This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.



This release resolves a high level security issue in the SiteTree class, as well as the CMS controller classes which act on these objects during creation.


SiteTree::canCreate Permissions

Any user code which overrides the SiteTree::canCreate method should be investigated to ensure it continues to work correctly. In particular, a second parameter may now be passed to this method in order to determine if page creation is allowed in any given context, whether it be at the root level, or as a child of a parent page.

The creation of pages at the root level is now corrected to follow the rules specified by the SiteConfig, which in turn has been updated to ensure only valid CMS users are granted this permission (when applicable).

The creation of pages beneath parent pages will now inherit from the ability to edit this parent page.

User code which is not updated, but relies on the old implementation of SiteTree::canCreate will now assume creation at the top level.

For example see the below code as an example


class SingletonPage extends Page {
    public function canCreate($member) {
        if(static::get()->count()) return false;

        $context = func_num_args() > 1 ? func_get_arg(1) : array();
        return parent::canCreate($member, $context);


For more information on the reason for this change please see the security announcement below.


  • 2015-03-16 64955e5 Fix SiteTree / SiteConfig permissions (Damian Mooyman) - See announcement [ss-2015-008](


  • 2014-11-25 b3407ab Fix HTTPS proxy header detection (Same as #3152) (Stephen Shkardoon)
  • 2015-01-08 ac922a0 Fix tutorial index page for the new doc site (Cam Findlay)
  • 2014-06-13 0f74d8c Broken links in the 'Dependent pages' tab (Stig Lindqvist)
  • 2014-01-31 1661213 Opt-out pf form message escaping (fixes #2796) (Ingo Schommer)


Was this article helpful?