Ingo Schommer
f8bbc0a726
BUGFIX Escape HTML in DropdownField and ListboxField
Fixes reflected XSS in Group titles when using
in group selections (e.g. in "New Member" form).
2013-02-17 23:27:15 +01:00
Ingo Schommer
604ede30a4
BUGFIX Escape HTML in CMS status messages
2013-02-17 23:27:15 +01:00
Ingo Schommer
7bb0bbff0e
BUGFIX Fixed XSS in admin/security and "My Profile" forms
2013-02-17 23:27:15 +01:00
Ingo Schommer
7830b5d1b1
Merge remote-tracking branch 'origin/2.4' into 3.0
2013-02-17 22:43:56 +01:00
Ingo Schommer
ede381326b
BUG Secure composer files from web access ( fixes #8011 )
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00
Ingo Schommer
e21bd49462
BUG TimeField respects user choice ( fixes #8260 )
Regression from c969e04731.
Also fixes width to accommodate for widest common format:
"11:11:11 AM"
2013-02-17 21:00:02 +01:00
Ingo Schommer
5d3ed12e20
Nginx docs for denying composer file access ( fixes #8011 )
2013-02-15 19:22:21 +01:00
Sean Harvey
b25b6d4769
Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3
API Require ADMIN for ?showtemplate=1 (3.0)
2013-02-12 15:07:34 -08:00
Sean Harvey
9337902fdd
Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
d969e29d00
API Require ADMIN for ?showtemplate=1
2013-02-12 23:26:04 +01:00
Ingo Schommer
45c68d6821
API Require ADMIN for ?showtemplate=1
2013-02-12 23:21:13 +01:00
Ingo Schommer
2b05951d41
Merge pull request #1160 from uniun/patch-3
Incorrect Content-Type header for RSS feeds
2013-02-07 02:14:09 -08:00
Ingo Schommer
79eacb2439
FIX Group->canEdit() correct non-admin checks ( fixes #8250 )
Due to changed return value of DataObject::get(),
the (negated) check always returned false.
This wasn't noticed in 3.0 because Group->canEdit() is rarely
enforced, but does become noticeable in 3.1 where GridField
checks those object-level permissions.
Thanks to @purplespider for reporting!
2013-02-07 09:19:57 +01:00
Ingo Schommer
a1beda14d1
Removed explicit pass-by-ref in DataExtension->validate()
Same fix as be97535b for 3.1. Makes the method signature
more consistent with other DataExtension methods,
and comply with its subclass implementation in
Hierarchy->validate(). See accbd7f1e2 for more comments.
2013-02-06 19:00:23 +01:00
Ingo Schommer
b31dbc0b5f
Merge pull request #1163 from schwarz-computer-systeme/3.0
Update admin/javascript/lang/de_DE.js
2013-02-06 01:37:23 -08:00
senglmann
bb223bb35f
Update admin/javascript/lang/de_DE.js
fixed typo in translation
2013-02-06 10:13:49 +01:00
Will Rossiter
1db0156832
Merge pull request #1162 from dhensby/patch-1
NEW Add Varchar::getSize()
2013-02-05 12:19:07 -08:00
Daniel Hensby
f0621cdd91
FEATURE: Added ability to query size of Varchar
This allows a developer to programmatically access the size of the DB Varchar field. This allows us to be a bit more DRY and to define the size in one place and limit TextFields to the same value
2013-02-05 18:41:11 +00:00
uniun
e249799e9a
Incorrect Content-Type header for RSS feeds
It should be application/rss+xml but not text/xml.
2013-02-05 18:11:28 +02:00
Ingo Schommer
accbd7f1e2
Revert "FIX: Strict error warnings on DataExtension"
This reverts commit 1960df8bc3.
Revert "FIX: validate doesn't take var by reference"
This reverts commit 866bb0713b.
@ajshort has changed the method signatures in 1f6f7f08. While it wasn't explicitly noted in the commit message, I think it's a good change - objects like a FieldList are always passed by reference in PHP, no need to declare that behaviour.
2013-02-04 17:23:11 +01:00
Ingo Schommer
857d8bb8df
FIX Don't escape values on TreeDropdownField readonly views
They typically output TreeTitle() which is assumed to be HTML.
2013-02-04 17:15:32 +01:00
Ingo Schommer
5205a4403b
Merge pull request #1156 from mandrew/patch-1
FIX: Strict error warnings on DataExtension
2013-02-04 04:49:44 -08:00
Michael Andrewartha
866bb0713b
FIX: validate doesn't take var by reference
Got a bit carried away, validate doesn't take the var by reference
2013-02-04 12:42:39 +00:00
Michael Andrewartha
1960df8bc3
FIX: Strict error warnings on DataExtension
PHP is throwing strict error warnings when overriding the
updateCMSFields and other functions in custom DataExtensions due to
the fact that the abstract class doesn't declare the variables should
be passed by reference
2013-02-04 12:37:53 +00:00
Ingo Schommer
b381e9933d
Include "media" attr for module customCSS() ( fixes #8219 )
2013-02-01 10:23:16 +01:00
Ingo Schommer
d77e06d585
Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010 )
2013-01-31 10:19:17 -08:00
Ingo Schommer
1bb109041f
FIX Node updates in IE without non-object error
Bug was most prominent after page publication,
which triggers a node reload. It iterated through
all node attributes to assign them to the existing node,
which apparently includes some non-scalar attributes
that can't simply be copied in IE.
2013-01-31 18:59:20 +01:00
ajshort
fd71a3d55e
Consistently exposed ManyManyList information through getters.
2013-01-31 15:21:46 +01:00
Ingo Schommer
3dab996c90
Excluded Postgres from Travis (breaks build due to internal errors)
We'll need to fix the "no space left on device" issue,
most likely caused by Postgres keeping too much of a query log,
or somehow creating a history of past data.
For now, having a Postgres build breaking the whole
build process (incl. MySQL builds) does more harm than good.
2013-01-30 13:01:37 +01:00
Simon Welsh
c9f728fefb
FIX Only check the remember token if a user exists
2013-01-30 09:17:47 +13:00
jean
c048a019f6
BUGFIX Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page.
2013-01-29 19:24:37 +01:00
Sam Minnee
5f9348b016
FIX: Ensure that Security views respect redirections triggered by Page_Controller::init()
Sometimes Page_Controller::init() will trigger a redirection. For example, it may redirect to a
canonical URL. In this case, the Security views, which co-opt Page_Controller, need to respect
this.
2013-01-29 18:19:15 +01:00
Sam Minnee
f54697930e
API CHANGE: Add a PermissionFailureException that can be thrown to trigger a log-in.
2013-01-29 18:10:42 +01:00
Ingo Schommer
6cb1570282
Merge pull request #1078
2013-01-29 18:04:15 +01:00
Sam Minnee
c4dde9022d
NEW: Allow hashes to be passed as ArrayList items; they will be turned into ArrayData objects.
2013-01-29 18:03:49 +01:00
Sam Minnee
9a2ba483df
BUGFIX: Made CSRF-error wording friendlier.
2013-01-29 18:03:49 +01:00
Sam Minnee
b6fd27663a
MINOR: Don't throw redirection warning if redirection to the same place.
2013-01-29 18:03:49 +01:00
Sam Minnee
b43bf68f9c
MINOR: Minor fixes to FunctionalTest
2013-01-29 18:03:48 +01:00
Sam Minnee
6fcbad1a31
BUGFIX: Updated SilverStripe error handler so that log_errors still works.
2013-01-29 18:03:48 +01:00
Sam Minnee
82988d421b
BUGFIX: Better error message when 401 response is corrupted.
2013-01-29 18:03:48 +01:00
Sam Minnee
f8206d15c8
BUGFIX: Prevent notice-level error in Session code when non-array is turned into an array.
2013-01-29 18:03:48 +01:00
Sam Minnee
f72c77e984
MINOR: Fixed a glitch that causes warnings in cli-script execution.
2013-01-29 18:03:48 +01:00
Jean-Fabien
55f3ec1371
FIX: Added error message fields to default search form
2013-01-29 18:03:47 +01:00
Sam Minnee
47e037e74c
FIX: Removed notice-level error after forms w/ required fields are made readonly.
2013-01-29 18:03:47 +01:00
Sam Minnee
1e1df8c43e
BUGFIX: Improved detection of empty HTMLText fields.
2013-01-29 18:03:47 +01:00
Sam Minnee
d8bfc0bb48
API CHANGE: Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself.
2013-01-29 18:03:47 +01:00
Carlos Barberis
33a1fc7b3a
FIX: Fixed operation of inlined images in Mailer, when no inlined images actually attached.
2013-01-29 18:03:47 +01:00
Sam Minnee
b7a1db7ce3
FIX: Set up the test mailer before loading the fixture, in case fixture-creation causes emails to be generated.
2013-01-29 18:03:45 +01:00
Sam Minnee
c3a3ff4438
NEW: Added Email::send_all_emails_from() setting.
2013-01-29 18:03:30 +01:00
Sam Minnee
5e6f5f9f7e
NEW: Allow configuration of send_all_emails_to, ccs_all_emails_to, and bcc_all_emails_to via the config system.
2013-01-29 18:03:27 +01:00