Versions:

This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.

3.1.19

Upgrading

LoginForm no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with login forms or other changes. To re-enable this, you'll need to use the Injector to create a custom login form.

Define a login form:

class CustomLoginForm extends MemberLoginForm {

    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
    {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        $this->disableSecurityToken();
    }

}

Add this to mysite/_config/config.yml

Injector:
  MemberLoginForm:
    class: CustomLoginForm

Change Log

Security

  • 2016-04-18 3c0f2e8 Add CSFR protection to tree reorganise (Daniel Hensby) - See ss-2015-029
  • 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
  • 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
  • 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
  • 2016-04-18 a6bd22a dont disable XSS for login forms (Daniel Hensby) - See ss-2016-006

Bugfixes

  • 2016-04-24 fde6376 Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
  • 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
  • 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
  • 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
  • 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
  • 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
  • 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
  • 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)

Was this article helpful?