This release resolves a high level security issue in the SiteTree class, as well as the CMS controller classes which act on these objects during creation.
Any user code which overrides the SiteTree::canCreate method should be investigated to
ensure it continues to work correctly. In particular, a second parameter may now be passed
to this method in order to determine if page creation is allowed in any given context, whether
it be at the root level, or as a child of a parent page.
The creation of pages at the root level is now corrected to follow the rules specified by the SiteConfig, which in turn has been updated to ensure only valid CMS users are granted this permission (when applicable).
The creation of pages beneath parent pages will now inherit from the ability to edit this parent page.
User code which is not updated, but relies on the old implementation of SiteTree::canCreate will now assume creation at the top level.
For example see the below code as an example
E.g.
:::php
<?php
class SingletonPage extends Page {
public function canCreate($member) {
if(static::get()->count()) return false;
$context = func_num_args() > 1 ? func_get_arg(1) : array();
return parent::canCreate($member, $context);
}
}
For more information on the reason for this change please see the security announcement below.
- 2015-03-16 64955e5 Fix SiteTree / SiteConfig permissions (Damian Mooyman) - See announcement ss-2015-008
- 2014-11-25 b3407ab Fix HTTPS proxy header detection (Same as #3152) (Stephen Shkardoon)
- 2015-01-08 ac922a0 Fix tutorial index page for the new doc site (Cam Findlay)
- 2014-06-13 0f74d8c Broken links in the 'Dependent pages' tab (Stig Lindqvist)
- 2014-01-31 1661213 Opt-out pf form message escaping (fixes #2796) (Ingo Schommer)