Session::$cookie_secure adds the secure property to the session Set-Cookie
command, so that the browser wouldnt send it to the server over an unencrypted
link. However the server would still send the cookie to the browser
unencrypted. Also Sessions would stop working properly in HTTP,
but SilverStripe needs them for several things, such as form validation
This patch effectively causes HTTP and HTTPS requests to each have
their own session when cookie_secure is true. The two sessions are
independant from each other, so information set in the session via
HTTPS is safe from attacks on the session via HTTP, but parts
of the site that use HTTP and the session will still work
Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
If you have a Varnish box in front of a SilverStripe install, and
you call forceSSL, the Vary header wouldnt get sent. As a result
Varnish would respond with the same redirect reponse after the
redirect, leading to an infinite loop
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.
HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce
HTTP::absoluteURLs now handles additional cases where urls were not translated.
Test cases for HTTP::absoluteURLs added for both css and attribute links.
Cleaned up replacement expression and improved documentation.
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk
Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.
Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
FIX: Ensure SSViewer::hasTemplate() is aware of themes.
To do this, RequestHandler::definingClassForAction() has been created, splitting out the code that looks up the class that defines a given action into its own method. This is then overridden in Controller to look at templates.
Without this change, a call to Cookie::get() immediately after Cookie::set()
won't return the value provided. This creates some unintuitive edge-cases,
although to date it looks like they have been worked around.
The patch doesn't have a test because our testing framework doesn't deal
with cookies well.
By default, the Session.timeout configuration option specifies the total
session time, regardless of the amount of activity. This change means
that the timeout specifies how long without any further dynamic requests
before the session cookie expires.
The way it does this is to re-set the session cookie expiry with a
subsequent Set-Cookie command each time a request that necessitates
a session is called.
Strictly speaking, it's a change in session timeout semantics, but I think
it's a good one, because total-session-time-regardless-of-activity is a
stupid timeout to include, and has more to do with the mechanics of the
internet than with application security requirements.
Cleanup of framework's use of @package and @subpackage labels and additional of labels for classes missing packages.
Moved all GridField related components to the one name.
Countless spelling fixes, grammar for other comments.
Link ClassName references in file headers.
In 3.0, doing $Action => SomeController would redirect all action requests
to that default controller. In 3.1, you need to do //$Action => SomeController
but it didnt work - those initial slashes broke matching
Regression introduced by Config API static changes.
Effectively meant that you can no longer log in to the CMS
since the cookie path is set for each URL individually...
This means that you dont have to worry about casting it
as HTMLText again when using the result in a template or other context
However in some situations code might be assuming it can
check with is_string, in which case you now need to use instanceof HTMLText
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method
Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction
RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function
GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction
Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.
Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
If creating an object using Injector::create() and constructor arguments
are passed through, in some cases where the object being created had a yml
configuration set for it, the passed in constructor arguments weren't being
passed through to the instantiation of the object.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.
HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce
HTTP::absoluteURLs now handles additional cases where urls were not translated.
Test cases for HTTP::absoluteURLs added for both css and attribute links.
Cleaned up replacement expression and improved documentation.
This reverts commit 356a367eb5.
We can't use headers_sent() to determine an accurate
content length, since PHP defaults to buffering a couple of bytes
even without ob_start() (see "output_buffering" setting).
This makes the patch harmful, since it breaks any responses relying
on more structure data, like removing closing brackets from JSON.
Which in turn breaks the CMS in horrible ways (see #8010).
See #7574 for context.
Fixed issue where convertServiceProperty is called when creating objects
with user-supplied constructor arguments, so that it's only called when
creating objects using injector configuration. This reduces the overhead
of unnecessary calls to convertServiceProperty.
Updated test cases to validate behaviour
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
These APIs are primarily intended to let developers write custom 404 handlers. They can define an onBeforeHTTPError404() method on an Extension that gets added to Controller or RequestHandler.
The SS_HTTPResponse_Exception object has also been tidied up to override the status info of any SS_HTTPResponse object that might get passed. This is mainly to make it easier for callers (such as ContentController and ModelAsController) to use RequestHandler::httpError() more consistently.
ADDED: HTTP_Request::params() to retrieve all (shifted) params used in the request
FIXED: Issue where route-table level arguments would not be accessible without using non-deprecated API.
ADDED: Test case to test the above items
UPDATED: Extended Director::test to allow for the retrieval of the request object
UPDATED: Deprecated notice on Director::urlParam and Director::urlParams
REMOVED: Unused variable
FIXED: Coding convention conformity
This allows arguments to be passed along in an $allowed_actions deceleration of
the form 'action' => '->method' in the same way that arguments can be passed to
extension constructors when adding them using $extensions or
Object::add_extension.
I.e. 'action' => '->checkerMethod(false, 7, 2, "yesterday") would call the
checkerMethod method with the boolean false the numbers 7 and 2 and the string
"yesterday" as its arguments.
filters was a DI property that could only be set via constructor. This meant that modules couldnt add a
filter without interfering with other modules. With this change you can now add a config block like:
Injector:
RequestProcessor:
properties:
filters:
- "%$MyFilter"
Which will add a filter to RequestProcessors list of filters