Commit Graph

10257 Commits

Author SHA1 Message Date
Ingo Schommer
37b8034462 Fixed changelog 2013-02-18 01:34:51 +01:00
Ingo Schommer
ad9f26a00f Updated changelog 2013-02-18 01:29:30 +01:00
Ingo Schommer
eafafb31e3 Fixed screen.css (wrong compilation) 2013-02-18 01:28:17 +01:00
Ingo Schommer
62987139d4 Updated changelog 2013-02-18 01:19:33 +01:00
Ingo Schommer
d3d0b21e80 Updated translations 2013-02-18 01:17:30 +01:00
Ingo Schommer
56ad1d027e Updated changelog 2013-02-18 01:03:57 +01:00
Ingo Schommer
190e0b8a47 Add ContentController->handleWidget() to $allowed_actions
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
d51e0bc2ec Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:30:40 +01:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
303352926b 3.0.4 changelog update 2013-02-17 23:28:22 +01:00
Ingo Schommer
f8bbc0a726 BUGFIX Escape HTML in DropdownField and ListboxField
Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
2013-02-17 23:27:15 +01:00
Ingo Schommer
604ede30a4 BUGFIX Escape HTML in CMS status messages 2013-02-17 23:27:15 +01:00
Ingo Schommer
7bb0bbff0e BUGFIX Fixed XSS in admin/security and "My Profile" forms 2013-02-17 23:27:15 +01:00
Ingo Schommer
eecd34868f BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Ingo Schommer
3e27d27f7a Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:16:25 +01:00
Ingo Schommer
50995fbecb BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Ingo Schommer
7830b5d1b1 Merge remote-tracking branch 'origin/2.4' into 3.0 2013-02-17 22:43:56 +01:00
Ingo Schommer
ede381326b BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
e21bd49462 BUG TimeField respects user choice (fixes #8260)
Regression from c969e04731.
Also fixes width to accommodate for widest common format:
"11:11:11 AM"
2013-02-17 21:00:02 +01:00
Ingo Schommer
5d3ed12e20 Nginx docs for denying composer file access (fixes #8011) 2013-02-15 19:22:21 +01:00
Marcus Nyeholt
428cbe4b03 FIX issue with Injector::create not passing args
If creating an object using Injector::create() and constructor arguments
are passed through, in some cases where the object being created had a yml
configuration set for it, the passed in constructor arguments weren't being
passed through to the instantiation of the object.
2013-02-15 10:24:47 +11:00
Julian Seidenberg
10199f908a API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:28:42 +01:00
jean
e2bf9649f3 FIX 7934 When lazy loading fields respect version of the record 2013-02-14 14:27:44 +01:00
Sean Harvey
b25b6d4769 Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3
API Require ADMIN for ?showtemplate=1 (3.0)
2013-02-12 15:07:34 -08:00
Sean Harvey
9337902fdd Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
d969e29d00 API Require ADMIN for ?showtemplate=1 2013-02-12 23:26:04 +01:00
Ingo Schommer
45c68d6821 API Require ADMIN for ?showtemplate=1 2013-02-12 23:21:13 +01:00
Ingo Schommer
2b05951d41 Merge pull request #1160 from uniun/patch-3
Incorrect Contant-Type header for RSS feeds
2013-02-07 02:14:09 -08:00
Ingo Schommer
79eacb2439 FIX Group->canEdit() correct non-admin checks (fixes #8250)
Due to changed return value of DataObject::get(),
the (negated) check always returned false.
This wasn't noticed in 3.0 because Group->canEdit() is rarely
enforced, but does become noticeable in 3.1 where GridField
checks those object-level permissions.

Thanks to @purplespider for reporting!
2013-02-07 09:19:57 +01:00
Ingo Schommer
a1beda14d1 Removed explicit pass-by-ref in DataExtension->validate()
Same fix as be97535b for 3.1. Makes the method signature
more consistent with other DataExtension methods,
and comply with its subclass implementation in
Hierarchy->validate(). See accbd7f1e2 for more comments.
2013-02-06 19:00:23 +01:00
Ingo Schommer
b31dbc0b5f Merge pull request #1163 from schwarz-computer-systeme/3.0
Update admin/javascript/lang/de_DE.js
2013-02-06 01:37:23 -08:00
senglmann
bb223bb35f Update admin/javascript/lang/de_DE.js
fixed typo in translation
2013-02-06 10:13:49 +01:00
Will Rossiter
1db0156832 Merge pull request #1162 from dhensby/patch-1
NEW Add Varchar::getSize()
2013-02-05 12:19:07 -08:00
Daniel Hensby
f0621cdd91 FEATURE: Added ability to query size of Varchar
This allows a developer to programatically access the size of the DB Varchar field. This allows us to be a bit more DRY and to define the size in one place and limit TextFields to the same value
2013-02-05 18:41:11 +00:00
uniun
e249799e9a Incorrect Contant-Type header for RSS feeds
It should be application/rss+xml but not text/xml.
2013-02-05 18:11:28 +02:00
Ingo Schommer
accbd7f1e2 Revert "FIX: Strict error warnings on DataExtension"
This reverts commit 1960df8bc3.

Revert "FIX: validate doesn't take var by reference"
This reverts commit 866bb0713b.

@ajshort has changed the method signatures in 1f6f7f08. While it wasn't explicitly noted in the commit message, I think its a good change - objects like a FieldList are always passed by reference in PHP, no need to declare that behaviour.
2013-02-04 17:23:11 +01:00
Ingo Schommer
857d8bb8df FIX Don't escape values on TreeDropdownField readonly views
They typically output TreeTitle() which is assumed to be HTML.
2013-02-04 17:15:32 +01:00
Ingo Schommer
5205a4403b Merge pull request #1156 from mandrew/patch-1
FIX: Strict error warnings on DataExtension
2013-02-04 04:49:44 -08:00
Michael Andrewartha
866bb0713b FIX: validate doesn't take var by reference
Got a bit carried away, validate doesn't take the var by reference
2013-02-04 12:42:39 +00:00
Michael Andrewartha
1960df8bc3 FIX: Strict error warnings on DataExtension
PHP is throwing strict error warnings when overriding the
updateCMSFields and other functions in custom DataExtensions due to
the fact that the abstract class doesn't declare the variables should
be passed by reference
2013-02-04 12:37:53 +00:00
Ingo Schommer
b381e9933d Include "media" attr for module customCSS() (fixes #8219) 2013-02-01 10:23:16 +01:00
Ingo Schommer
d77e06d585 Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010)
2013-01-31 10:19:17 -08:00
Ingo Schommer
1bb109041f FIX Node updates in IE without non-object error
Bug was most prominent after page publication,
which triggers a node reload. It iterated through
all node attributes to assign them to the existing node,
which apparently includes some non-scalar attributes
that can't simply be copied in IE.
2013-01-31 18:59:20 +01:00
ajshort
fd71a3d55e Consistently exposed ManyManyList information through getters. 2013-01-31 15:21:46 +01:00
Ingo Schommer
3dab996c90 Excluded Postgres from Travis (breaks build due to internal errors)
We'll need to fix the "no space left on device" issue,
most likely caused by Postgres keeping too much of a query log,
or somehow creating a history of past data.
For now, having a Postgres build breaking the whole
build process (incl. MySQL builds) does more harm than good.
2013-01-30 13:01:37 +01:00
Simon Welsh
c9f728fefb FIX Only check the remember token if a user exists 2013-01-30 09:17:47 +13:00
jean
c048a019f6 BUGFIX Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page. 2013-01-29 19:24:37 +01:00
Sam Minnee
5f9348b016 FIX: Ensure that Security views respect redirections triggered by Page_Controller::init()
Sometimes Page_Controller::init() will trigger a redirection.  For example, it may redirect to a
canonical URL.  In this case, the Security views, which co-opt Page_Controller, need to respect
this.
2013-01-29 18:19:15 +01:00
Sam Minnee
f54697930e API CHANGE: Add a PermissionFailureException that can be thrown to trigger a log-in. 2013-01-29 18:10:42 +01:00