Sam Minnée
7bfc872a8e
Merge pull request #2248 from hafriedlander/fix/flush_30
...
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-18 20:46:56 -07:00
Hamish Friedlander
a312cd08e1
FIX: Ignore invalid tokens instead of throwing 403
2013-07-19 14:47:05 +12:00
Hamish Friedlander
036c36a7dd
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-19 14:33:56 +12:00
Hamish Friedlander
d38bd7d5cb
Merge branch 'origin/3.0' into 3.1
2013-07-19 14:18:49 +12:00
Sam Minnée
7656a22329
Merge pull request #2243 from hafriedlander/fix/flush_30
...
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692 )
2013-07-18 17:39:10 -07:00
Hamish Friedlander
1298d4a5bd
FIX Prevent DOS by checking for env and admin on ?flush=1 ( #1692 )
2013-07-19 12:24:32 +12:00
Hamish Friedlander
b915c2364c
Merge pull request #2244 from mateusz/lockout-errors
...
BUG First error should take precedence here. No further checks needed.
2013-07-18 14:38:23 -07:00
Mateusz Uzdowski
d4a6f7304e
BUG First error should take precedence here. No further checks needed.
2013-07-19 08:54:52 +12:00
Ingo Schommer
9d764d6794
FIX Avoid infinite loops on ?isDev=1 and Deprecation class
...
If any of the functionality triggered by Director::isDev()
was causing deprecation errors, the system would go into
an infinite loop. Since the only way to cause this is the DB
checking functionality, we disable that for Deprecation.
Side effect of this change: You can't show deprecation notices
on a live site by forcing the session into dev mode.
2013-07-17 11:55:19 +02:00
Sam Minnée
2ca089532f
Merge pull request #2219 from chillu/pulls/clickjacking
...
BUG Prevent clickjacking in CMS and Security controllers (fixes #2215 )
2013-07-16 14:35:53 -07:00
Simon Welsh
d9b0d14ee9
Merge pull request #2229 from ss23/patch-6
...
FIX preg_replace_callback in emailer was broken
2013-07-14 21:55:07 -07:00
Stephen Shkardoon
999fd3901c
FIX preg_replace_callback in emailer was broken
...
Fixes bug introduced by 9deb11f9a0
Email has no content
This is what happens when we make commits without testing!
2013-07-15 16:50:41 +12:00
Ingo Schommer
d1fec14bd1
Merge pull request #2226 from Brancom/3.1
...
Updated loop/if/with to be more consistent
2013-07-14 13:58:06 -07:00
Ingo Schommer
d4a1e6d294
BUG Prevent clickjacking in CMS and Security controllers ( fixes #2215 )
2013-07-14 22:44:09 +02:00
ARNHOE
2427d57fa5
Updated loop/if/with to be more consistent
2013-07-14 20:43:52 +12:00
Ingo Schommer
920edf88e7
Test allowedExtensions in UploadField, return correct HTTP status
2013-07-12 13:16:34 +02:00
Will Rossiter
d80b16597a
Merge pull request #2224 from tractorcow/3.1-foreignkey-typo
...
Typo
2013-07-11 20:45:44 -07:00
Will Rossiter
65e9f05c36
Merge pull request #2220 from jthomerson/pulls/small_doc_fix_1
...
Small typo causing linking error
2013-07-11 20:42:36 -07:00
Damian Mooyman
7fbc752764
Typo
2013-07-12 15:07:43 +12:00
Sean Harvey
a5363aba6d
Merge pull request #2214 from chillu/pulls/password-docs
...
Member.lock_out_delay_mins, password security docs
2013-07-11 15:04:15 -07:00
Jeremy Thomerson
71f8c1306f
DOCFIX: small typo causing linking error
2013-07-11 13:40:34 +00:00
Ingo Schommer
bdbd61cb22
Merge remote-tracking branch 'origin/3.0' into 3.1
2013-07-11 15:14:07 +02:00
Ingo Schommer
c2c8498c64
BehatFixtureFactory 5.3.8 compat (wrong usage of is_a())
2013-07-11 15:13:37 +02:00
Ingo Schommer
b58e2dbe3a
Member.lock_out_delay_mins configurable, password security docs
2013-07-11 09:47:28 +02:00
Ingo Schommer
84bc3ed024
Merge pull request #2202 from tractorcow/3.1-aggregate-deprecation
...
API Deprecate Aggregate and DataObject::getComponentsQuery
2013-07-11 00:25:26 -07:00
Ingo Schommer
ed69a2bf82
Merge pull request #2212 from dhensby/patch-3
...
Adding test to prove issue with HTTP Header parsing in RestfulService
2013-07-10 08:32:04 -07:00
Daniel Hensby
ddd6a15b4a
FIX RestfulService header parsing now accepts non-title case headers
2013-07-10 13:00:40 +01:00
Daniel Hensby
378d829e8f
Adding test to prove issue with HTTP Header parsing in RestfulService
...
I have a header like:
X-BB-Auth: xxxx
and it is being given back to me as X-Bb-Auth - i want to prove the issue and the fix
2013-07-10 12:47:13 +01:00
Ingo Schommer
c3f62de0eb
Merge pull request #2208 from hafriedlander/fix/sanitise
...
Add some docs about admin-side HTML sanitisation
2013-07-10 01:33:52 -07:00
Hamish Friedlander
7b7982969b
Add some docs about admin-side HTML sanitisation
2013-07-10 16:44:51 +12:00
Simon Welsh
e5ed8f1ef2
Merge branch '3.0' into 3.1
2013-07-10 12:31:38 +12:00
Hamish Friedlander
ca2b81c6c2
Merge pull request #2207 from camspiers/config-caching-fix
...
FIX ConfigManifest regenerating every request if variantKeySpec is an empty array()
2013-07-09 17:30:33 -07:00
Simon Welsh
b506eb1b29
Use httpError() instead of non-existent HTTPResponse_Exception class
2013-07-10 12:30:27 +12:00
Cam Spiers
b44641336b
FIX ConfigManifest regenerating every request if variantKeySpec is an empty array()
2013-07-10 11:53:44 +12:00
Jeremy Thomerson
dbb2efcbb3
FIX: wrong class name being returned
...
This resulted in an error since the returned class name did not exist.
Note that this only happened when someone subclassed GridFieldDetailForm
and did not subclass GridFieldDetailForm_ItemRequest.
2013-07-09 20:59:56 +00:00
Ingo Schommer
e6011f3aae
Rewritten "extend cms" docs ( #1671 )
...
Hopefully this commit can be reverted once we fix the
layout manager to work with all four directions (north, south, east, west).
A "bookmark bar" makes more sense as an example than having the links
in the menu, and it allows us to illustrate the CMS layout techniques.
2013-07-09 22:15:43 +02:00
Mateusz Uzdowski
b24a0a567e
BUG Remove extraneous </div> breaking IE8 image embedding (os#8218)
...
Editor was not able to add images to TinyMCE - both newly uploaded and
old ones from the local assets.
2013-07-09 21:49:23 +02:00
Daniel Hensby
e225cffcf8
FIX Empty Datefield with defined min or max has non-object error thrown
...
When submitting a Datefield with no value but with a min / max config date, the validate() function attempts to access a function on $this->valueObj (which is a non-object)
2013-07-08 16:07:21 +01:00
Ingo Schommer
3bfb82d25f
Merge pull request #2203 from camspiers/config-memory
...
Improve memory performance when generating config static and class caches
2013-07-08 06:35:31 -07:00
Cam Spiers
2d30592f72
Improve memory performance when generating config static and class caches
2013-07-08 21:24:14 +12:00
Damian Mooyman
0e443bafa0
Deprecate Aggregate and DataObject::getComponentsQuery
2013-07-08 15:27:13 +12:00
Hamish Friedlander
10b55170ea
Merge pull request #2139 from jthomerson/pulls/template_includes_with_scope
...
FEATURE: <% include %> inherits scope of parent template
2013-07-07 14:01:40 -07:00
Jeremy Thomerson
f6ff39369f
FEATURE: <% include %> inherits iterator scope of parent template
2013-07-07 12:39:42 +00:00
Sam Minnée
596934b107
Merge pull request #2133 from jthomerson/pulls/fix_testcase_comments_setting
...
MINOR: fix Email class modifying SSViewer.source_file_comments config val
2013-07-06 20:32:44 -07:00
Sam Minnée
0173707cd1
Merge pull request #2164 from tractorcow/3.1-datetimefield-fixes
...
BUG Fixed DateTimeField where time value was being parsed incorrectly.
2013-07-06 19:03:33 -07:00
Sam Minnée
ecf8f273c0
Merge pull request #2201 from hafriedlander/fix/session
...
Fixes to session, primarily around cookie_secure
2013-07-06 18:59:07 -07:00
Sam Minnée
aee786b221
Merge pull request #2169 from camspiers/yml-parse-modulename
...
Allow module directories to be named with more valid characters ensuring that module names in fragment meta-data are correct
2013-07-06 16:11:31 -07:00
Hamish Friedlander
d629d9422f
FIX Session::$cookie_secure so Sessions still work via HTTP
...
Session::$cookie_secure adds the secure property to the session Set-Cookie
command, so that the browser wouldnt send it to the server over an unencrypted
link. However the server would still send the cookie to the browser
unencrypted. Also Sessions would stop working properly in HTTP,
but SilverStripe needs them for several things, such as form validation
This patch effectively causes HTTP and HTTPS requests to each have
their own session when cookie_secure is true. The two sessions are
independant from each other, so information set in the session via
HTTPS is safe from attacks on the session via HTTP, but parts
of the site that use HTTP and the session will still work
2013-07-07 09:12:10 +12:00
Hamish Friedlander
2886f6ee14
FIX Session was started every time, even if no data set
...
Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
2013-07-07 09:12:10 +12:00
Sam Minnée
be311f72a5
Merge pull request #2191 from kinglozzer/uploadfield-disable-on-edit
...
FIX: UploadField action buttons aren't disabled when editing an item
2013-07-05 23:04:49 -07:00