Commit Graph

188 Commits

Author SHA1 Message Date
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Ingo Schommer
2160fb8000 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/javascript/LeftAndMain.js
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
	tests/control/ControllerTest.php
2013-06-19 14:03:43 +02:00
Ingo Schommer
94b4237372 Merge remote-tracking branch 'origin/3.1' 2013-06-19 11:17:33 +02:00
Sam Minnee
526b40414a FIX: Ensure that actions inferred from templates with the "_action" suffix also respect allowed_actions.
FIX: Ensure SSViewer::hasTemplate() is aware of themes.

To do this, RequestHandler::definingClassForAction() has been created, splitting out the code that looks up the class that defines a given action into its own method.  This is then overridden in Controller to look at templates.
2013-06-19 20:11:50 +12:00
Ingo Schommer
1d402dd513 Unset test state in DirectorTest
This broke RSSFeedTest when running through 'sake'
2013-06-18 23:24:22 +02:00
Ingo Schommer
71a5615213 Test $allowed_actions on controllers with template name=action conventions 2013-06-10 12:33:30 +02:00
Ingo Schommer
88536998b9 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
2013-05-31 18:08:59 +02:00
Stephen Shkardoon
d6c2c2e07f Fixes #1892 - Stop session hijacking with UA check 2013-05-25 19:29:08 +12:00
Sam Minnee
d97ca43cd0 Merge branch '3.1'
Conflicts:
	README.md
	dev/install/install.php5
	forms/ConfirmedPasswordField.php
	tests/forms/FormTest.php
2013-05-23 19:01:58 +12:00
Jeremy Shipman
d21fd1f0bb FIX: Don't rewrite urls to be absolute, if they are a URI with a protocol.
This is determined in this fix by the existence of a colon ':', to show the uri has a protocol.
2013-05-20 11:59:04 +12:00
Will Rossiter
1325d736a0 API: Add Director::is_https() 2013-05-10 22:31:38 +12:00
Ingo Schommer
6c2e791a48 Merge remote-tracking branch 'origin/3.1' 2013-04-29 08:59:06 +02:00
Damian Mooyman
b6fc1d314e BUG HTTP will now correctly pass over mailto: links when converting relative links to absolute (e.g. in Emails) 2013-04-18 14:25:51 +12:00
Ingo Schommer
0343a77d30 Merge remote-tracking branch 'origin/3.1' 2013-04-11 11:42:04 +02:00
Ingo Schommer
9856fcef21 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	javascript/DateField.js
	model/DataQuery.php
	model/Versioned.php
	tests/forms/RequirementsTest.php
	tests/model/DataObjectLazyLoadingTest.php
	view/Requirements.php
2013-04-09 14:45:35 +02:00
Andrew Short
1fc780ce2b API: Return a 404 error when no director rule is matched 2013-04-06 18:19:03 +11:00
Sean Harvey
6eda25a090 NEW Allow specifying the secure domain to Director::forceSSL() 2013-04-03 17:47:36 +13:00
Ingo Schommer
b0d3f7f3a2 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	api/RSSFeed.php
	dev/SapphireTest.php
	tests/control/RequestHandlingTest.php
2013-03-26 10:46:41 +01:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
ce66bc1eaf Merge remote-tracking branch 'origin/3.1'
Conflicts:
	tests/travis/before_script
2013-02-27 13:34:03 +01:00
Ingo Schommer
39789529d7 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/control/HTTPResponseTest.php
	tests/travis/before_script
2013-02-27 10:27:22 +01:00
Ingo Schommer
e6fffb9ef9 API Remove content-length setting in HTTPResponse
It's not reliable. Started in c69381c33, but only partially reverted.
2013-02-27 10:07:54 +01:00
Sam Minnee
50f36447a9 Merge branch '3.1' 2013-02-25 16:59:37 +13:00
Sam Minnee
efb4760244 Fixed invalid classname in test 2013-02-25 16:44:54 +13:00
Sam Minnee
88b3901a69 Check for object type before calling method, prevent fatal error in failing test. 2013-02-25 16:33:55 +13:00
Ingo Schommer
bb724c43b9 Merge pull request #1142 from chillu/pulls/remove-auto-controller-routing
API Removed auto-routing of controller name
2013-02-18 05:30:37 -08:00
Ingo Schommer
957469d770 API Removed auto-routing of controller name
Use custom routing rules to achieve this effect (see changelog)
2013-02-18 14:29:47 +01:00
Hamish Friedlander
4b54383d68 API change request handling to be more orthogonal
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method

Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction

RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function

GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction

Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
2013-02-18 14:56:04 +13:00
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
14a56c18e9 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-02-07 21:45:16 +01:00
Ingo Schommer
d77e06d585 Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010)
2013-01-31 10:19:17 -08:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
d8bfc0bb48 API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. 2013-01-29 18:03:47 +01:00
Damian Mooyman
1ca15d0399 API HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.

HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce

HTTP::absoluteURLs now handles additional cases where urls were not translated.

Test cases for HTTP::absoluteURLs added for both css and attribute links.

Cleaned up replacement expression and improved documentation.
2013-01-24 09:49:44 +01:00
Ingo Schommer
c69381c33e API Remove Content-Length setting from HTTPResponse (fixes #8010)
This reverts commit 356a367eb5.
We can't use headers_sent() to determine an accurate
content length, since PHP defaults to buffering a couple of bytes
even without ob_start() (see "output_buffering" setting).
This makes the patch harmful, since it breaks any responses relying
on more structure data, like removing closing brackets from JSON.
Which in turn breaks the CMS in horrible ways (see #8010).
See #7574 for context.
2013-01-23 15:05:33 +01:00
Simon Welsh
d795b191ec Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:39:34 +13:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c Add codesniffer that ensures indentation is with tabs. 2012-12-12 00:12:11 +13:00
Ingo Schommer
15a687f1e7 Merge remote-tracking branch 'origin/3.0' 2012-11-23 15:31:08 +01:00
Ingo Schommer
aa72425e84 Fixed PHPUnit assertions for incomplete tests in core
Avoid PHPUnit throwing "test didn't run any assertions"
notices in PHP. If nothing else, it keeps test output
looking less broken by default, making it more likely
that actual errors do get noticed.
2012-11-23 15:16:39 +01:00
Sean Harvey
d038cd7a65 Removing deprecated tests 2012-11-15 14:43:15 +13:00
Ingo Schommer
efabde1416 Merge remote-tracking branch 'origin/3.0'
Conflicts:
	admin/css/screen.css
	admin/scss/_style.scss
	security/Member.php
2012-10-30 17:52:49 +01:00
Simon Welsh
624f427c2a Removes line longer than 120c 2012-10-29 10:22:53 +13:00
Will Rossiter
69ea73b4ed Merge pull request #777 from halkyon/field_edit3
Member_ProfileForm respect canEdit() permissions on Member
2012-10-27 20:11:46 -07:00
Ingo Schommer
56f7ce1dcf Merge remote-tracking branch 'origin/3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	control/HTTPResponse.php
	model/Database.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	view/Requirements.php
	view/SSViewer.php
2012-10-03 16:16:19 +02:00
Sam Minnee
1f7fc1f76a FIX Remove instances of lines longer than 120c
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit.  This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
356a367eb5 BUG Setting response length directly before output (fixes #7574)
Complying to HTTP1.1/RFC2616 in terms of when to
set 'Content-Length' in the first place
2012-09-29 17:24:33 +02:00
Sam Minnee
39952f4a5c API: Added 'onBeforeHTTPError' and 'onBeforeHTTPError<code>' extension points to RequestHandler::httpError().
These APIs are primarily intended to let developers write custom 404 handlers.  They can define an onBeforeHTTPError404() method on an Extension that gets added to Controller or RequestHandler.

The SS_HTTPResponse_Exception object has also been tidied up to override the status info of any SS_HTTPResponse object that might get passed.  This is mainly to make it easier for callers (such as ContentController and ModelAsController) to use RequestHandler::httpError() more consistently.
2012-09-27 12:26:25 +12:00
Simon Welsh
1e629f4585 Merge branch '3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	dev/Profiler.php
	view/Requirements.php
2012-09-21 14:56:56 +12:00
Ingo Schommer
e2f073f38a Method visibility according to coding conventions 2012-09-20 10:46:59 +02:00
Sean Harvey
e73d28b24e Fixing unit test to restore extensions after test 2012-09-10 14:09:40 +12:00
Ingo Schommer
1088d044c5 Merge remote-tracking branch 'origin/3.0'
Conflicts:
	.travis.yml
2012-09-07 17:21:41 +02:00
Sean Harvey
5cbd2dbeb4 BUG CMSProfileController::Member_ProfileForm() respecting canEdit() permissions on Member
CMSProfileController currently checks canView() which ensures that a logged in CMS
Member can access the profile controller, but when saving the record on Member_ProfileForm
there is no check for canEdit(), so extended permissions don't get respected.

This adds a check for canEdit() in Member_ProfileForm, and adds some functional tests
to check permissions.
2012-09-07 11:24:47 +12:00
Damian Mooyman
9b6216d967 FIXED: Error in test case deprecation 2012-08-27 11:04:16 +12:00
Damian Mooyman
c2a8eec43c APICHANGE: Changed behaviour of HTTP_Request::params to include route table params (as per 2.4 behaviour, see FIX: below).
ADDED: HTTP_Request::params() to retrieve all (shifted) params used in the request
FIXED: Issue where route-table level arguments would not be accessible without using non-deprecated API.
ADDED: Test case to test the above items
UPDATED: Extended Director::test to allow for the retrieval of the request object
UPDATED: Deprecated notice on Director::urlParam and Director::urlParams
REMOVED: Unused variable
FIXED: Coding convention conformity
2012-08-27 10:56:59 +12:00
Simon Welsh
f1db583fb4 NEW Allow arguments to be passed to allowed_action checkers
This allows arguments to be passed along in an $allowed_actions deceleration of
the form 'action' => '->method' in the same way that arguments can be passed to
extension constructors when adding them using $extensions or
Object::add_extension.

I.e. 'action' => '->checkerMethod(false, 7, 2, "yesterday") would call the
checkerMethod method with the boolean false the numbers 7 and 2 and  the string
"yesterday" as its arguments.
2012-08-23 17:05:12 +12:00
Ingo Schommer
5a2247a440 Merge pull request #589 from simonwelsh/absolute_url
FIX Director::is_absolute_url() now ignores query string
2012-08-16 11:50:29 -07:00
Tim Klein
a67b964267 FIX: improve Director::makeRelative() to ignore SSL changes.
See http://open.silverstripe.org/ticket/6672. Expanded on initial patch with test coverage. Fixes another one of the commented out cases in the test by picking up URL's which do not include a protocol.
2012-07-01 22:08:09 +12:00
Simon Welsh
e0505406a7 FIX Director::is_absolute_url() now ignores query and fragment strings
Director::is_absolute_url() checks for //. It used to include the
entire URI, now it ignores the query and fragment strings.
2012-06-30 23:48:43 +12:00
Will Rossiter
16cb504d8e API: add $includeGetVars flag for SS_HTTPRequest() to return the URL with the attached GET parameters. 2012-06-29 22:02:30 +12:00
Ingo Schommer
417c03716c BUGFIX Avoid Session::set() clearing on existing val (fixes #7487) 2012-06-17 23:46:52 +02:00
carlos barberis
856991d644 BUGFIX: Ticket #6069 Checking of URLSegment can end in an infinite loop (when saving Page in CMS) 2012-06-15 11:27:58 +12:00
Ingo Schommer
8ecdd0b082 Merge branch 'pjax-set-fragments' of https://github.com/mateusz/sapphire into mateusz-pjax-set-fragments 2012-06-13 10:31:09 +02:00
Mateusz Uzdowski
377ac50773 ENHNANCEMENT: allow overriding of PJAX fragments included in the response. 2012-06-13 12:57:11 +12:00
Ingo Schommer
b4fb174809 MINOR Fixed PjaxResponseNegotiatorTest 2012-06-05 14:22:00 +02:00
Ingo Schommer
473eda43cb ENHANCEMENT Allowing multiple fragments to be returned by PjaxResponseNegotiator through JSON 2012-05-30 15:07:13 +02:00
Sean Harvey
f446547cd7 MINOR Using Config system instead of Director::addRules() in tests 2012-05-22 17:13:05 +12:00
Sean Harvey
91c356a0c6 MINOR Disabling offending MIME type test case on multiple operating systems. See
pull request #432 for more information.
2012-05-12 10:21:23 +12:00
Stig Lindqvist
dffae1a2e7 API CHANGE: Do not rely on a specific OS mime type detection, use PHP finfo
This also removes the $global_mimetypes that was generating weird errors when both HTTP and Mailer classes tried to modify and use it.

Support of finfo should be straightforward since PHP 5.3 includes that module that default
2012-05-11 11:34:07 +12:00
Sean Harvey
b1e17578c7 API CHANGE Removed assertType() and assertEmpty() workarounds. Use assertInstanceOf()
instead of assertType(), assertEmpty() is available in PHPUnit 3.5+.
PHPUnit 3.4 is no longer supported, so please upgrade your version to
work.

MINOR Removed FullTestSuite which was a workaround for PHPUnit but not
used.
2012-05-09 23:05:39 +12:00
Ingo Schommer
d5b3dbc6fb SECURITY Return true for Director::is_absolute_url() checks if they're prefixed with two or more slashes (as browsers interpret this as a valid URL)
SECURITY More solid URL checks in Director::is_site_url(), using a conservative parse_url() hostname comparison rather than Director::makeRelative(), which is not designed for security purposes
2012-05-04 12:10:59 +02:00
Sean Harvey
f63d137d49 ENHANCEMENT Session::start() now only called when there is changed
session data to be saved, and started on Director::direct() when there
is a cookie (or request var) containing the current PHP session name.
2012-04-27 16:28:46 +12:00
Simon Welsh
f07258f3cf MINOR Update @package values to match renaming sapphire 2012-04-15 10:50:19 +12:00
Simon Welsh
3a6341a251 API-CHANGE sapphire folder can now be renamed. 2012-04-15 10:50:19 +12:00
Simon Welsh
f8082e4814 MINOR Add newline to end of files without one 2012-04-15 10:50:19 +12:00
Sam Minnee
e01b0aa3d0 ENHANCEMENT PjaxResponseNegotiator for more structured partial ajax refreshes, applied in CMS and GridField. Also fixes issues with history.pushState() and pseudo-redirects on form submissions (e.g. from page/add to page/edit/show/<new-record-id>) 2012-04-05 23:00:22 +02:00
Ingo Schommer
a44b67bae2 API CHANGE Moved RequestHandler->isAjax() to SS_HTTPRequest->isAjax() 2012-04-05 23:00:22 +02:00
Sean Harvey
e097f6e1a8 MINOR Fixes to method arguments in core classes for E_STRICT support.
API CHANGE Remove abstract static function and just use static functions
in Authenticator (PHP 5.3+ doesn't support abstract static functions)
2012-03-28 22:41:42 +13:00
Ingo Schommer
f9323b398c BUGFIX Type-safe checks for Controller::join_links(), allowing arguments with a value of "0" 2012-03-08 22:20:37 +01:00
Hamish Friedlander
927dbbe717 API-CHANGE: Global template variables can now be called directly using SSViewer_DataPresenter instead of needing to inherit off ViewableData 2012-03-06 09:11:46 +13:00
Stig Lindqvist
3c516b7b97 API CHANGE: Refactored GridField modifiers into GridField_ColumnProvider, GridField_HTMLProvider, GridField_ActionProvider, and GridField_DataModifier interfaces, all added as components in the config.
API CHANGE: Simplified state handling so that it's just a key store. Affectors are replaced with GridField_ActionProviders. API CHANGE: Removed GridField state manipulation actions instead opting for GridField_ActionProvider actions.
API CHANGE: Removed support for modifiers that add "body" rows, instead having core support for generating the body rows hardcoded into the GridField.
API CHANGE: Allow modification of columns across the whole GridField with the GridField_ColumnProvider interface.
API CHANGE: Renamed GridField_AlterAction to GridField_Action, and added actionName/args parameters, since it can be used for all actions (including batch actions and row actions)
API CHANGE: Removed GridFieldRow class.
2012-01-09 13:30:34 +13:00
Ingo Schommer
b3c08dba12 API CHANGE Deprecated FieldSet-specific methods from Form, namely dateFieldByName(), unsetDataFieldByName(), unsetFieldFromTab(), resetField() 2012-01-02 16:47:59 +01:00
Simon Welsh
dd546a9888 BUGFIX Merge request arrays recursively 2011-12-23 17:48:49 +13:00
Sam Minnee
3e3188f81a MINOR: Update tests for deprecated functions to explicitly disable deprecation errors. 2011-10-29 17:34:32 +13:00
Will Rossiter
1732a17114 Merged new-orm into datagrid 2011-09-26 16:47:54 +13:00
Ingo Schommer
2651a1ba81 MINOR Marking Director::extract_request_headers() public because we can't unit test protected methods in PHP 5.2 2011-09-19 16:01:33 +02:00
ajshort
a60f03f28e ENHANCEMENT Sapphire Doesn't Read HTTP Headers (fixes #6311) 2011-09-19 14:49:55 +02:00
Ingo Schommer
ce8e72cf0e MINOR Removing executable flag from all files (thanks miiihi) 2011-09-18 22:04:02 +02:00
Ingo Schommer
dfb0504d0d BUGFIX Setting "Content-Length" header in HTTPResponse to avoid problems with proxies timing out 2011-07-26 08:25:09 +02:00
ajshort
1f6f7f0862 API CHANGE: Deprecated CompositeField->FieldSet() in favour of CompositeField->FieldList().
MINOR: Replaced usage of FieldSet with FieldList.
MINOR: Renamed FieldSetTest to FieldListTest.
2011-05-11 17:51:54 +10:00
Ingo Schommer
9b29616710 API CHANGE Rearranged files in sapphire to reflect core dependencies more accurately, and have the tests/ folder mirror its folder structure 2011-03-31 09:56:21 +13:00
Ingo Schommer
5bf5b744d8 MINOR Moved ContentController, ModelAsController, NestedController, RootURLController (and related tests) to "cms" module 2011-03-29 18:07:55 +13:00
Ingo Schommer
2184acf17d Revert "MINOR Replaced assertType() calls with assertInstanceOf(), deprecated in PHPUnit 3.6 (throws warnings as of 3.5.10)" - cased too many problems with mixed build environments that require PHP 3.4
This reverts commit 65f6104cd6.
2011-03-11 15:06:09 +13:00
Ingo Schommer
65f6104cd6 MINOR Replaced assertType() calls with assertInstanceOf(), deprecated in PHPUnit 3.6 (throws warnings as of 3.5.10) 2011-02-21 18:49:09 +13:00
Ingo Schommer
f056abc818 ENHANCEMENT Added NullHTTPRequest as a placeholder for new RequestHandler/Controller instances that haven't handled a URL yet. This means RequestHandler->request can be safely called from singleton controllers
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@115116 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-12-16 04:06:13 +00:00
Ingo Schommer
b15019a95f ENHANCEMENT Added SS_HTTPResponse->setStatusDescription() as equivalent to setStatusCode(). Added documentation.
BUGFIX Strip newlines and carriage returns from SS_HTTPResponse->getStatusDescription() (fixes #6222, thanks mattclegg)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114082 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-11-23 19:38:15 +00:00
Sam Minnee
83e31e1f8a MINOR Fixed DirectorTest to restore it's REQUEST_URI state to the original one after each test method is run (from r108665)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112764 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-19 00:50:15 +00:00
Sam Minnee
6a83da1455 MINOR Fixed Director::forceSSL() breaking unit tests because headers were already sent (from r108435)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112749 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-19 00:36:06 +00:00