Jean-Fabien Barrois
bab1f230bf
NEW Cross device "Remember Me" feature
...
At the moment, using the "Remember me" function on more than one device will only work with the last device used. Previous devices will not auto login.
This PR introduces a new DataObject for storing hashed tokens against multiple devices. Developers can configure if logging out should discard all tokens, or only the one used on the device logging out; token expiry date is 90 days by default but configurable. For added security, the old behaviour can still be enforced if multiple tokens are not desired.
See silverstripe#1574 for additional background
2016-02-10 09:42:08 +13:00
Damian Mooyman
8331171f2c
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
.scrutinizer.yml
admin/javascript/LeftAndMain.Panel.js
core/startup/ParameterConfirmationToken.php
dev/Debug.php
dev/FixtureBlueprint.php
docs/en/00_Getting_Started/05_Coding_Conventions.md
docs/en/00_Getting_Started/index.md
docs/en/02_Developer_Guides/01_Templates/01_Syntax.md
filesystem/File.php
filesystem/Folder.php
forms/FieldList.php
forms/LabelField.php
forms/MoneyField.php
forms/TextField.php
forms/TreeDropdownField.php
forms/Validator.php
forms/gridfield/GridField.php
forms/gridfield/GridFieldExportButton.php
lang/de.yml
lang/fi.yml
model/DataObject.php
model/SQLQuery.php
parsers/ShortcodeParser.php
security/ChangePasswordForm.php
security/Security.php
tests/control/DirectorTest.php
tests/core/startup/ParameterConfirmationTokenTest.php
tests/dev/FixtureBlueprintTest.php
tests/forms/FieldListTest.php
tests/forms/MoneyFieldTest.php
tests/model/SQLQueryTest.php
tests/security/SecurityTest.php
2015-06-02 19:13:38 +12:00
Damian Mooyman
22a35e48a9
BUG Fix malformed urls redirecting to external sites
2015-05-28 10:12:18 +12:00
Damian Mooyman
319b96b48b
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
docs/en/05_Contributing/01_Code.md
forms/TreeDropdownField.php
model/DataObject.php
security/Member.php
tests/model/DataObjectTest.php
2015-03-11 11:40:06 +13:00
Daniel Hensby
d2a3da2203
Making docs gender agnostic
2015-03-07 12:32:04 +00:00
Damian Mooyman
0b1f297873
Merge remote-tracking branch 'origin/3.1'
...
Conflicts:
.travis.yml
README.md
admin/code/LeftAndMain.php
admin/css/screen.css
admin/scss/screen.scss
api/RestfulService.php
conf/ConfigureFromEnv.php
control/injector/ServiceConfigurationLocator.php
control/injector/SilverStripeServiceConfigurationLocator.php
core/ClassInfo.php
core/Object.php
css/AssetUploadField.css
css/ComplexTableField_popup.css
dev/CSSContentParser.php
dev/DevelopmentAdmin.php
docs/en/changelogs/index.md
docs/en/misc/contributing/code.md
docs/en/reference/execution-pipeline.md
filesystem/GD.php
filesystem/ImagickBackend.php
filesystem/Upload.php
forms/Form.php
forms/FormField.php
forms/HtmlEditorConfig.php
forms/gridfield/GridFieldDetailForm.php
forms/gridfield/GridFieldSortableHeader.php
lang/en.yml
model/Aggregate.php
model/DataList.php
model/DataObject.php
model/DataQuery.php
model/Image.php
model/MySQLDatabase.php
model/SQLQuery.php
model/fieldtypes/HTMLText.php
model/fieldtypes/Text.php
scss/AssetUploadField.scss
search/filters/SearchFilter.php
security/Authenticator.php
security/LoginForm.php
security/Member.php
security/MemberAuthenticator.php
security/MemberLoginForm.php
security/Security.php
tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsFormsContext.php
tests/control/HTTPTest.php
tests/control/RequestHandlingTest.php
tests/filesystem/UploadTest.php
tests/forms/FormTest.php
tests/forms/NumericFieldTest.php
tests/model/DataListTest.php
tests/model/DataObjectTest.php
tests/model/TextTest.php
tests/security/MemberAuthenticatorTest.php
tests/security/SecurityDefaultAdminTest.php
tests/view/SSViewerCacheBlockTest.php
tests/view/SSViewerTest.php
2014-11-18 12:45:54 +13:00
Damian Mooyman
53c40a94fa
API Enable re-authentication within the CMS if a user session is lost
...
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Sean Harvey
0e07f1a7f5
Merge remote-tracking branch 'origin/3.0' into 3.1
2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b
FIX Opt-out pf form message escaping ( fixes #2796 )
...
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/ .
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.
We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803 .
2014-08-22 16:59:34 +12:00
Damian Mooyman
eb069e605d
Remove all redundant whitespace
2014-08-19 09:17:15 +12:00
Damian Mooyman
d8e9af8af8
API New Database abstraction layer. Ticket #7429
...
Database abstraction broken up into controller, connector, query builder, and schema manager, each independently configurable via YAML / Injector
Creation of new DBQueryGenerator for database specific generation of SQL
Support for parameterised queries, move of code base to use these over escaped conditions
Refactor of SQLQuery into separate query classes for each of INSERT UPDATE DELETE and SELECT
Support for PDO
Installation process upgraded to use new ORM
SS_DatabaseException created to handle database errors, maintaining details of raw sql and parameter details for user code designed interested in that data.
Renamed DB static methods to conform correctly to naming conventions (e.g. DB::getConn -> DB::get_conn)
3.2 upgrade docs
Performance Optimisation and simplification of code to use more concise API
API Ability for database adapters to register extensions to ConfigureFromEnv.php
2014-07-09 18:04:05 +12:00
Ingo Schommer
58445245d9
Conditionally reset MemberLoginForm.force_message
...
Avoid starting a session just because the login form is rendered,
which adds overhead to requests and makes them harder to cache.
2014-06-03 23:21:57 +12:00
Damian Mooyman
e9c3ff933f
Merge remote-tracking branch 'origin/3.1'
...
Conflicts:
.travis.yml
composer.json
2014-05-06 10:22:09 +12:00
Tim Snadden
afad65ee71
Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template.
2014-04-30 09:30:22 +12:00
Damian Mooyman
982ad569b9
Merge remote-tracking branch 'origin/3.1'
2014-04-22 12:09:51 +12:00
Mateusz U
36d925543b
Merge pull request #3020 from tractorcow/pulls/3.1-autocomplete-username
...
API Security.remember_username to disable login form autocompletion
2014-04-11 09:17:27 +12:00
Damian Mooyman
997077ae83
API Security.remember_username to disable login form autocompletion
2014-04-11 09:05:25 +12:00
Ingo Schommer
f737922cdf
Prevent IE errors on hidden login forms
...
In order to focus a field, it needs to be visible,
which can't be guaranteed on a core level by the login form JavaScript.
Optionally check for visibility via jQuery if it exists,
and allow explicit disabling of this behaviour via a unique identifier.
2014-04-08 11:28:54 +12:00
Simon Welsh
d431e98ecf
Merge branch '3.1'
...
Conflicts:
forms/Form.php
forms/FormField.php
security/Member.php
security/MemberLoginForm.php
2014-03-10 22:58:49 +13:00
Ingo Schommer
9afcf8f01a
Allow vetoing forgot password requests
2014-02-25 13:05:32 +13:00
Ingo Schommer
60fc7e5346
Merge remote-tracking branch 'origin/3.1'
2013-10-06 19:07:39 +02:00
Damian Mooyman
5bbea12b45
BUG Issue with login form failing to login in certain situations. Fixes issue #2424
2013-10-03 17:12:30 +13:00
Ingo Schommer
a4c6ae3e90
Merge remote-tracking branch 'origin/3.1'
2013-08-22 13:56:33 +02:00
Mateusz Uzdowski
085d2e62cb
BUG MemberLoginForm fields should be tagged as required.
2013-08-12 09:32:03 +12:00
Sam Minnee
d97ca43cd0
Merge branch '3.1'
...
Conflicts:
README.md
dev/install/install.php5
forms/ConfirmedPasswordField.php
tests/forms/FormTest.php
2013-05-23 19:01:58 +12:00
Ingo Schommer
3e88c98ca5
API Restrict MemberLoginForm to POST requests for increased security
...
CVE-2013-2653 - Thanks to Fara Rustein of Deloitte Argentina for reporting.
2013-05-08 10:25:28 +02:00
Ingo Schommer
97819b3f21
Correct encoding in MemberLoginForm->forgotPassword() URLs ( fixes #6126 )
2013-04-05 11:15:34 +02:00
Ingo Schommer
3334eafcb1
API Marked statics private, use Config API instead ( #8317 )
...
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
18c9a95996
API Removed 'BadLoginURL' session var from MemberLoginForm
...
It was never set in core, and is generally undocumented,
hence just unnecessarily increases the security surface
of this sensitive class.
2013-02-05 22:49:06 +01:00
Simon Welsh
b0121b541c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c
Add codesniffer that ensures indentation is with tabs.
2012-12-12 00:12:11 +13:00
Mateusz Uzdowski
a8b0e44d98
API Hash autologin tokens before storing in the database.
...
Refactor the code to make it clear the distinction is made between a
plaintext token and a hashed version. Rename fields so it is more
obvious what is being written and what sent out to the user.
This reuses the salt and algorithm from the Member, which are kept
constant throughout the Member lifetime in a normal scenario. If they do
change, users will need to re-request so the hashes can be regenerated.
2012-11-09 11:29:42 +01:00
Sam Minnee
1f7fc1f76a
FIX Remove instances of lines longer than 120c
...
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
e2f073f38a
Method visibility according to coding conventions
2012-09-20 10:46:59 +02:00
Sean Harvey
d4154dae9e
API CHANGE Deprecate Member::sendInfo(), use Member_ChangePasswordEmail and Member_ForgotPasswordEmail class directly instead.
2012-05-05 10:04:46 +12:00
Ingo Schommer
7b18d9d0da
MINOR Switching _t() calls from sprintf() to using injection parameters ( #7170 )
2012-05-01 22:17:00 +02:00
Simon Welsh
f07258f3cf
MINOR Update @package values to match renaming sapphire
2012-04-15 10:50:19 +12:00
Sean Harvey
fd3de5158d
BUGFIX Use of Link() in security classes now refers to $this->controller
...
instead of calling the instance method Link statically (which isn't
allowed for E_STRICT compliance.)
2012-04-12 12:09:39 +12:00
Sean Harvey
9f3344b355
API CHANGE Removed built-in behaviour.js client-side form validation.
...
This is no longer supported. Please use custom client-side validation instead. (see 3.0.0 changelog
for more information)
2012-03-09 12:19:57 +13:00
Fred Condo
d370423825
Clean up trailing ?> per coding standard
...
All sapphire but the lang directory
2012-02-12 12:40:16 -08:00
Sam Minnee
ff9b9e17af
MINOR: Removed use of deprecated Director::redirect* functions.
2011-10-29 17:36:37 +13:00
Stig Lindqvist
7a4c7a6e23
MINOR Redirect user to homepage if the BackURL have been set to another site.
...
This might indicatate a spoofing attack. I also extracted code into it's own method to make it easier to read.
2011-10-27 22:38:29 +02:00
Hamish Friedlander
0a3e0f15de
MINOR: Replace references to FieldSet (now deprecated) with references to FieldList
2011-10-28 15:58:55 +13:00
ajshort
1f6f7f0862
API CHANGE: Deprecated CompositeField->FieldSet() in favour of CompositeField->FieldList().
...
MINOR: Replaced usage of FieldSet with FieldList.
MINOR: Renamed FieldSetTest to FieldListTest.
2011-05-11 17:51:54 +10:00
Sam Minnee
ef8419f11d
ENHANCEMENT #4903 MemberLoginForm field for "You are logged in as %s" message customisation (thanks walec51!) (from r111891)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112941 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-19 05:05:23 +00:00
Sam Minnee
0b4e4428be
MINOR: Merges from branches/2.4
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112157 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-13 04:04:32 +00:00
Ingo Schommer
8203e5b179
BUGFIX: Don't register member IDs that don't exist in the DB as being logged in. (from r98265)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102637 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-13 03:18:26 +00:00
Ingo Schommer
b69b03b9e0
API CHANGE: Unique_identifier now accepted as the login requirement, allowing alternatives to 'Email' (from r97270)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102440 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-12 05:00:05 +00:00
Andrew O'Neil
813760108c
BUGFIX: Security::$default_login_dest isn't used ( #4179 , simon_w)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@90023 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-10-23 00:18:10 +00:00
Ingo Schommer
d386db0bc3
ENHANCEMENT Avoid information disclosure in Security/lostpassword form by returning the same message regardless wether a matching email address was found in the database.
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86021 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-09-10 03:01:46 +00:00