Versions:

This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.

3.2.4

Upgrading

LoginForm no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with login forms or other changes. To re-enable this, you'll need to use the Injector to create a custom login form.

Define a login form:

class CustomLoginForm extends MemberLoginForm {

    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
    {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        $this->disableSecurityToken();
    }

}

Add this to mysite/_config/config.yml

Injector:
  MemberLoginForm:
    class: CustomLoginForm

Change Log

Security

  • 2016-04-18 3c0f2e8 Add CSFR protection to tree reorganise (Daniel Hensby) - See ss-2015-029
  • 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
  • 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
  • 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
  • 2016-04-18 a6bd22a dont disable XSS for login forms (Daniel Hensby) - See ss-2016-006

Bugfixes

  • 2016-04-24 fde6376 Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
  • 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
  • 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
  • 2016-03-28 aeb4aa9 Dont allow plain text friendly errors (Daniel Hensby)
  • 2016-03-27 5ede516 GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
  • 2016-03-21 9d62d9d Link tracking not escaping # Fixes #1409 (Daniel Hensby)
  • 2016-03-21 5f8356d Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
  • 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
  • 2016-03-18 57cfe3c Bad joining of links in reports (Daniel Hensby)
  • 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
  • 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
  • 2016-03-07 aa57427 Don't install imagick on php 5.3 (Damian Mooyman)
  • 2016-03-07 86b1c8f file sync removes folders with dot in name (Jonathon Menz)
  • 2016-03-07 6a22454 Fix FulltextsearchEnable (Damian Mooyman)
  • 2016-03-01 2079844 fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
  • 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
  • 2016-02-26 bd48d89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 cc95703 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-25 3dc0d0e Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-22 65a0981 Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
  • 2016-02-16 644c807 Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
  • 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)

Was this article helpful?