silverstripe-framework/docs/en/04_Changelogs/3.1.9.md
2015-01-15 18:56:09 +13:00

4.1 KiB

3.1.9

Upgrading

File permissions

This release makes an important change to File DataObject permissions in order to close a vulnerability in file modification privileges.

By default the minimum necessary permission required by any user to modify files has been changed to CMS_ACCESS_AssetAdmin. If you need unauthenticated users, or users with other rights, to edit certain files, then you will need to customise this.

E.g.

:::php
<?php
class FileSecurityExtension extends DataExtension {
	public function canEdit($member) {
		return Permission::checkMember($member, 'MyCustomPermission');
	}
}

An example use case is when you want to use UploadField on the frontend, where files could be uploaded by non-admin users, and your above logic will need to ensure that those users can edit their own files after they have uploaded it.

Security

This release includes an important security fix.

Features and Enhancements

  • 2014-11-21 31b5a9d Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
  • 2014-12-10 fba6880 Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
  • 2014-11-13 d7eb275 Make the record count in GridFieldFooter optional (Jeremy Shipman)

Bugfixes

  • 2015-01-08 a02adf6 Uneccessary class replacement (Michael Strong)
  • 2014-12-18 5637431 The method 'name' does not exist on 'Form' (Elvinas L)
  • 2014-12-15 6582162 How to folder on forms (Cam Findlay)
  • 2014-12-11 b5c361a GD - check file exists before getimagesize (Will Morgan)
  • 2014-12-09 6bdd30c Fix gridfield storing duplicate data in session (Damian Mooyman)
  • 2014-12-09 3ac705f Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
  • 2014-12-09 e9fd03b use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
  • 2014-11-25 01989aa Manifest flushing (Jonathon Menz)
  • 2014-11-24 7384d01 DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
  • 2014-11-18 2bdfd65 Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
  • 2014-11-10 85b4ba1 DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
  • 2014-10-03 9d888d5 Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
  • 2014-09-02 1f4f5e6 Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)

Changelog