Commit Graph

1039 Commits

Author SHA1 Message Date
Loz Calver
b7480b92a9 FIX: Hide 'Logged Passwords' tab in member CMS fields (fixes #4422) 2015-07-22 14:40:09 +01:00
Daniel Hensby
ca8d0f2818 Merge branch '3.1' into 3.2
Conflicts:
	dev/Debug.php
	docs/en/05_Contributing/01_Code.md
	forms/FormField.php
	i18n/i18nTextCollector.php
	model/DataQuery.php
2015-07-20 10:48:01 +01:00
Damian Mooyman
6fabd0122b BUG Fix potential XSS injection 2015-07-01 17:41:32 +12:00
Sean Harvey
fd755a7ff9 BUG ChangePasswordForm validation message should render HTML correctly.
HTML shows up in the form message escaped, but it shouldn't be.
2015-07-01 17:41:32 +12:00
Daniel Hensby
3507ddb0e8 FIX MemberPassword history removed with with Members
Currently Members that were deleted would still have their passwords
stored in the DB even though they were deleted. This seems unnecessary
and just increases data that could potentially be compromised later.
2015-06-24 21:04:23 +01:00
Phill Price
b2024107a9 DOCS: Typo in a block 2015-06-24 11:57:12 +01:00
Damian Mooyman
e14f743bf0 Set deprecation level for all changes in 3.x to 4.0 2015-06-19 13:07:41 +12:00
Damian Mooyman
58cc3da8d8 API Revert DataObject::validate to 3.1 method signature (protected) 2015-06-16 11:59:21 +12:00
Damian Mooyman
8331171f2c Merge remote-tracking branch 'origin/3.1' into 3
Conflicts:
	.scrutinizer.yml
	admin/javascript/LeftAndMain.Panel.js
	core/startup/ParameterConfirmationToken.php
	dev/Debug.php
	dev/FixtureBlueprint.php
	docs/en/00_Getting_Started/05_Coding_Conventions.md
	docs/en/00_Getting_Started/index.md
	docs/en/02_Developer_Guides/01_Templates/01_Syntax.md
	filesystem/File.php
	filesystem/Folder.php
	forms/FieldList.php
	forms/LabelField.php
	forms/MoneyField.php
	forms/TextField.php
	forms/TreeDropdownField.php
	forms/Validator.php
	forms/gridfield/GridField.php
	forms/gridfield/GridFieldExportButton.php
	lang/de.yml
	lang/fi.yml
	model/DataObject.php
	model/SQLQuery.php
	parsers/ShortcodeParser.php
	security/ChangePasswordForm.php
	security/Security.php
	tests/control/DirectorTest.php
	tests/core/startup/ParameterConfirmationTokenTest.php
	tests/dev/FixtureBlueprintTest.php
	tests/forms/FieldListTest.php
	tests/forms/MoneyFieldTest.php
	tests/model/SQLQueryTest.php
	tests/security/SecurityTest.php
2015-06-02 19:13:38 +12:00
Damian Mooyman
22a35e48a9 BUG Fix malformed urls redirecting to external sites 2015-05-28 10:12:18 +12:00
Stevie Mayhew
0d94cf15a5 UPDATE: change all instances of $this->request to use appropriate getter/setter 2015-04-30 11:04:08 +12:00
Daniel Hensby
c2fd18e829 FIX use config for Security::$login_url 2015-04-23 17:20:07 +01:00
Damian Mooyman
95c162ef0d API Security better respects BackURL on login
BUG Restore missing authentication message not appearing in the login form $Content area (regression from #1807)
2015-03-31 20:22:35 +13:00
Damian Mooyman
43f49e8434 Merge remote-tracking branch 'origin/3.1' into 3
Conflicts:
	admin/code/ModelAdmin.php
	control/Director.php
	model/SQLQuery.php
	security/Member.php
	tests/control/HTTPTest.php
	tests/model/SQLQueryTest.php
	tests/security/SecurityTest.php
	tests/view/SSViewerTest.php
2015-03-31 19:54:15 +13:00
Damian Mooyman
8d6cd1529f BUG Fix some database errors during dev/build where an auth token exists for the current user
Fixes #3660
2015-03-25 11:34:13 +13:00
Damian Mooyman
a775a44387 Merge pull request #4016 from guru-digital/REDIRECT_fix
HTTP basic auth fix
2015-03-19 14:55:20 +13:00
Daniel Hensby
de2aa47250 Merge pull request #4006 from kinglozzer/patch-1
FIX: Security::$default_message_set Config value unusable
2015-03-17 17:05:01 +00:00
Loz Calver
a61c08d031 FIX: Security::$default_message_set Config value unusable 2015-03-17 15:51:31 +00:00
Corey Sewell
46e61b3448 Check both $_SERVER['HTTP_AUTHORIZATION'] and $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] for HTTP Basic authentication headers 2015-03-17 14:15:54 +13:00
Loz Calver
c58f4c469d Replace core uses of DataObject::has_one/has_many/many_many 2015-03-13 16:16:12 +00:00
Damian Mooyman
319b96b48b Merge remote-tracking branch 'origin/3.1' into 3
Conflicts:
	docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
	docs/en/05_Contributing/01_Code.md
	forms/TreeDropdownField.php
	model/DataObject.php
	security/Member.php
	tests/model/DataObjectTest.php
2015-03-11 11:40:06 +13:00
Daniel Hensby
d2a3da2203 Making docs gender agnostic 2015-03-07 12:32:04 +00:00
Damian Mooyman
dff65867cc Merge remote-tracking branch 'origin/3.1' into 3
Conflicts:
	control/HTTP.php
	control/HTTPResponse.php
	docs/en/05_Contributing/01_Code.md
	forms/CompositeField.php
	forms/FormAction.php
	forms/FormField.php
	forms/InlineFormAction.php
	forms/NumericField.php
	forms/TreeDropdownField.php
	forms/TreeMultiselectField.php
	templates/forms/TreeDropdownField.ss
	tests/core/CoreTest.php
	tests/forms/NumericFieldTest.php
	tests/model/DataDifferencerTest.php
2015-02-20 10:17:19 +13:00
Damian Mooyman
49c462710d Merge pull request #3795 from uniun/patch-2
FIX. Summary fields can't be translated
2015-02-16 15:55:29 +13:00
Daniel Hensby
89c14d079d Making TreeMultiSelectField consistent with parent class
NEW TreeDropdownField sanatiser helper added
Use config for default_cast of objects
FIX Determine if Diffed value should be escaped
Forcing casting for core DB fields
Fixing permissions labels
2015-02-13 11:12:30 +13:00
Cameron Bourgeois
88ac537e96 Change date format to set AutoLoginExpired correctly 2015-02-08 19:49:54 +13:00
Elvinas L.
32ce85d9f4 FIX. Summary fields can't be translated
fieldLabels() now can find these fields and translate them.
2015-01-15 15:09:32 +02:00
Damian Mooyman
88fdc75456 Merge remote-tracking branch 'composer/3.1' into 3
Conflicts:
	.editorconfig
	docs/en/00_Getting_Started/00_Server_Requirements.md
	docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_IIS7.md
	docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Windows_Platform_Installer.md
	docs/en/00_Getting_Started/04_Directory_Structure.md
	docs/en/00_Getting_Started/index.md
	docs/en/01_Tutorials/01_Building_A_Basic_Site.md
	docs/en/01_Tutorials/02_Extending_A_Basic_Site.md
	docs/en/01_Tutorials/03_Forms.md
	docs/en/01_Tutorials/04_Site_Search.md
	docs/en/01_Tutorials/05_Dataobject_Relationship_Management.md
	docs/en/01_Tutorials/index.md
	docs/en/02_Developer_Guides/00_Model/01_Data_Model_and_ORM.md
	docs/en/02_Developer_Guides/00_Model/11_Scaffolding.md
	docs/en/02_Developer_Guides/01_Templates/06_Themes.md
	docs/en/02_Developer_Guides/03_Forms/How_Tos/Simple_Contact_Form.md
	docs/en/02_Developer_Guides/05_Extending/05_Injector.md
	docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
	docs/en/02_Developer_Guides/10_Email/index.md
	docs/en/02_Developer_Guides/11_Integration/01_RestfulService.md
	docs/en/02_Developer_Guides/12_Search/01_Searchcontext.md
	docs/en/02_Developer_Guides/14_Files/index.md
	docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/03_CMS_Layout.md
	docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/06_Javascript_Development.md
	docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Tree.md
	docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_Site_Reports.md
	docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md
	docs/en/04_Changelogs/3.1.9.md
	docs/en/05_Contributing/00_Issues_and_Bugs.md
	docs/en/05_Contributing/02_Release_Process.md
	docs/en/05_Contributing/03_Documentation.md
	filesystem/File.php
	filesystem/GD.php
	model/DataDifferencer.php
	model/Versioned.php
	security/BasicAuth.php
	security/Member.php
	tests/filesystem/FileTest.php
	tests/forms/uploadfield/UploadFieldTest.php
	tests/model/VersionedTest.php
	tests/security/BasicAuthTest.php
2015-01-15 18:52:46 +13:00
Will Rossiter
220bdf342c Merge pull request #3577 from tractorcow/pulls/3.1/fix-basicauth-resetlogin
BUG Fix BasicAuth not resetting failed login counts on authentication
2015-01-15 11:03:52 +13:00
Daniel Hensby
b2ace2b76c Merge pull request #3689 from guru-digital/patch-2
Add ability to use Basic Auth when running PHP in CGI mode in Apache
2014-12-08 18:39:42 +00:00
Corey Sewell
fbebf96d66 Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule
Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode
Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md
Added notes  to docs/en/changelogs/3.1.9.md
2014-12-05 11:35:52 +13:00
Damian Mooyman
19549d620f Moved deprecation of SQLQuery to 4.0 2014-12-04 09:30:50 +13:00
JorisDebonnet
1cd54e6bdc Update Member.Email from 256 to 254 length
Fixes #3074
2014-11-29 22:30:11 +01:00
Damian Mooyman
31b5a9dc86 API Allow CMS re-authentication to be completely disabled if necessary 2014-11-21 17:43:53 +13:00
Damian Mooyman
6baf63e18c Merge remote-tracking branch 'origin/3.1'
Conflicts:
	dev/install/install.php5
	docs/en/changelogs/index.md
	security/Security.php
2014-11-19 11:16:46 +13:00
Damian Mooyman
ce93a8a98e Resolve merge regressions 2014-11-19 11:05:07 +13:00
Damian Mooyman
2bdfd65e9b BUG Security::findAnAdministrator doesn't always find an admin 2014-11-18 15:36:34 +13:00
Damian Mooyman
0b1f297873 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
	README.md
	admin/code/LeftAndMain.php
	admin/css/screen.css
	admin/scss/screen.scss
	api/RestfulService.php
	conf/ConfigureFromEnv.php
	control/injector/ServiceConfigurationLocator.php
	control/injector/SilverStripeServiceConfigurationLocator.php
	core/ClassInfo.php
	core/Object.php
	css/AssetUploadField.css
	css/ComplexTableField_popup.css
	dev/CSSContentParser.php
	dev/DevelopmentAdmin.php
	docs/en/changelogs/index.md
	docs/en/misc/contributing/code.md
	docs/en/reference/execution-pipeline.md
	filesystem/GD.php
	filesystem/ImagickBackend.php
	filesystem/Upload.php
	forms/Form.php
	forms/FormField.php
	forms/HtmlEditorConfig.php
	forms/gridfield/GridFieldDetailForm.php
	forms/gridfield/GridFieldSortableHeader.php
	lang/en.yml
	model/Aggregate.php
	model/DataList.php
	model/DataObject.php
	model/DataQuery.php
	model/Image.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	model/fieldtypes/HTMLText.php
	model/fieldtypes/Text.php
	scss/AssetUploadField.scss
	search/filters/SearchFilter.php
	security/Authenticator.php
	security/LoginForm.php
	security/Member.php
	security/MemberAuthenticator.php
	security/MemberLoginForm.php
	security/Security.php
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsFormsContext.php
	tests/control/HTTPTest.php
	tests/control/RequestHandlingTest.php
	tests/filesystem/UploadTest.php
	tests/forms/FormTest.php
	tests/forms/NumericFieldTest.php
	tests/model/DataListTest.php
	tests/model/DataObjectTest.php
	tests/model/TextTest.php
	tests/security/MemberAuthenticatorTest.php
	tests/security/SecurityDefaultAdminTest.php
	tests/view/SSViewerCacheBlockTest.php
	tests/view/SSViewerTest.php
2014-11-18 12:45:54 +13:00
Damian Mooyman
9d78eb7fe6 BUG Fix BasicAuth not resetting failed login counts on authentication 2014-10-24 14:19:12 +13:00
Damian Mooyman
53c40a94fa API Enable re-authentication within the CMS if a user session is lost
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Daniel Hensby
3b9056fc01 NEW Cookie_Backend for managing cookie state
I've decoupled `Cookie` from the actual act of setting and getting
cookies. Currently there are a few limitations to how Cookie works that
this change mitigates:

0. `Cookie` currently changes the super global `$_COOKIE` when setting
to make the state of an application a bit more managable, but this is
bad because we shouldn't be modifying super globals
0. One can't actually change the `$cookie_class` once the
`Cookie::$inst` has been instantiated
0. One can't test cookies as there is no class that holds the state of
the cookies (it's just held in the super global which is reset as part
of `Director::test()`
0. One can't tell the origin of a cookie (eg: did the application set it
and it needs to be sent, or did we receive it from the browser?)
0. `time()` was used, so testing was made difficult
0. There was no way to get all the cookies at once (without accessing
the super global)

Todos are on the phpdoc and I'd like to write some tests for the backend
as well as update the docs (if there are any) around cookies.
DOCS Adding `Cookie` docs

Explains basic usage of `Cookie` as well as how the `Cookie_Backend`
controls the setting and getting of cookies and manages state of sent vs
received cookies
Fixing `Cookie` usage

`Cookie` is being used inconsistently with the API throughout framework.
Either by not using `force_expiry` to expire cookies or setting them to
null and then expiring them (which is redundant).
NEW `Director::test()` takes `Cookie_Backend` rather than `array` for `$cookies` param
2014-10-06 17:44:51 +13:00
Will Rossiter
61ec808604 Set $lock_out_after_incorrect_logins out of the box 2014-09-26 10:49:53 +12:00
Will Rossiter
4b6a03bb0b Fix deprecation warning with word_list 2014-08-31 15:59:16 +12:00
Damian Mooyman
e301279358 Merge pull request #3425 from halkyon/removing_deprecated2
Removing deprecated class/functions marked for deprecation in 3.0/3.1
2014-08-26 09:13:08 +12:00
Ingo Schommer
e56ad9b37c Don't clear BackURL after MemberAuthenticator::authenticate()
It breaks logic flow, e.g. when

Its called by BasicAuth:requireLogin() when basic auth is enabled,
before any controller logic kicks in (on every HTTP request).
This means you can't use session-based BackURLs with basic auth enabled,
breaking flows like redirection after Facebook logins.

I can't see why a clear() was necessary here, looks like a overly
cautious way to prevent infinite loops? Can't see how those
would be caused by requireLogin() though.

Been there since all the way back in 2007: a377a67e54
2014-08-25 23:12:52 +12:00
Sean Harvey
07eef2ece2 Removing deprecated class/functions marked for deprecation in 3.0/3.1 2014-08-25 12:06:05 +12:00
Sean Harvey
0e07f1a7f5 Merge remote-tracking branch 'origin/3.0' into 3.1 2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b FIX Opt-out pf form message escaping (fixes #2796)
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 16:59:34 +12:00
Damian Mooyman
eb069e605d Remove all redundant whitespace 2014-08-19 09:17:15 +12:00
Sean Harvey
404478b07f Removing @deprecated 3.1 functionality and classes.
Changelog has been updated to include what was removed in terms of
major functionality, and what to use as a replacement.
2014-08-18 16:00:13 +12:00