Version 3 end of life
This version of Silverstripe CMS will not recieve any additional bug fixes or documentation updates. Go to documentation for the most recent stable version.


Upgrading notes

New permission model for Versioned DataObjects

When adding the Versioned extension to dataobjects, typically it's necessary to explicitly declare permissions on these objects in order to prevent un-published content surfacing to unauthenticated users.

In order to better support this, versioned by default will now deny canView permissions on objects that are not published.

For more information on how to customise the permission model for versioned dataobjects then please refer to the versioned extension documentation.

Block ?stage=Stage for unauthenticated users

By default users must now be logged in with CMS access permissions in order to change the viewing mode of the site frontend using the ?stage querystring parameter.

This permission can be customised by altering the Versioned.non_live_permissions config by assigning a different set of permissions.

Change Log


  • 2016-02-17 893e497 Hostname, IP and Protocol Spoofing through HTTP Headers (Ingo Schommer) - See ss-2016-003
  • 2016-02-17 3398f67 Block unauthenticated access to dev/build/defaults (Damian Mooyman) - See ss-2015-028
  • 2016-02-17 56e92f5 Ensure Gridfield actions respect CSRF (Damian Mooyman) - See ss-2016-002

API Changes

  • 2015-12-07 38e154a Disable get parameter access to site stage mode (Damian Mooyman)
  • 2015-12-02 5353ac5 Refactor versioned security into core module (Damian Mooyman)
  • 2015-12-02 6089a7c Create default security permission model for versioned data objects (Damian Mooyman)
  • 2015-11-26 6266f90 Increased Permission.Code db field to 255 characters (Novusvetus)
  • 2015-07-20 ea9434f Lazy load template parser (Loz Calver)

Features and Enhancements

  • 2015-12-14 9467ab9 Implement unshift() in field list classes (closes #4834) (Loz Calver)
  • 2015-12-01 f7c270a Use Config for determining Vary header (Marcus Nyeholt)
  • 2015-11-10 603cacc CurrencyField to use Currency.currency_symbol (muskie9)
  • 2015-09-25 5c04dc5 - Added new method to display the number of total items in a paginated list within templates (Marco Kernler)
  • 2015-08-14 1b57e0c implement getter and setter usage for response (Stevie Mayhew)


  • 2016-02-09 2ad490c Prevent folders deleted on the filesystem from breaking asset interface (Damian Mooyman)
  • 2016-01-22 f80467a Don't keep stale treeview data when refreshing Content area (Damian Mooyman)
  • 2016-01-21 e364fdb Fix incorrect "Add Page" button selector (Damian Mooyman)
  • 2016-01-20 abc5556 Fix legacy breadcrumbs appearing on page save (Damian Mooyman)
  • 2016-01-20 df76d78 Fix VersionedTest sometimes failing given certain querystring arguments (Damian Mooyman)
  • 2016-01-20 7c4e6f4 prevent "Home page" being selected when no selection was made (Damian Mooyman)
  • 2016-01-02 b30d335 Adding context parameter to canCreate-check in getClassDropdown of SiteTree (fixes #1334) (Stephan Bauer)
  • 2016-01-02 95e96fa jquery.jstree patched to improve drag-and-drop handling (fixes #4881) (Stephan Bauer)
  • 2015-12-22 706877d Get locale from <html> element for i18n.js (fixes #4854) (Loz Calver)
  • 2015-12-22 54ae002 FIx merge regressions in versioned tests (Damian Mooyman)
  • 2015-12-22 fce8251 Workaround for issues in testing version (Damian Mooyman)
  • 2015-12-17 36241d5 Fix regressions is SS_Report::canView (Damian Mooyman)
  • 2015-12-15 cd66917 Vimeo oEmbed endpoint redirecting to no www (UndefinedOffset)
  • 2015-12-15 5d0f833 SS_Report canView should check permissions (Christopher Darling)
  • 2015-12-09 fa0160a Fix regression in canViewStage (Damian Mooyman)
  • 2015-11-24 15ae37c Image_Cached record class name (Jonathon Menz)
  • 2015-10-31 275ecfd Use Object-&gt;hasMethod() instead of method_exists() (madmatt)
  • 2015-10-07 71defe7 for #5 to facilitate validation on SiteConfig via DataExtension's. (Patrick Nelson)
  • 2015-10-06 a71d99c for #4663 ensuring return values from TabSet are retained from parent. Removing useless override. Cleaning up documentation in TabSet and return types. (Patrick Nelson)
  • 2015-10-05 12c4239 (partial) for #3181 where non-submit buttons are being activated on "enter" key press (relates to CMS issue at (Patrick Nelson)
  • 2015-10-05 332e490 (partial) for #1288 where non-submit buttons are being activated on "enter" key press (relates to framework issue at (Patrick Nelson)
  • 2015-10-05 4a70ffe Typo in cur methods PHPDoc (Corey Sewell)
  • 2015-09-29 5224fc4 Permission::checkMember() use of undefined variable $codes (Manuel Teuber)
  • 2015-09-24 c0be44d fix response regression in initiation of request handler (Stevie Mayhew)
  • 2015-09-17 c9ba6e5 Fix ClassInfo::table_for_object_field (Damian Mooyman)
  • 2015-09-11 5cc0878 for #4597: Ensuring GridFieldConfig_RelationEditor is instantiated via Injector, not via "new" keyword. (Patrick Nelson)
  • 2015-09-02 2ae5d83 Resampled images inherit source properties (Jonathon Menz)
  • 2015-08-24 80ce549 disable archived pages from being droppable (Damian Mooyman)
  • 2015-08-21 b14794b Fix bulk actions making sitetree unclickable (Damian Mooyman)
  • 2015-08-19 a19fe39 Avoid PHP 5.6 deprecation with access to HTTP_RAW_POST_DATA. Fixed #4511 (Sam Minnee)
  • 2015-07-31 6a45f4a fix mismatched quotes (Damian Mooyman)
  • 2015-06-15 ca039e1 Fix regressions in changes to batch action feature (David Craig)
  • 2015-06-11 8a4c518 allow for increase_time_limit_to to work if $_increase_time_limit_max is not yet set (Stevie Mayhew)