This PR fixed unable to create subsite problm.
I was unable to create a subsite, because of no themes been shown in Theme dropdown menu.
How to test:
1> Use composer to install a fresh copy of Silverstripe 3.2
2> Use composer to install subsite module.
3> Try to create a subsite.
4> No themes loaded into Theme dropdown menu.
5> Apply this PR.
6> fresh page / or dev/build, now, themes loaded into The dropdown menu.
When trying to switch to a different subsite from a page's editing view, it wouldn't switch. This was partly due to a $record always existing due to the homepage fallback on currentPageID : https://github.com/silverstripe/silverstripe-cms/blob/3.1/code/controllers/CMSMain.php#L816
So as currentPage() couldn't actually be used to test for the existance of a current page, I've added in a check for isset($this->owner->urlParams['ID']).
I've also moved the check for $_GET['SubsiteID’] which indicated a forced subsite switch (eg. via the dropdown switcher) above the check for a current page, as it should take precedence, and it wasn't being run when both conditions matched causing the subsite not to change.
Tested changing subsites from /admin/pages, from page edit view, from a page edit URL, and from other CMS sections such as Files and Security, and all seems to be working perfectly now.
This isn't used, according to the description it would limit the list
of subsites you can choose to apply a File/Folder to. However, this
dropdown is shown to the user based on whether they have access to
that subsite, so this unused permission code isn't needed.
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.
Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary
3. Switch to the new subsite.
4. Make a new Page. This will execute a javascript alert containing "2".
MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
When trying to switch to a different subsite from a page's editing view, it wouldn't switch. This was partly due to a $record always existing due to the homepage fallback on currentPageID : https://github.com/silverstripe/silverstripe-cms/blob/3.1/code/controllers/CMSMain.php#L816
So as currentPage() couldn't actually be used to test for the existance of a current page, I've added in a check for isset($this->owner->urlParams['ID']).
I've also moved the check for $_GET['SubsiteID’] which indicated a forced subsite switch (eg. via the dropdown switcher) above the check for a current page, as it should take precedence, and it wasn't being run when both conditions matched causing the subsite not to change.
Tested changing subsites from /admin/pages, from page edit view, from a page edit URL, and from other CMS sections such as Files and Security, and all seems to be working perfectly now.
This problem manifests when a GridField-managed relationship tries to
create an object that references the container from canEdit - the
container in this case has empty fields.
An example of that is a HomePage with CarouselItem - if the
CarouselItem::canEdit tries to call $this->Page()->canEdit(), the "Page"
will be a dummy object, not the actual instance of the HomePage that's
doing the manipulation.
This is similar to the behaviour of SiteTree::canEdit, which solves
this situation by falling back to "return
$this->getSiteConfig()->canEdit($member);"
‘CMS_ACCESS_LeftAndMain’ is used by the PermissionCheckboxSetField to allow
applicable Members to access all CMS sections. There are then further
permissions to restrict the Members (e.g. ‘CMS_ACCESS_LeftAndMain’ will give you
access to the ‘Pages’ section, but you still need the ‘Edit any page’ permission
to actually edit anything).
This patch ensures that the subsites module follows those permissions, and
doesn’t unnecessarily deny permission to legitimate users.
Previously, only the global ‘ADMIN’ permission was allowing users to bypass the
stricter Permission check. We also need to allow the ‘CMS_ACCESS_LeftAndMain’
permission to bypass this check, as otherwise a user who is in a Group with the
‘Access to all CMS sections’ permission set (which only sets the
CMS_ACCESS_LeftAndMain permission code and no others) would be denied access to
the CMS for that sub site.
Remove the special AJAX handling to simplify the code. Now redirection
will be forced on any request that changes the subsite to re-synchronise
with the frontend.
Introduce canAccess method, and add it to alternateAccessCheck to make
sure this subsite-specific chceck is also done in situations that are
not captured by onBeforeInit.
This causes issues with Security::findAnAdmistrator which incorrectly
forces the current session-stored subsite to 0 - it uses
Subsite::currentSubsiteID before the session support is enabled, and
hence obtains wrong value.
Disables transparent subsite switch on AJAX requests.
Makes sure the subsite is appropriately set up when opening up the CMS
with a link to subsited object.
Tries to find an accessible section in the current site, falls back to
searching across all sites and all sections.
Also adds more powerful and generic functionss:
Subsites::all_sites - get the full list
Subsites::all_accessible_sites - get Member accessible list
LeftAndMainExtension::sectionSites - get section-specific list
* Hide admins without subsite support from subsites menu
* Add subsite support to default site areas
* Enable reloading of subsites switcher dropdown when navigating the
site, and when editing subsite areas
API Fix parallel pjax menu fetching for subsites.
- thanks Mateusz!
Delint LeftAndMain_Subsites.js
Users with non-ADMIN permissions won't see the dropdown of available
subsites, because LeftAndMainSubsites::Subsites() will check if
the user has a non-existent code CMS_ACCESS_CMSPagesController.
Fallback to checking required_permission_codes first, and failing
that, check for CMS_ACCESS_LeftAndMain
Tries to access i18n::$likely_subtags directly. Config changes in
3.1 now prevent this from happening and fails.
i18n::get_locale_from_lang() is used instead to provide the locale.
Currently, using the Subsites dropdown in the admin interface causes the CMS to reload to admin/pages. This can cause issues if you have set another interface as your default (other than CMSMain).
This is also the only UI-facing way to set a master page
after the initial copy action when creating a new subsite.
Shows "edit" link when master page is already set.
