silverstripe-framework/docs/en/changelogs/3.1.2.md

# 3.1.2 (unreleased)

## Upgrading

### Default current Versioned "stage" to "Live" rather than "Stage"

Previously only the controllers responsible for page and CMS display 
(`LeftAndMain` and `ContentController`) explicitly set a stage through
`Versioned::choose_site_stage()`. Unless this method is called,
the default stage will be "Stage", showing draft content.
Any direct subclasses of `Controller` interacting with "versioned" objects
are vulnerable to exposing unpublished content, unless `choose_site_stage()`
is called explicitly in their own logic.

In order to provide more secure default behaviour, we have changed
`choose_site_stage()` to be called on all requests, defaulting to the "Live" stage.
If your logic relies on querying draft content, use `Versioned::reading_stage('Stage')`.

Important: The `choose_site_stage()` call only deals with setting the default stage,
and doesn't check if the user is authenticated to view it. As with any other controller logic,
please use `DataObject->canView()` to determine permissions.

	:::php
	class MyController extends Controller {
		private static $allowed_actions = array('showpage');
		public function showpage($request) {
			$page = Page::get()->byID($request->param('ID'));
			if(!$page->canView()) return $this->httpError(401);
			// continue with authenticated logic...
		}
	}

### Treedropdownfield showsearch defaults to true
The showSearch option of TreedropdownField is now set to true by default. This is to provide a fallback ui for when children of a tree node fail to render (due to too many children). You may set search as false when initializing a TreedropdownField, or afterwards:

	:::php
	$treedropdownfield->setShowSearch(false);

If your data requires a specialized search function, you may specify it within:

	:::php
	$treedropdownfield->setSearchFunction();