/Class1.php
 2018-05-30 14:52:07 +12:00
Robbie Averill
ea16e28aa7 Merge branch '4.1' into 4 2018-05-28 18:33:56 +12:00
Robbie Averill
6d98a912c9 Merge branch 'heads/4.1.1' into 4.1 2018-05-28 18:26:20 +12:00
Robbie Averill
3a537bc745 Merge branch 'heads/4.0.4' into 4.0 2018-05-28 17:50:07 +12:00
Robbie Averill
722202fef4 Merge remote-tracking branch 'origin/4.0.4' into 4.1.1 
# Conflicts:
  #	src/Control/Director.php
 2018-05-24 15:41:11 +12:00
Robbie Averill
5887201dd5
Merge pull request #64 from silverstripe-security/pulls/4.0/ss-2018-010 
[SS-2018-010] Fix regression of SS-2017-002
 2018-05-14 17:12:45 +12:00
Robbie Averill
beec0c0d47 [SS-2018-010] Fix regression of SS-2017-002 2018-05-14 17:12:07 +12:00
Damian Mooyman
e409d6f673 [ss-2018-001] Restrict non-admins from being assigned to admin groups 2018-05-14 17:10:22 +12:00
Daniel Hensby
d5e2d3fa67
Merge branch '3.6' into 4.0 2018-05-01 21:47:17 +01:00
azt3k
6b39b25e20
Fixes a count() php warning without an api change 
Warning: count(): Parameter must be an array or an object that implements Countable in /path/to/vendor/silverstripe/framework/src/Security/Member.php on line 1355
 2018-04-27 09:31:07 +01:00
Damian Mooyman
9a12fac218
BUG Prevent password validator min score producing false negatives 
Replaces #7995
 2018-04-18 10:35:31 +12:00
Daniel Hensby
70effc7046
Revert "ENHANCEMENT Add config var to skip confirm logout (#7977)" 
This reverts commit 47bcac930d.
 2018-04-04 13:51:18 +01:00
Andrew Aitken-Fincham
47bcac930d ENHANCEMENT Add config var to skip confirm logout (#7977) 2018-04-04 09:43:49 +12:00
Damian Mooyman
386ef27f65
Update requesthandlers with missing extension points 2018-03-23 15:28:00 +13:00
Damian Mooyman
625f7b4eee
Merge remote-tracking branch 'origin/4.0' into 4.1 2018-03-13 14:26:18 +13:00
Joe Harvey
bf2cee3989 Bugfix - Correct duplicate nesting of 'Content' to be returned to template 
In scenarios where:

- No member is logged in
- An 'AutoLoginHash' is provided via the 't' (token) query param
- The token isn't valid (determined by Member::validateAutoLoginToken())

The message which is intended to be returned to the end-user via $Content
in the template, is mistakenly double nested in ['Content' => ['Content' => 'Message']]
this leads to "The method forTemplate() doesn't exist on ArrayData" errors.

See - https://github.com/silverstripe/silverstripe-framework/issues/7866
 2018-03-07 14:14:05 +00:00
JorisDebonnet
3e0984db49
Delete orphaned Group_Members records after deleting a Member 2018-02-27 19:47:26 +01:00
Daniel Hensby
c04ff8c55a
Merge branch '4.0' into 4.1 2018-02-21 13:40:30 +00:00
Damian Mooyman
0e26c06644
BUG Fix behaviour towards versioned but unstagable records 2018-02-20 12:20:18 +13:00
Daniel Hensby
7ec5fa2c8d
Merge branch '4.0' into 4.1 2018-02-09 15:19:15 +00:00
Daniel Hensby
e298fcc345
Merge branch '3.6' into 4.0 2018-02-09 14:32:58 +00:00
Damian Mooyman
2f1f5c0caa
Merge remote-tracking branch 'origin/4.0' into 4 2018-02-07 11:48:46 +13:00
Daniel Hensby
660dfd34a8
FIX Issue where default admin has no password encryption 2018-02-06 20:18:32 +00:00
Damian Mooyman
e359948eb3
Merge remote-tracking branch 'origin/4.0' into 4 
# Conflicts:
#	src/Core/CoreKernel.php
 2018-02-05 17:52:38 +13:00
Simon Erkelens
a071672b48 [bugfix] $request == null breaks 
The $request incoming as null was not properly detected by the if/elseif structure.
 2018-02-05 13:02:07 +13:00
Damian Mooyman
bc2fc7f2db
BUG Prevent invalid members being written to database if validation_enabled is false 2018-02-01 16:24:31 +13:00
Christopher Joe
456871fd91 Enhancement Updated PasswordValidator to fallback to config options - still retains instance variables 2018-01-31 10:54:43 +13:00
Damian Mooyman
bca47029c4
Merge remote-tracking branch 'origin/4.0' into 4 
# Conflicts:
#	src/Control/SimpleResourceURLGenerator.php
#	tests/php/Control/SimpleResourceURLGeneratorTest.php
 2018-01-25 12:53:15 +13:00
Damian Mooyman
a3c52f901a
Merge remote-tracking branch 'origin/4.0' into 4 
# Conflicts:
#	src/Core/TempFolder.php
#	src/ORM/DataObject.php
#	src/View/ThemeResourceLoader.php
#	src/includes/constants.php
#	tests/php/Control/SimpleResourceURLGeneratorTest.php
#	tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
#	tests/php/View/RequirementsTest.php
 2018-01-22 14:57:05 +13:00
Damian Mooyman
60fa7558d3
BUG Fix double casting in login authenticator name 
Fixes #7769
 2018-01-22 14:06:24 +13:00
Daniel Hensby
db610aaf3b
Fixing string concat CS issues 2018-01-16 18:39:30 +00:00
Damian Mooyman
f86b855c90
BUG Prevent basic-auth from disallowing logout 
Fixes #7555
 2018-01-16 15:24:20 +13:00
Damian Mooyman
c4ff8443bb
API Shift basic auth checking into middleware 
Fixes #7554
 2017-12-20 11:39:04 +13:00
Chris Joe
4ad9ceca6b
Merge pull request #7702 from open-sausages/pulls/4/fix-message-casting-permissions 
BUG Fix message casting for html security messages
 2017-12-18 15:43:35 +13:00
Daniel Hensby
e4bf9a31ed
Merge branch '4.0' into 4 2017-12-14 21:20:11 +00:00
Daniel Hensby
1c72d6946d
Merge branch '3.6' into 4.0 2017-12-14 21:01:35 +00:00
Damian Mooyman
140ed72e2a
BUG Fix message casting for html security messages 2017-12-14 14:49:58 +13:00
Damian Mooyman
529e341dbc
Merge pull request #7699 from open-sausages/pulls/4/html-in-security-msg 
ENHANCEMENT Allow html in security failure message
 2017-12-14 14:30:09 +13:00
Damian Mooyman
8b1b9f022b
Fix linting issues 2017-12-14 13:50:52 +13:00
Saophalkun Ponlu
31e04c8491 ENHANCEMENT Allow html in security failure message 2017-12-13 17:10:16 +13:00
Damian Mooyman
a2fa9f0943
Merge pull request #7694 from creative-commoners/pulls/4.0/injection-session 
FIX Use Injector to retrieve the current session
 2017-12-12 16:47:36 +13:00
Robbie Averill
eb6c1fc6de FIX Allow the current controller as well as injectable HTTPRequest objects 2017-12-12 16:35:53 +13:00
Robbie Averill
097d0697c5 FIX Use Injector to retrieve the current session 2017-12-12 16:03:16 +13:00
Damian Mooyman
33b2d50d59
Cache warming in InheritedPermissions::getCachePermissions() 
Simplify Group::Members() code
Remove cms-only config
 2017-12-12 09:01:43 +13:00
Aaron Carlino
2be902ef2f Adapt to new MemberCacheFlusher interface 2017-12-11 17:50:11 +13:00
Aaron Carlino
45999e1133 Revisions per robbieaverill 2017-12-11 17:50:11 +13:00
Aaron Carlino
aefb0aeaa8 Make InheritedPermissions use cache and implement cache flushing 2017-12-11 17:50:11 +13:00
Damian Mooyman
ee27329728 Minor linting / style updates 2017-12-11 16:46:59 +13:00
Aaron Carlino
8b429bf47b update docblock 2017-12-11 16:46:59 +13:00
Aaron Carlino
86458941be Refactor to MemberCacheFlusher 2017-12-11 16:46:59 +13:00
Aaron Carlino
4857816c9e Revisions per robbieaverill 2017-12-11 16:46:59 +13:00
Aaron Carlino
eecb9f64d3 Add new InheritedPermissionFlusher extension, CacheFlusher service 2017-12-11 16:46:59 +13:00
Damian Mooyman
6b384f4b35
Merge branch '4.0' into 4 2017-12-07 13:52:00 +13:00
Daniel Hensby
eb55c27124
Merge branch '4.0' into 4 2017-12-05 12:14:22 +00:00
Damian Mooyman
f1dd3d6f03
[ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt 2017-11-30 17:00:49 +13:00
Loz Calver
c4b366828e FIX: Restore BackURL preservation on log out (closes #7636) 2017-11-27 16:15:28 +00:00
Simon Erkelens
0987003053 Add the ability to redirect a user to a custom page with custom content after changing their password 2017-11-27 14:18:40 +13:00
Damian Mooyman
6a73466b41 BUG Fix basicauth 2017-11-03 12:08:38 +13:00
Damian Mooyman
ad36b8f6a9 Use restart instead of destroy 2017-11-03 12:08:38 +13:00
Daniel Hensby
a61ce077c6 FIX Sessions must be destroyed on logout 2017-11-03 12:08:38 +13:00
Robbie Averill
897cba55cb FIX Move Member log out extension points to non-deprecated methods 2017-11-02 11:39:02 +13:00
Damian Mooyman
3c8848a090
Update code style and fix tests 2017-10-30 17:34:15 +13:00
Christopher Joe
f6b7cf8889 Feature disable current user from removing their admin permission 2017-10-30 12:34:06 +13:00
Oly Su
4d85da179f 291 checks if ->value is iterable 2017-10-27 10:46:20 +13:00
Damian Mooyman
b9cb1e69e6 BUG Replace phpdotenv with thread-safe replacement 2017-10-20 18:43:11 +13:00
Simon Erkelens
6506a5b958 Don't add a . when there's no extension 2017-10-16 11:56:35 +13:00
Damian Mooyman
6a55dcfc16
Fix references to resource paths / urls 2017-10-10 16:51:47 +13:00
Chris Joe
566d7baa48 Merge pull request #7437 from open-sausages/pulls/4.0/stateless-extensions 
API Extensions are now stateless
 2017-10-09 11:45:33 +13:00
Ingo Schommer
7406318f03 Merge pull request #7436 from creative-commoners/pulls/4.0/consistent-change-password-api 
NEW Ensure changePassword is called by onBeforeWrite for a consistent API
 2017-10-06 11:26:37 +01:00
Damian Mooyman
b996e2c22c
API Extensions are now stateless 
ENHANCEMENT Injector now lazy-loads services more intelligently
 2017-10-06 14:53:44 +13:00
Daniel Hensby
16cac4e3bd
Merge branch '3' into 4 2017-10-05 16:40:31 +01:00
Robbie Averill
413034f684 Remove psuedo-property SetPassword from Member 2017-10-05 16:55:24 +13:00
Robbie Averill
cdf6ae45a3 NEW Ensure changePassword is called by onBeforeWrite for a consistent API 2017-10-05 16:14:15 +13:00
Robbie Averill
6044579a3f MINOR Separate some areas of logic in LostPasswordHandler to make them more overridable 2017-10-05 14:17:38 +13:00
Robbie Averill
6b52412693 NEW Make Member::changePassword extensible 2017-10-05 11:18:34 +13:00
Chris Joe
b219e40ff7 Merge pull request #7414 from open-sausages/pulls/4.0/basic-auth-var 
BUG Restore SS_USE_BASIC_AUTH env var
 2017-10-02 15:11:19 +13:00
Damian Mooyman
e2750c03fc
BUG Restore SS_USE_BASIC_AUTH env var 
Fixes #7268
 2017-09-29 16:56:56 +13:00
Damian Mooyman
f4b1417612
ENHANCEMENT Use less expensive i18n defaults in Member::populateDefaults() 
Fixes #7381
 2017-09-29 16:40:17 +13:00
Mike Cochrane
b8e5a2ce32 FIX readonly PermissionCheckboxSetField 
A readonly PermissionCheckboxSetField (eg in Security when viewing a member without permission to edit it) can result in calling "getRecord()" on null.  Add is_object check, consistent with line 98.
 2017-09-25 15:25:10 +13:00
Loz Calver
7431122b58
Make auto login token expiry configurable (closes #7278) 2017-09-18 14:06:13 +01:00
Damian Mooyman
905c4e04d5
BUG Incorrect path for requirements file 2017-09-12 10:36:48 +01:00
Christopher Joe
25380eb454 Fix permission check for admin role 2017-09-06 10:21:01 +12:00
Sam Minnee
8c15e451c6 FIX: Removed unnecessary database_is_ready call. 
This shaves about 45ms from every request (PHP 7.1 on a 2013 rMBP), 
cutting down execution time of a “hello world” controller by about 33%.

database_is_ready is still used in dev/build and ?flush=1 to stop people
from people bypassing security by DOSing the database or otherwise
forcing a DatabaseException
 2017-08-25 13:06:12 +12:00
Loz Calver
ecc619248b Merge pull request #7298 from robbieaverill/pulls/4.0/replace-stat-usage 
Replace use of Configurable stat() with config()->get(), will be deprecated in future
 2017-08-23 10:12:40 +01:00
Damian Mooyman
14761a9246
Remove mcrypt 
Use session for alternativeDatabaseName instead
Fixes #7280
 2017-08-23 12:13:32 +12:00
Robbie Averill
8ebc13ae4e Replace use of Configurable stat() with config()->get(), will be deprecated in future 2017-08-23 09:42:10 +12:00
Damian Mooyman
9b4d689bb2 Lazy-load custom methods and extensions on CustomMethods and Extensible traits 
No longer need constructExtensions()
 2017-08-22 15:47:24 +12:00
Damian Mooyman
b6a8e45888
BUG Ensure mocked controller has request assigned 
Fixes #7237
 2017-08-03 15:52:31 +12:00
Damian Mooyman
e64acef53a BUG Fix invalid i18n yaml 2017-08-03 10:13:09 +12:00
Damian Mooyman
8418011456
Fix linting issues 2017-08-02 14:08:59 +12:00
Robbie Averill
e307f067ed FIX Replace deprecated %s placeholders in translations with named placeholders 
* Remove the use of sprintf and %s placeholders in the i18n tests
 2017-08-02 13:03:55 +12:00
Robbie Averill
a5ca4ecb59 FIX Log in as someone else returns user back to login screen 2017-07-18 17:15:58 +12:00
Simon Erkelens
3e97b99e22 [BUG] Fix issues with multiple authenticators for a single task (#7149) 
Using multiple 2FA authenticators, logging out, resetting password etc. proved to be handled wrong.
Example scenario:
The result is an error, because the `renderWrappedController` was called, despite the responses being a set of either array with Content or Form, or a redirect action.

The default action should be followed and not try to render if there is nothing to render

Because the logout (or changepassword, or resetpassword, etc.) has already been handled, the first response is the default authenticator's response. This _could_ be a form (in case of logout without valid token), a content set (reset password) or a form (change password).

This edge case only happens when there are multiple authenticators supporting the requested method that is _not_ login.
 2017-07-14 09:20:58 +12:00
Damian Mooyman
85359ad59e
BUG Ensure that installer can create an initial admin account 
Fixes #7124
 2017-07-06 13:30:04 +12:00
Damian Mooyman
4b23205838
Fix unnamespaced i18n keys 
Fixes https://github.com/silverstripe/silverstripe-framework/issues/6862
 2017-07-04 14:18:47 +12:00
Damian Mooyman
f65e3627dc
BUG Implement or exclude all pending upgrader deltas 2017-07-03 12:21:47 +12:00
Daniel Hensby
c69a565b08 Merge pull request #7046 from andrewandante/FEAT/add_inGroup_to_Group 
add inGroup(s) methods to Group
 2017-06-30 16:38:55 +01:00
Andrew Aitken-Fincham
ab60a167e6 add inGroup(s) methods to Group 2017-06-30 12:47:37 +01:00
Daniel Hensby
30986b4ea3
[SS-2017-002] FIX Lock out users who dont exist in the DB 2017-06-29 13:58:55 +12:00
Damian Mooyman
d20ab50f9d API Stronger Injector service unregistration 
BUG Fix up test regressions
FIX director references to request object
API Move all middlewares to common namespace
API Implement RequestHandlerMiddlewareAdapter
ENHANCEMENT Improve IP address parsing
Fix up PHPDoc / psr2 linting
BUG Fix property parsing in TrustedProxyMiddleware
BUG Fix Director::is_https()
 2017-06-27 13:32:39 +12:00
Sam Minnee
254204a3a6 NEW: Replace AuthenticationRequestFilter with AuthenticationMiddleware 2017-06-27 13:32:39 +12:00
Ingo Schommer
fa568e333e Fixed linting errors 2017-06-23 11:19:16 +12:00
Damian Mooyman
3873e4ba00 API Refactor bootstrap, request handling 
See https://github.com/silverstripe/silverstripe-framework/pull/7037
and https://github.com/silverstripe/silverstripe-framework/issues/6681

Squashed commit of the following:

commit 8f65e56532
Author: Ingo Schommer <me@chillu.com>
Date:   Thu Jun 22 22:25:50 2017 +1200

    Fixed upgrade guide spelling

commit 76f95944fa
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 16:38:34 2017 +1200

    BUG Fix non-test class manifest including sapphiretest / functionaltest

commit 9379834cb4
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 15:50:47 2017 +1200

    BUG Fix nesting bug in Kernel

commit 188ce35d82
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 15:14:51 2017 +1200

    BUG fix db bootstrapping issues

commit 7ed4660e7a
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 14:49:07 2017 +1200

    BUG Fix issue in DetailedErrorFormatter

commit 738f50c497
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 11:49:19 2017 +1200

    Upgrading notes on mysite/_config.php

commit 6279d28e5e
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 11:43:28 2017 +1200

    Update developer documentation

commit 5c90d53a84
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 10:48:44 2017 +1200

    Update installer to not use global databaseConfig

commit f9b2ba4755
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 21:04:39 2017 +1200

    Fix behat issues

commit 5b59a912b6
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 17:07:11 2017 +1200

    Move HTTPApplication to SilverStripe\Control namespace

commit e2c4a18f63
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 16:29:03 2017 +1200

    More documentation
    Fix up remaining tests
    Refactor temp DB into TempDatabase class so it’s available outside of unit tests.

commit 5d235e64f3
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 12:13:15 2017 +1200

    API HTTPRequestBuilder::createFromEnvironment() now cleans up live globals
    BUG Fix issue with SSViewer
    Fix Security / View tests

commit d88d4ed4e4
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 16:39:43 2017 +1200

    API Refactor AppKernel into CoreKernel

commit f7946aec33
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 16:00:40 2017 +1200

    Docs and minor cleanup

commit 12bd31f936
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 15:34:34 2017 +1200

    API Remove OutputMiddleware
    API Move environment / global / ini management into Environment class
    API Move getTempFolder into TempFolder class
    API Implement HTTPRequestBuilder / CLIRequestBuilder
    BUG Restore SS_ALLOWED_HOSTS check in original location
    API CoreKernel now requires $basePath to be passed in
    API Refactor installer.php to use application to bootstrap
    API move memstring conversion globals to Convert
    BUG Fix error in CoreKernel nesting not un-nesting itself properly.

commit bba9791146
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 18:07:53 2017 +1200

    API Create HTTPMiddleware and standardise middleware for request handling

commit 2a10c2397b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 17:42:42 2017 +1200

    Fixed ORM tests

commit d75a8d1d93
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 17:15:07 2017 +1200

    FIx i18n tests

commit 06364af3c3
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 16:59:34 2017 +1200

    Fix controller namespace
    Move states to sub namespace

commit 2a278e2953
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 12:49:45 2017 +1200

    Fix forms namespace

commit b65c21241b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 15 18:56:48 2017 +1200

    Update API usages

commit d1d4375c95
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 15 18:41:44 2017 +1200

    API Refactor $flush into HTPPApplication
    API Enforce health check in Controller::pushCurrent()
    API Better global backup / restore
    Updated Director::test() to use new API

commit b220534f06
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 22:05:57 2017 +1200

    Move app nesting to a test state helper

commit 603704165c
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 21:46:04 2017 +1200

    Restore kernel stack to fix multi-level nesting

commit 2f6336a15b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 17:23:21 2017 +1200

    API Implement kernel nesting

commit fc7188da7d
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:43:13 2017 +1200

    Fix core tests

commit a0ae723514
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:23:52 2017 +1200

    Fix manifest tests

commit ca03395251
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:00:00 2017 +1200

    API Move extension management into test state

commit c66d433977
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 14:10:59 2017 +1200

    API Refactor SapphireTest state management into SapphireTestState
    API Remove Injector::unregisterAllObjects()
    API Remove FakeController

commit f26ae75c6e
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 12 18:04:34 2017 +1200

    Implement basic CLI application object

commit 001d559662
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 12 17:39:38 2017 +1200

    Remove references to SapphireTest::is_running_test()
    Upgrade various code

commit de079c041d
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 7 18:07:33 2017 +1200

    API Implement APP object
    API Refactor of Session
 2017-06-22 22:50:45 +12:00
Loz Calver
5d27dccd60 NEW: Add CSRF token to logout action 2017-06-21 15:42:13 +01:00
Damian Mooyman
0f90c5b63f ENHANCEMENT Update style of CMSLogin form 2017-06-15 18:13:14 +12:00
Damian Mooyman
024371c37e
API Change authentication ValidationResult handling to pass by-reference 2017-06-15 17:25:23 +12:00
Damian Mooyman
62d095305b
API Update DefaultAdmin services 
API Improve validation of authentication process
 2017-06-15 15:53:57 +12:00
Simon Erkelens
576eee72dc Remove DefaultAdmin things from Security and Member into the MemberAuthenticator, unifying and removing duplicate code. 2017-06-15 14:20:29 +12:00
Damian Mooyman
0dcfa5fa9d FIX CMSSecurity doesn't have Authenticators assigned. 2017-06-12 10:10:34 +12:00
Simon Erkelens
3fe837dad7 Fix for CMS Authenticator. Should only apply to CMSSecurity 2017-06-10 14:47:53 +12:00
Simon Erkelens
5c4e55b60d It's not CascadeLogInTo anymore, it's CascadeInTo 
I'm mildly surprised this didn't break. I changed it to CascadeInTo, as the logout action needs to cascade into the session as well.
 2017-06-10 12:58:22 +12:00
Damian Mooyman
62753b3cb1
Cleanup and RequestFilter refactor 2017-06-09 15:07:35 +12:00
Simon Erkelens
5fce3308b4 Move LostPasswordHandler in to it's own class. 
- Moved the Authenticators from statics to normal
- Moved MemberLoginForm methods to the getFormFields as they make more sense there
- Did some spring-cleaning on the LostPasswordHandler
- Removed the BuildResponse from ChangePasswordHandler after spring cleaning
 2017-06-08 20:09:57 +12:00
Simon Erkelens
082db89550 Feedback from Damian. 
- Move the success and message to a validationresult
- Fix tests for validationresult return
- We need to clear the session in Test logOut method
- Rename to MemberAuthenticator and CMSMemberAuthenticator for consistency.
- Unify all to getCurrentUser on Security
- ChangePasswordHandler removed from Security
- Update SapphireTest for CMS login/logout
- Get the Member ID correctly, if it's an object.
- Only enable "remember me" when it's allowed.
- Add flag to disable password logging
- Remove Subsites coupling, give it an extension hook to disable itself
- Change cascadeLogInTo to cascadeInTo for the logout method logic naming
- Docblocks
- Basicauth config
 2017-06-08 17:50:20 +12:00
Simon Erkelens
2b26cafcff Separate out the log-out handling. 
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
 2017-06-07 21:11:58 +12:00
Sam Minnee
f9ea752bae NEW: Add AuthenticationHandler interface 
NEW: Add IdentityStore for registering log-in / log-out data
NEW: Add AuthenticationRequestFilter for managing login
NEW: Add Security:setCurrentUser() / Security::getCurrentUser()
NEW: Add FunctionalTest::logOut()
 2017-06-07 21:11:55 +12:00
Simon Erkelens
c4194f0ed2 CMS Login Handling 
Move to canLogin in the authentication check. Protected isLockedOut

Enable login to be called with a different login service (CMSLogin), enabling CMS Log in. Seems the styling and/or output is still broken.

logOut could be managed from the Authenticator instead of the member
 2017-06-07 21:11:54 +12:00
Sam Minnee
7af7e6719e API: Security.authenticators is now a map, not an array 
Authenticators is now a map of keys -> service names. The key is used
in things such as URL segments. The “default_authenticator” value has
been replaced with the key “default” in this map, although in time a
default authenticator may not be needed.
IX: Refactor login() to avoid code duplication on single/multiple handlers
IX: Refactor LoginHandler to be more amenable to extension
IX: Fixed permissionFailure hack
his LoginHandler is expected to be the starting point for other
custom authenticators so it should be easier to repurpose components
`of it.
IX: Fix database-is-ready checks in tests.
IX: Fixed MemberAuthenticatorTest to match the new API
IX: Update security URLs in MemberTest
 2017-06-07 21:11:53 +12:00
Sam Minnee
e226b67d06 Refactoring of authenticators 
Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step.
Also cleaned up some minor typos I ran in to. Nothing major.

This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation.

FIX: Corrections to the multi-login-form support.

Importantly, the system provide a URL-space for each handler, e.g.
“Security/login/default” and “Security/login/other”. This is much
cleaner than identifying the active authenticator by a get parameter,
and means that the tabbed interface is only needed on the very first view.

Note that you can test this without a module simply by loading the
default authenticator twice:

SilverStripe\Security\Security:
  authenticators:
    default: SilverStripe\Security\MemberAuthenticator\Authenticator
    other: SilverStripe\Security\MemberAuthenticator\Authenticator

FIX: Refactor delegateToHandler / delegateToHandlers to have less
duplicated code.
 2017-06-07 21:11:52 +12:00
Damian Mooyman
fba8e2c245 API Remove Object class 
API DataObjectSchema::manyManyComponent() return array is now associative array
 2017-05-23 13:50:35 +12:00