Damian Mooyman
7367cf54c4
[ss-2015-020]: Prevent possible Privilege escalation
2015-09-10 13:01:24 +12:00
Daniel Hensby
c2fd18e829
FIX use config for Security::$login_url
2015-04-23 17:20:07 +01:00
Daniel Hensby
de2aa47250
Merge pull request #4006 from kinglozzer/patch-1
...
FIX: Security::$default_message_set Config value unusable
2015-03-17 17:05:01 +00:00
Loz Calver
a61c08d031
FIX: Security::$default_message_set Config value unusable
2015-03-17 15:51:31 +00:00
Damian Mooyman
2bdfd65e9b
BUG Security::findAnAdministrator doesn't always find an admin
2014-11-18 15:36:34 +13:00
Damian Mooyman
53c40a94fa
API Enable re-authentication within the CMS if a user session is lost
...
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Damian Mooyman
997077ae83
API Security.remember_username to disable login form autocompletion
2014-04-11 09:05:25 +12:00
Ingo Schommer
23371b01aa
"lost password" translation master ( fixes #2725 )
2013-12-19 20:00:59 +01:00
Mateusz Uzdowski
1a39f61598
BUG Fix the password reset message to be shown consistently.
...
If we detect any of the password reset GET params, it's safe to assume
that someone intended a password reset, regardless of other conditions.
2013-10-25 09:29:21 +13:00
Sean Harvey
e43ca931d6
Merge pull request #2343 from chillu/pulls/security-404
...
Returning 404 on /Security, instead of Controller.ss template
2013-09-05 18:56:23 -07:00
Simon Welsh
151baeede1
Correct line length and indentation
2013-08-21 18:54:05 +12:00
Ingo Schommer
18ae4c5db6
Returning 404 on /Security, instead of Controller.ss template
...
We shouldn't expose unsolicited content on public URLs,
mainly because it impacts SEO.
2013-08-20 21:12:55 +02:00
Julian Seidenberg
17e0432252
BUG adding a more descriptive message when the CMS session times out. It used to say "Forbidden", now it says "Not logged in".
2013-08-06 17:27:37 +12:00
Ingo Schommer
d4a1e6d294
BUG Prevent clickjacking in CMS and Security controllers ( fixes #2215 )
2013-07-14 22:44:09 +02:00
Simon Welsh
1d5ac5876b
Only redirect on logout if we're not already redirecting
2013-06-27 09:49:10 +12:00
Sean Harvey
15f7c884f8
Merge pull request #1756 from halkyon/permission_denied_hook
...
BUG Security::permissionFailure() fixing permissionDenied hook inconsistency
2013-05-13 02:15:58 -07:00
Josua2012
59be4a3be0
Allow custom ChangePasswordForm form
...
With this modification we can use Object::useCustomClass() to create a
custom ChangePasswordForm form:
Object::useCustomClass('ChangePasswordForm',
'CustomChangePasswordForm');
2013-05-08 09:39:39 +02:00
Will Morgan
8f6451612b
Use correct config variable name in encrypt_password
...
Use correct config variable name in encrypt_password
Fixes https://github.com/silverstripe/sapphire/issues/1709
2013-04-28 09:58:42 +12:00
Sean Harvey
1eadff5a4f
BUG Security::permissionFailure() fixing permissionDenied hook inconsistency
...
permissionDenied only works if Security::permissionFailure() is called when
there's currently no logged in Member. This fixes it so failed attempts
with logged in Member also includes the permissionDenied hook.
In addition, fix an undefined $member variable
2013-04-12 10:59:00 +12:00
Ingo Schommer
7d6edccb0a
Marked Security.token as private
2013-04-09 01:48:20 +02:00
Ingo Schommer
3334eafcb1
API Marked statics private, use Config API instead ( #8317 )
...
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
bea1b9002d
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
control/HTTP.php
2013-02-26 13:28:35 +01:00
Ingo Schommer
0c6ac1960e
Fixed whitespace usage
2013-02-18 15:43:52 +01:00
Hamish Friedlander
7efae6b95f
Merge remote-tracking branch 'origin/3.0' into 3.1
2013-02-18 14:31:57 +13:00
Ingo Schommer
30096ee730
BUGFIX Keep Member.PasswordEncryption setting on empty passwords
...
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
634c91c6ff
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
email/Mailer.php
2013-01-30 12:46:24 +01:00
jean
c048a019f6
BUGFIX Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page.
2013-01-29 19:24:37 +01:00
Sam Minnee
5f9348b016
FIX: Ensure that Security views respect redirections triggered by Page_Controller::init()
...
Sometimes Page_Controller::init() will trigger a redirection. For example, it may redirect to a
canonical URL. In this case, the Security views, which co-opt Page_Controller, need to respect
this.
2013-01-29 18:19:15 +01:00
Sam Minnee
d8bfc0bb48
API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself.
2013-01-29 18:03:47 +01:00
Ingo Schommer
d13c53fda6
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
tests/model/DataQueryTest.php
2012-12-14 10:57:28 +01:00
Justin Martin
a355e1d03d
BUG: Set visibility on login form methods to public.
2012-12-14 13:42:11 +13:00
Ingo Schommer
c6b1d4aa6b
API Storing alternative DB name in cookie rather than session
...
Session is not initialized by the time we need to use
the setting in DB::connect(). Cookie values get initialized
automatically for each request.
Tightened name format validation to ensure it can only
be used for temporary databases, rather than switching
the browser session to a different production database.
Encrypting token for secure cookie usage.
Added dev/generatesecuretoken to generate this token.
Not storing in YML config directly because of web access issues.
2012-12-13 23:21:48 +01:00
Simon Welsh
b0121b541c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 00:12:11 +13:00
Mateusz Uzdowski
a8b0e44d98
API Hash autologin tokens before storing in the database.
...
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.
This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Sean Harvey
3451da001a
BUG Fixing session keep alive for non-ADMIN users
...
SecurityAdmin isn't always available for CMS users, as they might
not have permission to view that section. This fixes the problem
with session keep alive by moving the ping to Security/ping, which
is available for all users.
2012-11-05 15:41:10 +13:00
Damian Mooyman
c99991ba7a
BUG Dummy Page_Controller initiated during login now is correctly initialised via dependency injection
2012-10-11 13:45:54 +13:00
Sam Minnee
1f7fc1f76a
FIX Remove instances of lines longer than 120c
...
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
e2f073f38a
Method visibility according to coding conventions
2012-09-20 10:46:59 +02:00
Sam Minnee
3f0136749b
API CHANGE: Add Security::ignore_disallowed_actions() to allow site features to be disabled when permissions have failed, rather than redirecting to the log-in form. (Trac #7097 )
2012-06-15 15:17:48 +12:00
Sean Harvey
45465dca91
Merge pull request #483 from halkyon/cms_ping_keepalive
...
Re-instate CMS ping to ensure sessions are kept alive
2012-05-23 15:55:22 -07:00
Sean Harvey
77c2365b87
MINOR Replacing deprecated static function calls to Director with
...
current Controller instance replacements.
2012-05-23 21:50:02 +12:00
Sean Harvey
ecf847b61c
ENHANCEMENT Re-instate pinging every 5 minutes in the CMS as a measure
...
to keep sessions alive. Moved Security/ping to admin/security/ping
2012-05-23 17:15:17 +12:00
Sean Harvey
151abde17d
Merge pull request #388 from chillu/trac/7170-i18n-sprintf-injections
...
#7170 i18n sprintf injections
2012-05-02 16:18:30 -07:00
Andrew O'Neil
fa60f9e8b2
ENHANCEMENT: Implement blowfish encryption and use it by default. ( #7111 )
2012-05-02 13:51:29 +12:00
Ingo Schommer
7b18d9d0da
MINOR Switching _t() calls from sprintf() to using injection parameters ( #7170 )
2012-05-01 22:17:00 +02:00
Sean Harvey
0882741f54
API CHANGE Renamed setModel for DataModel instances to setDataModel for
...
semantics, and also to allow a field name called "Model"
2012-05-01 14:45:44 +12:00
Ingo Schommer
d44f6b3e1f
MINOR Removed deprecated usage of $priority argument in _t() calls
2012-04-15 17:17:17 +02:00
Simon Welsh
f07258f3cf
MINOR Update @package values to match renaming sapphire
2012-04-15 10:50:19 +12:00
Simon Welsh
3a6341a251
API-CHANGE sapphire folder can now be renamed.
2012-04-15 10:50:19 +12:00