Commit Graph

10090 Commits

Author SHA1 Message Date
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Ingo Schommer
303352926b 3.0.4 changelog update 2013-02-17 23:28:22 +01:00
Ingo Schommer
f8bbc0a726 BUGFIX Escape HTML in DropdownField and ListboxField
Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
2013-02-17 23:27:15 +01:00
Ingo Schommer
604ede30a4 BUGFIX Escape HTML in CMS status messages 2013-02-17 23:27:15 +01:00
Ingo Schommer
7bb0bbff0e BUGFIX Fixed XSS in admin/security and "My Profile" forms 2013-02-17 23:27:15 +01:00
Ingo Schommer
7830b5d1b1 Merge remote-tracking branch 'origin/2.4' into 3.0 2013-02-17 22:43:56 +01:00
Ingo Schommer
ede381326b BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
e21bd49462 BUG TimeField respects user choice (fixes #8260)
Regression from c969e04731.
Also fixes width to accommodate for widest common format:
"11:11:11 AM"
2013-02-17 21:00:02 +01:00
Ingo Schommer
5d3ed12e20 Nginx docs for denying composer file access (fixes #8011) 2013-02-15 19:22:21 +01:00
Sean Harvey
b25b6d4769 Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3
API Require ADMIN for ?showtemplate=1 (3.0)
2013-02-12 15:07:34 -08:00
Sean Harvey
9337902fdd Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
d969e29d00 API Require ADMIN for ?showtemplate=1 2013-02-12 23:26:04 +01:00
Ingo Schommer
45c68d6821 API Require ADMIN for ?showtemplate=1 2013-02-12 23:21:13 +01:00
Ingo Schommer
2b05951d41 Merge pull request #1160 from uniun/patch-3
Incorrect Contant-Type header for RSS feeds
2013-02-07 02:14:09 -08:00
Ingo Schommer
79eacb2439 FIX Group->canEdit() correct non-admin checks (fixes #8250)
Due to changed return value of DataObject::get(),
the (negated) check always returned false.
This wasn't noticed in 3.0 because Group->canEdit() is rarely
enforced, but does become noticeable in 3.1 where GridField
checks those object-level permissions.

Thanks to @purplespider for reporting!
2013-02-07 09:19:57 +01:00
Ingo Schommer
a1beda14d1 Removed explicit pass-by-ref in DataExtension->validate()
Same fix as be97535b for 3.1. Makes the method signature
more consistent with other DataExtension methods,
and comply with its subclass implementation in
Hierarchy->validate(). See accbd7f1e2 for more comments.
2013-02-06 19:00:23 +01:00
Ingo Schommer
b31dbc0b5f Merge pull request #1163 from schwarz-computer-systeme/3.0
Update admin/javascript/lang/de_DE.js
2013-02-06 01:37:23 -08:00
senglmann
bb223bb35f Update admin/javascript/lang/de_DE.js
fixed typo in translation
2013-02-06 10:13:49 +01:00
Will Rossiter
1db0156832 Merge pull request #1162 from dhensby/patch-1
NEW Add Varchar::getSize()
2013-02-05 12:19:07 -08:00
Daniel Hensby
f0621cdd91 FEATURE: Added ability to query size of Varchar
This allows a developer to programatically access the size of the DB Varchar field. This allows us to be a bit more DRY and to define the size in one place and limit TextFields to the same value
2013-02-05 18:41:11 +00:00
uniun
e249799e9a Incorrect Contant-Type header for RSS feeds
It should be application/rss+xml but not text/xml.
2013-02-05 18:11:28 +02:00
Ingo Schommer
accbd7f1e2 Revert "FIX: Strict error warnings on DataExtension"
This reverts commit 1960df8bc3.

Revert "FIX: validate doesn't take var by reference"
This reverts commit 866bb0713b.

@ajshort has changed the method signatures in 1f6f7f08. While it wasn't explicitly noted in the commit message, I think its a good change - objects like a FieldList are always passed by reference in PHP, no need to declare that behaviour.
2013-02-04 17:23:11 +01:00
Ingo Schommer
857d8bb8df FIX Don't escape values on TreeDropdownField readonly views
They typically output TreeTitle() which is assumed to be HTML.
2013-02-04 17:15:32 +01:00
Ingo Schommer
5205a4403b Merge pull request #1156 from mandrew/patch-1
FIX: Strict error warnings on DataExtension
2013-02-04 04:49:44 -08:00
Michael Andrewartha
866bb0713b FIX: validate doesn't take var by reference
Got a bit carried away, validate doesn't take the var by reference
2013-02-04 12:42:39 +00:00
Michael Andrewartha
1960df8bc3 FIX: Strict error warnings on DataExtension
PHP is throwing strict error warnings when overriding the
updateCMSFields and other functions in custom DataExtensions due to
the fact that the abstract class doesn't declare the variables should
be passed by reference
2013-02-04 12:37:53 +00:00
Ingo Schommer
b381e9933d Include "media" attr for module customCSS() (fixes #8219) 2013-02-01 10:23:16 +01:00
Ingo Schommer
d77e06d585 Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010)
2013-01-31 10:19:17 -08:00
Ingo Schommer
1bb109041f FIX Node updates in IE without non-object error
Bug was most prominent after page publication,
which triggers a node reload. It iterated through
all node attributes to assign them to the existing node,
which apparently includes some non-scalar attributes
that can't simply be copied in IE.
2013-01-31 18:59:20 +01:00
ajshort
fd71a3d55e Consistently exposed ManyManyList information through getters. 2013-01-31 15:21:46 +01:00
Ingo Schommer
3dab996c90 Excluded Postgres from Travis (breaks build due to internal errors)
We'll need to fix the "no space left on device" issue,
most likely caused by Postgres keeping too much of a query log,
or somehow creating a history of past data.
For now, having a Postgres build breaking the whole
build process (incl. MySQL builds) does more harm than good.
2013-01-30 13:01:37 +01:00
Simon Welsh
c9f728fefb FIX Only check the remember token if a user exists 2013-01-30 09:17:47 +13:00
jean
c048a019f6 BUGFIX Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page. 2013-01-29 19:24:37 +01:00
Sam Minnee
5f9348b016 FIX: Ensure that Security views respect redirections triggered by Page_Controller::init()
Sometimes Page_Controller::init() will trigger a redirection.  For example, it may redirect to a
canonical URL.  In this case, the Security views, which co-opt Page_Controller, need to respect
this.
2013-01-29 18:19:15 +01:00
Sam Minnee
f54697930e API CHANGE: Add a PermissionFailureException that can be thrown to trigger a log-in. 2013-01-29 18:10:42 +01:00
Ingo Schommer
6cb1570282 Merge pull request #1078 2013-01-29 18:04:15 +01:00
Sam Minnee
c4dde9022d NEW: Allow hashes to be passed as ArrayList items; the will be turned into ArrayData objects. 2013-01-29 18:03:49 +01:00
Sam Minnee
9a2ba483df BUGFIX: Made CSRF-error wording friendlier. 2013-01-29 18:03:49 +01:00
Sam Minnee
b6fd27663a MINOR: Don't throw redirection warning if redirection to the same place. 2013-01-29 18:03:49 +01:00
Sam Minnee
b43bf68f9c MINOR: Minor fixes to FunctionalTest 2013-01-29 18:03:48 +01:00
Sam Minnee
6fcbad1a31 BUGFIX: Updated SilverStripe error handler so that log_errors still works. 2013-01-29 18:03:48 +01:00
Sam Minnee
82988d421b BUGFIX: Better error message when 401 response is corrupted. 2013-01-29 18:03:48 +01:00
Sam Minnee
f8206d15c8 BUGFIX: Prevent notice-level error in Session code when non-array is turned into an array. 2013-01-29 18:03:48 +01:00
Sam Minnee
f72c77e984 MINOR: Fixed a glitch that causes warnings in cli-script execution. 2013-01-29 18:03:48 +01:00
Jean-Fabien
55f3ec1371 FIX: Added error message fields to default search form 2013-01-29 18:03:47 +01:00
Sam Minnee
47e037e74c FIX: Removed notice-level error after forms w/ required fields are made readonly. 2013-01-29 18:03:47 +01:00
Sam Minnee
1e1df8c43e BUGFIX: Improved detection of empty HTMLText fields. 2013-01-29 18:03:47 +01:00
Sam Minnee
d8bfc0bb48 API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. 2013-01-29 18:03:47 +01:00
Carlos Barberis
33a1fc7b3a FIX: Fixed operation of inlined images in Mailer, when no inlined images actually attached. 2013-01-29 18:03:47 +01:00
Sam Minnee
b7a1db7ce3 FIX: Set up the test mailer before loading the fixture, in case fixture-creation causes emails to be generated. 2013-01-29 18:03:45 +01:00