1.8 KiB
3.1.2 (unreleased)
Upgrading
Default current Versioned "stage" to "Live" rather than "Stage"
Previously only the controllers responsible for page and CMS display
(LeftAndMain and ContentController) explicitly set a stage through
Versioned::choose_site_stage(). Unless this method is called,
the default stage will be "Stage", showing draft content.
Any direct subclasses of Controller interacting with "versioned" objects
are vulnerable to exposing unpublished content, unless choose_site_stage()
is called explicitly in their own logic.
In order to provide more secure default behaviour, we have changed
choose_site_stage() to be called on all requests, defaulting to the "Live" stage.
If your logic relies on querying draft content, use Versioned::reading_stage('Stage').
Important: The choose_site_stage() call only deals with setting the default stage,
and doesn't check if the user is authenticated to view it. As with any other controller logic,
please use DataObject->canView() to determine permissions.
:::php
class MyController extends Controller {
private static $allowed_actions = array('showpage');
public function showpage($request) {
$page = Page::get()->byID($request->param('ID'));
if(!$page->canView()) return $this->httpError(401);
// continue with authenticated logic...
}
}
Treedropdownfield showsearch defaults to true
The showSearch option of TreedropdownField is now set to true by default. This is to provide a fallback ui for when children of a tree node fail to render (due to too many children). You may set search as false when initializing a TreedropdownField, or afterwards:
:::php
$treedropdownfield->setShowSearch(false);
If your data requires a specialized search function, you may specify it within:
:::php
$treedropdownfield->setSearchFunction();