tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-09-08 02:31:35 +02:00
Code Issues Projects Releases Wiki Activity
28057e3a71
silverstripe-framework/docs/en/04_Changelogs/4.3.5.md
Aaron Carlino 1f92b21a04 DOCS: Add FileShortcodeProvider change to changelog
2019-09-24 16:03:48 +12:00

990 B
Raw Blame History

4.3.5

Embedding files with shortcodes (FileShortcodeProvider) no longer provides a session grant by default. This is because it has the potential to escalate file access to users who otherwise should not have viewing permissions for the file.

There is a minor performance trade-off for disabling these grants. If you have a page with a lot of images that are in a draft state or have custom viewing permissions, it adds an extra database query for each embedded image. With session grants enabled, the first permission check persists the grant into the session, meaning there is no need to query the database on every single file.

Unless you have a lot of shortcode images embedded with protected or draft status on a single page, this setting is best left to its default value of false.

To revert to the old behaviour:

SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
  allow_session_grant: true