Commit Graph

21955 Commits

Author SHA1 Message Date
Serge Latyntcev
5af205993d [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution 2019-09-24 16:00:51 +12:00
Serge Latyntcev
569237c0f4 [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
Aaron Carlino
99ab3c6421 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:00:51 +12:00
Jackson Darlow
a033662a3a MemberAuthenticator::recordLoginAttempt() outputs 2019-09-24 14:24:59 +12:00
Guy Marriott
3659f2888d
FIX Add 'legal empty attributes' to allow empty alt values on i… (#9257)
FIX Add 'legal empty attributes' to allow empty alt values on imgs
2019-09-23 17:03:01 -07:00
Garion Herman
0d27f32cc9 FIX Add 'legal empty attributes' to allow empty alt values on imgs
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
Guy Marriott
aa7c057422
FIX: Don't force-add view button to readonly GridField (fixes #… (#9254)
FIX: Don't force-add view button to readonly GridField (fixes #9249)
2019-09-23 10:31:25 -07:00
Guy Marriott
190b2f2842
FIX: run member CMS validator when editing via groups (fixes #9… (#9255)
FIX: run member CMS validator when editing via groups (fixes #9184)
2019-09-23 10:28:38 -07:00
Loz Calver
efdb9cc718 FIX: run member CMS validator when editing via groups (fixes #9184) 2019-09-23 16:59:58 +01:00
Loz Calver
d85ff3bc44 FIX: Don't force-add view button to readonly GridField (fixes #9249) 2019-09-23 16:52:47 +01:00
bergice
6a1c6ecec6 Fix administrators not being able to see files that are restricted to groups
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
2019-09-23 16:44:28 +12:00
Guy Marriott
6ff97821ed Merge branch '4.4' into 4 2019-09-18 15:52:36 -07:00
Guy Marriott
7877ffcc85 Merge branch '4.3' into 4.4 2019-09-18 15:52:18 -07:00
Guy Marriott
109ac3f75f
Allow non summary fields to be used as grid field export fields (#9248)
Allow non summary fields to be used as grid field export fields
2019-09-18 15:33:25 -07:00
Hayden Shaw
daf9d55ecb Allow non summary fields to be used as export fields
Fixes regression in 3d989a6eae.
2019-09-19 10:00:54 +12:00
Robbie Averill
5f59d0e6d5
Merge pull request #9245 from open-sausages/pulls/4/docs-sec-release-is-core-release
DOC Clarify that Security release is a SilverStripe Core release
2019-09-17 16:44:58 -07:00
Serge Latyntcev
f185dfb2c5 DOC Clarify that Security release is a SilverStripe Core release 2019-09-18 11:19:55 +12:00
Michal Kleiner
bcbf90a837 NEW Introduce supported database transaction mode check 2019-09-16 14:44:15 +12:00
Robbie Averill
ed64adf12a
Merge pull request #9238 from christopherdarling/patch-15
DOCS fix DataList::exclude() code example
2019-09-15 12:36:10 -07:00
Christopher Darling
c8f274de80
DOCS fix DataList::exclude() code example 2019-09-15 20:34:18 +01:00
Robbie Averill
aa6b244db9 Merge branch '4.4' into 4 2019-09-13 18:11:46 -07:00
Robbie Averill
592ab6abc1 Merge branch '4.3' into 4.4 2019-09-13 18:11:34 -07:00
Robbie Averill
066ce8e01c Merge branch '4.2' into 4.3
# Conflicts:
 #	src/View/ThemeResourceLoader.php
2019-09-13 18:10:37 -07:00
Robbie Averill
b8e81983b9 DOCS Update PSR-12 compliance in GridField_ActionProvider docs code examples
[ci skip]
2019-09-13 18:09:10 -07:00
Robbie Averill
ed47f43133
Merge pull request #9169 from jakxnz/patch-1
Update 04_Create_a_GridField_ActionProvider.md
2019-09-13 18:05:51 -07:00
Robbie Averill
750818ba9b Merge branch 'pulls/4/docs-file-header-upgrade-warning' into 4 2019-09-13 18:02:40 -07:00
Ingo Schommer
229df95fe9 DOCS Warning about protected file serving in 4.x 2019-09-13 18:01:44 -07:00
Robbie Averill
cfe86ad5a1
Merge pull request #9153 from creative-commoners/pulls/4.4/stream-ree-tags
FIX Skip md5-ing the whole contents of a stream for etags
2019-09-13 17:59:26 -07:00
Robbie Averill
9a76d4adb4
Merge pull request #9181 from kinglozzer/8762-shortcode-templates
NEW: Use templates to render embed shortcodes (closes #8762)
2019-09-13 17:58:32 -07:00
Andre Kiste
cf90cfdd2a
Merge pull request #9221 from open-sausages/pulls/4.3/recursive-writeComponent
BUG Allow infinite loop when calling DataObject::writeComponent() recursively
2019-09-12 17:18:08 +12:00
Serge Latyntsev
233e0e7aa0 ENH PasswordExpirationMiddleware implementation (#9207) 2019-09-12 14:34:06 +12:00
Robbie Averill
6d6c4c652c
Merge pull request #9234 from chrometoasters/pulls/update-sqlite3-for-travis
Update sqlite3 dependency for Travis tests using SQLite to 2.2.x
2019-09-11 16:17:47 -07:00
Michal Kleiner
7a0c07906a
Update sqlite3 dependency for Travis tests using SQLite 2019-09-12 11:00:41 +12:00
Aaron Carlino
da6582f593 NEW: Remove web installer, move to separate package (#9231)
* Remove installer

* Remove exposed install files

* Replace Dev/Install classes still in use

* Update changelog

* FIX make the grid field actions consistent to what they look like on pages

Resolves https://github.com/silverstripe/silverstripe-admin/issues/904

* Docs changes
2019-09-11 13:10:25 +12:00
Andre Kiste
75cd9dc944
Merge pull request #9202 from open-sausages/pulls/4/document-ss32-variant-migration
DOC Explain how to mgirate SS3.2 variants
2019-09-11 11:47:28 +12:00
Maxime Rainville
591b88a9bc BUG Allow infinite loop when calling DataObject::writeComponent() recursively 2019-09-10 14:15:28 +12:00
Robbie Averill
b6fb6a6461
Merge pull request #9229 from silverstripe/pulls/secure-coding-docs
Update secure coding standards
2019-09-09 18:34:36 -07:00
Matt Peel
7083f016c1
Update secure coding standards
As of SS4.0.0 and the introduction of TrustedProxyMiddleware, the default now if no trusted proxies are defined is that nothing is a trusted proxy, whereas in SS3 a missing declaration was treated as everything being allowed.
2019-09-10 12:55:24 +12:00
Andre Kiste
23719af2a1
Apply suggestions from code review
Typos
2019-09-09 13:36:53 +12:00
Maxime Rainville
c165561580
Fix typos
Co-Authored-By: Robbie Averill <robbie@averill.co.nz>
2019-09-09 09:06:40 +12:00
Guy Marriott
f788a8a927
FIX Member::getLastName() now correctly returns the Member surn… (#9226)
FIX Member::getLastName() now correctly returns the Member surname
2019-09-07 09:12:50 +12:00
Robbie Averill
e8c2f963fd FIX Member::getLastName() now correctly returns the Member surname 2019-09-06 12:12:27 -07:00
Robbie Averill
41a766d135
Merge pull request #9085 from kinglozzer/9084-path-join-exception
Catch Path::join() exceptions in findTemplate() (fixes #9084)
2019-09-06 12:00:39 -07:00
Robbie Averill
66ca1c925f
Merge pull request #9217 from silverstripe/doc-node10
Update recommended node version in contrib docs
2019-09-06 11:54:41 -07:00
Robbie Averill
23b40557e8
Reduce version for Node 10 to SilverStripe 4.4
[ci skip]

Co-Authored-By: Garion Herman <garion@silverstripe.com>
2019-09-06 11:54:14 -07:00
Robbie Averill
42dd02ef78
Merge pull request #9122 from aNickzz/4
Add onBeforeRenderHolder extension point for FormField
2019-09-06 11:53:10 -07:00
Hels666
22a6a5b1e3 NEW Add getLastName() method to Member.php (#9222)
* Add getLastName() method to Member.php

Add getLastName() method to Silverstripe\Security\Member.php to allow use of $LastName instead of $Surname in templates as it is a common mistake made

this is for issue #9219
as discussed in Slack on 04-Sep-2019

* Minor doc block clean-up

* Update src/Security/Member.php - typo fix

Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-09-06 20:31:22 +12:00
Guy Marriott
25de735a9f
Merge pull request #9224 from open-sausages/pulls/4/docs-uservoice-removal
DOCS Remove uservoice mentions
2019-09-06 16:26:26 +12:00
Ingo Schommer
e3f06c4468 DOCS Remove uservoice mentions
See https://forum.silverstripe.org/t/a-new-way-to-manage-feature-ideas/2264
2019-09-06 16:01:30 +12:00