Commit Graph

164 Commits

Author SHA1 Message Date
Damian Mooyman
1dcaf36c9b Fix merge regressions 2014-04-22 13:28:44 +12:00
Damian Mooyman
982ad569b9 Merge remote-tracking branch 'origin/3.1' 2014-04-22 12:09:51 +12:00
Damian Mooyman
997077ae83 API Security.remember_username to disable login form autocompletion 2014-04-11 09:05:25 +12:00
Simon Welsh
d431e98ecf Merge branch '3.1'
Conflicts:
	forms/Form.php
	forms/FormField.php
	security/Member.php
	security/MemberLoginForm.php
2014-03-10 22:58:49 +13:00
Damian Mooyman
0cbad41d3b Rewrote usages of error suppression operator 2014-03-05 15:48:55 +13:00
Damian Mooyman
1cc366fe23 Merge pull request #2850 from kinglozzer/2827-member-extend
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
2014-03-04 13:42:17 +13:00
Ingo Schommer
c047a7b990 Reset FailedLoginCount on successful password reset 2014-03-03 17:47:16 +13:00
Loz Calver
d91c7d14b8 FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
Fix usage of  inside closure

Can't use self:: in closure either

Basic unit tests to check extensions are applied correctly
2014-02-16 21:21:15 +00:00
Ingo Schommer
6906c9bd1a API Removed auto-detection for i18n date/time formats
Default to "yyyy-MM-dd" for date format, and "H:mm" for time_format.
Switched to config API for setting/getting values.

Avoid using "MMM" in particular, since it causes
inconsistencies in month names between jQuery UI and Zend_Locale_Format.

Fixes https://github.com/silverstripe/silverstripe-cms/issues/544
2014-02-16 23:57:49 +13:00
micmania1
229bea399b added logout url to Security and deprecated Security::set_login_url in favour of config 2013-12-20 21:55:54 +00:00
Andrew Short
bedf292612 Merge branch '3.1'
Conflicts:
	docs/en/reference/execution-pipeline.md
	lang/nl.yml
2013-11-11 18:18:25 +11:00
andrewvt
389bdb4ddf Added a unit test for removeFromGroupByCode()
Added a unit test for removeFromGroupByCode()
2013-10-31 22:05:13 -04:00
Ingo Schommer
628b920ea7 Fixed merge error in MemberTest 2013-10-23 18:26:05 +02:00
Ingo Schommer
b56ca812dc Merge remote-tracking branch 'origin/3.1'
Conflicts:
	tests/security/MemberTest.php
2013-10-23 14:53:29 +02:00
Ingo Schommer
d75f545887 Clear DB caches in SecurityTest 2013-10-20 14:23:23 +02:00
Thomas Speak
d22ca62c6f BUG FailedLoginCount reset
If you fail your maximum login attempts and are locked out, further failed login attempts add to your already existing FailedLoginCount as it is only reset if you log in successfully. This means that if you're locked out, then try again, one failure will automatically lock you out again, regardless of what you set your max limit to.

Example:

lock_out_after_incorrect_logins: 3
FailedLoginCount: 0

The user fails three login attempts.

lock_out_after_incorrect_logins: 3
FailedLoginCount: 3

The user is now locked out.

Lockout time passes.

The user fails their 4th login.

lock_out_after_incorrect_logins: 3
FailedLoginCount: 4

This will continue to happen until the user successfully logs in, without giving them the pre-defined amount of login attempts again due to this condition being met after every incorrect login:
```php
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
```

FailedLoginTestCount Test Added
2013-10-18 13:48:11 +01:00
Will Rossiter
813d34b15e FIX: Use Injector API for managing Member_Validator instance.
Updates the CMS profile page and SecurityAdmin to give developers a few ways to customise the required fields.

Added extension hook updateValidator for getValidator for things like modules to inject required fields to go along with Injector for replacing the entire class for project specific use.
2013-10-16 11:29:43 +13:00
Ingo Schommer
cfa88adf4b FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
68ca47b0dd FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Ingo Schommer
b58e2dbe3a Member.lock_out_delay_mins configurable, password security docs 2013-07-11 09:47:28 +02:00
Simon Welsh
d844c74e3c Merge branch '3.0' into 3.1
Conflicts:
	.travis.yml
	control/HTTP.php
	email/Mailer.php
	tests/control/HTTPTest.php
2013-07-05 10:17:14 +12:00
Ingo Schommer
067a94bd93 Postgres compat in MemberCsvBulkLoaderTest and GroupTest 2013-07-04 22:46:23 +02:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Hamish Friedlander
7efae6b95f Merge remote-tracking branch 'origin/3.0' into 3.1 2013-02-18 14:31:57 +13:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
d8bfc0bb48 API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. 2013-01-29 18:03:47 +01:00
Ingo Schommer
22eeaa4ac1 BUG Members should not be allowed to delete themselves (fixes #8121) 2012-12-16 23:53:45 +01:00
Ingo Schommer
644cc79ebb API Removed methods previously deprecated in 3.0 2012-12-14 01:16:47 +01:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c Add codesniffer that ensures indentation is with tabs. 2012-12-12 00:12:11 +13:00
Ingo Schommer
15a687f1e7 Merge remote-tracking branch 'origin/3.0' 2012-11-23 15:31:08 +01:00
Ingo Schommer
aa72425e84 Fixed PHPUnit assertions for incomplete tests in core
Avoid PHPUnit throwing "test didn't run any assertions"
notices in PHP. If nothing else, it keeps test output
looking less broken by default, making it more likely
that actual errors do get noticed.
2012-11-23 15:16:39 +01:00
Ingo Schommer
c55c7c33f8 Merge branch '3.0'
Conflicts:
	admin/code/CMSProfileController.php
	composer.json
	tests/model/DataObjectTest.php
2012-11-22 23:51:28 +01:00
Mateusz Uzdowski
a8b0e44d98 API Hash autologin tokens before storing in the database.
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.

This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Andrew O'Neil
6dd6a5c188 APICHANGE: Use late static binding for Object::remove_extension() 2012-11-07 11:07:55 +13:00
Andrew O'Neil
fdea5321c7 APICHANGE: add_extension() is now called directly on the class, instead of on Object 2012-11-07 11:07:55 +13:00
Ingo Schommer
56f7ce1dcf Merge remote-tracking branch 'origin/3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	control/HTTPResponse.php
	model/Database.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	view/Requirements.php
	view/SSViewer.php
2012-10-03 16:16:19 +02:00
Sam Minnee
1f7fc1f76a FIX Remove instances of lines longer than 120c
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit.  This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Simon Welsh
1e629f4585 Merge branch '3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	dev/Profiler.php
	view/Requirements.php
2012-09-21 14:56:56 +12:00
Ingo Schommer
e2f073f38a Method visibility according to coding conventions 2012-09-20 10:46:59 +02:00
Ingo Schommer
4b9ccabcf6 Merge pull request #603 from willrossi/trac7296
FIX: ensure permissions_for_member() accounts for denied permissions
2012-07-05 09:26:04 -07:00
Will Rossiter
f9ea5430bb API: add SecurityToken::reset() as a shortcut for regenerating a secure token.
See http://open.silverstripe.org/ticket/6303
2012-07-01 20:53:58 +12:00
Will Rossiter
9babb01a4b FIX: ensure that permissions_for_member() accounts for denied permissions.
Taken from http://open.silverstripe.org/ticket/7296. PermissionTest extended to validate that permissions_for_member() includes permissions denied pre applying patch. PermissionTest passes post patch.
2012-07-01 17:55:20 +12:00
Will Rossiter
a4bce3fc44 ENHANCEMENT: remove dependencies between framework tests and cms module. 2012-06-20 16:17:29 +02:00
Sam Minnee
09e821efc3 MINOR: Don't leave cost=31 blowfish setting dormant in code, causing timeouts. 2012-06-15 13:47:38 +12:00
Cam Spiers
9139f737b8 ENHANCEMENT: Added the ability to set a cost (the property was protected before and there were no setters and getters) and enforced the php requirements on the cost string used in the salt of crypt. Specifically, two digit from 04-31. Updated unit tests for blowfish algorithm to actually use the salt generation function and to test the newly implemented cost setting and getting functionality. 2012-06-14 15:13:11 +12:00
Stig Lindqvist
bbe3879eaa BUGFIX: Member::mapInGroups() throws SQL error
Renamed the Member::mapInGroups() to Member::map_in_groups() since it's a static method and throws deprecation message if using the old variant.
Rewrote the mapInGroups to use a more ORMy way of fetching Members for a set of groups and included a test for.
2012-05-10 13:53:54 +12:00
Sean Harvey
b1e17578c7 API CHANGE Removed assertType() and assertEmpty() workarounds. Use assertInstanceOf()
instead of assertType(), assertEmpty() is available in PHPUnit 3.5+.
PHPUnit 3.4 is no longer supported, so please upgrade your version to
work.

MINOR Removed FullTestSuite which was a workaround for PHPUnit but not
used.
2012-05-09 23:05:39 +12:00