Commit Graph

19847 Commits

Author SHA1 Message Date
Damian Mooyman
4733abd79f Merge pull request #7006 from Firesphere/patch-1
FIX Not `CascadeLogInTo` anymore, but `CascadeInTo`
2017-06-10 13:43:48 +12:00
Simon Erkelens
5c4e55b60d It's not CascadeLogInTo anymore, it's CascadeInTo
I'm mildly surprised this didn't break. I changed it to CascadeInTo, as the logout action needs to cascade into the session as well.
2017-06-10 12:58:22 +12:00
Florian Thoma
7648428fdb add extension hoot to FormField::extraClass() 2017-06-10 09:52:22 +10:00
Damian Mooyman
c7f7233c4d Merge pull request #6829 from sminnee/authenticator-refactor
Refactor Authenticators
2017-06-09 16:46:56 +12:00
Damian Mooyman
d89bd15330
Move authentication hooks to SapphireTest 2017-06-09 16:25:40 +12:00
Damian Mooyman
62753b3cb1
Cleanup and RequestFilter refactor 2017-06-09 15:07:35 +12:00
Simon Erkelens
5fce3308b4 Move LostPasswordHandler in to it's own class.
- Moved the Authenticators from statics to normal
- Moved MemberLoginForm methods to the getFormFields as they make more sense there
- Did some spring-cleaning on the LostPasswordHandler
- Removed the BuildResponse from ChangePasswordHandler after spring cleaning
2017-06-08 20:09:57 +12:00
Simon Erkelens
082db89550 Feedback from Damian.
- Move the success and message to a validationresult
- Fix tests for validationresult return
- We need to clear the session in Test logOut method
- Rename to MemberAuthenticator and CMSMemberAuthenticator for consistency.
- Unify all to getCurrentUser on Security
- ChangePasswordHandler removed from Security
- Update SapphireTest for CMS login/logout
- Get the Member ID correctly, if it's an object.
- Only enable "remember me" when it's allowed.
- Add flag to disable password logging
- Remove Subsites coupling, give it an extension hook to disable itself
- Change cascadeLogInTo to cascadeInTo for the logout method logic naming
- Docblocks
- Basicauth config
2017-06-08 17:50:20 +12:00
Loz Calver
c5eeed84e8 Merge pull request #6993 from open-sausages/pulls/3/missing-changelog-notes
Add in missing changelog notes
2017-06-07 16:51:01 +01:00
Simon Erkelens
2b26cafcff Separate out the log-out handling.
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Sam Minnee
f9ea752bae NEW: Add AuthenticationHandler interface
NEW: Add IdentityStore for registering log-in / log-out data
NEW: Add AuthenticationRequestFilter for managing login
NEW: Add Security:setCurrentUser() / Security::getCurrentUser()
NEW: Add FunctionalTest::logOut()
2017-06-07 21:11:55 +12:00
Simon Erkelens
c4194f0ed2 CMS Login Handling
Move to canLogin in the authentication check. Protected isLockedOut

Enable login to be called with a different login service (CMSLogin), enabling CMS Log in. Seems the styling and/or output is still broken.

logOut could be managed from the Authenticator instead of the member
2017-06-07 21:11:54 +12:00
Sam Minnee
7af7e6719e API: Security.authenticators is now a map, not an array
Authenticators is now a map of keys -> service names. The key is used
in things such as URL segments. The “default_authenticator” value has
been replaced with the key “default” in this map, although in time a
default authenticator may not be needed.
IX: Refactor login() to avoid code duplication on single/multiple handlers
IX: Refactor LoginHandler to be more amenable to extension
IX: Fixed permissionFailure hack
his LoginHandler is expected to be the starting point for other
custom authenticators so it should be easier to repurpose components
`of it.
IX: Fix database-is-ready checks in tests.
IX: Fixed MemberAuthenticatorTest to match the new API
IX: Update security URLs in MemberTest
2017-06-07 21:11:53 +12:00
Sam Minnee
e226b67d06 Refactoring of authenticators
Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step.
Also cleaned up some minor typos I ran in to. Nothing major.

This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation.

FIX: Corrections to the multi-login-form support.

Importantly, the system provide a URL-space for each handler, e.g.
“Security/login/default” and “Security/login/other”. This is much
cleaner than identifying the active authenticator by a get parameter,
and means that the tabbed interface is only needed on the very first view.

Note that you can test this without a module simply by loading the
default authenticator twice:

SilverStripe\Security\Security:
  authenticators:
    default: SilverStripe\Security\MemberAuthenticator\Authenticator
    other: SilverStripe\Security\MemberAuthenticator\Authenticator

FIX: Refactor delegateToHandler / delegateToHandlers to have less
duplicated code.
2017-06-07 21:11:52 +12:00
Damian Mooyman
7cf7a7094c Merge pull request #7000 from kinglozzer/uploadfield-size-ini
FIX: Upload_Validator failed to fetch max size from PHP ini values (fixes #6999)
2017-06-07 15:48:27 +12:00
Daniel Hensby
856aa79892 Merge pull request #6987 from open-sausages/pull/4.0/3239-consisten-fist-last-returns
Consistent return values for first and last methods
2017-06-06 16:59:04 +01:00
Loz Calver
4ad2cae864
FIX: Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) 2017-06-06 14:28:03 +01:00
Damian Mooyman
8c0ced311f Merge pull request #6998 from AntonyThorpe/StrictFormMethodCheck
Updated Form.php & 04_Form_Security.md  - strictFormMethodCheck to true
2017-06-06 23:06:11 +12:00
Damian Mooyman
057bfdae79 Merge pull request #6991 from jacobbuck/feature/3.6/extend-file-get-url
NEW Add 'updateURL' extension hook to File::getURL()
2017-06-06 21:28:16 +12:00
Antony Thorpe
6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Damian Mooyman
ba44c4c30d Merge pull request #6988 from open-sausages/pulls/4.0/print-with-gotink
Fixes printing from crashing
2017-06-06 18:33:11 +12:00
Damian Mooyman
058ba813e6 Merge pull request #6986 from open-sausages/pulls/3.0/but-its-so-tinymce
Fix tinymce image selection issue in newer versions of Chrome
2017-06-06 17:24:31 +12:00
Saophalkun Ponlu
e267d29b9a BUG Consistent return values for first and last methods 2017-06-06 17:22:55 +12:00
Jacob
92b7341200 Call $this->extend('updateURL', $url); befor returning $url 2017-06-06 13:38:11 +12:00
Christopher Joe
d12c986dd5
Fixes printing from crashing 2017-06-06 13:31:37 +12:00
Damian Mooyman
9b965ed5fa
Add in missing changelog notes 2017-06-06 11:08:05 +12:00
Christopher Joe
5f5bfa5e70 Fix create temp folder if it does not exist 2017-06-06 09:58:51 +12:00
Jacob Buck
2305255699 Add updateURL extension hook to File::getURL 2017-06-05 15:17:37 +12:00
Loz Calver
035a9b049e Merge pull request #6990 from dhensby/pulls/3.6/constructor-fixes
FIX Upgrade old style constructors that were missed
2017-06-02 12:47:21 +01:00
Daniel Hensby
a52ed03b49
FIX Upgrade old style constructors that were missed 2017-06-02 12:22:33 +01:00
Christopher Joe
4b9d5dceb8 Fix tinymce image selection issue in newer versions of Chrome 2017-06-02 15:06:16 +12:00
Ingo Schommer
b137e91998 Internal security process docs 2017-06-02 11:30:12 +12:00
Daniel Hensby
9a0e01d4a0
NEW DB Driver defaults to PDO 2017-06-01 11:00:35 +01:00
Daniel Hensby
bf8d4252e3 Merge pull request #6983 from JustinTBrown/patch-1
Update to 00_CSV_Import.md
2017-05-31 19:17:33 +01:00
Justin Brown
ac08e16720 Update to 00_CSV_Import.md
Adding further explanation for using a custom CsvBulkLoader in ModelAdmin instead of the default one. I think some people might be able to guess at this, but others (like me) might benefit from making things a bit more explicit. This a follow up from my [question on StackOverflow](https://stackoverflow.com/questions/44271755/adding-custom-csvbulkuploader-to-modeladmin-in-silverstripe).
2017-05-31 09:05:05 -06:00
Chris Joe
44f27645bd Merge pull request #6981 from edlinklater/patch-1
Docs: Correct Stevie's name on committers page
2017-05-31 13:40:31 +12:00
Ed Linklater
f007fca51f Docs: Correct Stevie's name on committers page 2017-05-31 12:27:06 +12:00
Daniel Hensby
21d2e5cad1
Merge branch '3.6' into 3 2017-05-31 00:12:14 +01:00
Daniel Hensby
becb769167
Merge branch '3.5' into 3.6 2017-05-31 00:11:48 +01:00
Daniel Hensby
653c891f38
Merge tag '3.6.0' into 3.6
Release 3.6.0
2017-05-31 00:11:47 +01:00
Daniel Hensby
294df1320f
Merge branch '3.4' into 3.5 2017-05-31 00:11:18 +01:00
Daniel Hensby
ff0bbce326
Merge tag '3.5.4' into 3.5
Release 3.5.4
2017-05-31 00:11:18 +01:00
Daniel Hensby
cf8f781238
Merge tag '3.4.6' into 3.4
Release 3.4.6
2017-05-31 00:10:48 +01:00
Daniel Hensby
143c4a63cf
Added 3.6.0 changelog 2017-05-30 22:11:03 +00:00
Daniel Hensby
90c2a7de11 Merge pull request #6979 from dhensby/pulls/bracket-test-only
FIX Bracket should implement TestOnly
2017-05-30 23:10:16 +01:00
Daniel Hensby
2f7f761a9c
Added 3.5.4 changelog 2017-05-30 22:03:17 +00:00
Daniel Hensby
deca99a5fe
Added 3.4.6 changelog 2017-05-30 21:58:52 +00:00
Daniel Hensby
13ee3148d9
FIX Bracket should implement TestOnly 2017-05-30 22:44:24 +01:00
Daniel Hensby
11de4abe0a Merge pull request #6977 from andrewandante/FIX/move_dotenv_higher
move TRUSTED_PROXY below .env loader
2017-05-30 12:41:09 +01:00
Andrew Aitken-Fincham
8f44b8f0ba move trusted_proxy_ips below .env loader 2017-05-30 12:18:47 +01:00