Commit Graph

141 Commits

Author SHA1 Message Date
Ingo Schommer
ec325a3c7f API Fix HTTPS proxy header detection
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.

References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Damian Mooyman
d06d5c113b API Injector supports nesting
BUG Resolve issue with DirectorTest breaking RequestProcessor
Injector::nest and Injector::unnest are introduced to better support sandboxing of testings.
Injector and Config ::nest and ::unnest support chaining
Test cases for both Injector::nest and Config::nest
2014-04-29 08:59:33 +12:00
Damian Mooyman
d8836fd488 Merge remote-tracking branch 'origin/3.0' into 3.1 2014-04-08 17:10:07 +12:00
Simon Welsh
1d5706f15c Correct line length and indentation 2014-03-30 21:11:56 +13:00
Ingo Schommer
d7e10e620a Merge pull request #2537 from wilr/membervalidator
FIX: Use Injector API for managing Member_Validator instance.
2013-10-23 03:01:15 -07:00
Will Rossiter
813d34b15e FIX: Use Injector API for managing Member_Validator instance.
Updates the CMS profile page and SecurityAdmin to give developers a few ways to customise the required fields.

Added extension hook updateValidator for getValidator for things like modules to inject required fields to go along with Injector for replacing the entire class for project specific use.
2013-10-16 11:29:43 +13:00
Marcus Nyeholt
7bcb180f27 BUG Director::test now calls RequestProcessor
This fixes https://github.com/silverstripe/silverstripe-framework/issues/2517
and provides some testing around the use of RequestProcessor in general.
2013-10-15 07:53:34 +11:00
Ingo Schommer
5b3f8bc04d Merge pull request #2435 from hafriedlander/fix/join_links_query_params
FIX Use last of duplicate query params in join_links
2013-09-20 02:27:49 -07:00
Hamish Friedlander
a8c1dd7f53 FIX Use last of duplicate query params in join_links
When using Controller::join_links to join two links with identical query
params, both query params would be used in the result, ending up with
links that look like `../edit/show/14?locale=en_NZ&locale=mi_NZ`

This patch eliminates duplicate query params, so only the last one
for any key is present in the output.
2013-09-20 11:33:03 +12:00
Ingo Schommer
40c239076b Merge remote-tracking branch 'origin/3.0' into 3.1.0
Conflicts:
	model/Hierarchy.php
2013-08-22 12:55:47 +02:00
Simon Welsh
c66cc952d2 Correct line length and indentation 2013-08-21 21:27:16 +12:00
Simon Welsh
151baeede1 Correct line length and indentation 2013-08-21 18:54:05 +12:00
Hamish Friedlander
2886f6ee14 FIX Session was started every time, even if no data set
Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
2013-07-07 09:12:10 +12:00
Damian Mooyman
11f4b2c620 API HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.

HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce

HTTP::absoluteURLs now handles additional cases where urls were not translated.

Test cases for HTTP::absoluteURLs added for both css and attribute links.

Cleaned up replacement expression and improved documentation.
2013-07-05 09:08:58 +12:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Ingo Schommer
2160fb8000 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/javascript/LeftAndMain.js
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
	tests/control/ControllerTest.php
2013-06-19 14:03:43 +02:00
Sam Minnee
526b40414a FIX: Ensure that actions inferred from templates with the "_action" suffix also respect allowed_actions.
FIX: Ensure SSViewer::hasTemplate() is aware of themes.

To do this, RequestHandler::definingClassForAction() has been created, splitting out the code that looks up the class that defines a given action into its own method.  This is then overridden in Controller to look at templates.
2013-06-19 20:11:50 +12:00
Ingo Schommer
1d402dd513 Unset test state in DirectorTest
This broke RSSFeedTest when running through 'sake'
2013-06-18 23:24:22 +02:00
Ingo Schommer
71a5615213 Test $allowed_actions on controllers with template name=action conventions 2013-06-10 12:33:30 +02:00
Stephen Shkardoon
d6c2c2e07f Fixes #1892 - Stop session hijacking with UA check 2013-05-25 19:29:08 +12:00
Jeremy Shipman
d21fd1f0bb FIX: Don't rewrite urls to be absolute, if they are a URI with a protocol.
This is determined in this fix by the existence of a colon ':', to show the uri has a protocol.
2013-05-20 11:59:04 +12:00
Will Rossiter
1325d736a0 API: Add Director::is_https() 2013-05-10 22:31:38 +12:00
Damian Mooyman
b6fc1d314e BUG HTTP will now correctly pass over mailto: links when converting relative links to absolute (e.g. in Emails) 2013-04-18 14:25:51 +12:00
Ingo Schommer
9856fcef21 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	javascript/DateField.js
	model/DataQuery.php
	model/Versioned.php
	tests/forms/RequirementsTest.php
	tests/model/DataObjectLazyLoadingTest.php
	view/Requirements.php
2013-04-09 14:45:35 +02:00
Andrew Short
1fc780ce2b API: Return a 404 error when no director rule is matched 2013-04-06 18:19:03 +11:00
Sean Harvey
6eda25a090 NEW Allow specifying the secure domain to Director::forceSSL() 2013-04-03 17:47:36 +13:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
39789529d7 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/control/HTTPResponseTest.php
	tests/travis/before_script
2013-02-27 10:27:22 +01:00
Ingo Schommer
e6fffb9ef9 API Remove content-length setting in HTTPResponse
It's not reliable. Started in c69381c33, but only partially reverted.
2013-02-27 10:07:54 +01:00
Sam Minnee
efb4760244 Fixed invalid classname in test 2013-02-25 16:44:54 +13:00
Sam Minnee
88b3901a69 Check for object type before calling method, prevent fatal error in failing test. 2013-02-25 16:33:55 +13:00
Hamish Friedlander
4b54383d68 API change request handling to be more orthogonal
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method

Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction

RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function

GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction

Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
2013-02-18 14:56:04 +13:00
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
14a56c18e9 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-02-07 21:45:16 +01:00
Ingo Schommer
d77e06d585 Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010)
2013-01-31 10:19:17 -08:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
d8bfc0bb48 API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. 2013-01-29 18:03:47 +01:00
Damian Mooyman
1ca15d0399 API HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.

HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce

HTTP::absoluteURLs now handles additional cases where urls were not translated.

Test cases for HTTP::absoluteURLs added for both css and attribute links.

Cleaned up replacement expression and improved documentation.
2013-01-24 09:49:44 +01:00
Ingo Schommer
c69381c33e API Remove Content-Length setting from HTTPResponse (fixes #8010)
This reverts commit 356a367eb5.
We can't use headers_sent() to determine an accurate
content length, since PHP defaults to buffering a couple of bytes
even without ob_start() (see "output_buffering" setting).
This makes the patch harmful, since it breaks any responses relying
on more structure data, like removing closing brackets from JSON.
Which in turn breaks the CMS in horrible ways (see #8010).
See #7574 for context.
2013-01-23 15:05:33 +01:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c Add codesniffer that ensures indentation is with tabs. 2012-12-12 00:12:11 +13:00
Ingo Schommer
15a687f1e7 Merge remote-tracking branch 'origin/3.0' 2012-11-23 15:31:08 +01:00
Ingo Schommer
aa72425e84 Fixed PHPUnit assertions for incomplete tests in core
Avoid PHPUnit throwing "test didn't run any assertions"
notices in PHP. If nothing else, it keeps test output
looking less broken by default, making it more likely
that actual errors do get noticed.
2012-11-23 15:16:39 +01:00
Sean Harvey
d038cd7a65 Removing deprecated tests 2012-11-15 14:43:15 +13:00
Ingo Schommer
efabde1416 Merge remote-tracking branch 'origin/3.0'
Conflicts:
	admin/css/screen.css
	admin/scss/_style.scss
	security/Member.php
2012-10-30 17:52:49 +01:00
Simon Welsh
624f427c2a Removes line longer than 120c 2012-10-29 10:22:53 +13:00
Will Rossiter
69ea73b4ed Merge pull request #777 from halkyon/field_edit3
Member_ProfileForm respect canEdit() permissions on Member
2012-10-27 20:11:46 -07:00
Ingo Schommer
56f7ce1dcf Merge remote-tracking branch 'origin/3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	control/HTTPResponse.php
	model/Database.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	view/Requirements.php
	view/SSViewer.php
2012-10-03 16:16:19 +02:00