Commit Graph

63 Commits

Author SHA1 Message Date
Sam Minnee
d97ca43cd0 Merge branch '3.1'
Conflicts:
	README.md
	dev/install/install.php5
	forms/ConfirmedPasswordField.php
	tests/forms/FormTest.php
2013-05-23 19:01:58 +12:00
Ingo Schommer
3e88c98ca5 API Restrict MemberLoginForm to POST requests for increased security
CVE-2013-2653 - Thanks to Fara Rustein of Deloitte Argentina for reporting.
2013-05-08 10:25:28 +02:00
Ingo Schommer
97819b3f21 Correct encoding in MemberLoginForm->forgotPassword() URLs (fixes #6126) 2013-04-05 11:15:34 +02:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
18c9a95996 API Removed 'BadLoginURL' session var from MemberLoginForm
It was never set in core, and is generally undocumented,
hence just unnecessarily increases the security surface
of this sensitive class.
2013-02-05 22:49:06 +01:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Mateusz Uzdowski
a8b0e44d98 API Hash autologin tokens before storing in the database.
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.

This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Sam Minnee
1f7fc1f76a FIX Remove instances of lines longer than 120c
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit.  This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
e2f073f38a Method visibility according to coding conventions 2012-09-20 10:46:59 +02:00
Sean Harvey
d4154dae9e API CHANGE Deprecate Member::sendInfo(), use Member_ChangePasswordEmail and Member_ForgotPasswordEmail class directly instead. 2012-05-05 10:04:46 +12:00
Ingo Schommer
7b18d9d0da MINOR Switching _t() calls from sprintf() to using injection parameters (#7170) 2012-05-01 22:17:00 +02:00
Simon Welsh
f07258f3cf MINOR Update @package values to match renaming sapphire 2012-04-15 10:50:19 +12:00
Sean Harvey
fd3de5158d BUGFIX Use of Link() in security classes now refers to $this->controller
instead of calling the instance method Link statically (which isn't
allowed for E_STRICT compliance.)
2012-04-12 12:09:39 +12:00
Sean Harvey
9f3344b355 API CHANGE Removed built-in behaviour.js client-side form validation.
This is no longer supported. Please use custom client-side validation instead. (see 3.0.0 changelog
for more information)
2012-03-09 12:19:57 +13:00
Fred Condo
d370423825 Clean up trailing ?> per coding standard
All sapphire but the lang directory
2012-02-12 12:40:16 -08:00
Sam Minnee
ff9b9e17af MINOR: Removed use of deprecated Director::redirect* functions. 2011-10-29 17:36:37 +13:00
Stig Lindqvist
7a4c7a6e23 MINOR Redirect user to homepage if the BackURL have been set to another site.
This might indicatate a spoofing attack. I also extracted code into it's own method to make it easier to read.
2011-10-27 22:38:29 +02:00
Hamish Friedlander
0a3e0f15de MINOR: Replace references to FieldSet (now deprecated) with references to FieldList 2011-10-28 15:58:55 +13:00
ajshort
1f6f7f0862 API CHANGE: Deprecated CompositeField->FieldSet() in favour of CompositeField->FieldList().
MINOR: Replaced usage of FieldSet with FieldList.
MINOR: Renamed FieldSetTest to FieldListTest.
2011-05-11 17:51:54 +10:00
Sam Minnee
ef8419f11d ENHANCEMENT #4903 MemberLoginForm field for "You are logged in as %s" message customisation (thanks walec51!) (from r111891)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112941 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-19 05:05:23 +00:00
Sam Minnee
0b4e4428be MINOR: Merges from branches/2.4
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112157 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-13 04:04:32 +00:00
Ingo Schommer
8203e5b179 BUGFIX: Don't register member IDs that don't exist in the DB as being logged in. (from r98265)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102637 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-13 03:18:26 +00:00
Ingo Schommer
b69b03b9e0 API CHANGE: Unique_identifier now accepted as the login requirement, allowing alternatives to 'Email' (from r97270)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102440 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-12 05:00:05 +00:00
Andrew O'Neil
813760108c BUGFIX: Security::$default_login_dest isn't used (#4179, simon_w)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@90023 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-10-23 00:18:10 +00:00
Ingo Schommer
d386db0bc3 ENHANCEMENT Avoid information disclosure in Security/lostpassword form by returning the same message regardless wether a matching email address was found in the database.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86021 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-09-10 03:01:46 +00:00
Sean Harvey
a5e82ddff1 Merged from branches/2.3
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@75590 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-04-29 01:20:24 +00:00
Sean Harvey
13b358a8dd Merged from branches/2.3
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@75582 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-04-29 00:07:39 +00:00
Ingo Schommer
a96ca0eacc BUGFIX Checking for Director::is_site_url() before redirecting in Controller->redirectBack() and MemberLoginForm
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@73252 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-03-17 22:24:50 +00:00
Sam Minnee
08a5a7c387 Merged from branches/2.3
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@72803 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-03-10 22:08:52 +00:00
Ingo Schommer
6d708765fe BUGFIX Fixed redirection to external URLs through Security/login with BackURL parameter
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@71708 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-02-11 21:08:28 +00:00
Andrew O'Neil
60f75c5ca4 Merged changes from 2.3 branch
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@71172 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-02-01 23:49:53 +00:00
Ingo Schommer
b7d394008e MINOR Merged from branches/2.3
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@69957 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-01-10 11:35:50 +00:00
Sam Minnee
96c5be8252 Updating queries to be more DB agnostic
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66507 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-11-24 09:31:14 +00:00
Sam Minnee
2984355f43 Merged branches/2.3 into trunk
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66395 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-11-22 03:33:00 +00:00
Sam Minnee
3d9532db83 Merged branches/2.3
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66108 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-11-18 01:48:37 +00:00
Sam Minnee
58dbe416ee Merged from branches/2.2
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@65523 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-11-10 03:51:35 +00:00
Ingo Schommer
692bd4c835 BUGFIX Using PasswordField instead of deprecated EncryptField
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64427 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-10-16 13:43:31 +00:00
Sean Harvey
d6680e300d ENHANCEMENT Added ID to allow CSS styling of forgot password link on MemberLoginForm
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64408 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-10-16 11:35:43 +00:00
Sean Harvey
0d8e5708c0 MINOR Tidied up code formatting for MemberLoginForm->forgotPassword() to be clearer
ENHANCEMENT Added a message if no email address was specified, for user feedback purposes on MemberLoginForm->forgotPassword()

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64406 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-10-16 11:29:43 +00:00
Sean Harvey
85bcedf9e6 ENHANCEMENT Changed the "I've lost my password" action to a link instead, since the button is too prominent, and usability is poor having this as a form submit button.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64405 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-10-16 11:10:56 +00:00
Hayden Smith
634ed7b70c Merged from branches/nzct-trunk. Use 'svn log -c <changeset> -g' for full commit message. Merge includes stability fixes and minor refactor of TableListField and ComplexTableField.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63806 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-10-08 02:00:12 +00:00
Sam Minnee
6915ac9bc7 Turned dos line endings into unix
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63113 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-26 02:22:51 +00:00
Ingo Schommer
28699c3550 BUGFIX Changed URL format for password sent confirmation display, to avoid issues with new request handling trying to detect the email-TLD as a pseudo-file-extension (which resulted in truncated email-addresses in display). Old: /Security/passwordsent/myemailaddress. New: Security/passwordsent/?email=myemailaddress
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@62701 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-18 23:00:36 +00:00
Sam Minnee
c20c4ae6b0 Added Secuirty::set_default_login_dest() for developers to specify the default page to direct to after the log in
This results in more reliable log-in redirection

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@62653 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-18 03:53:36 +00:00
Sam Minnee
00677d8cb7 Passed controller argument to ChangedPasswordForm constructor
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@60586 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-08-13 01:58:54 +00:00
Hayden Smith
ca6c248de1 Merged [47069]: Replaced explicit calls to AccessLogEntry::create with more flexible calls to extensions. AccessLogEntry to be refactored into separate module.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@60504 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-08-12 20:59:32 +00:00
Ingo Schommer
60860cc1b9 MINOR Unified @package PHPdoc (added where missing, removed duplicates)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@56212 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-06-15 13:33:53 +00:00
Sam Minnee
eb60b67732 Merged revisions 52121 via svnmerge from
http://svn.silverstripe.com/open/modules/sapphire/branches/govtsecurity

........
  r52121 | sminnee | 2008-04-03 22:04:33 +1300 (Thu, 03 Apr 2008) | 4 lines
  
  Added DataObject::validate() for specifying DataObject-level validators.
  Added DataObject::onAfterWrite(), a complement of DataObject::onBeforeWrite()
  Added password strength testing to security system
  Added password expiry to security system
........


git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@53465 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-04-26 06:31:52 +00:00
Matt Peel
7d13ba7fb8 Reverted geoffm's accidental commit to /open
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@50107 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-02-25 02:10:37 +00:00
Geoff Munn
bf3c09bec6 First post
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@50105 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-02-25 01:06:39 +00:00