Daniel Hensby
83e3302c04
[SS-2016-013] FIX Uncasted member name
2016-08-15 15:02:47 +12:00
Daniel Hensby
6d41db77fa
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
...
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
2016-08-15 15:02:41 +12:00
Daniel Hensby
f85dea2e6d
[SS-2016-008] Reset Member::Salt
on password change
2016-08-15 15:02:36 +12:00
Daniel Hensby
b1f449762b
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 14:07:57 +12:00
Daniel Hensby
281b0de571
[SS-2016-013] FIX Uncasted member name
2016-08-15 14:07:51 +12:00
Daniel Hensby
2b30ade44d
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
...
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
2016-08-15 14:07:40 +12:00
Daniel Hensby
dc47f7ec9a
[SS-2016-008] Reset Member::Salt
on password change
2016-08-15 14:07:24 +12:00
Daniel Hensby
1c7d5de51b
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 13:24:06 +12:00
Daniel Hensby
6817c57f64
[SS-2016-013] FIX Uncasted member name
2016-08-15 13:21:14 +12:00
Daniel Hensby
6606d98663
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
...
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
2016-08-15 13:20:02 +12:00
Daniel Hensby
298f61521c
[SS-2016-008] Reset Member::Salt
on password change
2016-08-15 13:19:02 +12:00
Damian Mooyman
3c1a5d2a46
Merge pull request #5872 from dhensby/pulls/3/injector-for-cmslogin
...
FIX Use create syntax for CMSMemberLoginForm remember me form
2016-08-12 14:10:56 +12:00
Daniel Hensby
86add3e021
FIX Use create syntax for CMSMemberLoginForm remember me form
2016-08-07 20:20:20 +01:00
Damian Mooyman
7de5b998e1
Merge 3.4 into 3
2016-08-05 19:12:25 +12:00
Damian Mooyman
ca754eb887
Merge 3.3 into 3.4
...
# Conflicts:
# admin/javascript/lang/fa_IR.js
# admin/javascript/lang/it.js
# admin/javascript/lang/src/fa_IR.js
# admin/javascript/lang/src/it.js
# lang/cs.yml
# lang/eo.yml
# lang/fa_IR.yml
# lang/fi.yml
# lang/it.yml
# lang/sk.yml
2016-08-05 16:48:26 +12:00
Damian Mooyman
0d5ae23f2b
Merge 3.2 into 3.3
2016-08-05 14:36:35 +12:00
Andrew Aitken-Fincham
66f2e6811b
modify getAuthenticator to fall back to get_default_authenticator
2016-08-03 10:36:43 +12:00
Damian Mooyman
d08ab6ac81
API Allow X-Frame-Options to be configured
...
Fixes #2970
2016-07-15 14:08:14 +12:00
Daniel Hensby
a449045b09
Merge branch '3.4' into 3
2016-07-04 23:54:27 +01:00
Daniel Hensby
c35dc508cb
Merge branch '3.3' into 3.4
2016-07-04 23:53:55 +01:00
Daniel Hensby
ee326f6394
Merge branch 'hailwood/patch-5' into 3
2016-07-01 14:53:02 +01:00
Matthew Hailwood
4f0969f119
Make lost password url a config option like login_url and logout_url
...
Also makes the login_url, logout_url and new lost_password_url functions
return their link relative to the base url rather than assuming the base tag
2016-07-01 14:47:51 +01:00
Damian Mooyman
f1a0aef0d7
BUG fix CMS_ACCESS permission being ignored if in incorrect order in array
2016-06-28 17:45:15 +12:00
Daniel Hensby
19b9413432
NEW Use injector for MemberLoginForm fields
2016-06-10 22:50:38 +01:00
Stevie Mayhew
b1df9dcb1d
BUGFIX: check that we have a token and a UID before attempting a member auto login
2016-05-20 09:19:08 +12:00
Damian Mooyman
4d1ddf0e62
BUG Prevent session hijackers from resetting a user password
...
BUG Member::checkPassword incorrect for default admin
2016-05-16 10:54:18 +12:00
Damian Mooyman
4f06a43986
Merge 3.3 into 3
...
# Conflicts:
# admin/javascript/lang/src/cs.js
# admin/javascript/lang/src/de.js
# admin/javascript/lang/src/en.js
# admin/javascript/lang/src/eo.js
# admin/javascript/lang/src/es.js
# admin/javascript/lang/src/fi.js
# admin/javascript/lang/src/fr.js
# admin/javascript/lang/src/id.js
# admin/javascript/lang/src/id_ID.js
# admin/javascript/lang/src/it.js
# admin/javascript/lang/src/ja.js
# admin/javascript/lang/src/lt.js
# admin/javascript/lang/src/mi.js
# admin/javascript/lang/src/nb.js
# admin/javascript/lang/src/nl.js
# admin/javascript/lang/src/pl.js
# admin/javascript/lang/src/ro.js
# admin/javascript/lang/src/ru.js
# admin/javascript/lang/src/sk.js
# admin/javascript/lang/src/sl.js
# admin/javascript/lang/src/sr.js
# admin/javascript/lang/src/sr@latin.js
# admin/javascript/lang/src/sr_RS.js
# admin/javascript/lang/src/sr_RS@latin.js
# admin/javascript/lang/src/sv.js
# admin/javascript/lang/src/zh.js
# javascript/lang/fr.js
# javascript/lang/src/ar.js
# javascript/lang/src/cs.js
# javascript/lang/src/de.js
# javascript/lang/src/en.js
# javascript/lang/src/eo.js
# javascript/lang/src/es.js
# javascript/lang/src/fi.js
# javascript/lang/src/fr.js
# javascript/lang/src/id.js
# javascript/lang/src/id_ID.js
# javascript/lang/src/it.js
# javascript/lang/src/ja.js
# javascript/lang/src/lt.js
# javascript/lang/src/mi.js
# javascript/lang/src/nb.js
# javascript/lang/src/nl.js
# javascript/lang/src/pl.js
# javascript/lang/src/ru.js
# javascript/lang/src/sk.js
# javascript/lang/src/sl.js
# javascript/lang/src/sr.js
# javascript/lang/src/sr@latin.js
# javascript/lang/src/sr_RS.js
# javascript/lang/src/sr_RS@latin.js
# javascript/lang/src/sv.js
# javascript/lang/src/zh.js
# lang/it.yml
2016-05-11 14:06:23 +12:00
Daniel Hensby
d1751e3310
Merge remote-tracking branch '3.2.4' into 3.3.2
2016-05-05 12:33:21 +01:00
Daniel Hensby
cf29b2c146
Merge remote-tracking branch '3.1.19' into 3.2.4
2016-05-05 11:17:45 +01:00
Daniel Hensby
92599727b9
Merge remote-tracking branch 'security/patch/3.1/ss-2016-006' into 3.1.19
2016-05-05 01:01:49 +01:00
Daniel Hensby
7af7f8dd65
Merge remote-tracking branch 'security/patch/3.1/ss-2016-005' into 3.1.19
2016-05-05 01:01:44 +01:00
Daniel Hensby
457931d664
Merge branch '3.3' into 3
2016-05-04 23:32:10 +01:00
Damian Mooyman
2a5ba397e6
BUG Fix SS_HTTPResponse being cast as string ( #5413 )
...
Fixes #5335
2016-05-02 08:54:19 +12:00
Daniel Hensby
1ccd3926e3
[SS-2016-001] FIX Properly check backurl on CMSSecurity@success
2016-04-20 23:58:50 +01:00
Daniel Hensby
a6bd22ab2f
[SS-2016-006] FIX dont disable XSS for login forms
2016-04-20 23:57:59 +01:00
Daniel Hensby
f32c893546
[SS-2016-005] FIX Apply brute force protection to default admin
2016-04-19 23:20:29 +01:00
Damian Mooyman
e1865151c5
Merge pull request #5098 from bummzack/5086-fix-member-validator
...
Fix for issue #5086
2016-02-26 14:39:53 +13:00
Roman Schmid
f691a5da32
Improve Member_Validator
to:
...
- properly check for existing members.
- allow extensions.
- remove old code and replace with new syntax and add config API.
Fix issue in Group code where Member_Validator was instantiated via "new" which didn't allow injector overrides.
Added unit-tests.
Establish a link between the member and the validator for said member.
2016-02-25 16:10:52 +01:00
Damian Mooyman
8c1cafd1a0
Merge remote-tracking branch 'origin/3.3' into 3
...
# Conflicts:
# admin/scss/_forms.scss
# admin/scss/_style.scss
# admin/scss/_tree.scss
# javascript/TreeDropdownField.js
2016-01-19 17:08:26 +13:00
Damian Mooyman
5d240feaec
Merge remote-tracking branch 'origin/3.2' into 3.3
2016-01-19 15:08:24 +13:00
Damian Mooyman
46cbe809ac
Merge remote-tracking branch 'origin/3.1' into 3.2
...
# Conflicts:
# docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
# docs/en/02_Developer_Guides/14_Files/01_Image.md
# docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Menu.md
# docs/en/03_Upgrading/index.md
# docs/en/05_Contributing/01_Code.md
# forms/TreeMultiselectField.php
# security/Permission.php
2016-01-19 14:00:19 +13:00
Denise Rivera
7e32268ede
display filtered roles when not an admin
2016-01-11 13:05:10 +13:00
Sam Minnee
3ee8f505b7
MINORE: Remove training whitespace.
...
The main benefit of this is so that authors who make use of
.editorconfig don't end up with whitespace changes in their PRs.
Spaces vs. tabs has been left alone, although that could do with a
tidy-up in SS4 after the switch to PSR-1/2.
The command used was this:
for match in '*.ss' '*.css' '*.scss' '*.html' '*.yml' '*.php' '*.js' '*.csv' '*.inc' '*.php5'; do
find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" -exec sed -E -i '' 's/[[:space:]]+$//' {} \+
find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" | xargs perl -pi -e 's/ +$//'
done
2016-01-07 10:15:54 +13:00
Damian Mooyman
21e1e938eb
Merge pull request #4893 from dhensby/pulls/member-regenerate-session-id
...
FIX session_regenerate_id uses config system
2016-01-06 15:16:31 +13:00
Daniel Hensby
00544ff100
FIX session_regenerate_id uses config system
2016-01-05 22:31:58 +00:00
Daniel Hensby
4335d8ed22
FIX Members with no ID inherit logged in user permission
2016-01-05 08:16:18 +00:00
Damian Mooyman
19b10044ec
Merge remote-tracking branch 'origin/3.2' into 3
2015-12-22 17:05:07 +13:00
Damian Mooyman
6ac83f02c9
Merge pull request #4819 from SilverStripers/3
...
parse the string to be converted to group codes.
2015-12-22 16:53:31 +13:00
Damian Mooyman
48a30909f3
Merge remote-tracking branch 'origin/3.2' into 3
...
# Conflicts:
# admin/javascript/LeftAndMain.BatchActions.js
# css/UploadField.css
# forms/HtmlEditorField.php
2015-12-22 14:07:52 +13:00
Mateusz Uzdowski
5a21b2fb15
BUG Guard against users being added to all groups on unsaved Group.
...
If ->Members()->add() is called on an unsaved group (with ID 0), the
collateFamilyIDs() will errorneously return all root Groups thinking
it's looking for Groups with ParentID=0. As a result, the Member will be
added to all root groups, instead of just the selected group and all its
children.
2015-12-11 14:51:51 +13:00
Damian Mooyman
38e154af0a
API Disable get parameter access to site stage mode
...
BUG Fix missing and undocumented response from Security::permissionFailure()
2015-12-07 17:39:18 +13:00
Nivanka Fonseka
411f168f00
parse the string to be converted to group codes.
...
Two fixes.
1. parse the group code by using Convert::raw2url() as it creates duplicate records if the group code is given in upper case letters, spaces etc.
2. assigning to the $_cache_groupByCode has to be really done in the if condition rather than out of it.
2015-12-02 10:01:25 +05:30
Novusvetus
6266f909e0
API Increased Permission.Code db field to 255 characters
2015-11-27 13:54:37 +13:00
Damian Mooyman
94742fa3e2
BUG Revert method visibility regression
2015-11-27 13:10:52 +13:00
Manuel Teuber
666ce26929
FIX: Permission::checkMember() use of undefined variable $codes
2015-10-07 16:02:36 +13:00
Manuel Teuber
5224fc460c
FIX: Permission::checkMember() use of undefined variable $codes
2015-09-29 23:49:29 +02:00
Damian Mooyman
71b8aec306
Merge remote-tracking branch 'origin/3.2' into 3
2015-09-15 13:35:51 +12:00
Damian Mooyman
c4710b2272
Merge remote-tracking branch 'origin/3.1' into 3.2
...
Conflicts:
admin/code/GroupImportForm.php
admin/code/MemberImportForm.php
tests/model/DataListTest.php
2015-09-15 13:18:47 +12:00
Damian Mooyman
7e76f769b1
Merge pull request #4600 from patricknelson/issue-4597-gridfieldconfig-injector
...
FIX for #4597 : Ensuring GridFieldConfig_RelationEditor is instantiated via Injector, not via "new" keyword.
2015-09-14 10:14:05 +12:00
Patrick Nelson
5cc0878dc1
FIX for #4597 : Ensuring GridFieldConfig_RelationEditor is instantiated via Injector, not via "new" keyword.
2015-09-11 17:57:13 -04:00
Damian Mooyman
7367cf54c4
[ss-2015-020]: Prevent possible Privilege escalation
2015-09-10 13:01:24 +12:00
Damian Mooyman
f10785350e
Merge remote-tracking branch 'origin/3.2' into 3
...
Conflicts:
docs/en/02_Developer_Guides/02_Controllers/01_Introduction.md
2015-09-09 14:50:47 +12:00
Damian Mooyman
309ac0d196
Merge remote-tracking branch 'origin/3.1' into 3.2
...
Conflicts:
.travis.yml
admin/code/CMSProfileController.php
admin/tests/LeftAndMainTest.php
control/HTTP.php
security/Permission.php
tests/forms/FormTest.php
tests/model/ArrayListTest.php
tests/security/PermissionTest.php
2015-09-09 14:35:29 +12:00
Sam Minnée
f4b7cd3f68
Merge pull request #4500 from stevie-mayhew/pulls/get-response
...
FEATURE: implement getter and setter usage for response
2015-08-29 15:35:55 +12:00
Stevie Mayhew
1b57e0ca5b
FEATURE: implement getter and setter usage for response
2015-08-29 10:24:06 +12:00
Daniel Hensby
2d4b743090
FIX Members can access their own profiles in CMS
2015-08-26 15:47:51 +01:00
Damian Mooyman
4a011303b9
Add missing packages
2015-08-24 16:15:38 +12:00
Damian Mooyman
1686c83826
Revert #3425 #3396 to restore deprecated functionality
...
Fixes #4514
2015-08-24 11:26:25 +12:00
Daniel Hensby
ab0572e7cc
DOCS Permission comments made a bit clearer
2015-08-21 09:16:46 +01:00
Daniel Hensby
6eede57ff2
Fix issue where Access All CMS Sections doesnt work
2015-08-20 22:30:43 +01:00
Damian Mooyman
4ca5237185
Merge pull request #4321 from dhensby/pulls/formfield-docs
...
DOCS Fixing docs (and bad API usage)
2015-07-30 15:29:28 +12:00
Loz Calver
b7480b92a9
FIX: Hide 'Logged Passwords' tab in member CMS fields ( fixes #4422 )
2015-07-22 14:40:09 +01:00
Daniel Hensby
79c4f63855
DOCS Fixing docs (and bad API usage)
2015-07-20 16:42:33 +01:00
Daniel Hensby
ca8d0f2818
Merge branch '3.1' into 3.2
...
Conflicts:
dev/Debug.php
docs/en/05_Contributing/01_Code.md
forms/FormField.php
i18n/i18nTextCollector.php
model/DataQuery.php
2015-07-20 10:48:01 +01:00
Damian Mooyman
6fabd0122b
BUG Fix potential XSS injection
2015-07-01 17:41:32 +12:00
Sean Harvey
fd755a7ff9
BUG ChangePasswordForm validation message should render HTML correctly.
...
HTML shows up in the form message escaped, but it shouldn't be.
2015-07-01 17:41:32 +12:00
Daniel Hensby
3507ddb0e8
FIX MemberPassword history removed with with Members
...
Currently Members that were deleted would still have their passwords
stored in the DB even though they were deleted. This seems unnecessary
and just increases data that could potentially be compromised later.
2015-06-24 21:04:23 +01:00
Phill Price
b2024107a9
DOCS: Typo in a block
2015-06-24 11:57:12 +01:00
Damian Mooyman
e14f743bf0
Set deprecation level for all changes in 3.x to 4.0
2015-06-19 13:07:41 +12:00
Damian Mooyman
58cc3da8d8
API Revert DataObject::validate to 3.1 method signature (protected)
2015-06-16 11:59:21 +12:00
Damian Mooyman
8331171f2c
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
.scrutinizer.yml
admin/javascript/LeftAndMain.Panel.js
core/startup/ParameterConfirmationToken.php
dev/Debug.php
dev/FixtureBlueprint.php
docs/en/00_Getting_Started/05_Coding_Conventions.md
docs/en/00_Getting_Started/index.md
docs/en/02_Developer_Guides/01_Templates/01_Syntax.md
filesystem/File.php
filesystem/Folder.php
forms/FieldList.php
forms/LabelField.php
forms/MoneyField.php
forms/TextField.php
forms/TreeDropdownField.php
forms/Validator.php
forms/gridfield/GridField.php
forms/gridfield/GridFieldExportButton.php
lang/de.yml
lang/fi.yml
model/DataObject.php
model/SQLQuery.php
parsers/ShortcodeParser.php
security/ChangePasswordForm.php
security/Security.php
tests/control/DirectorTest.php
tests/core/startup/ParameterConfirmationTokenTest.php
tests/dev/FixtureBlueprintTest.php
tests/forms/FieldListTest.php
tests/forms/MoneyFieldTest.php
tests/model/SQLQueryTest.php
tests/security/SecurityTest.php
2015-06-02 19:13:38 +12:00
Damian Mooyman
22a35e48a9
BUG Fix malformed urls redirecting to external sites
2015-05-28 10:12:18 +12:00
Stevie Mayhew
0d94cf15a5
UPDATE: change all instances of $this->request to use appropriate getter/setter
2015-04-30 11:04:08 +12:00
Jamie Barker
06e087d0f3
Check that LastVisited field exists before making it readonly
2015-04-29 11:34:32 +12:00
Daniel Hensby
c2fd18e829
FIX use config for Security::$login_url
2015-04-23 17:20:07 +01:00
Damian Mooyman
95c162ef0d
API Security better respects BackURL on login
...
BUG Restore missing authentication message not appearing in the login form $Content area (regression from #1807 )
2015-03-31 20:22:35 +13:00
Damian Mooyman
43f49e8434
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
admin/code/ModelAdmin.php
control/Director.php
model/SQLQuery.php
security/Member.php
tests/control/HTTPTest.php
tests/model/SQLQueryTest.php
tests/security/SecurityTest.php
tests/view/SSViewerTest.php
2015-03-31 19:54:15 +13:00
Damian Mooyman
8d6cd1529f
BUG Fix some database errors during dev/build where an auth token exists for the current user
...
Fixes #3660
2015-03-25 11:34:13 +13:00
Damian Mooyman
a775a44387
Merge pull request #4016 from guru-digital/REDIRECT_fix
...
HTTP basic auth fix
2015-03-19 14:55:20 +13:00
Daniel Hensby
de2aa47250
Merge pull request #4006 from kinglozzer/patch-1
...
FIX: Security::$default_message_set Config value unusable
2015-03-17 17:05:01 +00:00
Loz Calver
a61c08d031
FIX: Security::$default_message_set Config value unusable
2015-03-17 15:51:31 +00:00
Corey Sewell
46e61b3448
Check both $_SERVER['HTTP_AUTHORIZATION'] and $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] for HTTP Basic authentication headers
2015-03-17 14:15:54 +13:00
Loz Calver
c58f4c469d
Replace core uses of DataObject::has_one/has_many/many_many
2015-03-13 16:16:12 +00:00
Damian Mooyman
319b96b48b
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
docs/en/05_Contributing/01_Code.md
forms/TreeDropdownField.php
model/DataObject.php
security/Member.php
tests/model/DataObjectTest.php
2015-03-11 11:40:06 +13:00
Daniel Hensby
d2a3da2203
Making docs gender agnostic
2015-03-07 12:32:04 +00:00
Damian Mooyman
dff65867cc
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
control/HTTP.php
control/HTTPResponse.php
docs/en/05_Contributing/01_Code.md
forms/CompositeField.php
forms/FormAction.php
forms/FormField.php
forms/InlineFormAction.php
forms/NumericField.php
forms/TreeDropdownField.php
forms/TreeMultiselectField.php
templates/forms/TreeDropdownField.ss
tests/core/CoreTest.php
tests/forms/NumericFieldTest.php
tests/model/DataDifferencerTest.php
2015-02-20 10:17:19 +13:00
Damian Mooyman
49c462710d
Merge pull request #3795 from uniun/patch-2
...
FIX. Summary fields can't be translated
2015-02-16 15:55:29 +13:00
Daniel Hensby
89c14d079d
Making TreeMultiSelectField consistent with parent class
...
NEW TreeDropdownField sanatiser helper added
Use config for default_cast of objects
FIX Determine if Diffed value should be escaped
Forcing casting for core DB fields
Fixing permissions labels
2015-02-13 11:12:30 +13:00
Cameron Bourgeois
88ac537e96
Change date format to set AutoLoginExpired correctly
2015-02-08 19:49:54 +13:00
Elvinas L.
32ce85d9f4
FIX. Summary fields can't be translated
...
fieldLabels() now can find these fields and translate them.
2015-01-15 15:09:32 +02:00