Damian Mooyman
dd4eb6ce44
Merge pull request #6960 from open-sausages/pulls/4.0/security-process-docs
...
Internal security process docs
2017-06-16 13:50:58 +12:00
Damian Mooyman
62d095305b
API Update DefaultAdmin services
...
API Improve validation of authentication process
2017-06-15 15:53:57 +12:00
Simon Erkelens
2b26cafcff
Separate out the log-out handling.
...
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly logout, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Antony Thorpe
6348f2e3e8
Updated Form.php & 04_Form_Security.md
...
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting. In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf ) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]." The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)
).
Why not make this the default behaviour? Is there a scenario where this would cause a problem? Have manually tested in the CMS (alpha7) and is working fine.
Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8
.
2017-06-06 21:10:49 +12:00
Ingo Schommer
b137e91998
Internal security process docs
2017-06-02 11:30:12 +12:00
Ed Linklater
f007fca51f
Docs: Correct Stevie's name on committers page
2017-05-31 12:27:06 +12:00
Damian Mooyman
e7d87add9f
API Remove legacy HTMLEditor classes
2017-05-30 11:01:28 +12:00
Nick
318b0248b7
Update 05_Dataobject_Relationship_Management.md
...
Correct a naffed up code block and a typo
2017-05-29 20:54:50 +12:00
Aaron Carlino
06615e3d76
Resample doc images for react di
2017-05-26 11:08:07 +12:00
Chris Joe
5ec8d40c19
Merge pull request #6957 from open-sausages/pulls/4/react-di-documentation
...
Docs for React DI
2017-05-26 10:59:42 +12:00
Daniel Hensby
893f19a5ea
DOCS Updating index definition examples
2017-05-25 23:29:12 +01:00
Aaron Carlino
bfc373cf0f
update docs with new api
2017-05-25 16:34:32 +12:00
Aaron Carlino
75981989b0
Docs for React DI
2017-05-25 14:58:55 +12:00
Christopher Joe
e327bf3c70
Enhancement add contribution notes about releasing to NPM
2017-05-24 17:07:05 +12:00
Damian Mooyman
fba8e2c245
API Remove Object class
...
API DataObjectSchema::manyManyComponent() return array is now associative array
2017-05-23 13:50:35 +12:00
Damian Mooyman
2aa3b5d5fa
Merge pull request #6934 from robbieaverill/pulls/4.0/consistent-instance-method
...
API Consistent use of inst() naming across framework
2017-05-22 11:57:20 +12:00
Damian Mooyman
4197090e11
Merge pull request #6940 from kinglozzer/randomgenerator
...
Only use random_bytes() for RandomGenerator (closes #6397 )
2017-05-22 10:29:55 +12:00
Loz Calver
e653e90997
Only use random_bytes() for RandomGenerator ( closes #6397 )
2017-05-19 11:18:56 +01:00
Robbie Averill
f2cbe86f03
Remove CustomMethods::createMethod and create_function implementations, replace with closures
2017-05-19 15:56:44 +12:00
Robbie Averill
ad43a82923
API Consistent use of inst() naming across framework
2017-05-19 14:38:06 +12:00
Ingo Schommer
100048da33
API PSR-11 compliance ( fixes #6594 ) ( #6931 )
...
Note that our usage of `$asSingleton` in `get()` is fine. Quote from the PSR:
> Two successive calls to get with the same identifier SHOULD return the same value. However, depending on the implementor design and/or user configuration, different values might be returned, so user SHOULD NOT rely on getting the same value on 2 successive calls.
2017-05-19 13:45:07 +12:00
Loz Calver
471166c15e
Merge pull request #6169 from open-sausages/pulls/4.0/duplicate-manymany-option
...
API Duplication of many_many relationships now defaults to many_many only
2017-05-17 09:31:09 +01:00
Damian Mooyman
f5f6fdce12
API Duplication of many_many relationships now defaults to many_many only
...
Fixes https://github.com/silverstripe/silverstripe-cms/issues/1453
2017-05-16 23:26:39 +12:00
Colm McBarron
8666d4abb2
Update YAML format to use namespace
2017-05-16 11:49:39 +01:00
Damian Mooyman
259f957ce8
API Rename services to match FQN of interface / classes
2017-05-16 14:15:49 +12:00
Damian Mooyman
0b70b008b3
API Implement InheritedPermission calculator ( #6877 )
...
* API Implement InheritedPermission calculator
* API Rename RootPermissions to DefaultPermissionChecker
API Refactor inherited permission fields into InheritedPermissionExtension
API Introduce PermissionChecker interface
2017-05-11 21:07:27 +12:00
Aaron Carlino
7fa47e234f
New API for minified files using injectable service
2017-05-11 10:14:16 +12:00
Ingo Schommer
da3236b0e7
Merge pull request #6887 from open-sausages/pulls/4.0/docs-calendar-year-format
...
Doc dateformats with calendar year
2017-05-09 23:07:25 +12:00
Sam Minnée
33119a1f36
Merge branch 'master' into pulls/4.0/remove-deprecated-methods
2017-05-09 15:31:53 +12:00
Ingo Schommer
7c2f49d443
API Removed RootURLController:set_default_homepage_link()
2017-05-09 11:38:35 +12:00
Ingo Schommer
cec983b628
API Removed deprecated ModelAsController::find_old_page()
2017-05-09 11:38:35 +12:00
Ingo Schommer
5784a7d2d7
API Removed deprecated Security::set_login_recording()
2017-05-09 11:38:35 +12:00
Ingo Schommer
2a7c76e9e9
API Removed deprecated DatabaseAdmin#clearAllData()
2017-05-09 11:38:35 +12:00
Ingo Schommer
81e5c7ac40
API Removed deprecated Session::set_config()
2017-05-09 11:38:35 +12:00
Ingo Schommer
1d438d3fb5
API Remove deprecated FormAction::createTag()
2017-05-09 11:38:35 +12:00
Ingo Schommer
0d9b383631
API Removed legacy form fields ( fixes #6099 )
2017-05-09 11:16:41 +12:00
Ingo Schommer
20e57e9dec
Doc dateformats with calendar year
...
https://github.com/silverstripe/silverstripe-framework/issues/3749
http://stackoverflow.com/questions/1978051/zend-datetostring-outputs-the-wrong-year-bug-in-my-code-or-zend-date
https://en.wikipedia.org/wiki/ISO_week_date#Disadvantages
2017-05-08 22:08:14 +12:00
Damian Mooyman
942c0257b7
API Upgrade to behat 3
2017-05-05 14:32:07 +12:00
Damian Mooyman
edcb46bd3a
Merge pull request #6836 from sminnee/cli-error-fix
...
FIX: Show detailed errors on CLI for live environments
2017-05-03 15:49:09 +12:00
Aaron Carlino
dd7777321f
Added 4.0.0-alpha7 changelog
2017-05-02 13:16:17 +12:00
Sam Minnee
4c772c80c3
FIX: Show detailed errors on CLI for live environments
...
API: Add HTTPOutputHandler::setCLIFormatter
Fixes https://github.com/silverstripe/silverstripe-framework/issues/6835
This provides detailed errors (but not warnings or notices) in CLI calls
on live environments.
It does this by adding a 2nd argument to our output handler,
CliFormatter. This formatter will be used when Director::is_cli() is
true.
2017-05-01 15:28:48 +12:00
Damian Mooyman
61388b153f
API Rewrite Date and Time fields to support HTML5
2017-04-28 10:06:37 +12:00
Ingo Schommer
a73abbfcb8
unit test cleanup
2017-04-27 09:18:38 +12:00
Ingo Schommer
1ec2abe75f
Fixed timezone and normalised ISO handling
...
A few observations:
- ISO says “T” is optional (https://en.wikipedia.org/wiki/ISO_8601#cite_note-21 ),
- WHATWG says in the HTML5 spec that it’s optional (https://html.spec.whatwg.org/multipage/infrastructure.html#local-dates-and-times )
- W3C says it’s reqiured in 1997 (https://www.w3.org/TR/NOTE-datetime ), but then later says it’s optional in its HTML5 spec (https://www.w3.org/TR/html5/infrastructure.html#floating-dates-and-times ).
- Chrome doesn’t parse values with whitespace separators (requires "T")
- DataObject DBDatetime values and database columns use whitespace separators (and will have many devs relying on this format)
- MySQL only supports whitespace separators (https://dev.mysql.com/doc/refman/5.7/en/datetime.html )
- SQLite can parse both ways (https://sqlite.org/lang_datefunc.html )
So the goal here is to retain ORM/database compatibility with 3.x (whitespace separator),
while exposing "T" separators to the browser in HTML5 mode.
Regarding timezones, this fixes a regression where setValue() would not actually
apply the timezone (last $value assignment is ineffective now that sub fields are removed).
2017-04-26 22:55:29 +12:00
Saophalkun Ponlu
507add8566
Update changelogs
2017-04-26 22:45:07 +12:00
Robbie Averill
0391596786
DOCS Remove tabs from JSON examples to fix code blocks
2017-04-23 21:14:12 +12:00
Simon Erkelens
ff3ad6eb6b
Use Config
for authenticator settings
2017-04-22 14:48:56 +12:00
Damian Mooyman
c21f71405f
Merge pull request #6823 from open-sausages/pulls/4.0/remove-TeamCityListener
...
Removed TeamCityListener
2017-04-21 15:56:20 +12:00
Damian Mooyman
629465584e
Merge pull request #6825 from open-sausages/pulls/4.0/skip-without-phpunit
...
Don't fail dev/build without phpunit
2017-04-21 15:38:22 +12:00
Chris Joe
430c7ad79a
Merge pull request #6824 from micmania1/patch-13
...
DOCS Corrected logger documentation
2017-04-21 15:18:22 +12:00