Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Damian Mooyman
committed
Mar 19, 2015
1 parent
663f9c9
commit 11521fb
Showing
1 changed file
with
60 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # 3.0.12 | ||
|
|
||
| # Overview | ||
|
|
||
| This release resolves a high level security issue in the SiteTree class, as well as | ||
| the CMS controller classes which act on these objects during creation. | ||
|
|
||
| ## Upgrading | ||
|
|
||
| ### SiteTree::canCreate Permissions | ||
|
|
||
| Any user code which overrides the `SiteTree::canCreate` method should be investigated to | ||
| ensure it continues to work correctly. In particular, a second parameter may now be passed | ||
| to this method in order to determine if page creation is allowed in any given context, whether | ||
| it be at the root level, or as a child of a parent page. | ||
|
|
||
| The creation of pages at the root level is now corrected to follow the rules specified | ||
| by the SiteConfig, which in turn has been updated to ensure only valid CMS users are | ||
| granted this permission (when applicable). | ||
|
|
||
| The creation of pages beneath parent pages will now inherit from the ability to edit | ||
| this parent page. | ||
|
|
||
| User code which is not updated, but relies on the old implementation of SiteTree::canCreate will | ||
| now assume creation at the top level. | ||
|
|
||
| For example see the below code as an example | ||
|
|
||
| E.g. | ||
|
|
||
| :::php | ||
| <?php | ||
| class SingletonPage extends Page { | ||
| public function canCreate($member) { | ||
| if(static::get()->count()) return false; | ||
| $context = func_num_args() > 1 ? func_get_arg(1) : array(); | ||
| return parent::canCreate($member, $context); | ||
|
|
||
| } | ||
| } | ||
|
|
||
| For more information on the reason for this change please see the security announcement below. | ||
|
|
||
| ## Security | ||
|
|
||
| * 2015-03-16 [64955e5](https://github.com/silverstripe/silverstripe-cms/commit/64955e5) Fix SiteTree / SiteConfig permissions (Damian Mooyman) - See announcement [ss-2015-008](http://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability) | ||
|
|
||
| ### Bugfixes | ||
|
|
||
| * 2014-11-25 [b3407ab](https://github.com/silverstripe/sapphire/commit/b3407ab) Fix HTTPS proxy header detection (Same as #3152) (Stephen Shkardoon) | ||
| * 2015-01-08 [ac922a0](https://github.com/silverstripe/sapphire/commit/ac922a0) Fix tutorial index page for the new doc site (Cam Findlay) | ||
| * 2014-06-13 [0f74d8c](https://github.com/silverstripe/silverstripe-cms/commit/0f74d8c) Broken links in the 'Dependent pages' tab (Stig Lindqvist) | ||
| * 2014-01-31 [1661213](https://github.com/silverstripe/sapphire/commit/1661213) Opt-out pf form message escaping (fixes #2796) (Ingo Schommer) | ||
|
|
||
| ## Changelog | ||
|
|
||
| * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.12) | ||
| * [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.0.12) | ||
| * [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.0.12) |