tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
21,722 Commits 31 Branches 527 Tags 162 MiB
bb03d314ff
Commit Graph

1672 Commits

Author SHA1 Message Date
Serge Latyntcev
88fde6e7c3 Merge branch '4.4' into 4 2019-09-24 17:29:06 +12:00
Serge Latyntcev
50a1aa4c4d Merge branch '4.3' into 4.4 2019-09-24 17:28:31 +12:00
Aaron Carlino
b002ef1171 Merge branch '4.4' into 4 2019-09-24 17:26:50 +12:00
Serge Latyntcev
8b7063a8e2 [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution 2019-09-24 16:03:48 +12:00
Serge Latyntcev
eccfa9b10d [CVE-2019-12203] Session fixation in "change password" form 
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
 2019-09-24 16:03:48 +12:00
Serge Latyntcev
5af205993d [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution 2019-09-24 16:00:51 +12:00
Serge Latyntcev
569237c0f4 [CVE-2019-12203] Session fixation in "change password" form 
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
 2019-09-24 16:00:51 +12:00
Jackson Darlow
a033662a3a MemberAuthenticator::recordLoginAttempt() outputs 2019-09-24 14:24:59 +12:00
Garion Herman
0d27f32cc9 FIX Add 'legal empty attributes' to allow empty alt values on imgs 
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
 2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission 
Fix administrators not being able to see files that are restricted to groups
 2019-09-23 11:13:26 -07:00
Guy Marriott
aa7c057422
FIX: Don't force-add view button to readonly GridField (fixes #… (#9254) 
FIX: Don't force-add view button to readonly GridField (fixes #9249)
 2019-09-23 10:31:25 -07:00
Loz Calver
efdb9cc718 FIX: run member CMS validator when editing via groups (fixes #9184) 2019-09-23 16:59:58 +01:00
Loz Calver
d85ff3bc44 FIX: Don't force-add view button to readonly GridField (fixes #9249) 2019-09-23 16:52:47 +01:00
bergice
6a1c6ecec6 Fix administrators not being able to see files that are restricted to groups 
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
 2019-09-23 16:44:28 +12:00
Guy Marriott
6ff97821ed Merge branch '4.4' into 4 2019-09-18 15:52:36 -07:00
Guy Marriott
7877ffcc85 Merge branch '4.3' into 4.4 2019-09-18 15:52:18 -07:00
Hayden Shaw
daf9d55ecb Allow non summary fields to be used as export fields 
Fixes regression in 3d989a6eae.
 2019-09-19 10:00:54 +12:00
Michal Kleiner
bcbf90a837 NEW Introduce supported database transaction mode check 2019-09-16 14:44:15 +12:00
Robbie Averill
aa6b244db9 Merge branch '4.4' into 4 2019-09-13 18:11:46 -07:00
Robbie Averill
592ab6abc1 Merge branch '4.3' into 4.4 2019-09-13 18:11:34 -07:00
Robbie Averill
066ce8e01c Merge branch '4.2' into 4.3 
# Conflicts:
 #	src/View/ThemeResourceLoader.php
 2019-09-13 18:10:37 -07:00
Robbie Averill
cfe86ad5a1
Merge pull request #9153 from creative-commoners/pulls/4.4/stream-ree-tags 
FIX Skip md5-ing the whole contents of a stream for etags
 2019-09-13 17:59:26 -07:00
Robbie Averill
9a76d4adb4
Merge pull request #9181 from kinglozzer/8762-shortcode-templates 
NEW: Use templates to render embed shortcodes (closes #8762)
 2019-09-13 17:58:32 -07:00
Serge Latyntsev
233e0e7aa0 ENH PasswordExpirationMiddleware implementation (#9207) 2019-09-12 14:34:06 +12:00
Aaron Carlino
da6582f593 NEW: Remove web installer, move to separate package (#9231) 
* Remove installer

* Remove exposed install files

* Replace Dev/Install classes still in use

* Update changelog

* FIX make the grid field actions consistent to what they look like on pages

Resolves https://github.com/silverstripe/silverstripe-admin/issues/904

* Docs changes
 2019-09-11 13:10:25 +12:00
Maxime Rainville
591b88a9bc BUG Allow infinite loop when calling DataObject::writeComponent() recursively 2019-09-10 14:15:28 +12:00
Robbie Averill
e8c2f963fd FIX Member::getLastName() now correctly returns the Member surname 2019-09-06 12:12:27 -07:00
Robbie Averill
41a766d135
Merge pull request #9085 from kinglozzer/9084-path-join-exception 
Catch Path::join() exceptions in findTemplate() (fixes #9084)
 2019-09-06 12:00:39 -07:00
Robbie Averill
42dd02ef78
Merge pull request #9122 from aNickzz/4 
Add onBeforeRenderHolder extension point for FormField
 2019-09-06 11:53:10 -07:00
Hels666
22a6a5b1e3 NEW Add getLastName() method to Member.php (#9222) 
* Add getLastName() method to Member.php

Add getLastName() method to Silverstripe\Security\Member.php to allow use of $LastName instead of $Surname in templates as it is a common mistake made

this is for issue #9219
as discussed in Slack on 04-Sep-2019

* Minor doc block clean-up

* Update src/Security/Member.php - typo fix

Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
 2019-09-06 20:31:22 +12:00
Maxime Rainville
dd40d53e6b Merge branch '4.4' into 4 2019-09-04 09:46:33 +12:00
Maxime Rainville
24015c7767 Merge branch '4.3' into 4.4 2019-09-04 09:42:09 +12:00
Robbie Averill
aec5051a24
Merge pull request #9206 from creative-commoners/pulls/4.3/strip-bom-on-csv-import 
FIX Byte Order Marks (BOM) are now stripped when importing CSV files
 2019-09-03 09:55:38 -07:00
Damian Mooyman
6759af3767
Escape strings a bit safer for doc generation 2019-09-03 19:38:19 +12:00
Damian Mooyman
f649657182
Clarify Director::absoluteURL behaviour 
Fixes #9111
 2019-09-03 19:34:16 +12:00
Robbie Averill
ef49dcf726
Merge pull request #9164 from sminnee/fix-9162 
FIX: Write relations when saving in grid-field item edit form
 2019-09-01 20:44:13 -07:00
Maxime Rainville
a2a202c016
Merge pull request #9200 from open-sausages/pulls/4.4.3/consistent-actions 
FIX make the grid field actions consistent to what they look like on pages
 2019-09-02 14:07:22 +12:00
bergice
2f8d847a10 FIX make the grid field actions consistent to what they look like on pages 
Resolves https://github.com/silverstripe/silverstripe-admin/issues/904
 2019-09-02 12:22:32 +12:00
Robbie Averill
0b991cc039
Merge pull request #9198 from elabuwa/pulls/4.3/bug-fix-html-entities-breadcrumbs-in-group 
Bug : Add html_entity_decode to group parents
 2019-08-30 09:51:52 +12:00
Dileep Ratnayake
fe4eb5dd2a
Update src/Security/Group.php 
Co-Authored-By: Maxime Rainville <maxime@rainville.me>
 2019-08-29 15:44:41 +12:00
Robbie Averill
77ba8391c4 FIX Byte Order Marks (BOM) are now stripped when importing CSV files 2019-08-29 14:54:57 +12:00
Maxime Rainville
73f43c6f42 BUG Remove placeholder text on new group form 2019-08-28 17:14:19 +12:00
Dileep Ratnayake
9b7075ed5d
Update Group.php 2019-08-27 16:22:00 +12:00
Dileep Ratnayake
a976a1688b
Update Group.php 
move to private method
 2019-08-27 16:21:08 +12:00
Dileep Ratnayake
40e5c4ec59
Update Group.php 
use of convert::raw2xml, rename $grp to $group
 2019-08-27 16:19:40 +12:00
Dileep Ratnayake
4f8240bd48
Update src/Security/Group.php 
Co-Authored-By: Andre Kiste <bergice@users.noreply.github.com>
 2019-08-27 12:19:03 +12:00
Will Rossiter
d2a07b1047
FIX Remove error when exporting a column that is not displayed in a GridField 2019-08-27 11:54:31 +12:00
Dileep Ratnayake
f7a602137a
add html_entity_decode to breadcrumbs 2019-08-27 11:49:17 +12:00
Loz Calver
759601741d NEW: Use templates to render embed shortcodes (closes #8762) 2019-08-21 09:32:16 +01:00
Robbie Averill
a5d6b998fc Merge branch '4.4' into 4 2019-08-16 16:40:39 +12:00
Robbie Averill
bae7e32680 FIX Member::changePassword() no longer applies password validation rules to the hashed value 2019-08-16 09:06:07 +12:00
Robbie Averill
45f86658ca Merge branch '4.4' into 4 2019-08-14 09:31:05 +12:00
Robbie Averill
4b44272367 Merge branch '4.3' into 4.4 2019-08-14 09:30:53 +12:00
Robbie Averill
d63e4b520c Merge branch '4.2' into 4.3 2019-08-14 09:30:41 +12:00
Nicholas Sorokin
4a32b3418a Add onBeforeRenderHolder extension point for FormField 2019-08-09 14:43:14 +09:30
Guy Marriott
3d989a6eae
FIX Use content generated by DataColumns component for print and csv export 2019-08-09 15:04:38 +12:00
Guy Marriott
f3132c89d7
Merge pull request #9170 from open-sausages/pulls/4/add-option-to-disable-user-agent-session-check 
API Add option to disable user-agent header session validation
 2019-08-08 11:47:07 +12:00
Aaron Carlino
b3093b7a1a BUGFIX: Allow state to be shared across nested GridFields 2019-08-07 23:09:51 +12:00
Maxime Rainville
4380d7d155 API Add option to disable user-agent header session validation 2019-08-06 22:00:01 +12:00
Robbie Averill
4268db069d
Merge pull request #9165 from sminnee/fix-multiline-gridfield 
FIX: Allow multi-line content in grid field cells
 2019-08-05 09:59:22 +12:00
Sam Minnee
6ec02da577 FIX: Allow multi-line content in grid field cells 
It’s amazing that this but has been present for 7 years, but there you
go!
 2019-08-02 17:46:56 +12:00
Sam Minnee
d088354f46 FIX: Write relations when saving in grid-field item edit form 
Fixes https://github.com/silverstripe/silverstripe-framework/issues/9162
 2019-08-02 16:17:42 +12:00
Robbie Averill
0672f8b76b NEW HTTPRequest now has hasSession() to determine whether a session exists for it 2019-08-02 11:29:23 +12:00
Robbie Averill
3224c9971b Merge branch '4.4' into 4 2019-08-02 11:24:54 +12:00
Robbie Averill
3b96c51688 Merge branch '4.3' into 4.4 2019-08-02 11:24:45 +12:00
Will Rossiter
82cc8b40a4 Create SearchContext via Injector (#9156) 2019-08-01 14:39:58 +12:00
Guy Marriott
0abfed3e06
FIX Skip md5-ing the whole contents of a stream for etags 2019-07-30 08:25:03 +12:00
Robbie Averill
5c794dfcdd FIX Prevent setting session value when no session exists yet 2019-07-29 17:16:01 +02:00
UndefinedOffset
40cd66852e BUGFIX: Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order 2019-07-26 11:54:10 -03:00
Robbie Averill
89eb6c88b2 FIX Do not try and load fixtures from directories, fixes PHP 7.4 build errors 2019-07-26 10:13:47 +02:00
Robbie Averill
d1c927ff23 FIX Remove curly brace access to string offsets, deprecated in PHP 7.4 2019-07-24 12:17:49 +02:00
Chee Wai
cb91f5fa06 NEW Added SRI support for Requirements::css, Requirements::javascript (#9139) 2019-07-21 09:51:22 +02:00
Robbie Averill
79fa61edf8 FIX Type safety on nullable argument, fixes PHP 7.4 test 2019-07-19 12:05:27 +02:00
Robbie Averill
2a1394bed7 Merge branch '4.4' into 4 2019-07-19 10:46:00 +02:00
Robbie Averill
40f06fafa9 Merge branch '4.3' into 4.4 2019-07-19 10:45:44 +02:00
Robbie Averill
c7b15eaef5 Merge branch '4.2' into 4.3 2019-07-19 10:45:29 +02:00
Simon Gow
22b514c421 #9114 - DBText::ContextSummary() cuts line breaks 
ContextSummary() was cutting the HTML which was added by nl2br because
it expected plain text elements as it's stripping and replacing text.
Instead this fix changes the behaviour to apply the nl2br after the text
changes have been made. That way we can't cut anything in the middle of
a HTML tag, but new lines, or paragraphs are replaced by BRs after,
should they exist.

- Added tests to ensure text is not cut in the middle of a sentence.
- Added test to ensure that <br>'s are added in the correct place should
the summary span between new lines.
 2019-07-19 12:43:20 +12:00
Serge Latyntcev
29a663c65d Merge branch '4.4' into 4 2019-07-15 09:24:49 +12:00
Serge Latyntcev
d667d64f13 Merge branch '4.3' into 4.4 2019-07-15 09:18:17 +12:00
Guy Marriott
ec66d366d2
NEW: Deprecated PDO in favour of native drivers (#9052) 
NEW: Deprecated PDO in favour of native drivers
 2019-07-08 12:41:13 +12:00
Serge Latyntsev
7ef13e7ef6 FIX Confirmation components to respect SS_BASE_URL (#9074) 2019-07-05 16:05:41 +12:00
Robbie Averill
844d2ef134 NEW DBDate and DBDatetime now support modify() with a strtotime() style adjustment string (#9105) 2019-07-05 15:57:23 +12:00
Sam Minnee
404366909e FIX: Fix MysqlStatement::rewind() 
Its implementation is more naive than Query’s and leads to unnecessary
seek()ing. This causes issues with the previous commit.
 2019-07-03 14:28:31 +12:00
Sam Minnee
96e7914f23 FIX: Fix MySQLQuery::seek() and Query::rewind() to fix repeated iteration 
API: Query::seek() and Query::rewind() no longer return a value.

Although breaking an API inside a patch release may seem odd, this in
fact is correcting a long-standing bug in our implementation of 
Iterator::rewind(), so I think it’s appropriate.

https://github.com/silverstripe/silverstripe-framework/issues/9097
 2019-07-03 09:20:05 +12:00
UndefinedOffset
571a4d9ace NEW: Added support for config condition if PHP extension is loaded 2019-07-02 14:55:36 -03:00
Robbie Averill
ad050997fd
Merge pull request #9070 from kinglozzer/email-plaintext 
FIX: Email::render() generating object instead of string for plaintext part (fixes #9069)
 2019-07-02 18:47:18 +12:00
Robbie Averill
fd88003646
Merge pull request #9100 from creative-commoners/pulls/4.4/dataobject-scaffolding-freedom 
Allow extensions to modify form scaffolder in DataObject
 2019-07-02 18:46:39 +12:00
Guy Marriott
59ba9a717d
FIX Allow extensions to update form scaffolding on DataObjects 2019-06-28 16:11:16 +12:00
Guy Marriott
aeefb920e1
Allow displaying partial/full query message for debugging (#9020) 
Allow displaying partial/full query message for debugging
 2019-06-28 15:15:33 +12:00
Robbie Averill
c76d3a5db1 FIX Protect against undefined index when using nullifyEmpty option 2019-06-26 09:26:36 +12:00
Loz Calver
b1551a687d Catch Path::join() exceptions in findTemplate() (fixes #9084) 2019-06-21 09:40:18 +01:00
Saophalkun Ponlu
6a8c6703d1 Remove use_gzip from HTMLEditorField since it's been removed by TinyMCE codebase (#7261) 
* Remove `use_gzip` from HTMLEditorField

* DOCS Mention remove use_gzip in changelog
 2019-06-21 09:27:48 +12:00
Mario Sommereder
260c89fd54 Fix of delimiter not used bug 
See issue https://github.com/silverstripe/silverstripe-framework/issues/8881
 2019-06-20 11:11:27 +12:00
Guy Marriott
bb5b610636
Merge branch '4.4' into 4 2019-06-17 08:58:50 +12:00
3Dgoo
7e12bee86a
Requirements_Backend.php API documentation fix 
The API documentation for Requirements_Backend is currently broken:
https://api.silverstripe.org/4/SilverStripe/View/Requirements_Backend.html#method_customScript

This is because there are unescaped start tags in the function documentation. 

This is the same as the recent #9060 PR, but for the Requirements_Backend class this time.

This fix changes the tags to be escaped.
 2019-06-15 10:37:49 +09:30
Loz Calver
8e87264864 FIX: Email::render() generating object instead of string for plaintext part (fixes #9069) 2019-06-14 11:39:47 +01:00
3Dgoo
8dcfa53109
Requirements.php API documentation fix 
The API documentation for Requirements is currently broken:
https://api.silverstripe.org/4/SilverStripe/View/Requirements.html#method_customScript

This is because there are unescaped start tags in the function documentation. 

This fix changes the tags to be escaped.
 2019-06-13 09:21:12 +09:30
Sam Minnee
27ace03273 NEW: Deprecated PDO in favour of native drivers 
https://github.com/silverstripe/silverstripe-framework/issues/8598
 2019-06-11 16:17:30 +12:00
Aaron Carlino
d04e54c1be Merge branch '4.4' into 4 2019-06-10 17:33:30 +12:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00