Commit Graph

1983 Commits

Author SHA1 Message Date
Ingo Schommer
9709a5cd8c Merge remote-tracking branch 'origin/3.1.0' into 3.1 2013-10-01 01:45:27 +02:00
Ingo Schommer
deadc154ca Don't link record in GridField form message
This is no longer allows through Form->sessionMessage() to avoid XSS.
2013-10-01 00:00:37 +02:00
Ingo Schommer
298de5a67d FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007) 2013-09-30 22:53:43 +02:00
Ingo Schommer
d8d07d971e FIX Auto-escape titles in TreeDropdownField
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
2013-09-30 22:53:21 +02:00
Ingo Schommer
a338e608b8 API Escape form validation messages (SS-2013-008) 2013-09-30 22:53:07 +02:00
Daniel Hensby
6c943007a1 removeRequiredField() limits field (fixes #2165)
Added tests to RequiredFields and fixed bugs that were found

Now you:
1. Can't add the same field name many times
2. Can use append RequiredFields correctly without fear of duplicates

I've also added a Deprecation warning to $useLabels as it's not used
*anywhere* in framework
2013-09-27 19:58:59 +02:00
Ingo Schommer
d3aa38f4b4 $.data() for GridField autocomplete (fixes #2440) 2013-09-27 19:51:32 +02:00
Ingo Schommer
2e3511bc5f Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	docs/en/changelogs/3.0.6.md
	forms/Form.php
	forms/FormField.php
	forms/TreeDropdownField.php
2013-09-27 18:50:47 +02:00
Ingo Schommer
debd81d380 Merge pull request #2453 from chillu/pulls/escape-3.1.0
Escaping 3.1
2013-09-25 16:02:45 -07:00
Ingo Schommer
c243418597 API Escape form validation messages (SS-2013-008) 2013-09-24 21:54:31 +02:00
Ingo Schommer
2b7a2a289e API Escape form validation messages (SS-2013-008) 2013-09-24 21:41:21 +02:00
Ingo Schommer
f3ef04a432 FIX Auto-escape titles in TreeDropdownField
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
2013-09-24 21:41:21 +02:00
Ingo Schommer
78ce99be09 FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007) 2013-09-24 21:41:18 +02:00
Ingo Schommer
114fb59107 FIX Auto-escape titles in TreeDropdownField
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
2013-09-24 21:40:17 +02:00
Sean Harvey
b383a07f90 BUG Fixing tabindex added to CreditCardField when tabindex is NULL
The tabindex increment *should* only be done if there is a tabindex
that has been set on a CreditCardField already, otherwise it breaks
the tab ordering.
2013-09-24 21:40:17 +02:00
Ingo Schommer
48021e9fd3 Merge pull request #2166 from dhensby/patch-2
FormFields now allow setting of extra CSSClasses en masse
2013-09-24 11:50:01 -07:00
Ingo Schommer
d291a96326 Merge pull request #2152 from dhensby/patch-1
FIX Empty Datefield with defined min or max has non-object error thrown
2013-09-24 11:48:05 -07:00
Ingo Schommer
1bb993b0b3 Form errors in LeftAndMain response negotiation
The session key for form errors changed from "Form_EditForm" to "CMSForm_EditForm",
causing a mismatch. See https://github.com/silverstripe/silverstripe-framework/pull/2084/files#r6338249 for discussion
2013-09-18 14:30:37 +02:00
Ingo Schommer
c2b312d76f Merge remote-tracking branch 'origin/3.1.0' into 3.1 2013-09-12 17:24:42 +02:00
Sean Harvey
c309867a1c Merge pull request #2373 from chillu/pulls/treedropdown-searchfield-default
Default TreeDropdown to "Title" search if $labelField isn't in DB
2013-09-10 21:45:40 -07:00
Russell Michell
abcb2ef40b FIX: Modified fix for #2389 to ensure existing tests pass. 2013-09-06 08:48:32 +12:00
Russell Michell
128c33b82c FIX: Fixes #2389
- Prevent circular references in `GridFieldAddExistingAutocompleter` when linking DataObjects whose ID matches the current object to which the gridfield is attached.
2013-09-05 13:55:47 +12:00
Ingo Schommer
1c31c098ee FIX Correct Zend_Locale fallbacks in i18n/DateField/DateTimeField
Due to the recent change of translations to transifex, some
locales changed their names, which prompted a fix to
i18n::get_available_translations() (see 00ffe7294).
This caused a regression where short locales are determined
from the YAML file names (e.g. "en"), but weren't matched up
with fully qualified locales from get_available_translations() (e.g. "en_US").
Since this list is used in the admin/myprofile dropdown for the Member.Locale value,
it didn't match up with any entries and defaulted to the first one ("Africaans").

Note that the behaviour of admin/myprofile is still a bit weird:
It defaults the locale on new members to the one set for the current administrator.
So if a site defaults to en_US in _config.php, but the admin happens to view
his backend in de_DE, all members he creates default to de_DE as well.

Thanks to @tractorcow for contributing and peer reviewing!
2013-08-30 10:18:00 +02:00
Ingo Schommer
20b49e215c Merge pull request #2136 from nedmas/fix-remove-export-button-padding
FIX: GridField button styling
2013-08-30 00:24:21 -07:00
Ingo Schommer
79cab42a91 Default TreeDropdown to "Title" search if $labelField isn't in DB
This is a workaround in order to ensure the field stays operational
for SiteTree and File records with the new $showSearch=true default.
Previously it was necessary to use setSearchCallback(), otherwise
the SQL query would fail. One limitation to keep this change generic
is that "MenuTitle" won't be used to search, since its SiteTree specific,
while the "Title" and "Name" fields are generally regarded as
model conventions (e.g. they're used in DataObject->getTitle() as well).

See https://github.com/silverstripe/silverstripe-framework/pull/2364
2013-08-29 17:12:01 +02:00
Naomi Guyer
8b5f89f3b9 API: Treedropdownfield showsearch default true, provide better ui
Set search option true on treedropdown fields by default, to provide a
fallback solution when trees fail to render (too many children errors)

Provide better indication/more meaningful styling to search (match
chosen styles for consistency)
2013-08-29 16:21:04 +12:00
Ingo Schommer
40c239076b Merge remote-tracking branch 'origin/3.0' into 3.1.0
Conflicts:
	model/Hierarchy.php
2013-08-22 12:55:47 +02:00
Simon Welsh
c66cc952d2 Correct line length and indentation 2013-08-21 21:27:16 +12:00
Simon Welsh
151baeede1 Correct line length and indentation 2013-08-21 18:54:05 +12:00
Ingo Schommer
a6da1f5570 Merge pull request #2294 from wilr/fixgridexport
FIX: Remove limit on GridField export
2013-08-20 14:08:18 -07:00
Ingo Schommer
351c1168b6 Merge pull request #2314 from mateusz/required-attrs
HTML5 required attributes on default fields, add validator to the login form
2013-08-20 06:40:58 -07:00
Ingo Schommer
02cc662aaf More specific entwine rule for delete alert in GridField
The rule didn't apply in Firefox because of how it handles specificity,
so made it a bit more specific (added "button" and ".action")
2013-08-16 16:06:31 +02:00
Ingo Schommer
acc07e67ea Merge pull request #2318 from micmania1/2317-gridfieldfilterheader-duplicate-fields
Added gridField->getName() to field names to avoid duplication
2013-08-15 15:44:17 -07:00
Mateusz Uzdowski
090f07d978 BUG Apply HTML5 required attributes when fields are required. 2013-08-12 09:32:03 +12:00
micmania1
8ce50c3ae6 Added gridField->getName() to field names to avoid duplication 2013-08-09 22:57:48 +01:00
Hamish Friedlander
0918cd2092 Remove SiteTree link tracking out of HtmlEditorField 2013-08-09 11:24:10 +02:00
Will Rossiter
65d96e8d7c FIX: Remove limit on GridField export
Allow DataList::limit() to take a null value to remove the limit.

Added tests for limit(). Note the one failure, currently the ORM doesn't support unlimited values with an offset.
2013-08-05 19:59:12 +12:00
Hamish Friedlander
d38bd7d5cb Merge branch 'origin/3.0' into 3.1 2013-07-19 14:18:49 +12:00
Ingo Schommer
920edf88e7 Test allowedExtensions in UploadField, return correct HTTP status 2013-07-12 13:16:34 +02:00
Daniel Hensby
e225cffcf8 FIX Empty Datefield with defined min or max has non-object error thrown
When submitting a Datefield with no value but with a min / max config date, the validate() function attempts to access a function on $this->valueObj (which is a non-object)
2013-07-08 16:07:21 +01:00
Sam Minnée
0173707cd1 Merge pull request #2164 from tractorcow/3.1-datetimefield-fixes
BUG Fixed DateTimeField where time value was being parsed incorrectly.
2013-07-06 19:03:33 -07:00
Mateusz U
3ac22ed638 Merge pull request #2182 from hafriedlander/fix/sanitise
FIX HtmlEditorField not re-checking sanitisation server side
2013-07-04 14:56:37 -07:00
Damian Mooyman
a862b4da99 BUG Fixed missing allowed_actions on UploadField_SelectHandler 2013-07-04 12:38:57 +12:00
Hamish Friedlander
dacb2aa638 FIX HtmlEditorField not re-checking sanitisation server side 2013-07-04 08:53:23 +12:00
Ingo Schommer
d003c96c62 Fixed HTMLEditorField extension call ("updateFieldsForOembed") 2013-07-03 10:15:46 +02:00
Daniel Hensby
336ddf1a55 FormFields now allow setting of extra CSSClasses en masse
Each CSS class passed in to `addExtraClass` or `removeExtraClass` will be set as their own key in the `extraClasses` array

Also make `Form` consistent with `FormField`
2013-06-29 13:27:26 +01:00
Damian Mooyman
feb03f5443 BUG Fixed issue where time value was being parsed incorrectly in some locales 2013-06-28 16:45:33 +12:00
Ingo Schommer
09b31c642f Allow Form->forTemplate() URL access (fixes #788)
Need to specifically whitelist URL-accessible actions now.
Used in "Insert Link" form in HtmlEditorField.
Regression from 1edf45fbed
2013-06-25 16:33:00 +02:00
jonom
ffc764dc3c NEW: Allow configuration of initial insertion width for images and media
Moved default insertion dimensions logic from JS to PHP to allow setting through config API
2013-06-24 14:25:16 -06:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00