# 3.0.6 (Not yet released)

## Overview

 * Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
 ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))

## Details

### Security: Require ADMIN for ?flush=1 (SS-2013-001)

Flushing the various manifests (class, template, config) is performed through a GET
parameter (`flush=1`). Since this action requires more server resources than normal requests,
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

 * The [environment](/topics/environment-management) is in "dev mode"
 * A user is logged in with ADMIN permissions
 * An error occurs during startup

This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.

### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)

### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)

### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)

## Upgrading

 * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
   an object (usually DataObject) as well as an array.
 * If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web
   request, you should ensure that you limit use of the flush parameter
 * Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format. 
 * Translation entities defined in templates now use their fully qualified entity name without dots.
   Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
   files or uses of those entities in custom code.
 * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
   to ensure correct operation (it has changed its locale identifier)