When trying to switch to a different subsite from a page's editing view, it wouldn't switch. This was partly due to a $record always existing due to the homepage fallback on currentPageID : https://github.com/silverstripe/silverstripe-cms/blob/3.1/code/controllers/CMSMain.php#L816
So as currentPage() couldn't actually be used to test for the existance of a current page, I've added in a check for isset($this->owner->urlParams['ID']).
I've also moved the check for $_GET['SubsiteID’] which indicated a forced subsite switch (eg. via the dropdown switcher) above the check for a current page, as it should take precedence, and it wasn't being run when both conditions matched causing the subsite not to change.
Tested changing subsites from /admin/pages, from page edit view, from a page edit URL, and from other CMS sections such as Files and Security, and all seems to be working perfectly now.
This isn't used, according to the description it would limit the list
of subsites you can choose to apply a File/Folder to. However, this
dropdown is shown to the user based on whether they have access to
that subsite, so this unused permission code isn't needed.
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.
Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary
3. Switch to the new subsite.
4. Make a new Page. This will execute a javascript alert containing "2".
MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
When trying to switch to a different subsite from a page's editing view, it wouldn't switch. This was partly due to a $record always existing due to the homepage fallback on currentPageID : https://github.com/silverstripe/silverstripe-cms/blob/3.1/code/controllers/CMSMain.php#L816
So as currentPage() couldn't actually be used to test for the existance of a current page, I've added in a check for isset($this->owner->urlParams['ID']).
I've also moved the check for $_GET['SubsiteID’] which indicated a forced subsite switch (eg. via the dropdown switcher) above the check for a current page, as it should take precedence, and it wasn't being run when both conditions matched causing the subsite not to change.
Tested changing subsites from /admin/pages, from page edit view, from a page edit URL, and from other CMS sections such as Files and Security, and all seems to be working perfectly now.
