299 Commits

Author SHA1 Message Date
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
37b8034462 Fixed changelog 2013-02-18 01:34:51 +01:00
Ingo Schommer
ad9f26a00f Updated changelog 2013-02-18 01:29:30 +01:00
Ingo Schommer
62987139d4 Updated changelog 2013-02-18 01:19:33 +01:00
Ingo Schommer
56ad1d027e Updated changelog 2013-02-18 01:03:57 +01:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
303352926b 3.0.4 changelog update 2013-02-17 23:28:22 +01:00
Ingo Schommer
50995fbecb BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Ingo Schommer
ede381326b BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
d969e29d00 API Require ADMIN for ?showtemplate=1 2013-02-12 23:26:04 +01:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Nicolaas
7f4541e9f0 Update docs/en/changelogs/3.0.0.md
minor typo
2013-01-29 17:11:47 +01:00
Will Rossiter
503ad4a2e2 Added note about reports API change in 3.2.0 changelog 2013-01-17 21:54:33 +13:00
Ingo Schommer
f72a024af5 Updated changelog notes 2012-12-18 10:40:05 +01:00
Ingo Schommer
0d37cd3e69 Updated changelog 2012-12-17 16:40:33 +01:00
Ingo Schommer
407a19cdb6 Beta changelog links 2012-12-17 14:27:31 +01:00
Ingo Schommer
75b0c3ec8f Added 3.1.0-beta1 changelog 2012-12-17 00:47:36 +01:00
Ingo Schommer
1848d7e90a API Check model permissions in GridField 2012-12-17 00:46:51 +01:00
Ingo Schommer
d13c53fda6 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/model/DataQueryTest.php
2012-12-14 10:57:28 +01:00
Ingo Schommer
6f9d01f621 API FormField->setDescription() visible in default template
Renders into <span class="description"> instead of "title" attribute
2012-12-14 01:58:04 +01:00
Ingo Schommer
b65180a7f6 Changelog update for grouped CMS buttons 2012-12-14 01:56:24 +01:00
Hamish Friedlander
27113f82c3 API Make DataList and ArrayList immutable
In 3.0 there was some confusion about whether DataLists and ArrayLists
were mutable or not. If DataLists were immutable, they'd return the result, and your code
would look like

  $list = $list->filter(....);

If DataLists were mutable, they'd operate on themselves, returning nothing, and your code
would look like

  $list->filter(....);

This makes all DataLists and ArrayList immutable for all _searching_ operations.
Operations on DataList that modify the underlying SQL data store remain mutating.

- These functions no longer mutate the existing object, and if you do not capture the value
returned by them, they will have no effect:

  ArrayList#reverse
  ArrayList#sort
  ArrayList#filter
  ArrayList#exclude

  DataList#dataQuery (use DataList#alterDataQuery to modify dataQuery in a safe manner)
  DataList#where
  DataList#limit
  DataList#sort
  DataList#addFilter
  DataList#applyFilterContext
  DataList#innerJoin
  DataList#leftJoin
  DataList#find
  DataList#byIDs
  DataList#reverse

- DataList#setDataQueryParam has been added as syntactic sugar around the most common
cause of accessing the dataQuery directly - setting query parameters

- RelationList#setForeignID has been removed. Always use RelationList#forForeignID
when querying, and overload RelationList#foreignIDList when subclassing.

- Relatedly, the protected variable RelationList->foreignID has been removed, as the ID is
now stored on a query parameter. Use RelationList#getForeignID to read it.
2012-12-14 13:30:35 +13:00
Ingo Schommer
644cc79ebb API Removed methods previously deprecated in 3.0 2012-12-14 01:16:47 +01:00
Ingo Schommer
c6b1d4aa6b API Storing alternative DB name in cookie rather than session
Session is not initialized by the time we need to use
the setting in DB::connect(). Cookie values get initialized
automatically for each request.

Tightened name format validation to ensure it can only
be used for temporary databases, rather than switching
the browser session to a different production database.

Encrypting token for secure cookie usage.
Added dev/generatesecuretoken to generate this token.
Not storing in YML config directly because of web access issues.
2012-12-13 23:21:48 +01:00
Ingo Schommer
5fed5b91c9 API Moved email bounce handling to new 'emailbouncehandler' module 2012-12-12 23:36:42 +01:00
Ingo Schommer
548ad503ed API Removed keyed arrays for title/value setting in SelectionGroup
Use SelectionGroup_Item class instead. Necessary because
of removal of array key support from ArrayList (see d12b49702).
2012-12-11 11:06:06 +01:00
Ingo Schommer
fb076c0396 API Deprecated global email methods, moved to Mailer class
Code reorganization to reduce global scope pollution.
Removed non-functional `$inlineImages` option for sending emails.
2012-12-09 22:09:35 +01:00
Ingo Schommer
3fad49e2c0 2.4.9 changelog 2012-12-04 22:47:47 +01:00
Sean Harvey
6ce6f9a2c1 Merge branch '3.0' 2012-11-26 17:17:41 +13:00
Hamish Friedlander
e934030bc1 Merge changes for 3.0.3 release into 3.0 2012-11-26 11:34:28 +13:00
Hamish Friedlander
77f7778b4a Add 3.0.3 changelog 2012-11-26 11:20:21 +13:00
Ingo Schommer
c55c7c33f8 Merge branch '3.0'
Conflicts:
	admin/code/CMSProfileController.php
	composer.json
	tests/model/DataObjectTest.php
2012-11-22 23:51:28 +01:00
Hamish Friedlander
5edf86fe7a Merge branch '3.0.3' into 3.0 2012-11-16 14:57:50 +13:00
Hamish Friedlander
fb7db6de6d Add 3.0.3-rc2 changelog 2012-11-16 14:45:20 +13:00
Sean Harvey
4ea5bc5679 adding notes about deprecated things in the core 2012-11-16 11:57:53 +13:00
Sean Harvey
078a8e9c2b Adding note about Object::add_extension() and has_extension() changes 2012-11-07 11:07:56 +13:00
Sean Harvey
169366a011 Merge branch '3.0' 2012-11-06 13:04:21 +13:00
Sean Harvey
34f9c8e866 adding 3.0.3-rc1 to changelog index 2012-11-06 10:58:55 +13:00
Sean Harvey
896ce60432 Adding changelog for 3.0.3-rc1 2012-11-06 10:41:24 +13:00
Sean Harvey
0f55a11a5a Merge pull request #872 from chillu/pulls/file-permission
API File->canEdit() returns TRUE by default (not checking CMS perms)
2012-11-04 19:33:18 -08:00
Sean Harvey
fbc6e3366b Merge branch '3.0' 2012-11-05 15:11:48 +13:00
Ingo Schommer
a7753dfa5b Moved GridField docs to reference 2012-10-30 18:59:26 +01:00
Ingo Schommer
efabde1416 Merge remote-tracking branch 'origin/3.0'
Conflicts:
	admin/css/screen.css
	admin/scss/_style.scss
	security/Member.php
2012-10-30 17:52:49 +01:00
Ingo Schommer
a502b222cc Merge remote-tracking branch 'origin/2.4' into 3.0 2012-10-30 17:24:52 +01:00
Ingo Schommer
9e595db7f3 Changelogs 2012-10-30 17:00:41 +01:00
Juan Molina
f6f96a630e Update docs/en/changelogs/3.0.0.md
Fixed broken links. Hash links were not working. I don’t know how to hide heading-anchor-link links. Tried to correct some layout errors (code quotes).
2012-10-25 17:21:31 +03:00
Ingo Schommer
f365134375 Added 2.4.8-rc1 changelog 2012-10-16 11:09:26 +02:00
Ingo Schommer
a3295e2a37 API File->canEdit() returns TRUE by default (not checking CMS perms)
This is a measure to support form fields and controllers
interacting with files in different contexts,
for example an UploadField used in a ModelAdmin,
or a website frontend. The check for 'CMS_ACCESS_AssetAdmin'
was too restricting. This wasn't a problem in 2.x simply because
the old FileField/Upload classes didn't respect File->can*()
permissions.
2012-10-12 15:42:06 +02:00
Ingo Schommer
38e7df2e91 NEW Enable SiteTree::$nested_urls by default 2012-10-08 17:05:05 +02:00