Daniel Hensby
237b2d5f74
Convert array delcarations to short array syntax
2020-04-20 18:58:09 +01:00
Robbie Averill
5002f514b3
FIX Capitalisation fixes in welcome back message ( #9439 )
2020-03-23 15:54:30 +13:00
Robbie Averill
e49cec3a00
Merge pull request #9247 from jakxnz/pulls/4/record-login-attempt-outputs
...
ENHANCEMENT: MemberAuthenticator::recordLoginAttempt() outputs
2019-10-03 10:46:34 -07:00
Aaron Carlino
b002ef1171
Merge branch '4.4' into 4
2019-09-24 17:26:50 +12:00
Serge Latyntcev
eccfa9b10d
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Jackson Darlow
a033662a3a
MemberAuthenticator::recordLoginAttempt() outputs
2019-09-24 14:24:59 +12:00
Serge Latyntsev
233e0e7aa0
ENH PasswordExpirationMiddleware implementation ( #9207 )
2019-09-12 14:34:06 +12:00
Robbie Averill
ebfab45e23
API LoginForm::authentiator_class is now deprecated, use getters or setters instead
2019-02-01 19:39:15 +03:00
Robbie Averill
83e461abbf
Merge branch '4.2' into 4
2018-08-27 16:15:57 +12:00
Robbie Averill
18fff5c16c
Remove past tense for "log in" in expired token message
2018-08-20 22:31:23 +12:00
Robbie Averill
dbab696690
FIX Message when changing password with invalid token now contains correct links to login
...
The Security controller should be used to return these links rather than the
ChangePasswordHandler
2018-08-20 22:30:12 +12:00
Ingo Schommer
2d6964c243
Merge pull request #8261 from open-sausages/pulls/4/secure-remember-me-cookie
...
NEW Option for secure "remember me" cookie
2018-07-31 09:19:15 +12:00
Ingo Schommer
114b0a5ea7
NEW Option for secure "remember me" cookie
...
Fixes #8234
2018-07-30 16:41:49 +01:00
Ingo Schommer
93b0884e19
BUG Lazy session state ( fixes #8267 )
...
Fixes regression from 3.x, where sessions where lazy started as required:
Either because an existing session identifier was sent through with the request,
or because new session data needed to be persisted as part of the request execution.
Without this lazy starting, *every* request will get a session,
which makes all those responses uncacheable by HTTP layers.
Note that 4.x also changed the $data vs. $changedData payloads:
In 3.x, they both contained key/value pairs.
In 4.x, $data contains key/value, while $changedData contains key/boolean to declare isChanged.
While this reduces duplication in the class, it also surfaced a bug which was latent in 3.x:
When an existing session is lazily resumed via start(), $data is set back to an empty array.
In 3.x, any changed data before this point was *also* retained in $changedData,
ensuring it gets merged into existing $_SESSION data.
In 4.x, this clears out data - hence the need for a more complex merge logic.
Since isset($this->data) is no longer an accurate indicator of a started session,
we introduce a separate $this->started flag.
Note that I've chosen not to make lazy an opt-in (e.g. via start($request, $lazy=false)).
We already have a distinction between lazy starting via init(), and force starting via start().
2018-07-19 13:32:04 +12:00
Daniel Hensby
560fe9820a
FIX remove personal information from password reset confirmation screen
2018-07-05 14:19:15 +12:00
Robbie Averill
ea16e28aa7
Merge branch '4.1' into 4
2018-05-28 18:33:56 +12:00
Robbie Averill
722202fef4
Merge remote-tracking branch 'origin/4.0.4' into 4.1.1
...
# Conflicts:
# src/Control/Director.php
2018-05-24 15:41:11 +12:00
Robbie Averill
beec0c0d47
[SS-2018-010] Fix regression of SS-2017-002
2018-05-14 17:12:07 +12:00
Daniel Hensby
70effc7046
Revert "ENHANCEMENT Add config var to skip confirm logout ( #7977 )"
...
This reverts commit 47bcac930d
2018-04-04 13:51:18 +01:00
Andrew Aitken-Fincham
47bcac930d
ENHANCEMENT Add config var to skip confirm logout ( #7977 )
2018-04-04 09:43:49 +12:00
Damian Mooyman
386ef27f65
Update requesthandlers with missing extension points
2018-03-23 15:28:00 +13:00
Damian Mooyman
625f7b4eee
Merge remote-tracking branch 'origin/4.0' into 4.1
2018-03-13 14:26:18 +13:00
Joe Harvey
bf2cee3989
Bugfix - Correct duplicate nesting of 'Content' to be returned to template
...
In scenarios where:
- No member is logged in
- An 'AutoLoginHash' is provided via the 't' (token) query param
- The token isn't valid (determined by Member::validateAutoLoginToken())
The message which is intended to be returned to the end-user via $Content
in the template, is mistakenly double nested in ['Content' => ['Content' => 'Message']]
this leads to "The method forTemplate() doesn't exist on ArrayData" errors.
See - https://github.com/silverstripe/silverstripe-framework/issues/7866
2018-03-07 14:14:05 +00:00
Damian Mooyman
bca47029c4
Merge remote-tracking branch 'origin/4.0' into 4
...
# Conflicts:
# src/Control/SimpleResourceURLGenerator.php
# tests/php/Control/SimpleResourceURLGeneratorTest.php
2018-01-25 12:53:15 +13:00
Damian Mooyman
a3c52f901a
Merge remote-tracking branch 'origin/4.0' into 4
...
# Conflicts:
# src/Core/TempFolder.php
# src/ORM/DataObject.php
# src/View/ThemeResourceLoader.php
# src/includes/constants.php
# tests/php/Control/SimpleResourceURLGeneratorTest.php
# tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
# tests/php/View/RequirementsTest.php
2018-01-22 14:57:05 +13:00
Damian Mooyman
60fa7558d3
BUG Fix double casting in login authenticator name
...
Fixes #7769
2018-01-22 14:06:24 +13:00
Daniel Hensby
db610aaf3b
Fixing string concat CS issues
2018-01-16 18:39:30 +00:00
Daniel Hensby
eb55c27124
Merge branch '4.0' into 4
2017-12-05 12:14:22 +00:00
Loz Calver
c4b366828e
FIX: Restore BackURL preservation on log out ( closes #7636 )
2017-11-27 16:15:28 +00:00
Simon Erkelens
0987003053
Add the ability to redirect a user to a custom page with custom content after changing their password
2017-11-27 14:18:40 +13:00
Damian Mooyman
ad36b8f6a9
Use restart instead of destroy
2017-11-03 12:08:38 +13:00
Daniel Hensby
a61ce077c6
FIX Sessions must be destroyed on logout
2017-11-03 12:08:38 +13:00
Simon Erkelens
6506a5b958
Don't add a . when there's no extension
2017-10-16 11:56:35 +13:00
Robbie Averill
6044579a3f
MINOR Separate some areas of logic in LostPasswordHandler to make them more overridable
2017-10-05 14:17:38 +13:00
Damian Mooyman
905c4e04d5
BUG Incorrect path for requirements file
2017-09-12 10:36:48 +01:00
Sam Minnee
8c15e451c6
FIX: Removed unnecessary database_is_ready call.
...
This shaves about 45ms from every request (PHP 7.1 on a 2013 rMBP),
cutting down execution time of a “hello world” controller by about 33%.
database_is_ready is still used in dev/build and ?flush=1 to stop people
from people bypassing security by DOSing the database or otherwise
forcing a DatabaseException
2017-08-25 13:06:12 +12:00
Robbie Averill
e307f067ed
FIX Replace deprecated %s placeholders in translations with named placeholders
...
* Remove the use of sprintf and %s placeholders in the i18n tests
2017-08-02 13:03:55 +12:00
Robbie Averill
a5ca4ecb59
FIX Log in as someone else returns user back to login screen
2017-07-18 17:15:58 +12:00
Simon Erkelens
3e97b99e22
[BUG] Fix issues with multiple authenticators for a single task ( #7149 )
...
Using multiple 2FA authenticators, logging out, resetting password etc. proved to be handled wrong.
Example scenario:
The result is an error, because the `renderWrappedController` was called, despite the responses being a set of either array with Content or Form, or a redirect action.
The default action should be followed and not try to render if there is nothing to render
Because the logout (or changepassword, or resetpassword, etc.) has already been handled, the first response is the default authenticator's response. This _could_ be a form (in case of logout without valid token), a content set (reset password) or a form (change password).
This edge case only happens when there are multiple authenticators supporting the requested method that is _not_ login.
2017-07-14 09:20:58 +12:00
Damian Mooyman
f65e3627dc
BUG Implement or exclude all pending upgrader deltas
2017-07-03 12:21:47 +12:00
Daniel Hensby
30986b4ea3
[SS-2017-002] FIX Lock out users who dont exist in the DB
2017-06-29 13:58:55 +12:00
Ingo Schommer
fa568e333e
Fixed linting errors
2017-06-23 11:19:16 +12:00
Damian Mooyman
3873e4ba00
API Refactor bootstrap, request handling
...
See https://github.com/silverstripe/silverstripe-framework/pull/7037
and https://github.com/silverstripe/silverstripe-framework/issues/6681
Squashed commit of the following:
commit 8f65e5653276f95944fa9379834cb4188ce35d827ed4660e7a738f50c4976279d28e5e5c90d53a84f9b2ba47555b59a912b6e2c4a18f635d235e64f3d88d4ed4e4f7946aec3312bd31f936bba97911462a10c2397bd75a8d1d9306364af3c32a278e2953b65c21241bd1d4375c95b220534f06603704165c2f6336a15bfc7188da7da0ae723514ca03395251c66d433977f26ae75c6e001d559662de079c041d
2017-06-22 22:50:45 +12:00
Loz Calver
5d27dccd60
NEW: Add CSRF token to logout action
2017-06-21 15:42:13 +01:00
Damian Mooyman
0f90c5b63f
ENHANCEMENT Update style of CMSLogin form
2017-06-15 18:13:14 +12:00
Damian Mooyman
024371c37e
API Change authentication ValidationResult handling to pass by-reference
2017-06-15 17:25:23 +12:00
Damian Mooyman
62d095305b
API Update DefaultAdmin services
...
API Improve validation of authentication process
2017-06-15 15:53:57 +12:00
Simon Erkelens
576eee72dc
Remove DefaultAdmin things from Security and Member into the MemberAuthenticator, unifying and removing duplicate code.
2017-06-15 14:20:29 +12:00
Simon Erkelens
5c4e55b60d
It's not CascadeLogInTo anymore, it's CascadeInTo
...
I'm mildly surprised this didn't break. I changed it to CascadeInTo, as the logout action needs to cascade into the session as well.
2017-06-10 12:58:22 +12:00
Damian Mooyman
62753b3cb1
Cleanup and RequestFilter refactor
2017-06-09 15:07:35 +12:00
