Commit Graph

622 Commits

Author SHA1 Message Date
Sean Harvey
ffe6c34565 Merge pull request #156 from wecodenl/master
Bugfix for urls with %27 in the url
2014-08-23 11:57:43 +12:00
Juul Hobert
2e32eab6ae Bugfix for urls with %28 in the url 2014-08-22 13:21:18 +02:00
Damian Mooyman
25c0341715 Updated translations 2014-08-21 14:48:48 +12:00
Damian Mooyman
b19e86e402 Update translations 2014-08-21 14:16:12 +12:00
Sean Harvey
f27ba9094b Updating translations 2014-08-20 09:05:37 +12:00
Sean Harvey
e5ea8ebc35 Merge pull request #155 from shoaibali/master
Removed hard coding of HTTP protocol
2014-08-19 09:16:48 +12:00
Shoaib Ali
1f2cb4380d Removed hard coding of HTTP protocol 2014-08-18 21:03:52 +12:00
Damian Mooyman
a3b2be734f Merge pull request #154 from halkyon/irrelevant_permission_removal
Removing unused permission SUBSITE_ASSETS_CREATE_SUBSITE
2014-08-18 11:50:43 +12:00
Sean Harvey
1477155653 Removing unused permission SUBSITE_ASSETS_CREATE_SUBSITE
This isn't used, according to the description it would limit the list
of subsites you can choose to apply a File/Folder to. However, this
dropdown is shown to the user based on whether they have access to
that subsite, so this unused permission code isn't needed.
2014-08-18 11:31:03 +12:00
Mateusz Uzdowski
07257ddc79 Fix minor styling issue with a list. 2014-08-15 13:29:03 +12:00
Damian Mooyman
71b5842f79 Merge pull request #153 from silverstripe-rebelalliance/plat100
NEW: Adding more user documentation with a FAQ
2014-08-14 17:08:26 +12:00
Kirk Mayo
8fe6c045fa NEW: Adding more user documentation with a FAQ 2014-08-14 15:37:48 +12:00
Sean Harvey
ccf125a4d6 Merge pull request #151 from stojg/pull/prevent-xss-attacks
Security: XSS can be injected in the group edit view
2014-08-01 10:51:38 +12:00
Stig Lindqvist
bd5bd877fd Security: XSS can be injected in the group edit view 2014-08-01 10:48:44 +12:00
Damian Mooyman
f75c501e0d Merge pull request #150 from silverstripe-elliot/docs/setup
PLAT-63 update documentation for disallowed page types
2014-07-23 15:33:44 +12:00
Elliot Sawyer
1ac46b60b0 PLAT-63 update documentation for disallowed page types 2014-07-23 15:29:36 +12:00
Mateusz U
4b54951e9e Merge pull request #149 from silverstripe-elliot/SubDomain-XSS
Sanitise domain name field
2014-07-16 16:18:22 +12:00
Elliot Sawyer
205754854c Sanitise domain name field to prevent XSS attack on the CMS
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.

Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary
3. Switch to the new subsite.
4. Make a new Page. This will execute a javascript alert containing "2".

MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
2014-07-16 15:43:05 +12:00
Damian Mooyman
72a457aebb Merge pull request #105 from mateusz/loadfragment-in-use
Use the new loadFragment API.
2014-07-10 11:48:41 +12:00
Mateusz Uzdowski
66d1e68b85 Use the new loadFragment API.
Only to be merged after the
https://github.com/silverstripe/silverstripe-framework/pull/2352 is
available, and only after Subsites 1.0.0 has been released.
2014-07-09 09:29:40 +12:00
Damian Mooyman
028aa11800 Merge pull request #144 from purplespider/patch-1
Fixes #139: Broken URL Segment CMS Links
2014-06-16 08:39:43 +12:00
James Cocker
47df87f62c Fixes #135: LeftAndMain switching between subsites
When trying to switch to a different subsite from a page's editing view, it wouldn't switch. This was partly due to a $record always existing due to the homepage fallback on currentPageID : https://github.com/silverstripe/silverstripe-cms/blob/3.1/code/controllers/CMSMain.php#L816

So as currentPage() couldn't actually be used to test for the existance of a current page, I've added in a check for isset($this->owner->urlParams['ID']).

I've also moved the check for $_GET['SubsiteID’] which indicated a forced subsite switch (eg. via the dropdown switcher) above the check for a current page, as it should take precedence, and it wasn't being run when both conditions matched causing the subsite not to change.

Tested changing subsites from /admin/pages, from page edit view, from a page edit URL, and from other CMS sections such as Files and Security, and all seems to be working perfectly now.
2014-06-04 16:41:28 +01:00
James Cocker
38e4bc196d Fixes #139 - Broken URL Segment CMS Links
Fixes issue #139 using normann's solution that seems to work perfectly with both long and short links.
2014-06-04 13:12:28 +01:00
TeamCity
2a6c913cd8 Updated master strings 2014-05-22 23:05:04 +12:00
Damian Mooyman
0f78671293 Updated translation masters 2014-05-20 14:50:24 +12:00
Mateusz U
a651ee2bed Merge pull request #136 from mateusz/fix-link-rewrite
BUG Fixes to link rewriting when previewing subsites.
2014-04-02 13:51:12 +13:00
Mateusz Uzdowski
9cf7a1453f BUG Fixes to link rewriting when previewing subsites.
* JS error with href-less links.
* All forms get injected hidden fields, even though the loop attempts to
check for only the ones that submit locally.
* Also check for action-less forms.

Requires
https://github.com/silverstripe/silverstripe-framework/pull/3000 to be
merged for the Framework.
https://github.com/silverstripe-labs/silverstripe-testsession/pull/11
2014-04-02 13:39:01 +13:00
TeamCity
83d52806d7 Updated master strings 2014-02-10 23:07:00 +13:00
Mateusz Uzdowski
ae38074202 Add new lang strings, convert to JS. 2014-01-24 14:37:01 +13:00
Mateusz Uzdowski
3f7a760dbf Pull language strings from Transifex. 2014-01-23 10:51:05 +13:00
Mateusz Uzdowski
6d8f852cd4 Update language strings. 2014-01-22 16:41:45 +13:00
Mateusz U
ef30571e6f Merge pull request #133 from mateusz/docs-security
Make sure the security implication of subsites is clear in docs.
2014-01-21 15:34:00 -08:00
Mateusz Uzdowski
213356d6bc Make sure the security implication of subsites is clear in docs. 2014-01-22 12:27:53 +13:00
Mateusz U
67a66dbd3d Merge pull request #129 from mandrew/docupdate
Updates to documentation
2014-01-16 14:37:25 -08:00
Michael Andrewartha
7163fbe155 Refactored some of the text to make more sense 2014-01-17 11:14:40 +13:00
Michael Andrewartha
286a570dd0 Updates to documentation, added better intro and duplicating page
content instructions

- Adding documentation on using the ‘Disallow page types’ feature.
- Fix links
- Re-word documentation to clarify important points.
- Add new content from Sig, tidy up existing content.
- MINOR: Formatting update & draw attention to links at the bottom.
2014-01-17 10:10:52 +13:00
Sean Harvey
4e20228c2e Merge pull request #132 from mateusz/session-can-edit
Make canEdit fall back to session if the object's SubsiteID not there.
2014-01-14 14:07:32 -08:00
Mateusz U
e5b72df1d4 Merge pull request #130 from madmatt/pulls/permission-fix
Allow ‘ADMIN’ and ‘CMS_ACCESS_LeftAndMain’ CMS access. Fixes CWPBUG-113
2014-01-12 12:59:56 -08:00
Mateusz Uzdowski
82159e38d3 Make canEdit fall back to session if the object's SubsiteID not there.
This problem manifests when a GridField-managed relationship tries to
create an object that references the container from canEdit - the
container in this case has empty fields.

An example of that is a HomePage with CarouselItem - if the
CarouselItem::canEdit tries to call $this->Page()->canEdit(), the "Page"
will be a dummy object, not the actual instance of the HomePage that's
doing the manipulation.

This is similar to the behaviour of SiteTree::canEdit, which solves
this situation by falling back to "return
$this->getSiteConfig()->canEdit($member);"
2014-01-10 09:58:53 +13:00
Matt Peel
fb5d791444 BUGFIX: permissions to check the ‘CMS_ACCESS_LeftAndMain’ global permission.
‘CMS_ACCESS_LeftAndMain’ is used by the PermissionCheckboxSetField to allow
applicable Members to access all CMS sections. There are then further
permissions to restrict the Members (e.g. ‘CMS_ACCESS_LeftAndMain’ will give you
access to the ‘Pages’ section, but you still need the ‘Edit any page’ permission
to actually edit anything).

This patch ensures that the subsites module follows those permissions, and
doesn’t unnecessarily deny permission to legitimate users.
2014-01-10 09:31:44 +13:00
Matt Peel
083194857e Allow ‘ADMIN’ and ‘CMS_ACCESS_LeftAndMain’ access to CMS. Fixes CWPBUG-113.
Previously, only the global ‘ADMIN’ permission was allowing users to bypass the
stricter Permission check. We also need to allow the ‘CMS_ACCESS_LeftAndMain’
permission to bypass this check, as otherwise a user who is in a Group with the
‘Access to all CMS sections’ permission set (which only sets the
CMS_ACCESS_LeftAndMain permission code and no others) would be denied access to
the CMS for that sub site.
2014-01-09 17:12:47 +13:00
Mateusz U
d21c92a9e3 Merge pull request #125 from nedmas/patch-2
FIX: Ensure that ChangeTrackerOptions doesn't get overriden
2013-12-18 16:51:41 -08:00
Tom Densham
33e50ffe6f FIX: Ensure that ChangeTrackerOptions doesn't get overriden
From @hafriedlander:
Hi. Sorry, I was going to have a look at this on the back of that issue @chillu raised but you beat me to it. There's a couple of edge cases that aren't obvious that come from ChangeTrackerOptions being an object, and might need an Entwine API extension to fix nicely.

Objects in entwine properties are a bit dangerous, because javascript always passes them by reference instead of cloning them. Entwine also doesn't clone them when using them as default values.

The result is that this patch will repeatedly add that selector to the result every time getChangeTrackerOptions is called, so it'll be there once the first time it's called, twice the second, etc.

The right fix at the moment would look like:
```php
$('.cms-edit-form').entwine({
  getChangeTrackerOptions: function() {
    // Figure out if we're still returning the default value
    var isDefault = (this.entwineData('ChangeTrackerOptions') === undefined);
    // Get the current options
    var opts = this._super();

    if (isDefault) {
      // If it is the default then...
      // clone the object (so we don't modify the original),
      var opts = $.extend({}, opts);
      // modify it,
      opts.ignoreFieldSelector +=', input[name=IsSubsite]';
      // then set the clone as the value on this element
      // (so next call to this method gets this same clone)
      this.setChangeTrackerOptions(opts);
    }

    return opts;
});
```
This is super ugly though, non-obvious, and could maybe be handled better in the entwine layer.

See https://github.com/silverstripe/silverstripe-subsites/pull/125
2013-12-16 09:39:42 +00:00
Stig Lindqvist
a0f537142f Merge pull request #127 from mateusz/refactor-access
BUG Refactor the access checks and initial subsite redirections.
2013-12-04 12:37:30 -08:00
Mateusz Uzdowski
58b926af25 BUG Refactor the access checks and initial subsite redirections.
Remove the special AJAX handling to simplify the code. Now redirection
will be forced on any request that changes the subsite to re-synchronise
with the frontend.

Introduce canAccess method, and add it to alternateAccessCheck to make
sure this subsite-specific chceck is also done in situations that are
not captured by onBeforeInit.
2013-12-04 17:34:27 +13:00
Stig Lindqvist
e6f054f55b Merge pull request #126 from mateusz/session-fix
Do not change the session-stored subsite, if session is not enabled.
2013-11-25 16:35:57 -08:00
Mateusz Uzdowski
a771e2239b Do not change the session-stored subsite, if session is not enabled.
This causes issues with Security::findAnAdmistrator which incorrectly
forces the current session-stored subsite to 0 - it uses
Subsite::currentSubsiteID before the session support is enabled, and
hence obtains wrong value.
2013-11-26 13:12:17 +13:00
Mateusz U
c04208ed79 Merge pull request #121 from stojg/pr/cleanup
Minor cleanup of subsite code
2013-11-25 16:10:55 -08:00
Damian Mooyman
d21881d7b4 Merge pull request #123 from stojg/make-subsite-domain-decoratable
SubsiteDomain don't call decorators updateCMSFields
2013-11-17 11:51:08 -08:00
Ingo Schommer
51e8d98707 Fixed translation namespacing
The TEMPLATE.ss.ENTITY wording stuffs up the YAML
parser in transifex, which made most translations
invisible to SilverStripe since they're indented wrongly.
Also removed empty FR file since Transifex complains about it on upload.
2013-11-14 23:18:01 +01:00