Commit Graph

2211 Commits

Author SHA1 Message Date
Damian Mooyman
dd4eb6ce44 Merge pull request #6960 from open-sausages/pulls/4.0/security-process-docs
Internal security process docs
2017-06-16 13:50:58 +12:00
Damian Mooyman
62d095305b
API Update DefaultAdmin services
API Improve validation of authentication process
2017-06-15 15:53:57 +12:00
Simon Erkelens
2b26cafcff Separate out the log-out handling.
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Antony Thorpe
6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Ingo Schommer
b137e91998 Internal security process docs 2017-06-02 11:30:12 +12:00
Ed Linklater
f007fca51f Docs: Correct Stevie's name on committers page 2017-05-31 12:27:06 +12:00
Damian Mooyman
e7d87add9f API Remove legacy HTMLEditor classes 2017-05-30 11:01:28 +12:00
Nick
318b0248b7 Update 05_Dataobject_Relationship_Management.md
Correct a naffed up code block and a typo
2017-05-29 20:54:50 +12:00
Aaron Carlino
06615e3d76 Resample doc images for react di 2017-05-26 11:08:07 +12:00
Chris Joe
5ec8d40c19 Merge pull request #6957 from open-sausages/pulls/4/react-di-documentation
Docs for React DI
2017-05-26 10:59:42 +12:00
Daniel Hensby
893f19a5ea
DOCS Updating index definition examples 2017-05-25 23:29:12 +01:00
Aaron Carlino
bfc373cf0f update docs with new api 2017-05-25 16:34:32 +12:00
Aaron Carlino
75981989b0 Docs for React DI 2017-05-25 14:58:55 +12:00
Christopher Joe
e327bf3c70 Enhancement add contribution notes about releasing to NPM 2017-05-24 17:07:05 +12:00
Damian Mooyman
fba8e2c245 API Remove Object class
API DataObjectSchema::manyManyComponent() return array is now associative array
2017-05-23 13:50:35 +12:00
Damian Mooyman
2aa3b5d5fa Merge pull request #6934 from robbieaverill/pulls/4.0/consistent-instance-method
API Consistent use of inst() naming across framework
2017-05-22 11:57:20 +12:00
Damian Mooyman
4197090e11 Merge pull request #6940 from kinglozzer/randomgenerator
Only use random_bytes() for RandomGenerator (closes #6397)
2017-05-22 10:29:55 +12:00
Loz Calver
e653e90997 Only use random_bytes() for RandomGenerator (closes #6397) 2017-05-19 11:18:56 +01:00
Robbie Averill
f2cbe86f03 Remove CustomMethods::createMethod and create_function implementations, replace with closures 2017-05-19 15:56:44 +12:00
Robbie Averill
ad43a82923 API Consistent use of inst() naming across framework 2017-05-19 14:38:06 +12:00
Ingo Schommer
100048da33 API PSR-11 compliance (fixes #6594) (#6931)
Note that our usage of `$asSingleton` in `get()` is fine. Quote from the PSR:

> Two successive calls to get with the same identifier SHOULD return the same value. However, depending on the implementor design and/or user configuration, different values might be returned, so user SHOULD NOT rely on getting the same value on 2 successive calls.
2017-05-19 13:45:07 +12:00
Loz Calver
471166c15e Merge pull request #6169 from open-sausages/pulls/4.0/duplicate-manymany-option
API Duplication of many_many relationships now defaults to many_many only
2017-05-17 09:31:09 +01:00
Damian Mooyman
f5f6fdce12
API Duplication of many_many relationships now defaults to many_many only
Fixes https://github.com/silverstripe/silverstripe-cms/issues/1453
2017-05-16 23:26:39 +12:00
Colm McBarron
8666d4abb2 Update YAML format to use namespace 2017-05-16 11:49:39 +01:00
Damian Mooyman
259f957ce8 API Rename services to match FQN of interface / classes 2017-05-16 14:15:49 +12:00
Damian Mooyman
0b70b008b3 API Implement InheritedPermission calculator (#6877)
* API Implement InheritedPermission calculator

* API Rename RootPermissions to DefaultPermissionChecker
API Refactor inherited permission fields into InheritedPermissionExtension
API Introduce PermissionChecker interface
2017-05-11 21:07:27 +12:00
Aaron Carlino
7fa47e234f New API for minified files using injectable service 2017-05-11 10:14:16 +12:00
Ingo Schommer
da3236b0e7 Merge pull request #6887 from open-sausages/pulls/4.0/docs-calendar-year-format
Doc dateformats with calendar year
2017-05-09 23:07:25 +12:00
Sam Minnée
33119a1f36 Merge branch 'master' into pulls/4.0/remove-deprecated-methods 2017-05-09 15:31:53 +12:00
Ingo Schommer
7c2f49d443 API Removed RootURLController:set_default_homepage_link() 2017-05-09 11:38:35 +12:00
Ingo Schommer
cec983b628 API Removed deprecated ModelAsController::find_old_page() 2017-05-09 11:38:35 +12:00
Ingo Schommer
5784a7d2d7 API Removed deprecated Security::set_login_recording() 2017-05-09 11:38:35 +12:00
Ingo Schommer
2a7c76e9e9 API Removed deprecated DatabaseAdmin#clearAllData() 2017-05-09 11:38:35 +12:00
Ingo Schommer
81e5c7ac40 API Removed deprecated Session::set_config() 2017-05-09 11:38:35 +12:00
Ingo Schommer
1d438d3fb5 API Remove deprecated FormAction::createTag() 2017-05-09 11:38:35 +12:00
Ingo Schommer
0d9b383631 API Removed legacy form fields (fixes #6099) 2017-05-09 11:16:41 +12:00
Ingo Schommer
20e57e9dec Doc dateformats with calendar year
https://github.com/silverstripe/silverstripe-framework/issues/3749
http://stackoverflow.com/questions/1978051/zend-datetostring-outputs-the-wrong-year-bug-in-my-code-or-zend-date
https://en.wikipedia.org/wiki/ISO_week_date#Disadvantages
2017-05-08 22:08:14 +12:00
Damian Mooyman
942c0257b7 API Upgrade to behat 3 2017-05-05 14:32:07 +12:00
Damian Mooyman
edcb46bd3a Merge pull request #6836 from sminnee/cli-error-fix
FIX: Show detailed errors on CLI for live environments
2017-05-03 15:49:09 +12:00
Aaron Carlino
dd7777321f Added 4.0.0-alpha7 changelog 2017-05-02 13:16:17 +12:00
Sam Minnee
4c772c80c3 FIX: Show detailed errors on CLI for live environments
API: Add HTTPOutputHandler::setCLIFormatter

Fixes https://github.com/silverstripe/silverstripe-framework/issues/6835

This provides detailed errors (but not warnings or notices) in CLI calls
on live environments.

It does this by adding a 2nd argument to our output handler,
CliFormatter. This formatter will be used when Director::is_cli() is
true.
2017-05-01 15:28:48 +12:00
Damian Mooyman
61388b153f API Rewrite Date and Time fields to support HTML5 2017-04-28 10:06:37 +12:00
Ingo Schommer
a73abbfcb8 unit test cleanup 2017-04-27 09:18:38 +12:00
Ingo Schommer
1ec2abe75f Fixed timezone and normalised ISO handling
A few observations:
- ISO says “T” is optional (https://en.wikipedia.org/wiki/ISO_8601#cite_note-21),
- WHATWG says in the HTML5 spec that it’s optional (https://html.spec.whatwg.org/multipage/infrastructure.html#local-dates-and-times)
- W3C says it’s reqiured in 1997 (https://www.w3.org/TR/NOTE-datetime), but then later says it’s optional in its HTML5 spec (https://www.w3.org/TR/html5/infrastructure.html#floating-dates-and-times).
- Chrome doesn’t parse values with whitespace separators (requires "T")
- DataObject DBDatetime values and database columns use whitespace separators (and will have many devs relying on this format)
- MySQL only supports whitespace separators (https://dev.mysql.com/doc/refman/5.7/en/datetime.html)
- SQLite can parse both ways (https://sqlite.org/lang_datefunc.html)

So the goal here is to retain ORM/database compatibility with 3.x (whitespace separator),
while exposing "T" separators to the browser in HTML5 mode.

Regarding timezones, this fixes a regression where setValue() would not actually
apply the timezone (last $value assignment is ineffective now that sub fields are removed).
2017-04-26 22:55:29 +12:00
Saophalkun Ponlu
507add8566 Update changelogs 2017-04-26 22:45:07 +12:00
Robbie Averill
0391596786 DOCS Remove tabs from JSON examples to fix code blocks 2017-04-23 21:14:12 +12:00
Simon Erkelens
ff3ad6eb6b Use Config for authenticator settings 2017-04-22 14:48:56 +12:00
Damian Mooyman
c21f71405f Merge pull request #6823 from open-sausages/pulls/4.0/remove-TeamCityListener
Removed TeamCityListener
2017-04-21 15:56:20 +12:00
Damian Mooyman
629465584e Merge pull request #6825 from open-sausages/pulls/4.0/skip-without-phpunit
Don't fail dev/build without phpunit
2017-04-21 15:38:22 +12:00
Chris Joe
430c7ad79a Merge pull request #6824 from micmania1/patch-13
DOCS Corrected logger documentation
2017-04-21 15:18:22 +12:00