Antony Thorpe
6348f2e3e8
Updated Form.php & 04_Form_Security.md
...
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting. In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]." The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).
Why not make this the default behaviour? Is there a scenario where this would cause a problem? Have manually tested in the CMS (alpha7) and is working fine.
Note: Original commit that established the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Saophalkun Ponlu
e267d29b9a
BUG Consistent return values for first and last methods
2017-06-06 17:22:55 +12:00
Christopher Joe
d12c986dd5
Fixes printing from crashing
2017-06-06 13:31:37 +12:00
Daniel Hensby
9a0e01d4a0
NEW DB Driver defaults to PDO
2017-06-01 11:00:35 +01:00
Daniel Hensby
11de4abe0a
Merge pull request #6977 from andrewandante/FIX/move_dotenv_higher
...
move TRUSTED_PROXY below .env loader
2017-05-30 12:41:09 +01:00
Andrew Aitken-Fincham
8f44b8f0ba
move trusted_proxy_ips below .env loader
2017-05-30 12:18:47 +01:00
Damian Mooyman
b27ef810d4
Merge pull request #6974 from colintucker/fix-csv-bulk-loader
...
Fixes a bug with split file names during CSV import
2017-05-30 16:18:06 +12:00
Damian Mooyman
e7d87add9f
API Remove legacy HTMLEditor classes
2017-05-30 11:01:28 +12:00
Nick
acb74a8577
Fix $class variable from being clobbered
...
The $class variable gets overwritten in the function.
This causes error messages to be less helpful. For example, if you set up a has_many but forget the has_one on the other side, the error will look something like
`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'SilverStripe\View\ViewableData' to 'SomeObject' requires a has_one on 'SomeObject'`
fixing this gives a more useful error, like
`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'Page' to 'SomeObject' requires a has_one on 'SomeObject'`
2017-05-29 20:31:09 +12:00
Colin Tucker
db59e51c4a
Fixes a bug with split file names during CSV import
2017-05-29 16:08:23 +10:00
Damian Mooyman
963d9197d3
API Ensure that all DataQuery joins are aliased based on relationship name
2017-05-26 13:38:58 +12:00
Daniel Hensby
893f19a5ea
DOCS Updating index definition examples
2017-05-25 23:29:12 +01:00
Daniel Hensby
3e556b5966
NEW Move index generation to DataObjectSchema and solidify index spec
2017-05-25 23:29:12 +01:00
Damian Mooyman
0cd40ca6e5
BUG Fix minor accessors of legacy ->class property
2017-05-25 11:55:12 +12:00
Damian Mooyman
29f450b1e1
Revert injector type hint to Injector
2017-05-25 11:06:48 +12:00
Damian Mooyman
906a4c444b
API Add streamable response object
2017-05-23 16:32:29 +12:00
Damian Mooyman
d15b9ee0b0
Response to feedback
2017-05-23 13:50:35 +12:00
Damian Mooyman
fba8e2c245
API Remove Object class
...
API DataObjectSchema::manyManyComponent() return array is now associative array
2017-05-23 13:50:35 +12:00
Damian Mooyman
7e2f8d1f2d
Merge pull request #6951 from sminnee/fix-2494
...
FIX: Don’t assume posix_getpwuid is available.
2017-05-23 13:10:56 +12:00
Sam Minnee
09164e7e2a
FIX: Better error checking for non-writable temp paths
...
Fixes https://github.com/silverstripe/silverstripe-framework/issues/1666
2017-05-23 10:06:48 +12:00
Sam Minnee
40d9bbfd69
FIX: Don’t assume posix_getpwuid is available.
...
Fixes https://github.com/silverstripe/silverstripe-framework/issues/2494
In Silverstripe 3.1, on some shared hosts the following bug can occur:
Warning: posix_getpwuid() has been disabled for security reasons
2017-05-23 10:00:36 +12:00
Damian Mooyman
7bc8172bc1
Merge pull request #6937 from caffeineinc/2930-checkboxfield-invalid-html
...
CheckboxField creates invalid HTML when required #2939
2017-05-22 13:44:58 +12:00
Ingo Schommer
a433e5f4a8
Find root modules with _config.php
...
When modules are installed as the webroot,
manifest generation should behave the same way as when they're in a subfolder.
Which means accepting the module folder both with a _config/ folder
and a _config.php file present.
2017-05-22 12:16:57 +12:00
Simon Gow
cdc03602ed
CheckboxField creates invalid HTML when required #2939
...
- Updated CheckboxField, CheckboxSetField, DropdownField, OptionsetField
to validate with HTML5 attributes & aria-required.
https://www.w3.org/TR/wai-aria/states_and_properties#aria-required
2017-05-22 12:15:28 +12:00
Damian Mooyman
2aa3b5d5fa
Merge pull request #6934 from robbieaverill/pulls/4.0/consistent-instance-method
...
API Consistent use of inst() naming across framework
2017-05-22 11:57:20 +12:00
Damian Mooyman
80bff0d099
Merge pull request #6932 from mikenz/pulls/4.0/treedropdownfield-orphaned
...
Bugfix: Parent treedropdownfield for an orphaned page is broken
2017-05-22 10:53:33 +12:00
Damian Mooyman
4197090e11
Merge pull request #6940 from kinglozzer/randomgenerator
...
Only use random_bytes() for RandomGenerator (closes #6397)
2017-05-22 10:29:55 +12:00
Damian Mooyman
f35017479b
Merge pull request #6933 from robbieaverill/pulls/4.0/table-name-on-dev-build
...
Change to show created table names instead of model names in dev/build
2017-05-20 23:10:19 +12:00
Robbie Averill
4408726b6b
Change to show created table names instead of model names in dev/build
2017-05-20 16:09:49 +12:00
Loz Calver
e653e90997
Only use random_bytes() for RandomGenerator (closes #6397)
2017-05-19 11:18:56 +01:00
Robbie Averill
f2cbe86f03
Remove CustomMethods::createMethod and create_function implementations, replace with closures
2017-05-19 15:56:44 +12:00
Robbie Averill
ad43a82923
API Consistent use of inst() naming across framework
2017-05-19 14:38:06 +12:00
Ingo Schommer
100048da33
API PSR-11 compliance (fixes #6594) (#6931)
...
Note that our usage of `$asSingleton` in `get()` is fine. Quote from the PSR:
> Two successive calls to get with the same identifier SHOULD return the same value. However, depending on the implementor design and/or user configuration, different values might be returned, so user SHOULD NOT rely on getting the same value on 2 successive calls.
2017-05-19 13:45:07 +12:00
Mike Cochrane
31578d4771
Bugfix: Parent treedropdownfield for an orphaned page is broken
2017-05-19 12:15:36 +12:00
Daniel Hensby
db3e3d51fd
Merge pull request #6928 from open-sausages/pulls/4.0/form-action-handler-regression
...
Process actions on Form subclasses
2017-05-18 12:09:28 +01:00
Ingo Schommer
adbf9d9f71
Process actions on Form subclasses
...
Regression introduced through https://github.com/silverstripe/silverstripe-framework/issues/6362 .
Quote from the RFC:
```
Thus the order of action precedence becomes
action callback
action on the Form
action on the FormRequestHandler
action on any parent controller (if given)
```
2017-05-18 22:47:39 +12:00
Daniel Hensby
3495c0826e
Cleanup SapphireTest and time related tests (#6898)
...
* Test databases now include timestamp for easier debugging
* Use classname::class instead of string literal classnames
* Remove DataObject::get_one() from SapphireTest
* More fixes to ICU DB inconsistency for time formatting
* Correctly restore PHPUnit's error handler
2017-05-18 22:01:55 +12:00
Damian Mooyman
8ed675d29b
Merge pull request #4542 from patricknelson/issue-4417-validator-remove-validation-master
...
FIX for #4417: Ensuring ->removeValidation() is defined on instances of Validator. Setup new API for enabling/disabling validation. Documentation and better type handling.
2017-05-18 09:27:48 +12:00
Nick
dddf88278c
Fix a typo in comment
...
Typo
2017-05-17 22:09:07 +12:00
Loz Calver
471166c15e
Merge pull request #6169 from open-sausages/pulls/4.0/duplicate-manymany-option
...
API Duplication of many_many relationships now defaults to many_many only
2017-05-17 09:31:09 +01:00
Christopher Joe
0534a5ec0c
Fix TreeDropdownField copying
2017-05-17 16:52:21 +12:00
Christopher Joe
287ad35f0d
Fix change API to hasEmptyDefault() to be in line with SingleSelectField
2017-05-17 10:13:54 +12:00
Christopher Joe
3927e7e248
Fix added cache key for TreeDropdownField cache
2017-05-17 10:13:54 +12:00
Christopher Joe
6869e450a0
Enhancement added customisable emptyTitle and a showRootOption property in TreeDropdownField
2017-05-17 10:13:54 +12:00
Patrick Nelson
5fa3c85280
FIX for #4417: Ensuring ->removeValidation() is defined on instances of Validator. Setup new API for enabling/disabling validation. Documentation and better type handling.
2017-05-16 12:58:00 +01:00
Damian Mooyman
f5f6fdce12
API Duplication of many_many relationships now defaults to many_many only
...
Fixes https://github.com/silverstripe/silverstripe-cms/issues/1453
2017-05-16 23:26:39 +12:00
Damian Mooyman
259f957ce8
API Rename services to match FQN of interface / classes
2017-05-16 14:15:49 +12:00
Saophalkun Ponlu
1ec7c4e523
Fix lint error
2017-05-16 11:53:23 +12:00
Saophalkun Ponlu
a975b88661
Pass autofocus flag to front-end
2017-05-16 11:53:23 +12:00
Nick
eb0da138aa
Correct a typo when css/js file doesn't exist
...
Typo
2017-05-14 07:37:14 +12:00