silverstripe-framework

mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-09-18 23:46:21 +02:00

Author	SHA1	Message	Date
Daniel Hensby	17097a4d11	[SS-2016-016] FIX Properly escape backURL for template injection	2016-11-10 17:00:03 +00:00
Daniel Hensby	5a7cde0e10	Merge branch '3.4' into 3.5.0	2016-11-09 16:14:40 +00:00
Loz Calver	6bf36fbd30	FIX: Correct return type for Member::currentUser()	2016-11-09 14:20:44 +00:00
Daniel Hensby	beeed8155a	Merge branch '3.4' into 3	2016-09-16 11:56:01 +01:00
Thomas Portelange	995d07756d	cache currentUser query (#6007 ) * cache currentUser query Various modules can call a lot of time Member::currentUser(). We can avoid querying the database multiple times. Cache is implemented as a static array inside the method and store the data byID, in case the currentUserID changes within the same request (not very likely, but..)	2016-09-15 15:45:40 +01:00
Daniel Hensby	3fd9fe3aa0	Merge branch '3.4' into 3	2016-09-07 09:22:06 +01:00
Daniel Hensby	060bf6b327	Merge branch '3.3' into 3.4	2016-08-22 16:22:37 +01:00
Daniel Hensby	088d88e978	Merge branch '3.2' into 3.3	2016-08-22 16:22:02 +01:00
Daniel Hensby	229a2b9217	Merge pull request #4133 from nimeso/patch-1	2016-08-22 11:52:47 +01:00
Damian Mooyman	d88516203c	Merge 3.4 into 3	2016-08-15 19:05:20 +12:00
Daniel Hensby	d1163d87b7	[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled	2016-08-15 15:52:10 +12:00
Daniel Hensby	8bbf1caae6	[SS-2016-013] FIX Uncasted member name	2016-08-15 15:52:04 +12:00
Daniel Hensby	782c18fd13	[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login	2016-08-15 15:51:53 +12:00
Daniel Hensby	08384bb4d6	[SS-2016-008] Reset `Member::Salt` on password change	2016-08-15 15:50:56 +12:00
Daniel Hensby	fa7f5af861	[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled	2016-08-15 15:02:53 +12:00
Daniel Hensby	83e3302c04	[SS-2016-013] FIX Uncasted member name	2016-08-15 15:02:47 +12:00
Daniel Hensby	6d41db77fa	[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts	2016-08-15 15:02:41 +12:00
Daniel Hensby	f85dea2e6d	[SS-2016-008] Reset `Member::Salt` on password change	2016-08-15 15:02:36 +12:00
Daniel Hensby	b1f449762b	[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled	2016-08-15 14:07:57 +12:00
Daniel Hensby	281b0de571	[SS-2016-013] FIX Uncasted member name	2016-08-15 14:07:51 +12:00
Daniel Hensby	2b30ade44d	[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts	2016-08-15 14:07:40 +12:00
Daniel Hensby	dc47f7ec9a	[SS-2016-008] Reset `Member::Salt` on password change	2016-08-15 14:07:24 +12:00
Daniel Hensby	1c7d5de51b	[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled	2016-08-15 13:24:06 +12:00
Daniel Hensby	6817c57f64	[SS-2016-013] FIX Uncasted member name	2016-08-15 13:21:14 +12:00
Daniel Hensby	6606d98663	[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts	2016-08-15 13:20:02 +12:00
Daniel Hensby	298f61521c	[SS-2016-008] Reset `Member::Salt` on password change	2016-08-15 13:19:02 +12:00
Damian Mooyman	3c1a5d2a46	Merge pull request #5872 from dhensby/pulls/3/injector-for-cmslogin FIX Use create syntax for CMSMemberLoginForm remember me form	2016-08-12 14:10:56 +12:00
Daniel Hensby	86add3e021	FIX Use create syntax for CMSMemberLoginForm remember me form	2016-08-07 20:20:20 +01:00
Damian Mooyman	7de5b998e1	Merge 3.4 into 3	2016-08-05 19:12:25 +12:00
Damian Mooyman	ca754eb887	Merge 3.3 into 3.4 # Conflicts: # admin/javascript/lang/fa_IR.js # admin/javascript/lang/it.js # admin/javascript/lang/src/fa_IR.js # admin/javascript/lang/src/it.js # lang/cs.yml # lang/eo.yml # lang/fa_IR.yml # lang/fi.yml # lang/it.yml # lang/sk.yml	2016-08-05 16:48:26 +12:00
Damian Mooyman	0d5ae23f2b	Merge 3.2 into 3.3	2016-08-05 14:36:35 +12:00
Andrew Aitken-Fincham	66f2e6811b	modify getAuthenticator to fall back to get_default_authenticator	2016-08-03 10:36:43 +12:00
Damian Mooyman	d08ab6ac81	API Allow X-Frame-Options to be configured Fixes #2970	2016-07-15 14:08:14 +12:00
Daniel Hensby	a449045b09	Merge branch '3.4' into 3	2016-07-04 23:54:27 +01:00
Daniel Hensby	c35dc508cb	Merge branch '3.3' into 3.4	2016-07-04 23:53:55 +01:00
Daniel Hensby	ee326f6394	Merge branch 'hailwood/patch-5' into 3	2016-07-01 14:53:02 +01:00
Matthew Hailwood	4f0969f119	Make lost password url a config option like login_url and logout_url Also makes the login_url, logout_url and new lost_password_url functions return their link relative to the base url rather than assuming the base tag	2016-07-01 14:47:51 +01:00
Damian Mooyman	f1a0aef0d7	BUG fix CMS_ACCESS permission being ignored if in incorrect order in array	2016-06-28 17:45:15 +12:00
Daniel Hensby	19b9413432	NEW Use injector for MemberLoginForm fields	2016-06-10 22:50:38 +01:00
Stevie Mayhew	b1df9dcb1d	BUGFIX: check that we have a token and a UID before attempting a member auto login	2016-05-20 09:19:08 +12:00
Damian Mooyman	4d1ddf0e62	BUG Prevent session hijackers from resetting a user password BUG Member::checkPassword incorrect for default admin	2016-05-16 10:54:18 +12:00
Damian Mooyman	4f06a43986	Merge 3.3 into 3 # Conflicts: # admin/javascript/lang/src/cs.js # admin/javascript/lang/src/de.js # admin/javascript/lang/src/en.js # admin/javascript/lang/src/eo.js # admin/javascript/lang/src/es.js # admin/javascript/lang/src/fi.js # admin/javascript/lang/src/fr.js # admin/javascript/lang/src/id.js # admin/javascript/lang/src/id_ID.js # admin/javascript/lang/src/it.js # admin/javascript/lang/src/ja.js # admin/javascript/lang/src/lt.js # admin/javascript/lang/src/mi.js # admin/javascript/lang/src/nb.js # admin/javascript/lang/src/nl.js # admin/javascript/lang/src/pl.js # admin/javascript/lang/src/ro.js # admin/javascript/lang/src/ru.js # admin/javascript/lang/src/sk.js # admin/javascript/lang/src/sl.js # admin/javascript/lang/src/sr.js # admin/javascript/lang/src/sr@latin.js # admin/javascript/lang/src/sr_RS.js # admin/javascript/lang/src/sr_RS@latin.js # admin/javascript/lang/src/sv.js # admin/javascript/lang/src/zh.js # javascript/lang/fr.js # javascript/lang/src/ar.js # javascript/lang/src/cs.js # javascript/lang/src/de.js # javascript/lang/src/en.js # javascript/lang/src/eo.js # javascript/lang/src/es.js # javascript/lang/src/fi.js # javascript/lang/src/fr.js # javascript/lang/src/id.js # javascript/lang/src/id_ID.js # javascript/lang/src/it.js # javascript/lang/src/ja.js # javascript/lang/src/lt.js # javascript/lang/src/mi.js # javascript/lang/src/nb.js # javascript/lang/src/nl.js # javascript/lang/src/pl.js # javascript/lang/src/ru.js # javascript/lang/src/sk.js # javascript/lang/src/sl.js # javascript/lang/src/sr.js # javascript/lang/src/sr@latin.js # javascript/lang/src/sr_RS.js # javascript/lang/src/sr_RS@latin.js # javascript/lang/src/sv.js # javascript/lang/src/zh.js # lang/it.yml	2016-05-11 14:06:23 +12:00
Daniel Hensby	d1751e3310	Merge remote-tracking branch '3.2.4' into 3.3.2	2016-05-05 12:33:21 +01:00
Daniel Hensby	cf29b2c146	Merge remote-tracking branch '3.1.19' into 3.2.4	2016-05-05 11:17:45 +01:00
Daniel Hensby	92599727b9	Merge remote-tracking branch 'security/patch/3.1/ss-2016-006' into 3.1.19	2016-05-05 01:01:49 +01:00
Daniel Hensby	7af7f8dd65	Merge remote-tracking branch 'security/patch/3.1/ss-2016-005' into 3.1.19	2016-05-05 01:01:44 +01:00
Daniel Hensby	457931d664	Merge branch '3.3' into 3	2016-05-04 23:32:10 +01:00
Damian Mooyman	2a5ba397e6	BUG Fix SS_HTTPResponse being cast as string (#5413 ) Fixes #5335	2016-05-02 08:54:19 +12:00
Daniel Hensby	1ccd3926e3	[SS-2016-001] FIX Properly check backurl on CMSSecurity@success	2016-04-20 23:58:50 +01:00
Daniel Hensby	a6bd22ab2f	[SS-2016-006] FIX dont disable XSS for login forms	2016-04-20 23:57:59 +01:00
Daniel Hensby	f32c893546	[SS-2016-005] FIX Apply brute force protection to default admin	2016-04-19 23:20:29 +01:00
Damian Mooyman	e1865151c5	Merge pull request #5098 from bummzack/5086-fix-member-validator Fix for issue #5086	2016-02-26 14:39:53 +13:00
Roman Schmid	f691a5da32	Improve `Member_Validator` to: - properly check for existing members. - allow extensions. - remove old code and replace with new syntax and add config API. Fix issue in Group code where Member_Validator was instantiated via "new" which didn't allow injector overrides. Added unit-tests. Establish a link between the member and the validator for said member.	2016-02-25 16:10:52 +01:00
Damian Mooyman	8c1cafd1a0	Merge remote-tracking branch 'origin/3.3' into 3 # Conflicts: # admin/scss/_forms.scss # admin/scss/_style.scss # admin/scss/_tree.scss # javascript/TreeDropdownField.js	2016-01-19 17:08:26 +13:00
Damian Mooyman	5d240feaec	Merge remote-tracking branch 'origin/3.2' into 3.3	2016-01-19 15:08:24 +13:00
Damian Mooyman	46cbe809ac	Merge remote-tracking branch 'origin/3.1' into 3.2 # Conflicts: # docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md # docs/en/02_Developer_Guides/14_Files/01_Image.md # docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Customise_CMS_Menu.md # docs/en/03_Upgrading/index.md # docs/en/05_Contributing/01_Code.md # forms/TreeMultiselectField.php # security/Permission.php	2016-01-19 14:00:19 +13:00
Denise Rivera	7e32268ede	display filtered roles when not an admin	2016-01-11 13:05:10 +13:00
Sam Minnee	3ee8f505b7	MINORE: Remove training whitespace. The main benefit of this is so that authors who make use of .editorconfig don't end up with whitespace changes in their PRs. Spaces vs. tabs has been left alone, although that could do with a tidy-up in SS4 after the switch to PSR-1/2. The command used was this: for match in '.ss' '.css' '.scss' '.html' '.yml' '.php' '.js' '.csv' '.inc' '.php5'; do find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" -exec sed -E -i '' 's/[[:space:]]+$//' {} \+ find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" \| xargs perl -pi -e 's/ +$//' done	2016-01-07 10:15:54 +13:00
Damian Mooyman	21e1e938eb	Merge pull request #4893 from dhensby/pulls/member-regenerate-session-id FIX session_regenerate_id uses config system	2016-01-06 15:16:31 +13:00
Daniel Hensby	00544ff100	FIX session_regenerate_id uses config system	2016-01-05 22:31:58 +00:00
Daniel Hensby	4335d8ed22	FIX Members with no ID inherit logged in user permission	2016-01-05 08:16:18 +00:00
Damian Mooyman	19b10044ec	Merge remote-tracking branch 'origin/3.2' into 3	2015-12-22 17:05:07 +13:00
Damian Mooyman	6ac83f02c9	Merge pull request #4819 from SilverStripers/3 parse the string to be converted to group codes.	2015-12-22 16:53:31 +13:00
Damian Mooyman	48a30909f3	Merge remote-tracking branch 'origin/3.2' into 3 # Conflicts: # admin/javascript/LeftAndMain.BatchActions.js # css/UploadField.css # forms/HtmlEditorField.php	2015-12-22 14:07:52 +13:00
Mateusz Uzdowski	5a21b2fb15	BUG Guard against users being added to all groups on unsaved Group. If ->Members()->add() is called on an unsaved group (with ID 0), the collateFamilyIDs() will errorneously return all root Groups thinking it's looking for Groups with ParentID=0. As a result, the Member will be added to all root groups, instead of just the selected group and all its children.	2015-12-11 14:51:51 +13:00
Damian Mooyman	38e154af0a	API Disable get parameter access to site stage mode BUG Fix missing and undocumented response from Security::permissionFailure()	2015-12-07 17:39:18 +13:00
Nivanka Fonseka	411f168f00	parse the string to be converted to group codes. Two fixes. 1. parse the group code by using Convert::raw2url() as it creates duplicate records if the group code is given in upper case letters, spaces etc. 2. assigning to the $_cache_groupByCode has to be really done in the if condition rather than out of it.	2015-12-02 10:01:25 +05:30
Novusvetus	6266f909e0	API Increased Permission.Code db field to 255 characters	2015-11-27 13:54:37 +13:00
Damian Mooyman	94742fa3e2	BUG Revert method visibility regression	2015-11-27 13:10:52 +13:00
Manuel Teuber	666ce26929	FIX: Permission::checkMember() use of undefined variable $codes	2015-10-07 16:02:36 +13:00
Manuel Teuber	5224fc460c	FIX: Permission::checkMember() use of undefined variable $codes	2015-09-29 23:49:29 +02:00
Damian Mooyman	71b8aec306	Merge remote-tracking branch 'origin/3.2' into 3	2015-09-15 13:35:51 +12:00
Damian Mooyman	c4710b2272	Merge remote-tracking branch 'origin/3.1' into 3.2 Conflicts: admin/code/GroupImportForm.php admin/code/MemberImportForm.php tests/model/DataListTest.php	2015-09-15 13:18:47 +12:00
Damian Mooyman	7e76f769b1	Merge pull request #4600 from patricknelson/issue-4597-gridfieldconfig-injector FIX for #4597: Ensuring GridFieldConfig_RelationEditor is instantiated via Injector, not via "new" keyword.	2015-09-14 10:14:05 +12:00
Patrick Nelson	5cc0878dc1	FIX for #4597 : Ensuring GridFieldConfig_RelationEditor is instantiated via Injector, not via "new" keyword.	2015-09-11 17:57:13 -04:00
Damian Mooyman	7367cf54c4	[ss-2015-020]: Prevent possible Privilege escalation	2015-09-10 13:01:24 +12:00
Damian Mooyman	f10785350e	Merge remote-tracking branch 'origin/3.2' into 3 Conflicts: docs/en/02_Developer_Guides/02_Controllers/01_Introduction.md	2015-09-09 14:50:47 +12:00
Damian Mooyman	309ac0d196	Merge remote-tracking branch 'origin/3.1' into 3.2 Conflicts: .travis.yml admin/code/CMSProfileController.php admin/tests/LeftAndMainTest.php control/HTTP.php security/Permission.php tests/forms/FormTest.php tests/model/ArrayListTest.php tests/security/PermissionTest.php	2015-09-09 14:35:29 +12:00
Sam Minnée	f4b7cd3f68	Merge pull request #4500 from stevie-mayhew/pulls/get-response FEATURE: implement getter and setter usage for response	2015-08-29 15:35:55 +12:00
Stevie Mayhew	1b57e0ca5b	FEATURE: implement getter and setter usage for response	2015-08-29 10:24:06 +12:00
Daniel Hensby	2d4b743090	FIX Members can access their own profiles in CMS	2015-08-26 15:47:51 +01:00
Damian Mooyman	4a011303b9	Add missing packages	2015-08-24 16:15:38 +12:00
Damian Mooyman	1686c83826	Revert #3425 #3396 to restore deprecated functionality Fixes #4514	2015-08-24 11:26:25 +12:00
Daniel Hensby	ab0572e7cc	DOCS Permission comments made a bit clearer	2015-08-21 09:16:46 +01:00
Daniel Hensby	6eede57ff2	Fix issue where Access All CMS Sections doesnt work	2015-08-20 22:30:43 +01:00
Damian Mooyman	4ca5237185	Merge pull request #4321 from dhensby/pulls/formfield-docs DOCS Fixing docs (and bad API usage)	2015-07-30 15:29:28 +12:00
Loz Calver	b7480b92a9	FIX: Hide 'Logged Passwords' tab in member CMS fields (fixes #4422 )	2015-07-22 14:40:09 +01:00
Daniel Hensby	79c4f63855	DOCS Fixing docs (and bad API usage)	2015-07-20 16:42:33 +01:00
Daniel Hensby	ca8d0f2818	Merge branch '3.1' into 3.2 Conflicts: dev/Debug.php docs/en/05_Contributing/01_Code.md forms/FormField.php i18n/i18nTextCollector.php model/DataQuery.php	2015-07-20 10:48:01 +01:00
Damian Mooyman	6fabd0122b	BUG Fix potential XSS injection	2015-07-01 17:41:32 +12:00
Sean Harvey	fd755a7ff9	BUG ChangePasswordForm validation message should render HTML correctly. HTML shows up in the form message escaped, but it shouldn't be.	2015-07-01 17:41:32 +12:00
Daniel Hensby	3507ddb0e8	FIX MemberPassword history removed with with Members Currently Members that were deleted would still have their passwords stored in the DB even though they were deleted. This seems unnecessary and just increases data that could potentially be compromised later.	2015-06-24 21:04:23 +01:00
Phill Price	b2024107a9	DOCS: Typo in a block	2015-06-24 11:57:12 +01:00
Damian Mooyman	e14f743bf0	Set deprecation level for all changes in 3.x to 4.0	2015-06-19 13:07:41 +12:00
Damian Mooyman	58cc3da8d8	API Revert DataObject::validate to 3.1 method signature (protected)	2015-06-16 11:59:21 +12:00
Damian Mooyman	8331171f2c	Merge remote-tracking branch 'origin/3.1' into 3 Conflicts: .scrutinizer.yml admin/javascript/LeftAndMain.Panel.js core/startup/ParameterConfirmationToken.php dev/Debug.php dev/FixtureBlueprint.php docs/en/00_Getting_Started/05_Coding_Conventions.md docs/en/00_Getting_Started/index.md docs/en/02_Developer_Guides/01_Templates/01_Syntax.md filesystem/File.php filesystem/Folder.php forms/FieldList.php forms/LabelField.php forms/MoneyField.php forms/TextField.php forms/TreeDropdownField.php forms/Validator.php forms/gridfield/GridField.php forms/gridfield/GridFieldExportButton.php lang/de.yml lang/fi.yml model/DataObject.php model/SQLQuery.php parsers/ShortcodeParser.php security/ChangePasswordForm.php security/Security.php tests/control/DirectorTest.php tests/core/startup/ParameterConfirmationTokenTest.php tests/dev/FixtureBlueprintTest.php tests/forms/FieldListTest.php tests/forms/MoneyFieldTest.php tests/model/SQLQueryTest.php tests/security/SecurityTest.php	2015-06-02 19:13:38 +12:00
Damian Mooyman	22a35e48a9	BUG Fix malformed urls redirecting to external sites	2015-05-28 10:12:18 +12:00
Stevie Mayhew	0d94cf15a5	UPDATE: change all instances of $this->request to use appropriate getter/setter	2015-04-30 11:04:08 +12:00
Jamie Barker	06e087d0f3	Check that LastVisited field exists before making it readonly	2015-04-29 11:34:32 +12:00
Daniel Hensby	c2fd18e829	FIX use config for Security::$login_url	2015-04-23 17:20:07 +01:00

1 2 3 4 5 ...

1177 Commits