BUG Fix incompatibility in Member_GroupList
Fix regressions in merges from 3.1
BUG Fix Security failing on test classes
BUG Fix postgresql compatibility
Clarify sql encoding of table names
Database abstraction broken up into controller, connector, query builder, and schema manager, each independently configurable via YAML / Injector
Creation of new DBQueryGenerator for database specific generation of SQL
Support for parameterised queries, move of code base to use these over escaped conditions
Refactor of SQLQuery into separate query classes for each of INSERT UPDATE DELETE and SELECT
Support for PDO
Installation process upgraded to use new ORM
SS_DatabaseException created to handle database errors, maintaining details of raw sql and parameter details for user code designed interested in that data.
Renamed DB static methods to conform correctly to naming conventions (e.g. DB::getConn -> DB::get_conn)
3.2 upgrade docs
Performance Optimisation and simplification of code to use more concise API
API Ability for database adapters to register extensions to ConfigureFromEnv.php
At the moment, if a user is logged in on a device (say, their phone) but has forgotten their password.
If they attempt to reset their password on their desktop, then open the email on their phone they then see the reset password form *with* the CurrentPassword field. I'm not entirely sure what happens if a DIFFERENT user is currently logged in, but I think they remain logged in and you're effectively trying to change their password.
Both scenarios are not ideal and (in fact) this happens a lot in the real world as it's a legitimate complaint we're receiving from a visitors of one of our client's websites.
With this modification we can use Object::useCustomClass() to create a
custom ChangePasswordForm form:
Object::useCustomClass('ChangePasswordForm',
'CustomChangePasswordForm');
Disables ID based partial caching for all security actions so that actions such as Security/lostpassword and Security/passwordsent work properly even if partial caching is used.
permissionDenied only works if Security::permissionFailure() is called when
there's currently no logged in Member. This fixes it so failed attempts
with logged in Member also includes the permissionDenied hook.
In addition, fix an undefined $member variable
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
Sometimes Page_Controller::init() will trigger a redirection. For example, it may redirect to a
canonical URL. In this case, the Security views, which co-opt Page_Controller, need to respect
this.
Session is not initialized by the time we need to use
the setting in DB::connect(). Cookie values get initialized
automatically for each request.
Tightened name format validation to ensure it can only
be used for temporary databases, rather than switching
the browser session to a different production database.
Encrypting token for secure cookie usage.
Added dev/generatesecuretoken to generate this token.
Not storing in YML config directly because of web access issues.
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.
This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
SecurityAdmin isn't always available for CMS users, as they might
not have permission to view that section. This fixes the problem
with session keep alive by moving the ping to Security/ping, which
is available for all users.
