Commit Graph

11396 Commits

Author SHA1 Message Date
Ingo Schommer
190e0b8a47 Add ContentController->handleWidget() to $allowed_actions
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords from setting the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
d51e0bc2ec Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:30:40 +01:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_actions restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
303352926b 3.0.4 changelog update 2013-02-17 23:28:22 +01:00
Ingo Schommer
f8bbc0a726 BUGFIX Escape HTML in DropdownField and ListboxField
Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
2013-02-17 23:27:15 +01:00
Ingo Schommer
604ede30a4 BUGFIX Escape HTML in CMS status messages 2013-02-17 23:27:15 +01:00
Ingo Schommer
7bb0bbff0e BUGFIX Fixed XSS in admin/security and "My Profile" forms 2013-02-17 23:27:15 +01:00
Ingo Schommer
eecd34868f BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords from setting the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Ingo Schommer
3e27d27f7a Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:16:25 +01:00
Ingo Schommer
50995fbecb BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_actions restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Hamish Friedlander
2335c074b3 NEW Make shortcode parser more clever about placement
Shortcodes have traditionally had a problem that they are inside <p> tags,
but generate block level elements. This breaks HTML compliance.

This makes the shortcode parser now mutate the DOM based on the "class" attribute on
the shortcode to insert the generated block level element at the right place in the DOM

 - for "left" and "right" elements it puts them just before the block level
   element they are inside

 - for "leftAlone" and "center" elements it splits the DOM around the shortcode.

The trade off is that shortcodes are no longer "text level" features. They need
knowledge of the HTML they are in to perform this transformation, so they can
only be used in (valid) HTML
2013-02-18 10:49:52 +13:00
Ingo Schommer
7830b5d1b1 Merge remote-tracking branch 'origin/2.4' into 3.0 2013-02-17 22:43:56 +01:00
Ingo Schommer
ede381326b BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
e21bd49462 BUG TimeField respects user choice (fixes #8260)
Regression from c969e04731.
Also fixes width to accommodate the widest common format:
"11:11:11 AM"
2013-02-17 21:00:02 +01:00
Ingo Schommer
5a4d5e10d2 Merge pull request #1189 from ajshort/namespaced-tasks
Support running namespaced build tasks.
2013-02-17 11:47:26 -08:00
ajshort
889e39cf55 Support running namespaced build tasks. 2013-02-17 18:05:35 +11:00
Ingo Schommer
d4b7763cab Merge pull request #1154 from silverstripe-rebelalliance/open8231
BUGFIX: fixed styling of asset upload page and dialog in the asset admin ...

Conflicts:
	css/AssetUploadField.css
	scss/AssetUploadField.scss
2013-02-15 19:52:47 +01:00
Ingo Schommer
fd4d39984d Merge pull request #1176 from uniun/drop-area-css-fix
Long drop area title overlaps upload icon
2013-02-15 10:49:24 -08:00
Ingo Schommer
d9cecd9e83 Merge pull request #1168 from ajshort/task-creation-injector
Use the injector for creating tasks.
2013-02-15 10:47:02 -08:00
Ingo Schommer
37e10d14f3 Merge pull request #1184 from ajshort/named-services
BUG: Fixed the injection of named services.
2013-02-15 10:46:33 -08:00
Ingo Schommer
6ff1f9050d Merge pull request #1187 from dhensby/restfulservice-improvements
API Restfulservice improvements
2013-02-15 10:45:43 -08:00
Ingo Schommer
5d3ed12e20 Nginx docs for denying composer file access (fixes #8011) 2013-02-15 19:22:21 +01:00
Daniel Hensby
920fd71a2f Adding default curl options
Because I completely removed the static setting of SSL_VERIFYPEER, I've
added the ability to declare default curl options on the class. This
means that users who really want to turn off SSL_VERIFYPEER in one line
can do so without needing to pass a custom option in every request()
call.
2013-02-15 11:45:52 +00:00
Daniel Hensby
f003359047 RestfulService_Response now gets response headers
Before now, the RestfulService_Response object was never sent the
response headers, which was a problem for APIs that rely on the response
headers to send back information (signatures, pagination info, etc.).

This change makes the curl response have the full HTTP response
(including Headers). We then extract the body and the header information
and assign them to relevant vars and then construct the response as
before (with the addition of the headers array).

This change required two new functions:

 - extractResponse: This extracts the HTTP headers and the payload from the
   curl response and assigns them to the relevant vars that are passed by
   reference.

 - parseRawHeaders: This was designed to mimic http_parse_headers (a
   non-standard PHP class). It converts the headers into an associative
   array.
2013-02-15 11:45:36 +00:00
Daniel Hensby
7c189731e3 Better cache key generation
All of the arguments supplied to the request function can impact what is
returned by a restful service.

This takes account of that and makes the cache key more specific,
including basic auth details, so we don't rely on *just* the absolute
URL for caching.
2013-02-15 11:16:46 +00:00
Marcus Nyeholt
428cbe4b03 FIX issue with Injector::create not passing args
If creating an object using Injector::create() and constructor arguments
are passed through, in some cases where the object being created had a yml
configuration set for it, the passed in constructor arguments weren't being
passed through to the instantiation of the object.
2013-02-15 10:24:47 +11:00
Ingo Schommer
f4068371fc Merge pull request #1159 from chillu/pulls/datetimefield-field-setters
DatetimeField->setDateField()/setTimeField()
2013-02-14 11:31:31 -08:00
Julian Seidenberg
10199f908a API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:28:42 +01:00
jean
e2bf9649f3 FIX 7934 When lazy loading fields respect version of the record 2013-02-14 14:27:44 +01:00
Julian Seidenberg
f931b8d326 API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:18:10 +01:00
Simon Welsh
be8482aa73 Merge pull request #1173 from ajshort/include-object-argument
BUG: Pass named include argument as objects.
2013-02-13 23:44:29 -08:00
ajshort
d3629be344 BUG: Pass named include argument as objects.
This means you can pass objects such as lists as named parameters, not
just strings.
2013-02-14 18:31:40 +11:00
Zauberfisch
54237d5b10 NEW Return $this on setters in DataObject 2013-02-13 18:18:37 +01:00
ajshort
ff19f3b11a BUG: Fixed the injection of named services. 2013-02-13 23:06:15 +11:00
Ingo Schommer
923ad8861f Layout regression in "add pages"
Unrelated fields affected by changes to CMS tooltips. See 1ca3883a76.
2013-02-13 10:15:06 +01:00
Sean Harvey
15a156955b Merge pull request #1172 from robert-h-curry/preview-pane-refresh
Force preview window to refresh on every save
2013-02-12 15:09:19 -08:00
Sean Harvey
b25b6d4769 Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3
API Require ADMIN for ?showtemplate=1 (3.0)
2013-02-12 15:07:34 -08:00
Sean Harvey
9337902fdd Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
d969e29d00 API Require ADMIN for ?showtemplate=1 2013-02-12 23:26:04 +01:00
Ingo Schommer
45c68d6821 API Require ADMIN for ?showtemplate=1 2013-02-12 23:21:13 +01:00
Ingo Schommer
b44720179c Merge pull request #1180 from mateusz/css-combining-media
API Add possibility to combine media-targeting stylesheets.
2013-02-12 14:13:45 -08:00
Mateusz Uzdowski
53feb3a5ae API Add possibility to combine media-targeting stylesheets. 2013-02-13 11:04:05 +13:00
Sean Harvey
02d58b1015 Merge pull request #1177 from mateusz/session-set-form-message
BUG Adjust Session::setFormMessage to fit with underlying API.
2013-02-11 15:14:12 -08:00
Mateusz Uzdowski
d52d5f71c5 BUG Adjust Session::setFormMessage to fit with underlying API. 2013-02-12 11:00:36 +13:00
uniun
8ea805e60b Long drop area title overlaps upload icon 2013-02-11 15:13:42 +02:00
ajshort
a4096ecc70 Add a self method to the SSViewer scope.
This returns the current object, and resets the scope.
2013-02-11 17:53:14 +11:00
Robert Curry
7ff8d35be0 Force preview window to refresh on every save 2013-02-08 12:04:18 +13:00
Ingo Schommer
14a56c18e9 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-02-07 21:45:16 +01:00
Jeremy Bridson
2e77e87ed3 BUGFIX: fix for broken layout in insert media dialog - Trac #8232 2013-02-07 21:43:34 +01:00