created by: Simon
created at: 2011-04-19
original ticket: http://open.silverstripe.org/ticket/6604

The AjaxUniqueTextField.php does not keep in mind its current page/object. If you want to change a value on a page or dataobject, it will return an error, even though the value is unique.

I've added the check on current ID, so it'll ignore itself. This way, the check is actually on if it is unique.

http://sspaste.com/paste/show/4dad640063ad0

In this little change, the $this->ID needs to be in the AjaxUniqueTextField call at position 5.
Becoming:
new AjaxUniqueTextField($name, $title, $restrictedField, $restrictedTable, $id, $value, $maxLength, $validationURL, $restrictedRegex)

It could probably be done better, but it works.

created by: swaiba
created at: 2011-04-04
original ticket: http://open.silverstripe.org/ticket/6581

in DataObject function dbObject the first test looks for the item within the "record" shouldn't it look within the "db"?

I've added a temporary DataObject field to a DataObject in the controller before being used in the template. this then throws an error in DataObject->hasValue as dbObject returns the object instead of null and then calls hasValue on the object itself - which in this case because it's a custom created DataObject errors.

dataobject...
class MyObj extends DataObject {
static $db = array('Name'=>'Text');
}
controller...
function MyObjs() {
$dos = DataObject::get('MyObj');
if ($dos) foreach ($dos as $do) {
$doNew = new DataObject();
$doNew->NewDataString = 'stuff';
$do->NewData = $doNew;
}
}
template...
<% control MyObjs %>
<% if NewData %><% control NewData %> <-- error occurs here
$NewDataString
<% end_if %><% end_control %>
<% end_control %>

created by: hamish
assigned to: @ajoneil (aoneil)
created at: 2009-02-10
original ticket: http://open.silverstripe.org/ticket/3525

If the user is logged in, an API GET query for an object will return a DataObjectSet containing the found DataObjects. If the user is not logged in, RestfulServer should return a permission failure. Instead, if the user is logged out, an empty DataObjectSet is returned, with the totalSize attribute. This is dangerous, as it allows logged out users to trawl api-visible objects.

Example with a site I am working on. URL requested is: http://xxxx/api/v1/CompanyObject

If I am logged in as an administrator, this returns:

<DataObjectSet totalSize="1"> 
<CompanyObject href="http://xxxx/api/v1/CompanyObject/1.xml"> 
<Name>test0</Name> 
<Address1>test1</Address1> 
<Address2>test2</Address2> 
<Address3>test3</Address3> 
<PostCode>test4</PostCode> 
<ImportKey>999</ImportKey> 
<ID>1</ID> 
<Staff linktype="has_many" href="http://xxxx/api/v1/CompanyObject/1/Staff.xml"> 
</Staff> 
</CompanyObject></DataObjectSet>

If I am not logged in, I get:

<DataObjectSet totalSize="1"></DataObjectSet>

''I've come across a few security issues with RestfulService. Suggest a review of how security is maintained in exposed objects''

created by: @chillu (ischommer)
assigned to: trix
created at: 2009-05-25
original ticket: http://open.silverstripe.org/ticket/4126

See #1373 for similiar ticket on Date and SSDateTime.

== Features ==

• Store dates in 24h format internally.
• Add setLocale() and getLocale()
• Fix setValue() to parse times according to locale
• Allow different formats in setValue(): Unix timestamp, ISO 8601 string, or Time DBField
• Set current locale upon construction based on i18n::get_current_locale(). Allow explicit passing in of locale in constructor
• Add setOptions() which is passed through to Zend_Date
• Add validate() method using Zend_Date_Validate->isValid(). Make sure to set locale and format on Zend_Date_Validate whenever passed into the class, e.g. through setLocale(). Use Zend_Date_Validate->setFormat('HH:ii:ss') or similiar to provide time only.

== Out of scope ==

• No support for timezones
• No support for 12h format (not sure about this one...)
• No parsing of system/php date, locale or timezone settings - this can be handled by the i18n class later.
• Assumption: All databases return dates in SQL92 standard (HH:MM:SS).
• Storage into database columns doesn't require db abstraction hooks, and is always done in ISO 8601. The TIME datatype exists in all supported databases (MySQL, PostgreSQL, MSSQL)
• See http://www.sqlteam.com/article/using-the-time-data-type-in-sql-server-2008 for SQL Server 2008 TIME support

created by: @oddnoc (fcondo)
created at: 2011-04-14
original ticket: http://open.silverstripe.org/ticket/6598

With a very long content field, the shortcode parser silently fails and emits no output. Shortening the content or removing the shortcode (for example, changing a link from internal to external) enables the content to render.

created by: nicolaas
created at: 2011-07-19
original ticket: http://open.silverstripe.org/ticket/6683

when I create a new field in a dataobject then I expect the default for the existing records to be set to the default (if a default is defined of course).

//just added these two lines to my Data Object:
public static $db = array("MyNewField" => "Varchar");
public static $defaults = array("MyNewField" => "YYY");

The same thing should perhaps also apply later, when I add a default like this

//I just added this line
public static $defaults = array("MyNewField" => "YYY");

that is, if the existing records of the dataobject are NULL or a zero length string then perhaps they should bet set to YYY?

created by: @MarcusDalgren (smurkas)
created at: 2009-09-04
original ticket: http://open.silverstripe.org/ticket/4546

Currently the code for figuring out the table name from the belongs_many_many side (line 26 to 31) returns an incorrect table name.

Since the name of the joining table is defined by the many_many class the belongs_many_many class will have to look up it's related class and then check the relationship again from that end to determine the table name.

This is of course doable but a simpler solution would be to change the naming convention for joining tables. Right now a joining table gets the name of the many_many class + _ + whatever the developer decides to call the connection to the belongs_many_many class. The simple solution here would be to simply name the joining table to many_many class + _ + belongs_many_many class.

That way figuring out the name of the joining table would be less of a hassle. If this breaks to much/isn't feasible then I have a patch for the first solution I proposed.

created by: @chillu (ischommer)
created at: 2011-03-21
original ticket: http://open.silverstripe.org/ticket/6534

Given that you can trigger a sync() from the UI (button at bottom left of AssetAdmin), this means a normal user action can cause PHP to exceed its memory, or in the worst case bring down a server running out of memory when having couple of thousand pages.

Rewrite to either find affected pages for link/image tracking, or iterate through sitetree in batches for ~100. This will most likely be eased by the ORM rewrite in 3.0, but would still create/cache large in memory footprints - so really we need to avoid a full DataObject::get().

created by: paradigmincarnate
created at: 2011-04-12
original ticket: http://open.silverstripe.org/ticket/6597

My code uses FieldSet::insertBefore() to add a field.

A third party changed their code so the other field no longer exists.

My field now isn't inserted at all.

FieldSet::insertBefore() takes 2 parameters. The first is a field to insert, the second is the name of another field before which to insert it.

If a second parameter is passed, and there's no existing field by that name, the first field will not be inserted.

I propose that FieldSet::insertBefore() will always add the field (either first or last) if the "existing field" doesn't exist.

In the alternative, an exception should be thrown to indicate that the "existing field" could not be found.

Any time insertBefore() is called, the developer expects that their field will be inserted. To silently not do so is unintuitive.

created by: @chillu (ischommer)
created at: 2009-03-09
original ticket: http://open.silverstripe.org/ticket/3686

Turn SSViewer into a facade for different backends (similiar to Requirements class).

Template engines should be selectable by "site mode" - as the CMS backend will most likely stay in standard SSViewer syntax, while the frontend templates are exchangeable.

Each template engine would register one or more file extensions (.ss=SSViewer,.tpl=Smarty). This is a necessary convention to avoid confusion in any "autodetection" and fallbacks.

Ideally, templates would fall back to the "default implementation" (SSViewer) - otherwise its hard to use templates from external modules - e.g. a website might render Page.ss in Smarty, but include BlogHolder->TagCloud(), which renders TagCloud.ss via SSViewer.

Some requirements for the facade:

• Pass in context object (mostly a Controller object with fallbacks to the model)
• Set template cache folders
• Passing in of selected theme folder
• Location of template path by filename (manifest)
• Setting of "debug" parameters (?debug_request and ?showtemplate)
• Allow manual "assigning" of template variables in addition to auto-assigning all public properties and methods available in the context object

How about naming this facade View, and keeping SSViewer as a specific renderer implementation? We would need to pass SSViewer::process(), ::current_theme() etc. through to the new View implementation though for legacy reasons, which might be more trouble than its worth...

created by: sdf
created at: 2011-04-26
original ticket: http://open.silverstripe.org/ticket/6611

Trying to run the PHPUnit tests on some platforms in certain configurations will cause a Fatal error to stop any testing from proceeding. The common output is similar to below:

PHP Catchable fatal error:  Argument 1 passed to Email::set_mailer() must be an instance of Mailer, null given, called in /mnt/hgfs/OU Annotate/app/www/sapphire/dev/SapphireTest.php on line 368 and defined in /mnt/hgfs/OU Annotate/app/www/sapphire/email/Email.php on line 75

The issue is caused due to the SapphireTest::tearDown() method not doing proper type checking before assigning the old mailer. The patch attached fixes this issue.

created by: lhudson
created at: 2010-04-01
original ticket: http://open.silverstripe.org/ticket/5327

Methods such as the following should be defined (abstract ideally) in SS_Database, partly as a contract for subclasses to fill, partly to inform developers of cross-platform methods.

e.g. These functions should exist across all DB platforms (and should be used more!)

datetimeDifferenceClause($date1, $date2)

datetimeIntervalClause($date1, $interval)

created by: @oddnoc (fcondo)
created at: 2011-04-06
original ticket: http://open.silverstripe.org/ticket/6586

If a form has a SelectionGroup, the JS for RequiredFields throws an error:

$("''some_form_id''").validate is not a function

This can be corrected by also loading jquery_improvements.js

created by: @halkyon (sharvey)
assigned to: @halkyon (sharvey)
created at: 2010-07-15
original ticket: http://open.silverstripe.org/ticket/5835

In cms, sapphire, there's an .htaccess file which blocks access to various PHP scripts for security reasons.

IIS is a popular web server, so having a web.config that does the equivalent of this out of the box might be a good idea too.

e.g. http://localhost/ss24/cms/_config.php should not be allowed on IIS.

It's unclear whether IIS supports blocking requests by extension, but there should be some sort of request filtering that could achieve the same effect as the current .htaccess files in the cms and sapphire directories.

created by: omarkohl
created at: 2011-04-11
original ticket: http://open.silverstripe.org/ticket/6594

In the Text class (sapphire/core/model/fieldtypes/Text.php) the function ContextSummary handles UTF-8 characters such as german Umlauts wrongly when those characters belong to words that get cut in half (because of the length of the context).

For example with $characters = 10 and searching for string 'abc' in this content 'abc def ghijkl' the result is 'abc def gh?'.

My fix is changing line 292 from:

$summary = substr($text, $position, $characters);

to:

$summary = utf8_encode(substr(utf8_decode($text), $position, $characters));

created by: @chillu (ischommer)
created at: 2009-03-20
original ticket: http://open.silverstripe.org/ticket/3746

Followup on http://www.silverstripe.org/migrating-a-site-to-silverstripe/show/256159?start=0#post256720

We use UTF-8 for internal storage and output, but using non-multibyte-safe methods to process them inbetween, which can lead to problems. Best example: strlen() will give you wrong lenghts on a multibyte string.

Nice summary of the problem scope and solutions:
http://www.nicknettleton.com/zine/php/php-utf-8-cheatsheet

Some points to fix:

• The mbstring extension is already a requirement to run SilverStripe (see http://doc.silverstripe.com/doku.php?id=server-requirements). Its not a default in PHP, but widely available
• Set mbstring function overloading via ini_set(), if possible. This way we don't need to replace method calls like strlen() with mb_strlen(). See http://se2.php.net/manual/en/mbstring.overload.php
  • NOTE: This isn't possible. We need to either move to using mb_xxx, or recommend that people enable this setting themselves.
• Update our Email mailers to send UTF-8 by default (and quoted-printable or base64)
• Update htmlentities()
• Write some unit tests to save UTF-8 data from a form and directly through DataObject->write(), read it out from the database through the ORM, and assert that you get the same string
• Ensure that we are in fact dealing solely with UTF-8 strings, and use utf8_encode() where appropriate - this will be the most tricky part.

Additional reads about UTF-8 handling in PHP5 on PHPWACT:

• http://www.phpwact.org/php/i18n/utf-8
• http://www.phpwact.org/php/i18n/charsets
• http://www.phpwact.org/php/i18n/charsets#common_problem_areas_with_utf-8

created by: @chillu (ischommer)
assigned to: @sminnee (sminnee)
created at: 2010-04-15
original ticket: http://open.silverstripe.org/ticket/5415

= Changelog =

API CHANGE Checking for SiteTree->canView() permissions in the cms tree (via LeftAndMain->getSiteTreeFor() and Hierarchy->getChildrenAsUL())
ENHANCEMENT Using SiteTree::can_view_multiple() in SiteTree->canView() (similar to canEdit())
ENHANCEMENT Checking for SiteTree->canView() permissions in LeftAndMain->show()
BUGFIX Don't return false in SiteTree::back_permission_check() automatically if no valid member is passed - the permission might still be granted (e.g. for SiteTree->canView())
BUGFIX Allowing explicitly checking for permissions without current member fallbacks via passing $member=FALSE in SiteTree->canView()/canEdit()
BUGFIX Passing $globalPermission and $useCached parameters to recursive calls in SiteTree::back_permission_check()
BUGFIX Checking for can_view_multiple() in SiteTree::can_edit_multiple() - if view permissions are declined, we assume edit permissions are denied automatically as well (this was a regression from canEdit() behaviour prior to the batch permission changes)

= Notes =

• I'm doing the filtering in Hierarchy->getChildrenAsUL() to avoid having it repeatedly in different ORM level methods. This means that you can't enforce viewing of restricted records outside of canView() or through certain marking filters. For ADMINs, canView() will usually return true, so that shouldn't be an issue.
• Hiearchy->Children() already checks for canView(), as its used for frontend menus - thats a bit inconsistent I think.
• I've confirmed this also works with sitetree filtering in the CMS
• All UTs pass on 2.4 (including cmsworkflow), but i'm not 100% sure about the changed SQL filtering in $uninheritedPermissions - Sam, could you review?

created by: @halkyon (sharvey)
created at: 2010-10-18
original ticket: http://open.silverstripe.org/ticket/6117

When modifying the default value of an "Enum" DBField type in sapphire, the default value never gets fixed when dev/build is called. The reason for this is because MySQL uses enum data types, whereas MSSQL and PostgreSQL use constraints "CHECK" and "IN" keywords to check the values.

This code in particular not work with MSSQLDatabase, or PostgreSQLDatabase because it assumes the data type will always be an enum.

        } else if($fieldValue != $specValue) {
            // If enums/sets are being modified, then we need to fix existing data in the table.
            // Update any records where the enum is set to a legacy value to be set to the default.
            // One hard-coded exception is SiteTree - the default for this is Page.
            foreach(array('enum','set') as $enumtype) {
                if(preg_match("/^$enumtype/i",$specValue)) {
                    $newStr = preg_replace("/(^$enumtype\s*\(')|('$\).*)/i","",$spec_orig);
                    $new = preg_split("/'\s*,\s*'/", $newStr);

                    $oldStr = preg_replace("/(^$enumtype\s*\(')|('$\).*)/i","", $fieldValue);
                    $old = preg_split("/'\s*,\s*'/", $newStr);

                    $holder = array();
                    foreach($old as $check) {
                        if(!in_array($check, $new)) {
                            $holder[] = $check;
                        }
                    }
                    if(count($holder)) {
                        $default = explode('default ', $spec_orig);
                        $default = $default[1];
                        if($default == "'SiteTree'") $default = "'Page'";
                        $query = "UPDATE \"$table\" SET $field=$default WHERE $field IN (";
                        for($i=0;$i+1<count($holder);$i++) {
                            $query .= "'{$holder[$i]}', ";
                        }
                        $query .= "'{$holder[$i]}')";
                        DB::query($query);
                        $amount = DB::affectedRows();
                        $this->alterationMessage("Changed $amount rows to default value of field $field (Value: $default)");
                    }
                }
            }
            Profiler::mark('alterField');
            $this->transAlterField($table, $field, $spec_orig);
            Profiler::unmark('alterField');
            $this->alterationMessage("Field $table.$field: changed to $specValue <i style=\"color: #AAA\">(from {$fieldValue})</i>","changed");
        }

I think having this work with CHECK and IN clauses would be helpful, as MySQL is the only supported database we have which supports the enum data type and so this is not useful being in the abstract Database class if it doesn't work for other databases.

created by: hamish
created at: 2009-11-18
original ticket: http://open.silverstripe.org/ticket/4734

The attached patch contains a new "CompositeSearchFilter" that encapsulates multiple filters to be attached to a single SearchContext filter.

Because search context filters are keyed by their source name (eg "Name"), you cannot easily apply multiple filters to the single source.

This filter will apply the value of the source field to each of it's contained filters, returning the modified SQLQuery.

For example, this SearchContext allows the user to search the "Name", "Aliases" and "Number" fields from a single "Reference" field. This is tested and working 'in the wild':

function getDefaultSearchContext() {
    $fields = new FieldSet(new TextField('Reference'));
    $filters = array(
        'Reference' =>  $f = new CompositeSearchFilter(
            array(
                new PartialMatchFilter('Name'),
                new PartialMatchFilter('Aliases'),
                new PartialMatchFilter('Number'),
            )
        )
    );
    $context = new SearchContext(
        $this->class, 
        $fields, 
        $filters
    );
    $context->connective = "OR";
    return $context;
}

As a follow up, would it be appropriate to extend this class slightly to allow more complex queries with nested ANDs and ORs? At the moment, you are basically stuck with either a universial AND or OR set at the SearchContext level.

CompositeSearchContexts could create empty SQLQueries with either conjuctive or adjunctive filters. On apply($query) they then add their local $query->getFilter() to the passed $query.

Wouldn't be much work to implement and gives ModelAdmin users a lot more power, not to mention more versatile search contexts in general.

Conceptually, for example, the following SearchContext would allow a general filter on Blog posts

function getDefaultSearchContext() {
    $fields = new FieldSet(
        new TextField('Content'),
        new TextField('Person')
    );
    $filters = array(
        'Content' =>  new CompositeSearchFilter(
            array(
                new PartialMatchFilter('Title'),
                new PartialMatchFilter('Content'),
                new PartialMatchFilter('Tags'),
            ), "OR")
        ),
        'Person' => new CompositeSearchFilter(
            array(
                new PartialMatchFilter('Author'),
                new PartialMatchFilter('Comments.Author')
            ), "OR"
        )
    );
    $context = new SearchContext(
        $this->class, 
        $fields, 
        $filters
    );
    $context->connective = "AND";
    return $context;
}

created by: @chillu (ischommer)
assigned to: hfried
created at: 2010-07-11
original ticket: http://open.silverstripe.org/ticket/5807

Currently its too complicated to invalidate partial caches in templates (you basically have to comment out the <% cache %> part. I've talked to Hamish a while ago, we think it'd be more intuitive to invalidate caches on ?flush=all as well (it roughly fits in the "clear template cache" thinking). This has to be limited to ADMIN access of course, to avoid denial of service attacks.

created by: @chillu (ischommer)
assigned to: @chillu (ischommer)
created at: 2009-05-25
original ticket: http://open.silverstripe.org/ticket/4125

Add Zend_Date as an internal object instance to handle all actual conversion.

== Features ==

• Store dates and datetimes internally as unix timestamps. Zend_Date should automatically handle dates outside of the timestamp range through the PHP bcmath extension.
• Add setLocale() and getLocale()
• Fix setValue() to parse dates according to locale
• Allow different formats in setValue(): Unix timestamp, ISO 8601 string, or Date DBField
• Add compare() and equals() which takes a DBField argument (rather than Zend_Date) and passes through current value to Zend_Date
• Set current locale upon construction based on i18n::get_current_locale(). Allow explicit passing in of locale in constructor
• Add setOptions() which is passed through to Zend_Date
• Deprecate NiceUS() and FormatI18n()
• Fix all methods dealing with $this->value to use Zend_Date instead of strotime() etc.
• Use Zend_Date for RangeString()
• Replace all $this->value references with $this->getValue().
• Use Zend_Date->isLater()for InFuture()
• Use Zend_Date->isEarlier forInPast()```
• Pass through Zend_Date->isTomorrow(), Zend_Date->isYesterday(), Zend_Date->isLeapYear()
• Add validate() method using Zend_Date_Validate->isValid(). Make sure to set locale and format on Zend_Date_Validate whenever passed into the class, e.g. through setLocale()

== Out of scope ==

• No support for timezones
• No parsing of system/php date, locale or timezone settings - this can be handled by the i18n class later.
• Assumption: All databases return dates in SQL92 standard (YYYY-MM-DD HH:MM:SS).
• Storage into database columns doesn't require db abstraction hooks, and is always done in ISO 8601

== Optional ==

• Support Zend's array notation for passing in dates

== Notes ==

• See Money class for example usage of Zend components in DBFields.
• Important: Unit test all new APIs and API changes.

created by: @chillu (ischommer)
assigned to: @sminnee (sminnee)
created at: 2008-11-09
original ticket: http://open.silverstripe.org/ticket/3043

Ingo: canView() doesn't seem to make sense in a File/Folder context as you can view those items through a URL without sapphire intervention.

Sam: It would be good to have an execution mode for the site where all assets/* URLs were mediated by sapphire - you could do that with another URL-rewriting rule...

RewriteCond %{REQUEST_URI} ^(assets/.*)$
RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]

created by: [email protected]
created at: 2011-04-19
original ticket: http://open.silverstripe.org/ticket/6605

Text.ContextSummary changes case of the original text. I.e. A search for "John Key" will highlight as "john key". This is a problem with proper names and brand names.

The search term should highlighted without changing the inner text.

created by: @chillu (ischommer)
created at: 2010-11-25
original ticket: http://open.silverstripe.org/ticket/6232

Followup from http://open.silverstripe.org/ticket/6177

Zend_Currency is a mature library that builds on the Unicode library with couple of dozen definitions for currency display, formatting, symbols, etc. - see http://framework.zend.com/manual/en/zend.currency.html

It should replace the currently hardcoded formatting in CurrencyField and Currency classes.

• Add an internal Currency reference ($valueObj) to CurrencyField, which gets written in setValue() and read in dataValue() - see DateField for a similiar implementation
• Allow setting of locale on instance, fall back to i18n::get_locale()
• Allow setting default currency symbols on Currency (which is also used by CurrencyField)
• Remove hardcoding of "$" sign
• Write wrappers passing through to Zend where appropriate (mainly setFormat())
• Ensure that MoneyField can get to its internal CurrencyField to settings can be overwritten there
• We can probably deprecate setCurrencySymbol(), should be handled through setFormat()

created by: @halkyon (sharvey)
assigned to: @halkyon (sharvey)
created at: 2010-12-15
original ticket: http://open.silverstripe.org/ticket/6269

Uploads are not viewable directly in the URL, causing TinyMCE to show a broken image when you insert a new image.

Steps to reproduce:

1. Upload a file using Files & Images in CMS to a folder
2. Go back to the Pages tab in CMS and open a page
3. Insert that image onto the page [broken image box appears or nothing at all]
4. Click Save and Publish [image appears on refresh]

PHP is able to create the file with the correct permissions, but when you view the URL you get a "URL Rewrite Module Error".

Interestingly enough, resampling the file works fine. I've checked permssions and they appear to be correct.

If you remove the section of the web.config file, the file can then be viewed.
However, that doesn't appear to be the cause of the issue.

The cause I can see is newly uploaded files are missing the IIS_IUSRS group. This essentially means the file wasn't created inside the Uploads folder to inherit the parent permissions, but instead moved directly from temp which files inherit from very limited permissions in the system temp.

Reference: http://silverstripe.org/installing-silverstripe/show/15172#post296738

created by: @chillu (ischommer)
assigned to: @chillu (ischommer)
created at: 2008-11-25
original ticket: http://open.silverstripe.org/ticket/3153

This is a frequently used field with poor code structure, virtually no documentation, and lots of permutations ($source and $value as SQLMap, array, CSV-string, DataObjectSet). Document the different usages and unit test them.

created by: @sminnee (sminnee)
assigned to: @sminnee (sminnee)
created at: 2008-10-08
original ticket: http://open.silverstripe.org/ticket/2914

= Installer updates =

== Contact ==

• Sam Minnee (sam at silverstripe dot com)

== Status ==
Brainstorming

== Motivation ==

• The installer is a piece of code that we never use, and consequently is more at risk of bugs and usability issues.
• The installer doesn't take care of upgrading at all.
• For our own projects, we don't have any kind of environment checker - for instance, when new developers
• Distribution of our own projects (such as sscmap) is tricky because it really needs the installer.

== Spec ==

In essence, the installer is responsible for the following things:

• Database configuration
• .htaccess generation
• Running db/build
• Checking the build environment for all the dependencies

=== Installer re-bundling ===

Instead of setting the installer up as a separate package, it should be bundled into the Sapphire package, handled with a controller such as dev/install or dev/update. Obviously, there would be some work needed to ensure that the installer can successfully give a "your system isn't configured properly" line, but there are some techniques that we can follow.

• Redirect to sapphire/main.php?url=dev/update instead of just dev/update
• Tell Sapphire not to make a database connection if no database is configured.
• Avoid any memory-hungry activities; manifest creation might be an issue here. Perhaps an installer-only bypassing of the manifest & autoloader can be used.

Alternatively, we might have a sapphire/safe-mode.php, which runs a more conservative version of Sapphire.

As an alternative to RootURLController could perform this check: this would mean that if a SilverStripe developer checks out a project, it's going to automatically run db/build the first time they visit the site - could be very cool. You could even have some kind of system where the current svn revision was compared to the svn revision that a database update was last executed on - could be very powerful indeed!

=== _ss_environment.php Management ===

Instead of updating mysite/_config.php, the installer should manage _ss_environment.php. It should let people manage an _ss_environment.php file for a single site, or a shared file for all sites.

The only thing that should be written to mysite/_config.php is the database name, and it should be done in a manner that preserves other content in the file.

=== .htaccess Generation ===

Create a build task that is responsible for generating and/or updating a SilverStripe .htaccess file. This isn't needed just by the installer for 3rd parties; for example, .htaccess updates are required for static caching.

=== Module Manager ===

As part of all this work, a module manager for upgrading and installing modules would be particularly handy. You could use this to upgrade the version of SilverStripe you were using, as well as install modules.

== Results ==

• 3rd party developers will be taught to use _ss_environment.php from day one. Multiple SilverStripe installations will be easily set to use the same database config.
• SS developers can use dev/update as a more full featured replacement of db/build.
• SS developers have have their local environments tested to ensure that everything is working.
• The installer can be used for upgrades as well as installations: replace the files and then visit dev/update.
• SilverStripe staff will be making use of SilverStripe in the same way as the rest of the world.

== Plans ==

• Implement dev/update in trunk, bringing features from the installer one by one that.
• Once it's full featured and robust, look at refactoring the PHP installer to use.

created by: @chillu (ischommer)
assigned to: @chillu (ischommer)
created at: 2009-01-25
original ticket: http://open.silverstripe.org/ticket/3427

Currently we have our own (procedural SilverStripe 1) code for sending html and plaintext emails. It contains all kinds of funky exceptions and tweaks which are not tested nor understood by many ;) There's also a lot of redundancy (and slight differences) between the plaintext and html implementations. We also see increased demand in sending unicode emails in all kinds of flavours, which increases the scenarios which we most likely haven't tested in full before.

I'd suggest we move to a solid, documented and unit tested Mailer implementation.
Originally I've suggested PHPMailer (http://phpmailer.codeworxtech.com), but its license incompatible (GPL).
Main candidate is Zend_Mail - http://framework.zend.com/manual/en/zend.mail.html (would fit well with our other use of Zend).

The main task here is to identify which features overlap and what we need to re-implement - which I expect is very little.

We should make the base mailer implementation pluggable, although it might not be feasible to support all potential options through a wrapper (e.g. adding attachments).

Some examples of the weirdness that is the current implementation:

$subjectIsUnicode = (strpos($subject,"&#") !== false);

function QuotedPrintable_encode($quotprint) {       
        $quotprint = (string) str_replace('\r\n',chr(13).chr(10),$quotprint);
        $quotprint = (string) str_replace('\n',  chr(13).chr(10),$quotprint);
        $quotprint = (string) preg_replace("~([\x01-\x1F\x3D\x7F-\xFF])~e", "sprintf('=%02X', ord('\\1'))", $quotprint);
        //$quotprint = (string) str_replace('\=0D=0A',"=0D=0A",$quotprint);
        $quotprint = (string) str_replace('=0D=0A',"\n",$quotprint);    
        $quotprint = (string) str_replace('=0A=0D',"\n",$quotprint);    
        $quotprint = (string) str_replace('=0D',"\n",$quotprint);   
        $quotprint = (string) str_replace('=0A',"\n",$quotprint);   
        return (string) $quotprint;
}

created by: toddvalentine
created at: 2011-07-20
original ticket: http://open.silverstripe.org/ticket/6684

I noticed that when I was using the HTML5

created by: @halkyon (sharvey)
created at: 2011-04-07
original ticket: http://open.silverstripe.org/ticket/6590

If you combine CSS files at the moment, the combined file is stored in assets by default.

However, any relative URL references to images in CSS are no longer valid, and cause 404s when a page is rendered.

Either we remove the ability to combine CSS or we fix the combiner to rewrite the URLs to the proper base of where the combined file is located.

What stated in documentation http://doc.silverstripe.org/framework/en/3.1/topics/i18n#usage-in-template-files doesn't work.

• Template file: http://pastie.org/7280012

• sake /dev/tasks/i18nTextCollectorTask --- Running Task i18n Textcollector Task --- (no more output)

• themes/mySimple/lang/en.yml is updated like this: http://pastie.org/7280023
• copied it into it.yml: http://pastie.org/7280032

• sake /dev/build "flush=all"

not working...

created by: wakeless
assigned to: @sminnee (sminnee)
created at: 2008-08-20
original ticket: http://open.silverstripe.org/ticket/2752

If a subclass of Page/SiteTree overrides getCMSFields like:

function getCMSFields() {
  $fields = parent::getCMSFields();
  dostuff with $fields
  return $fields;
}

updateCMSFields gets called on all extensions before the dostuff with fields section of the code. This interfers with using Translatable for subclasses of Page for 1 thing.

created by: employboy
created at: 2011-04-05
original ticket: http://open.silverstripe.org/ticket/6584

LINE 92 OF CheckboxSetField.php WHERE else is reached

    if(is_a($values, 'DataObjectSet') || is_array($values)) {
        $items = $values;
    } else {
        $items = explode(',', $values);
        $items = str_replace('{comma}', ',', $items);
    }

What's happening here is that when the else is reached them $items are exploded whether $items is empty or not, or null of that matter. When using explode in php (I don't know this may depend on the install) even empty items when exploded result in an array with an empty value. This registers as an empty value if you have 0 as item in the source resulting in
'checked="checked"' for the item.

My suggested fix would be:

            if(is_a($values, 'DataObjectSet') || is_array($values)) {
                $items = $values;
            } else {
                if($values == null){
                    $items = array();
                }else{
                    $items = explode(',', $values);
                    $items = str_replace('{comma}', ',', $items);
                }
            }

created by: doubledotmedia
created at: 2010-09-21
original ticket: http://open.silverstripe.org/ticket/6022

If the core post-rewrite url is hit directly, silverstripe does nothing to correct it.

e.g.
http://silverstripe.org/sapphire/main.php?url=silverstripe-cms

This can cause issue with duplicate content in search engines and means pages can be accessed at urls which you didn't intend (ie I can link to this page
http://silverstripe.org/sapphire/main.php?url=silverstripe-cms which will then index it and cause issues within Google)

Need to check and force (301 redirect) to 'clean' url which in the example above would be http://silverstripe.org/silverstripe-cms

Due to some people actually needed this (if they can't use mod_rewrite) might need a config setting in the _ss_environment file to enable this forced correction.

created by: @chillu (ischommer)
created at: 2009-03-17
original ticket: http://open.silverstripe.org/ticket/3734

See http://www.phpro.org/tutorials/PHP-Security.html http://open.silverstripe.org/ticket/4

The underlying classes in Mailer.php seem to be vulnerable to this when working with $customheaders. I think stripping newlines in processHeaders() is enough to prevent this, right?

created by: gordonbanderson
created at: 2011-04-24
original ticket: http://open.silverstripe.org/ticket/6608

I initially thought this problem was due to memory limitations (90M) on Dreamhost, but I managed to recreate the problem locally.

To recreate the problem:

1. Edit any page
2. Click on the image icon
3. Select'Choose File'
4. Try to upload the attached image.

Nothing appears to happen visually.

When I change the name of the file to say 'fred.jpg' then the upload works

The workaround for the moment is to rename the files as English

created by: nzmkey
created at: 2011-06-06
original ticket: http://open.silverstripe.org/ticket/6655

Summary:
An existing level 1 page that has been moved in draft will change the order of the item in the live menu if another level is published to live.

Test case:
-Create 3 pages in level 1 (PageA, PageB, PageC) and publish to Live
-You should see live menu with 3 items in the follow order: PageA, PageB, PageC
-Move PageC as a child of PageB and Save (Do Not Publish)
-You should see draft menu with 2 items: PageA, PageB
-You should see live menu with 3 items: PageA, PageB, PageC
-Publish PageA with no changes

Expected results:
-You should see draft menu with 2 items: PageA, PageB
-You should see live menu with 3 items: PageA, PageB, PageC

Actual Results:
-You should see draft menu with 2 items: PageA, PageB
-You should see live menu with 3 items: PageC, PageA, PageB

I have replicated this in open.silverstripe.org on 7 June 2011

created by: @chillu (ischommer)
assigned to: trix
created at: 2009-05-25
original ticket: http://open.silverstripe.org/ticket/4127

See #1373 and #1374 for similiar tickets.

Essentially, numbers in their "nice" display have to be formatted according to the locale (decimal and thousands separators).

== Features ==

• Add setLocale() and getLocale()
• Fix setValue() to parse times according to locale
• Set current locale upon construction based on i18n::get_current_locale(). Allow explicit passing in of locale in constructor
• Add setOptions() which is passed through to Zend_Locale
• Use Zend_Locale_Format::getNumber() for any formatting in Nice(), Round(), NiceRound(). Replace all calls to number_format()
• Use Zend_Locale_Format::isNumber() in setValue() and any other occurrence of is_numeric()
• For any conversions on Float, use prevision value set in requireField()

== Out of scope ==

• No support for non-western number systems (e.g. arabic)

== Notes ==

• See http://framework.zend.com/manual/en/zend.locale.parsing.html

created by: burnbright
created at: 2011-05-30
original ticket: http://open.silverstripe.org/ticket/6649

The is_cli function on Director.php only functions correctly when php_sapi_name() returns 'cli', however some setups run cron jobs with 'cgi-fcgi', causing the function to return false.

The execution will therefore act as a web-based rather than command-line, resulting in html output of the secuirty login page being returned to the cron output.

created by: neilcreagh
created at: 2011-07-14
original ticket: http://open.silverstripe.org/ticket/6680

Silverstripe is generating a bad HTTP header. The content-type header has quotes around the charset value. For example,

content-type: text/xml; charset="utf-8"

is used when it should be

content-type: text/xml; charset=utf-8

Most modern browsers are lenient and allow the bad header, but Adobe BrowserLab is tripped up by the quotes and will not work for ANY Silverstripe websites.

created by: @chillu (ischommer)
created at: 2009-06-03
original ticket: http://open.silverstripe.org/ticket/4192

This problem pops up when using Database->dontRequireField(). It is basically useless for the first dev/build on a new database, as it tries to list all fields in a table that doesn't exist yet. Tables are created "transactional" using Database->transCreateTable(), but other commands are not transactional:

• renameField()
• renameTable()

Create Database->transRenameField() and transRenameTable(), or hook them into transAlterField() etc.

To test this behaviour, please implement the attached patch for Versioned.php. At the moment, certain columns in Versioned are not marked as obsolete, hence continue filling versioned queries with redundant and wrong data (see r78358 for details)

created by: samthejarvis
created at: 2011-06-07
original ticket: http://open.silverstripe.org/ticket/6657

If you put nothing in the search box, you get a MySQL error.

created by: @chillu (ischommer)
assigned to: @chillu (ischommer)
created at: 2010-07-01
original ticket: http://open.silverstripe.org/ticket/5768

There's 1001 methods in SilverStripe to do logging, debugging and output. Some of them respect CLI mode, others enforce HTML, some of them render differently with Ajax requests. All in all: Its a mess. I would like to make this more consistent, ideally around Zend_Log. We also need to distinguish more clearly between output helpers like Debug::show() and logging (SS_Log::log()).

For the moment, I'm just collecting what we have - its unclear how this will be solved.

== Context ==

Context should really be handled by the requested Content-Type in the HTTP header. Any CLI scripts should ensure that "text/plain" is set. One use case is dev/build, which can be run through a URL with differently coloured HTML (and a header with linked breadcrumbs), but also on CLI with plaintext output.

• CLI (plaintext, newlines, coloured output)
• text/html: HTML tags, inline CSS
• text/html: Ajax mode (no tags)
• Output supression: E.g. when running unit tests, no output might be desired at all (regardless of content-type)

== Methods: Output/Log ==

• Debug::message() - Shows message through echo(), with optional header traceback and HTML styling
• Debug::log() - Writes to a hardcoded file location in some non-standard log format
• Debug::header() - Sends an HTTP header
• Debug::show() - Does Debug::text() with more context around it
• Debug::showError() - Uses DebugView class to write detailed error info.
• Debug::emailError() - Uses SS_Log::log() and SS_LogEmailWriter
• DebugView->writeInfo() - Writes HTML with optional header (and breadcrumbs!)
• DebugView->writeError() - Wtites error as HTML
• SS_Log::log() - Writes to one or more Zend_Log_Writer interface (can be email, HTML, etc)

== Methods: Inspection/Debugging ==

• ViewableData::Debug()/ViewableData_Debugger - Lists methods/params about an object
• Object::__toString() - Returns $this->class
• DataObject/DataObjectSet->debug()/ - Returns HTML with Debug::text(). Not consistently implemented across objects.
• Debug::text() - Outputs a value/object in HTML
• Debug::dump() - Kinda like Debug::text()
• SS_Backtrace::backtrace() - HTMLized version of PHP's built-in debug_backtrace()

created by: @chillu (ischommer)
created at: 2010-09-19
original ticket: http://open.silverstripe.org/ticket/6013

Should also fall back to using Zend_Locale on Nice() if no format override is defined, rather than hardcoding 'd/m/Y'. Once thats implemented, we can also deprecated locale specific stuff like NiceUS().

created by: @chillu (ischommer)
created at: 2010-05-04
original ticket: http://open.silverstripe.org/ticket/5535

At the moment the ShortcodeParser just applies in HTMLText/HTMLVarchar->forTemplate(). This getter is not used when further processing the output or using an alternative, e.g. through FirstParagraph().

SHortcodes should be respected in all those getters, specifically:

• StringField->forTemplate() ?
• Varchar->LimitCharacters()
• Text->FirstParagraph(), LimitWordCount(), LimitWordCountXML(), LimitSentences(), FirstSentence(), Summary(), BigSummary(), ContextSummary()
• HTMLText->LimitCharacters(), Summary, FirstSentence()

Also, its unclear why its limited to HTML fields only - text fields should be able to have shortcodes as well, right? Best example being the bbcode style enforced on BlogEntry.Content.

created by: @chillu (ischommer)
assigned to: @kmayo-ss (kmayo)
created at: 2009-03-09
original ticket: http://open.silverstripe.org/ticket/3684

This is an interesting one, raised by one of our partners: you can redirect to different internal URLs by using the "url" GET parameter.

Example (works on standard installation): /about-us/?url=contact-us will show the "contact-us" page, not "about-us". This has several implications:

• On a sufficiently long URL, this might be used to obfuscate the target page
• It might be used to create attacks on the page-rank of a target page - Google will index these links and rate them as duplicate content, which decreases pagerank

I would suggest to limit parsing of the ?url parameter to scenarios where REQUEST_URI starts with /sapphire/main.php

@sam: Thoughts? How does this get influenced by your work on URLs without mod-rewrite (index.php/about-us)?

created by: nicolaas
created at: 2011-06-25
original ticket: http://open.silverstripe.org/ticket/6670

I got a strange error - I installed a new project and I could not save it... on the live server I got: out of memory; on my dev server I got - out of time (30 seconds).

Check out this code in SiteTree.php

        // Ensure that this object has a non-conflicting URLSegment value.
        $count = 2;
        while(!$this->validURLSegment()) {
            $this->URLSegment = preg_replace('/-[0-9]+$/', null, $this->URLSegment) . '-' . $count;
            $count++;
        }

If the function validURLSegment always returns false then it keeps going up and up.

The reason I got this error:

Object::add_extension('ContentController', 'BrowseBusinessDecorator_Controller');


class BrowseBusinessDecorator_Controller extends Extension {
    static $allowed_actions = array(

        "createnewbusinesslistingfrompoint" => true

    );
}

As soon as I removed

I recommend we at least have a check on the loop in sitetree, so that it stops counting after 100 pages or something.... Otherwise you can not even run /dev/build/ (in case any pages are written).

created by: @chillu (ischommer)
created at: 2009-04-23
original ticket: http://open.silverstripe.org/ticket/3911

See test below, which is currently failing. When changing the ClassName of an existing record to a new class with more fields (and hence sub-tables), no row is created for the record in the new tables. It is only created when actual rows are written for this record.

DataObjectTest.php

function testClassNameChangeCreatesNewTables() {
        // create original
        $orig = new DataObjectTest_Team();
        $orig->write();
        $origID = $orig->ID;

        // change page type to subclass with new database fields
        $orig->ClassName = 'DataObjectTest_SubTeam';
        // save without changing any subclass-specific fields
        // (which would trigger creation of the database row in the subclass table)
        $_REQUEST['showqueries'] = 1;
        //$orig->forceChange();
        $orig->write();

        // Getting a new record, to give the ORM a chance to initialize it properly
        // querying parent class, but testing subclass later on
        $new = DataObject::get_by_id('DataObjectTest_SubTeam', $origID);

        $this->assertNotNull($new);
        $this->assertEquals(
            DB::query(sprintf('SELECT "ID" FROM "DataObjectTest_SubTeam" WHERE "ID" = %d', $origID))->column(),
            array($origID),
            'Row in sub-table is created even if all values are NULL after changing the class name'
        );
    }

created by: taro
created at: 2011-07-06
original ticket: http://open.silverstripe.org/ticket/6676

If i use the ssimage, ssflash, ... the sidebar doesn't work if i use Google Chrome. There is no JS Error but the overlaying container (i think it's "Form_EditForm") doesn't shrink, so the image, flash or link-form is not visible.

created by: paradigmincarnate
created at: 2011-04-07
original ticket: http://open.silverstripe.org/ticket/6588

The Problem

SilverStripe uses webserver rules (e.g. .htaccess, mod_rewrite) to put the path into a query parameter named 'url'.

In sapphire/main.php some adjustments are made to this to ensure it's uniform across all web servers.

The fixed/normalised value then resides in $_GET['url']

SilverStripe then goes on to use $_REQUEST['url'] in some places to represent the page url.

This is a problem for 2 reasons.

1. $_REQUEST['url'] isn't subject to any fixing.
2. The url shouldn't ever come from somewhere other than $_GET['url'].

The Fix

Surely the easiest way to fix this is to replace all use of $_REQUEST['url'] with $_GET['url'] or SS_HTTPRequest::getUrl()

Special Considerations

The url shouldn't come from a query anyway, but should be grabbed form REQUEST_URI since putting it in the query causes all sorts of encode/decode issues.