28 November 2019
SilverStripe version 4.4.4 is now available.
What's New in SilverStripe 4.4.4
- 2019-09-23 8b7063a8e Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See CVE-2019-12617
- 2019-09-16 eccfa9b10 Session fixation in "change password" form (Serge Latyntcev) - See CVE-2019-12203
- 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See CVE-2019-12204
- 2019-08-17 8c7a719 Broken access control on files due to session grant (Aaron Carlino) - See CVE-2019-14273
- 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See CVE-2019-12245
Features and Enhancements
- 2019-09-18 1308911 Add task to remove/protect _versions folders (Aaron Carlino)
- 2019-09-24 3659f2888 Add 'legal empty attributes' to allow empty alt values on i… (#9257) (Guy Marriott)
- 2019-09-23 0d27f32cc Add 'legal empty attributes' to allow empty alt values on imgs (Garion Herman)
- 2019-09-23 fc536fa Update Apache .htaccess for new access directives (Dylan Wagstaff)
- 2019-09-20 ea363fc Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
- 2019-09-16 6a1c6ecec Fix administrators not being able to see files that are restricted to groups (bergice)
- 2019-09-10 591b88a9b Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
- 2019-09-03 b0a6973 Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
- 2019-09-02 9f19a9b make the actions consistent on the grid field items to what they look like on pages (#242) (Andre Kiste)
- 2019-08-29 194ec84 content block editing breaking when editing using IE11 by adding Event constructor polyfill (bergice)
- 2019-08-29 77ba8391c Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
- 2019-08-28 73f43c6f4 Remove placeholder text on new group form (Maxime Rainville)
- 2019-08-27 2f8d847a1 make the grid field actions consistent to what they look like on pages (bergice)
- 2019-08-26 d2a07b104 Remove error when exporting a column that is not displayed in a GridField (Will Rossiter)
- 2019-08-26 314a906 Fix the jstree styles so that the selected states are more visible (bergice)
- 2019-08-26 8b22e3b Update LegacyThumbnailMigrationHelper to carry on if it hits a fileID it can't parse (Maxime Rainville)
- 2019-08-23 5845ac6 Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
- 2019-08-23 94d6c80 enter to submit form not working on Add new page (bergice)
- 2019-08-22 841c855 Ensure dataobjects are unpublished during the delete mutation (Guy Marriott)
- 2019-08-22 4cb4d46 react-select clears input on search. Monkey patch, needs upgrade (Aaron Carlino)
- 2019-08-18 ab4ccb8 Update LegacyFileIDHelper to understand pre-SS33 variant FileID (Maxime Rainville)
- 2019-08-13 1c548cb jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
- 2019-07-29 0abfed3e0 Skip md5-ing the whole contents of a stream for etags (Guy Marriott)
- 2019-04-12 7592db91 VirtualPage missing methods from target page (fixes #2408) (Loz Calver)
- Optional migration to hash-less public asset URLs
- Optional migration of legacy thumbnail locations
- Security patch for CVE-2019-12246
- Correct PHP types are now returned from database queries
- Upgrade to React 16 in CMS
- Server Requirements have been refined: MySQL 5.5 end of life reached in December 2018, thus SilverStripe 4.4 requires MySQL 5.6+.
- SilverStripe 4.3 and prior still support MySQL 5.5 for their own lifetime.
- The name of the directory where vendor module resources are exposed can now be configured by defining an extra.resources-dir key in your composer.json file. If the key is not set, it defaults to resources. New projects will be preset to _resources, which avoids potential conflicts with SiteTree URL Segments.
- dev/build is now non-destructive for all Enums, not just ClassNames. This means your data won't be lost if you're switching between versions, but watch out for code that breaks when it sees an unrecognised value!
- Removed File.migrate_legacy_file config option. Migration tasks now need to run via dev/tasks/; running them as part of dev/build is no longer supported.
- Added navigation and new record actions to grid field detail forms. Inspired by @unclecheese's "better buttons".
- DataList::column() now returns all values and not just "distinct" values from a column as per the API docs
- DataList, ArrayList and UnsavedRelationList all have a columnUnique() method for fetching distinct column values
- Take care with stageChildren() overrides. Hierarchy::numChildren() results will only make use of stageChildren() customisations that are applied to the base class and don't include record-specific behaviour.
- New React-based search UI for the CMS, Asset-Admin, GridFields and ModelAdmins.
- A new GridFieldLazyLoader component can be added to GridField. This will delay the fetching of data until the user accesses the container Tab of the GridField.
- SilverStripe\VersionedAdmin\Controllers\CMSPageHistoryViewerController is now the default CMS history controller and SilverStripe\CMS\Controllers\CMSPageHistoryController has been deprecated.
- PHPUnit tests no longer auto-flush, requiring manual flush parameters when changing YAML config or certain PHP code
- Disable session-based stage setting in Versioned (see #1578)
- Deprecated FunctionalTest::useDraftSite(). You should use querystring args instead for setting stage.
- Support for public webroot folder public/
- Better support for cross-platform filesystem path manipulation
- Capture changes on keyup with debounce
- debounce change events in changetracker - to reduce change event load build up with every keystroke
- Fix issue with DebugView failing on class name of existing class
- Fix critical issue with incorrectly saved session data
- Fix issue with non-asset-admin users encountering errors embedding files
- Ensure CMS authors can all see draft files by default
- Fix typo in error message
- entwine+react in case they rely on the redux store
- TreeMultiselectField in Entwine sections
- Allow cleanup marker regex to handle self closing HTML5 tags
- remove uploaded items when executing or removing search
- 'Error code' dropdown was misplaced
- Add DBFile::Link() alias for DBFile::getURL() so that it matches File::Link()
- add test for a --no-dev build
- ed Rfc3339 implementation of Date and Datetime
- Badge component test: convert to Component and add truthy test
- Allow absolute URLs to be used as resources
- Remove dependency on Doctrine module breaking with --prefer-dist
- Fix cors breaking if referer header is present
- Better upload error message
- Fix invalid name generation on windows
- Non-required fields failing when empty
- booting and store initialisation so that initial state is not triggered too early in the process
- remove onDrillDown prop from td element
- Fix double casting in login authenticator name
- Make GridFieldConfig less susceptible to error when versioned isn't installed
- Add bootstrap styles to url segment field
- ing string concat CS issues
- HTTPResponse::removeHeader incorrectly converts header name to lowercase
- Prevent basic-auth from disallowing logout
- Forms run through FormHandler rather than Controllers now have access to current Request
- Prevent GridField autocomplete triggering change tracker
- Allow extension instances to be overridden by injector
- Fix incorrect ORM usage when saving siteconfig
- , adding a missing return statement.
- Provide expected argument to onBefore/AfterPublish hooks
- Implement correct subsites namespace in File extension
- Remove classmap for folder that doesn't have classes
- Update input-group-addon-bg variable
- Allow HTML 5 input tags in FunctionalTest form submissions
- Fix basic auth in PHP-CGI
- travis OS build version so that behat will function
- issue when deleting a recently uploaded files
- mouse multi-section prevent buttons from working
- Require branch alias for silverstripe/serve to ensure SS4 compatibility
- Ensure testLeftAndMainSubclasses test runs some assertions
- Allow Requirements::block to handle module resource paths
- Ensure last GridField column when non sortable has its title displayed
- Use PHP 5.3 array syntax
- Do database migrations before default records
- Fix incorrect merge of associative / non-associative summary fields
- server error responses not displaying in UI
- Less restrictive arguments for image resize
- Allow the current controller as well as injectable HTTPRequest objects
- Use Injector to retrieve the current session
- UploadField to be injectable
- TreeDropdownField layout
- travis build
- literal linting
- Only show table_name warning on dev/build
- Don't warn on table name for classes without tables
- Remove unused Behat tests from 3.6 branch
- Use baseDataClass for allVersions as with other methods
- Update member passwordencryption to default on password change
- issue where there's no error for duplicate name
- don't try and switch out of context of the tab system
- Prevent disclosure of sensitive information via LoginAttempt
- Ensure xls formulae are safely sanitised on output
- Prevent install.php from disclosing system passwords
- SQL injection in full text search
- Remove MemberExtension, functionality is replaced by framework update
- added loadComponent fix for asset-admin entwine components
- Add ViewableData::getViewerTemplates()
- Use recipes for test configuration
- Promote Portuguese
- Hide Image_Backend construction behind image manipulations to improve performance
- Disable force_resample by default
- Don't request unused width / height from graphql
- Raise warning if DBField::create_field() would behave unpredictably and improve PHPDoc
- Ensure that non-writable assets files are notified during install
- VirtualPage not using target page's template
- Fix unit tests
- db autodiscover comment on loading behavior.
- Remove some unnecessary ClassInfo calls in DataObjectSchema
- Ensure that all tinymce_lang mappings are valid
- Fix broken scrutinizer
- Fix typo in Menu.scss
- Restore BackURL preservation on log out
- Issue where logging out from the CMS presents you with a login form with no BackURL
- Support self::class text collection
- Added warning for auto-generated table_name for non-test classes
- deprecated usage of getMock in unit tests
- Allow lowercase and uppercase declaration of legacy Int class
- Fix regressions in asset resize behaviour change
- Fix _configure_database.php being ignored
- Fix added module fluid-prefix so module config will not require the full path to match
- Fix change in resampled config setting
- Ensure changetracker safely defers to other init scripts
- Fix parameter order
- Fix for buttons in change tracking and gridfield reloading
- Fix allowed children types now load properly
- fix ignore no-change-track marked fields in changetracker
- Fix postgres / PDO support
- HTTP::get_mime_type with uppercase filenames.
- for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class
- Restore missing '(Choose Page)' text in link insert modal
- Fix DBEnum ignoring empty defaults
- ManyMany link table joined with LEFT JOIN
- page header center aligns when site tree is closed
- fix show empty string title when relevant - rather than null when no options
- Fix don't treat zero-date as invalid
- Prevent .htaccess operations from users in the same group failing
- Fix shortcodes not being parsed
- unsaved change dialog display just after creating a record
- fix missing chosen sprites added to dist folder
- Fixes SapphireTest masking userland coding errors.
- Don't redirect in force_redirect() in CLI
- Remove whitespace around download link title
- Make sure plain parts are rendered when re-rendering emails
- Fix buttons in upload field to be proper button types
- Fix ContextSummary behaviour with UTF8 chars
- Fix react-select does not return the true value when the option is missing
- Fix native upload dialog appearing in entwine sections and added a canUpload condition for UploadField
- Remove usage of deprecated each()
- Remove usage of deprecated each() and use a helper method instead
- ed array/object mismatch bug in PaginatedList
- Fix usability issue, can tab to the upload field item even when it doesn't do anything by default
- Helpful warning when phpunit bootstrap appears misconfigured
- Use self::inst() for Injector/Config nest methods
- Fix wrong mouse cursor for description text in upload field area
- stop bothering people with pop-ups
- revert to this button after archiving
- UploadField overwriteWarning isn't working in AssetAdmin
- Dont use var_export for cache key generation as it fails on circular references
- TreeDropdownField showing broken page icons
- Files without extensions
- Fixes #7116 Improves server requirements docs viz: OpCaches.
This version introduces many breaking changes, which in most projects can be managed through a combination of automatic upgrade processes as well as manual code review.
- Minimum version dependencies have increased; PHP 5.5 and Internet Explorer 11 (or other modern browser) are required.
- All code earlier marked as deprecated for 4.0 has now been removed (check our deprecation process)
- All code has been migrated to follow the PSR-2 coding standard. Most significantly, all SilverStripe classes are now namespaced, and some have been renamed. This has major implications for arrangement of templates, as well as other references to classes via string literals or configuration. Automatic upgrading tools have been developed to cope with the bulk of these changes (see upgrading notes).
- Object class has been replaced with traits (details).
- Asset storage has been abstracted, and a new concept of DBFile references via database column references now exists in addition to references via the existing File dataobject. File security and protected files are now a core feature (details)
- CMS CSS has been re-developed using Bootstrap v4 as a base (blog post)
- Asset admin has been replaced with a purely ReactJS powered upgrade, and split out module called asset-admin.
- Versioning is now a much more powerful feature, with the addition of campaigns to allow batches of related or inter-dependent objects to be published as a single "changeset" (details).
- Dependencies between versioned objects can be declared using the new ownership API, so that developers can ensure that relational consistency is maintained during publishing (details). This new system can be managed via the new "Campaigns" CMS section (blog post)
- Template variable casting (e.g. <h1>$Title</h1>) is enforced by default, which will ensure safe HTML encode unless explicitly opted out (details)
- Themes are now configured to cascade, where you can specify a list of themes, and have the template engine search programmatically through a prioritised list when resolving template and CSS file paths.
- Removed module path constants (e.g. FRAMEWORK_PATH) and support for hardcoded file paths (e.g. mysite/css/styles.css) (details)
- Replaced Zend_Translate with symfony/translation (details)
- Replaced Zend_Cache and the Cache API with a PSR-16 implementation (symfony/cache) (details)
- _ss_environment.php files have been removed in favour of .env and "real" environment variables (details).
- Behat support updated to v3 (details)
- The GDBackend and ImagickBackend classes have been replaced by a unified InterventionBackend which uses the intervention/image library to power manipulations.
- Dependencies can be managed via recipe-plugin. See recipe-core and recipe-cms as examples.
- Authentication has been upgraded to a modular approach using re-usable interfaces and easier to hook in to LoginHandlers (details).
- Core modules are installed in the vendor/ folder by default (other modules can opt-in, see guide)
- Renamed constant for temp folder from TEMP_FOLDER to TEMP_PATH for naming consistency with other path variables and constants