Commit Graph

12231 Commits

Author SHA1 Message Date
Ingo Schommer
7c99cb4668 Merge branch 'pulls/security-issues-august-3.0' into 3.0 2013-09-12 15:45:13 +02:00
Ingo Schommer
5e0315dc62 Safety note on DataObject::validation_enabled 2013-09-12 15:42:43 +02:00
Ingo Schommer
f803704d91 FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
8b5c8eab72 Linking to older security issue in change log
Mainly for consistency with the newer format
2013-09-12 15:42:43 +02:00
Ingo Schommer
05757efceb FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
6cff9671d4 FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)
See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
cb517fda9e Safety note on DataObject::$validation_enabled 2013-09-12 15:42:36 +02:00
Ingo Schommer
091c096dbf FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
a492d56f7c 3.1.0-rc2 changelog 2013-09-12 15:42:36 +02:00
Ingo Schommer
cfa88adf4b FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:36 +02:00
Ingo Schommer
46556b609e FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)
See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
2013-09-12 15:42:35 +02:00
Ingo Schommer
68ca47b0dd FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:35 +02:00
Ingo Schommer
d747334737 Merge pull request #2401 from adrexia/tree-value
BUG: TreeDropdownField remove call to get value on search
2013-09-11 01:30:32 -07:00
Sean Harvey
a1939dccd1 Merge pull request #2400 from jbridson/patch-9
Update 2-extending-a-basic-site.md
2013-09-10 21:47:36 -07:00
Sean Harvey
c309867a1c Merge pull request #2373 from chillu/pulls/treedropdown-searchfield-default
Default TreeDropdown to "Title" search if $labelField isn't in DB
2013-09-10 21:45:40 -07:00
Sean Harvey
58da57dd1b Merge pull request #2390 from phptek/2389
Prevent circular refs in `GridFieldAddExistingAutocompleter` when linking DataObjects whose ID == current object's ID
2013-09-10 21:43:31 -07:00
Naomi Guyer
697972699d BUG: TreeDropdownField remove call to get value on search
This call was placing the id of the currently selected record into the
search box. Related to
https://github.com/silverstripe/silverstripe-framework/commit/93ea066f53d5d2b2a19cf0dd2e9479a3fc5796f7
2013-09-11 13:22:27 +12:00
Simon Welsh
c2105db6d0 Count, not Length 2013-09-11 12:05:43 +12:00
jbridson
a4fbff4df5 Update 2-extending-a-basic-site.md
Fixed a few wording issues and added some clarity to links eg: Tutorial One (Building a basic site)
2013-09-11 11:20:41 +12:00
ARNHOE
68141b6ca0 i18n documentation - added note for caching in multi language modules 2013-09-07 16:10:52 +02:00
Ingo Schommer
8864256601 Merge pull request #2391 from halkyon/orderby_limit_aggregate
BUG Fixing SQLQuery::aggregate() adding ORDER BY when no limit.
2013-09-06 02:21:30 -07:00
Sean Harvey
95bb799e6f BUG Fixing SQLQuery::aggregate() adding ORDER BY when no limit.
DataQuery::initialiseQuery() will add a default sort to a query,
and when calling up an aggregate it will make a query like this
which doesn't make sense:

SELECT MAX("LastEdited") FROM "Member" ORDER BY "ID"

In this case there is no need to add the ORDER BY, and it will
break databases like MSSQL in cases such as
GenericTemplateGlobalProvider
which provides a default List() function for adding aggregates
into SSViewer template cacheblocks.

If we add a limit, however, then it does make sense:

SELECT MAX("LastEdited") FROM "Member" ORDER BY "ID" LIMIT 10

This fixes SQLQuery::aggregate() to NOT add an ORDER BY to an
aggregate call if there is no limit.
2013-09-06 18:11:11 +12:00
Sean Harvey
e43ca931d6 Merge pull request #2343 from chillu/pulls/security-404
Returning 404 on /Security, instead of Controller.ss template
2013-09-05 18:56:23 -07:00
Russell Michell
abcb2ef40b FIX: Modified fix for #2389 to ensure existing tests pass. 2013-09-06 08:48:32 +12:00
Ingo Schommer
ef2fc46eb2 Merge pull request #2386 from adrexia/tinymce-image-resize
BUG: Image resize allows skewing of image in IE (fixes CMS #791)
2013-09-05 04:08:06 -07:00
Ingo Schommer
9872a52a8d SecurityToken docs 2013-09-05 12:54:31 +02:00
Russell Michell
128c33b82c FIX: Fixes #2389
- Prevent circular references in `GridFieldAddExistingAutocompleter` when linking DataObjects whose ID matches the current object to which the gridfield is attached.
2013-09-05 13:55:47 +12:00
Naomi Guyer
52ef14a9ec BUG: Image resize allows skewing of image in IE (fixes CMS #791)
Including this plugin seemed like the most complete solution to this
problem, and allows it to be removed when tinymce is upgraded (assuming
they have fixed this issue). Uses a compressed version of the
advimagescale fork from sourceforge
(http://sourceforge.net/p/tinymce/plugins/186/), as it allowed for
multiple tinymce instances.
2013-09-04 15:01:46 +12:00
Will Rossiter
daa0b3cb79 Merge pull request #2383 from ryanwachtl/patch-1
Update requirements.md
2013-09-02 23:20:36 -07:00
Ryan Wachtl
15a1d96e5b Update requirements.md
Missing semicolon in example code.
2013-09-03 01:18:58 -05:00
Ingo Schommer
62608a7772 "edit" form expansion in AssetUploadField
Form wasn't expanding because of fixed heights. Backported fix from 3.1.
2013-09-02 16:48:11 +02:00
Ingo Schommer
1f84db1c54 Merge pull request #2357 from phptek/cms-access-checkbox-toggle
BUGFIX: CMS permissions checkbox won't untoggle once selected
2013-09-02 03:15:34 -07:00
Will Rossiter
0a795952b9 Merge pull request #2377 from phptek/issue/2375
UploadField showed 2 descriptions in CMS
2013-09-01 22:57:29 -07:00
Russell Michell
0f1ae7a00b BUGFIX:
- Fixes issue with CMS permissions checkbox, which won't un-toggle checked-checkboxes, after being clicked a 2nd time
2013-09-02 12:46:31 +12:00
Russell Michell
a1b04cb371 BUGFIX: Issue #2375
- UploadField showed 2 descriptions in CMS with one call to setDescription().
- Removed UploadField-specific template ref to $Description, in favour of using the "default" in FormField_holder.ss
2013-09-02 12:31:33 +12:00
Ingo Schommer
1c31c098ee FIX Correct Zend_Locale fallbacks in i18n/DateField/DateTimeField
Due to the recent change of translations to transifex, some
locales changed their names, which prompted a fix to
i18n::get_available_translations() (see 00ffe7294).
This caused a regression where short locales are determined
from the YAML file names (e.g. "en"), but weren't matched up
with fully qualified locales from get_available_translations() (e.g. "en_US").
Since this list is used in the admin/myprofile dropdown for the Member.Locale value,
it didn't match up with any entries and defaulted to the first one ("Afrikaans").

Note that the behaviour of admin/myprofile is still a bit weird:
It defaults the locale on new members to the one set for the current administrator.
So if a site defaults to en_US in _config.php, but the admin happens to view
his backend in de_DE, all members he creates default to de_DE as well.

Thanks to @tractorcow for contributing and peer reviewing!
2013-08-30 10:18:00 +02:00
Ingo Schommer
5f0329c6f2 Re-added entwine src/ in order to use inspector in dev mode 2013-08-30 10:12:50 +02:00
Ingo Schommer
93ea066f53 Remove TreeDropdownField placeholder support (see #2364)
It breaks the semantics of getValue(), leading to a broken field.
Regression from 8b5f89f. In the end, placeholder support is
considered "progressive enhancement", the search box should
be pretty obvious to IE8/IE9 users either way, given the main
field label is called "choose or search".
2013-08-30 09:50:07 +02:00
Ingo Schommer
20b49e215c Merge pull request #2136 from nedmas/fix-remove-export-button-padding
FIX: GridField button styling
2013-08-30 00:24:21 -07:00
Ingo Schommer
b2f207af30 Merge pull request #2223 from tractorcow/3.1-belongs_to-docs
Documentation for belongs_to
2013-08-29 16:34:37 -07:00
Damian Mooyman
55a7cf6040 Documentation for belongs_to 2013-08-30 10:47:11 +12:00
Ingo Schommer
79cab42a91 Default TreeDropdown to "Title" search if $labelField isn't in DB
This is a workaround in order to ensure the field stays operational
for SiteTree and File records with the new $showSearch=true default.
Previously it was necessary to use setSearchCallback(), otherwise
the SQL query would fail. One limitation to keep this change generic
is that "MenuTitle" won't be used to search, since it's SiteTree-specific,
while the "Title" and "Name" fields are generally regarded as
model conventions (e.g. they're used in DataObject->getTitle() as well).

See https://github.com/silverstripe/silverstripe-framework/pull/2364
2013-08-29 17:12:01 +02:00
Ingo Schommer
4ff7b43c44 Merge pull request #2364 from adrexia/tree-dropdown-search
API: Treedropdownfield showsearch default true, provide better ui
2013-08-29 05:00:14 -07:00
Will Rossiter
cd8e643357 Merge pull request #2369 from PutmanMedia/pulls/paginatedlist-getvar
Only allow positive start values in PaginatedList
2013-08-29 02:10:56 -07:00
Naomi Guyer
8b5f89f3b9 API: Treedropdownfield showsearch default true, provide better ui
Set search option true on treedropdown fields by default, to provide a
fallback solution when trees fail to render (too many children errors)

Provide better indication/more meaningful styling to search (match
chosen styles for consistency)
2013-08-29 16:21:04 +12:00
Ingo Schommer
07db2e1fd1 Only allow positive start values in PaginatedList
Otherwise the ORM query will fail.
2013-08-28 17:34:40 +02:00
Ingo Schommer
eaa78b98b8 Merge pull request #2366 from johannesx75/Cached-Images-Path2
BUG Cached images stored in wrong folder
2013-08-28 06:48:49 -07:00
Ingo Schommer
71b987edb2 Merge pull request #2363 from jbridson/patch-8
BUGFIX: fixed grammatical errors and formatting issues
2013-08-28 02:21:46 -07:00
Ingo Schommer
f23526d08f Merge pull request #2362 from tazzydemon/3.1
Update ImagickBackend.php
2013-08-28 02:16:58 -07:00