5.4.0 (unreleased)


Overview

Security considerations {#security-considerations}

Three security fixes that were previously released in the January security release, and are mentioned in the Silverstripe CMS security patches January 2025 blog post, are listed below.

Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.

We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can read the severity rating definitions in the Silverstripe CMS release process.

Features and enhancements

Sudo mode for sensitive data {#form-sudo-mode}

Some data managed by the CMS is always considered sensitive from a security point of view, such as member data and permissions assigned to groups. Data of this nature is now protected by default by "sudo mode" in the CMS. When a user tries to edit sensitive data, they will be prompted to enter their password to confirm their identity.

This change was made to provide an extra layer of protection against cross-site scripting (XSS) attacks, as well as against people maliciously using someone else's computer left unattended in a logged-in state.

Users will still be able to view sensitive data without entering their password as they could before. Previously "sudo mode" only protected a member's MFA settings. Now the following DataObject subclasses are also protected by sudo mode:

  • Member
  • Group
  • PermissionRole
  • PermissionRoleCode

You can also add sudo mode to your own DataObject subclass by setting the DataObject.require_sudo_mode configuration property to true. For example:

SomeModule\Model\Player:
  require_sudo_mode: true

Previously sudo mode was automatically activated when a user logged in, which largely negated the value the feature provided. This has now been changed so that users will always have to enter their password to activate sudo mode the first time they reach a sensitive area of the CMS.

There is still a configurable grace period where, after entering your password to activate sudo mode, it will remain active for a short time.

If you run end-to-end tests on the CMS which involve editing sensitive data you may need to update your tests to account for this change. If you use behat there are instructions for how to use an extension to automatically activate sudo mode in a feature file.

Learn more about sudo mode in the developer docs.

Logged warning if allowed hosts have not been configured {#allowed-hosts-warning}

If your site does not have one of the following configured, then a warning will now be logged on every request:

  • SS_ALLOWED_HOSTS environment variable
  • AllowedHostsMiddleware.AllowedHosts property

The "host" header is used by Silverstripe CMS to determine what the host name is for your project. This is useful when creating absolute URLs, e.g. for use in emails.

Notably this is used in Director::host(), which in turn is called by many methods including Director::hostName(), Director::protocolAndHost(), Director::is_site_url(), and Director::absoluteURL().

Ideally your hosting will reject invalid host headers. For example Apache allows you to define valid hosts as part of the virtual host configuration, and a Web Application Firewall (WAF) can also be configured to validate the host header. However if your hosting is set to allow any host header, your project might be vulnerable to host header injection attacks.

You should configure Silverstripe CMS to validate the host header, which is an extra layer of protection against this type of attack. While you should have appropriate validation at a hosting level, it is best practice to also configure this in your project.

This configuration has existed since 2016, but we've been alerted that many projects still have not configured their hosting nor their project to adequately validate host headers. To help prompt developers, we've added a warning which will be logged if the configuration is not set.

You can learn more about the relevant configuration in the secure coding documentation.
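
The following stand-alone PHP sketch is an added example, not Silverstripe's own code. It shows an allowlist check of the kind described above, run once with nothing configured (the case that now triggers the warning) and once with an allowlist. The function names (`parseAllowedHosts`, `checkHost`, `absoluteUrl`), the path and the sample hosts are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Silverstripe code. Function names are hypothetical
// and the hosts below are constructed sample values.

/** Parse a comma-separated allowlist such as "example.com,www.example.com". */
function parseAllowedHosts(string $raw): array
{
    $hosts = array_map(
        static fn (string $h): string => strtolower(trim($h)),
        explode(',', $raw)
    );
    // Drop empty entries so "" or "a.com,," never yields a blank allowed host.
    return array_values(array_filter($hosts, static fn (string $h): bool => $h !== ''));
}

/**
 * Validate a request's Host header against the allowlist.
 * Returns [HTTP status, message]. With an empty allowlist the request is
 * accepted unvalidated and a warning is appended to $log.
 */
function checkHost(string $hostHeader, array $allowedHosts, array &$log): array
{
    if ($allowedHosts === []) {
        $log[] = 'WARNING: no allowed hosts configured, Host header is not validated';
        return [200, 'accepted (unvalidated)'];
    }
    // Assumption of this example: the whole header value must match, so a
    // non-default port has to be listed explicitly (e.g. "example.com:8443").
    if (!in_array(strtolower(trim($hostHeader)), $allowedHosts, true)) {
        return [400, 'rejected'];
    }
    return [200, 'accepted'];
}

/** Build an absolute URL from the request's host, as host-derived helpers do. */
function absoluteUrl(string $hostHeader, string $path): string
{
    return 'https://' . strtolower(trim($hostHeader)) . '/' . ltrim($path, '/');
}

// Constructed sample requests: [Host header, description].
$requests = [
    ['www.example.com', 'listed host'],
    ['WWW.Example.com', 'listed host, different case'],
    ['unlisted.invalid', 'host not on the allowlist'],
];

// First run: nothing configured. Second run: an explicit allowlist.
foreach (['', 'example.com,www.example.com'] as $configured) {
    $allowed = parseAllowedHosts($configured);
    $log = [];
    printf("allowed hosts: \"%s\"\n", $configured);
    foreach ($requests as [$host, $what]) {
        [$status, $message] = checkHost($host, $allowed, $log);
        // Only a request that passed the check reaches URL generation.
        $link = $status === 200 ? absoluteUrl($host, 'newsletter/confirm') : '(no URL built)';
        printf("  %-17s %-28s %d %-23s %s\n", $host, $what, $status, $message, $link);
    }
    printf("  warnings logged: %d\n\n", count($log));
}
```

In the unconfigured run every request is accepted and its Host value ends up in the generated URL; with the allowlist set, the unlisted host is rejected with a 400 before any URL is built.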

New XssSanitiser class

By far the most common type of security vulnerability that gets reported to us is XSS vulnerabilities. In many cases we can remove the vulnerability vector by disallowing HTML altogether, or by removing HTML specifically from user-provided input. Sometimes we need to allow HTML content from the user, such as in the WYSIWYG editor in the CMS - and in those cases we can mitigate XSS vulnerabilities by removing specific XSS attack vectors from the HTML content.

To help with this, we've added a new XssSanitiser class, which removes some known XSS attack vectors from HTML content. Note that this should be used only in scenarios where the HTML content can't be completely removed, and should not be considered a complete protection against all XSS attack vectors but rather as simply one of many tools in your security tool box.

Option to change ClassName column from enum to varchar {#classname-varchar}

On websites with very large database tables it can take a long time to run dev/build, which can be a problem when deploying changes to production. This is because the ClassName column is an enum type, which requires an ALTER TABLE query affecting every row to be run whenever there is a new valid value for the column. For a very rough benchmark, running an ALTER TABLE query on a database table of 10 million records took 28.52 seconds on a mid-range 2023 laptop, though this time will vary depending on the database and hardware being used.

This release introduces a new configuration option to change the ClassName column to a varchar type which removes the need to run ALTER TABLE whenever there is a new valid value.

Enabling this will result in a trade-off where the size of the database will increase by approximately 7 MB per 100,000 rows. There will also be a very slow initial dev/build as all of the ClassName columns are switched to varchar. To enable this, add the following configuration:

SilverStripe\ORM\DataObject:
  fixed_fields:
    ClassName: DBClassNameVarchar

SilverStripe\ORM\FieldType\DBPolymorphicForeignKey:
  composite_db:
    Class: "DBClassNameVarchar('SilverStripe\\ORM\\DataObject', ['index' => false])"

Reports quality of life updates

Numerous slight adjustments have been made to the ReportAdmin class for a better experience.

The changes include:

  • Search capability added (making use of PartialMatchFilter)
  • Sorting by columns now possible
  • Default Sort is now Title ASC
  • Reports list is now paginated
  • Description is now displayed in the list as a column

New class_description configuration on DataObject {#class-description}

SiteTree and BaseElement both separately implemented a description configuration property which was used to describe the purpose of a given subclass. For SiteTree this is used when creating a new page in the CMS. For BaseElement this is used in the elemental blocks report. In both cases the purpose is the same - it provides additional context about the intended use case for a given subclass.

We've now implemented this concept in DataObject directly with the new DataObject.class_description configuration property. It is now considered best practice to add a description of DataObject subclasses using this configuration. You can use the new DataObject::classDescription() and DataObject::i18n_classDescription() methods if you need a description of any DataObject class. Those methods already existed on SiteTree but have been moved up the hierarchy so they can be called on any DataObject class.

For now this is only used in the same places that used to use the deprecated configuration, but future minor releases are likely to broaden the scope of its usage.

As a part of this change, the SiteTree.description and BaseElement.description configuration properties are now deprecated. Use class_description instead.

The SilverStripe\CMS\Model\SiteTree.DESCRIPTION localisation key (along with the .DESCRIPTION suffix for any SiteTree subclass) will stop being used in a future major release. Use SilverStripe\CMS\Model\SiteTree.CLASS_DESCRIPTION instead.

oEmbed sandboxing

As part of the fix for the security vulnerability CVE-2024-47605 we have added a new feature to sandbox returned oEmbed HTML content in an iframe tag.

You can explicitly declare domains which should be excluded from sandboxing if you find it is interfering with embeds from specific domains. For example if a YouTube embed was not rendering correctly as a result of the sandboxing you could use this YAML configuration:

SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
  domains_excluded_from_sandboxing:
    - 'youtube.com'

Do not include the protocol (i.e. don't include https:// or http://).

You can also change the attributes of the iframe itself with this YAML configuration:

SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
  sandboxed_iframe_attributes:
    allow: 'fullscreen'

UX improvement for unique indexes {#unique-indexes}

It has been possible to create unique indexes for DataObject models for a long time in Silverstripe CMS, but when these unique indexes were violated (i.e. a user tried to create a duplicate record), there was no UX feedback in the CMS.

Violating a unique index will now throw a new DuplicateEntryException exception which you can catch and handle to produce appropriate validation messages.

If the violation happens when calling DataObject::write(), the exception will be caught and a ValidationException will be thrown instead. The CMS catches any ValidationException and displays them as user friendly validation errors in edit forms.

See indexes to learn about indexes in Silverstripe CMS.

Other new features

  • A new BaseKernel::getBooted() method has been added for checking whether the kernel has been booted yet or not.
  • A new CoreKernel::setBootDatabase() method has been added to replace the now deprecated DatabaselessKernel class.
  • Two new methods have been added to ArrayLib:
    • ArrayLib::insertBefore() for inserting a value before another value in an array
    • ArrayLib::insertAfter() for inserting a value after another value in an array
  • A new DBDatetime::getTimeBetween() method has been added. This method returns the amount of time that has passed between two DBDatetime objects as a human-readable string.
  • A new AbstractQueuedJob::getQueue() static method has been added to get the correct queue constant from a given string or int.
  • New GridFieldFilterHeader::setPlaceHolderText() and GridFieldFilterHeader::getPlaceHolderText() methods have been added which provide a way to override the GridFieldFilterHeader search field placeholder text if the dynamically generated text doesn't suit your use case.
  • RequiredFields can be set to determine whether a whitespace-only value, such as a single space character, is considered a valid value or not. This can be set globally via the RequiredFields.allow_whitespace_only config, which has a default value of true to retain backwards compatibility. This can also be set on a per-instance basis via RequiredFields::setAllowWhitespaceOnly(), which will override the global config. See form validation docs for more details.

API changes

Return type changes in composer plugins

We have made an exception to our definition of public API by adding a return type to the execute() method in the symfony commands for silverstripe/vendor-plugin and silverstripe/recipe-plugin.

The exception was made for the following reasons:

  • This change ensures CMS 5 can continue to be installed in scenarios where Composer is installed with Symfony 7. This can be done manually, and is also likely to be a future default.
  • The likelihood of someone subclassing the relevant classes is very low.
  • For installations of installer with earlier versions of Symfony this won't cause any problems, since PHP allows return types to be more specific in subclasses. This is known as covariance.

Deprecated API

  • The class names for the TopPage feature in dnadesign/silverstripe-elemental do not follow the correct naming convention for Silverstripe CMS. The existing classes have been deprecated and will be renamed to match the correct naming convention in a future major release.
  • SilverStripe\ORM\ArrayLib has been deprecated. It will be renamed to SilverStripe\Core\ArrayLib
  • SilverStripe\ORM\ArrayList has been deprecated. It will be renamed to SilverStripe\Model\List\ArrayList
  • SilverStripe\ORM\Filterable has been deprecated. It will be merged into SS_List.
  • SilverStripe\ORM\GroupedList has been deprecated. It will be renamed to SilverStripe\Model\List\GroupedList
  • SilverStripe\ORM\Limitable has been deprecated. It will be merged into SS_List.
  • SilverStripe\ORM\ListDecorator has been deprecated. It will be renamed to SilverStripe\Model\List\ListDecorator
  • SilverStripe\ORM\Map has been deprecated. It will be renamed to SilverStripe\Model\List\Map
  • SilverStripe\ORM\PaginatedList has been deprecated. It will be renamed to SilverStripe\Model\List\PaginatedList
  • SilverStripe\ORM\Sortable has been deprecated. It will be merged into SS_List.
  • SilverStripe\ORM\SS_List has been deprecated. It will be renamed to SilverStripe\Model\List\SS_List
  • SilverStripe\ORM\ValidationException has been deprecated. It will be renamed to SilverStripe\Core\Validation\ValidationException
  • SilverStripe\ORM\ValidationResult has been deprecated. It will be renamed to SilverStripe\Core\Validation\ValidationResult
  • SilverStripe\View\ArrayData has been deprecated. It will be renamed to SilverStripe\Model\ArrayData
  • SilverStripe\View\ViewableData has been deprecated. It will be renamed to SilverStripe\Model\ModelData
  • SilverStripe\View\ViewableData_Customised has been deprecated. It will be renamed to SilverStripe\Model\ModelDataCustomised
  • SilverStripe\View\ViewableData_Debugger has been deprecated. It will be renamed to SilverStripe\Model\ModelDataDebugger
  • CliBypass has been deprecated. It will be removed without equivalent functionality to replace it.
  • CliController has been deprecated. It will be replaced with symfony/console commands.
  • DatabaselessKernel has been deprecated. Use CoreKernel::setBootDatabase() instead.
  • BuildTask.segment has been deprecated. It will be replaced with a new $commandName property.
  • BuildTask->description has been deprecated. It will be replaced with a new static property with the same name.
  • BuildTask::getDescription() has been deprecated. It will be replaced with a new static method with the same name.
  • DevBuildController has been deprecated. It will be replaced with a new SilverStripe\Dev\Command\DbBuild class.
  • DevConfigController has been deprecated. It will be replaced with a new SilverStripe\Dev\Command\ConfigDump class.
  • DatabaseAdmin has been deprecated. It will be replaced with a new SilverStripe\Dev\Command\DbBuild class.
  • DevelopmentAdmin::buildDefaults() has been deprecated. It will be replaced with a new SilverStripe\Dev\Command\DbDefaults class.
  • DevelopmentAdmin::generatesecuretoken() has been deprecated. It will be replaced with a new SilverStripe\Dev\Command\GenerateSecureToken class.
  • DevelopmentAdmin::getRegisteredController() has been deprecated. It will be removed without equivalent functionality to replace it.
  • DevelopmentAdmin.registered_controllers has been deprecated. It will be replaced with new controllers and commands configuration properties.
  • CleanupTestDatabasesTask::canView() has been deprecated. It will be replaced with a new canRunInBrowser() method.
  • HTTPOutputHandler has been deprecated. It will be renamed to SilverStripe\Logging\ErrorOutputHandler
  • Build has been deprecated. It will be replaced with a new SilverStripe\GraphQL\Dev\SchemaBuild class.
  • DevelopmentAdmin has been deprecated. It will be removed without equivalent functionality to replace it.
  • DevBuildExtension has been deprecated. It will be renamed to SilverStripe\GraphQL\Extensions\DbBuildExtension
  • LDAPGroupSyncTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • LDAPMemberSyncTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • LDAPMigrateExistingMembersTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SubsiteCopyPagesTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CheckExternalLinksTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CheckExternalLinksTask::setSilent() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CheckExternalLinksTask->silent has been deprecated. It will be removed without equivalent functionality to replace it.
  • RealMeSetupTask::message() has been deprecated. It will be removed without equivalent functionality to replace it.
  • StaticCacheFullBuildTask::log() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ContentReviewOwnerMigrationTask has been deprecated. It will be removed without equivalent functionality to replace it.
  • CronTaskController has been deprecated. It will be replaced with a new SilverStripe\CronTask\Cli\CronTaskCommand class.
  • Clear has been deprecated. It will be replaced with a new SilverStripe\GraphQLDevTools\SchemaClear class.
  • ConvertTranslatableTask has been deprecated. It will be removed without equivalent functionality to replace it.
  • Exception has been deprecated. It will be removed without equivalent functionality to replace it.
  • UpdatePackageInfoTask->supportedAddonsLoader has been deprecated. It will be removed without equivalent functionality to replace it.
  • UpdatePackageInfoTask::getSupportedAddonsLoader() has been deprecated. It will be removed without equivalent functionality to replace it.
  • UpdatePackageInfoTask::setSupportedAddonsLoader() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ProcessJobQueueChildTask has been deprecated. It will be replaced with a new Symbiote\QueuedJobs\Cli\ProcessJobQueueChildCommand class.
  • ProcessJobQueueTask::getQueue() has been deprecated. Use AbstractQueuedJob::getQueue() instead.
  • HTTPOutputHandler::isCli() has been deprecated. Use Director::is_cli() instead.
  • PasswordValidator has been deprecated. It will be renamed to SilverStripe\Security\Validation\RulesPasswordValidator.
  • ContentReviewEmails::isValidEmail() has been deprecated. Use Email::is_valid_address() instead.
  • The DBField.defaultVal property has been deprecated. Use DBField::getDefaultValue() and DBField::setDefaultValue() instead.
  • DBFile::validate() has been deprecated. Use DBFile::validateFilename() instead.
  • ContentController::Menu() has been deprecated. Use ContentController::getMenu() instead if calling the method in PHP. You can continue to use $Menu in templates, including passing arguments to it.
  • GridFieldDataColumns::getValueFromRelation() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ViewableData::castingClass() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ViewableData::escapeTypeForField() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ViewableData::objCacheName() has been deprecated. It will be made private. The corresponding ViewableData::objCacheSet() and ViewableData::objCacheGet() methods will change method signature to not require passing in the cache key.
  • The $cacheName parameter for the ViewableData::obj() method has been deprecated. It will be removed without equivalent functionality to replace it.
  • ViewableData::cachedCall() has been deprecated. Use ViewableData::obj() instead.
  • ViewableData::XML_val() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ViewableData::getXMLValues() has been deprecated. It will be removed without equivalent functionality to replace it.
  • The $parser parameter for the SSViewer::__construct() method has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::flush() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::flush().
  • SSViewer::fromString() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::renderString().
  • SSViewer::topLevel() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::chooseTemplate() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::setTemplate() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::setTemplate().
  • SSViewer::setParser() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::setParser().
  • SSViewer::getParser() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::getParser().
  • SSViewer::hasTemplate() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::hasTemplate().
  • SSViewer::exists() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::getTemplateFileByType() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::flush_template_cache() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::flushTemplateCache().
  • SSViewer::flush_cacheblock_cache() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::flushCacheBlockCache().
  • SSViewer::setPartialCacheStore() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::setPartialCacheStore().
  • SSViewer::getPartialCacheStore() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::getPartialCacheStore().
  • SSViewer::includeGeneratedTemplate() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::includeGeneratedTemplate().
  • The $inheritedScope parameter for the SSViewer::process() method has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::getSubtemplateFor() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::getSubtemplateFor().
  • SSViewer::parseTemplateContent() has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::parseTemplateContent().
  • SSViewer::templates() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::setTemplateFile() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::get_base_tag() has been deprecated. Use SSViewer::getBaseTag() instead.
  • SSViewer_DataPresenter has been deprecated. It will be merged into SSViewer_Scope.
  • SSViewer_FromString has been deprecated. It will be replaced with SilverStripe\TemplateEngine\SSTemplateEngine::renderString().
  • SSViewer_Scope::getItem() has been deprecated. Use SSViewer_Scope::getCurrentItem() instead.
  • SSViewer_Scope::obj() has been deprecated. It will be renamed to scopeToIntermediateValue().
  • SSViewer_Scope has been deprecated. It will be renamed to SilverStripe\TemplateEngine\ScopeManager.
  • SSViewer::execute_template() has been deprecated. It will be removed without equivalent functionality to replace it.
  • SSViewer::execute_string() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ThemeResourceLoader::findTemplate() has been deprecated. It will be removed without equivalent functionality to replace it.
  • FlushMiddleware has been deprecated. It will be replaced with flushing inside the Kernel directly.
  • The LeftAndMain.tree_class configuration property has been deprecated. It will be renamed to model_class.
  • SiteConfigLeftAndMain::save_siteconfig() has been deprecated. It will be replaced with save().
  • SSViewer_BasicIteratorSupport has been deprecated. It will be renamed to SilverStripe\TemplateEngine\BasicIteratorSupport.
  • SSTemplateParseException has been deprecated. It will be renamed to SilverStripe\TemplateEngine\Exception\SSTemplateParseException.
  • SSTemplateParser has been deprecated. It will be renamed to SilverStripe\TemplateEngine\SSTemplateParser.
  • TemplateIteratorProvider has been deprecated. It will be renamed to SilverStripe\TemplateEngine\TemplateIteratorProvider.
  • TemplateParser has been deprecated. It will be renamed to SilverStripe\TemplateEngine\TemplateParser.
  • ElementalAreaController::removeNamespacesFromFields() has been deprecated. It will be removed without equivalent functionality to replace it.
  • BaseElement::updateFromFormData() has been deprecated. It will be removed without equivalent functionality to replace it.
  • DBEnum::flushCache() has been deprecated. Use DBEnum::reset() instead.
  • The BaseElement.description configuration property has been deprecated. Use DataObject.class_description instead.
  • The SiteTree.description configuration property has been deprecated. Use DataObject.class_description instead.
  • FormField::extendValidationResult() has been deprecated. Use extend() directly instead.
  • SubsiteXHRController::canAccess() has been deprecated. It will be removed without equivalent functionality to replace it.
  • LeftAndMainSubsites::ListSubsites() has been deprecated. Use SubsiteSwitchList() instead.
  • LeftAndMain::methodSchema() has been deprecated. It will be replaced with SilverStripe\Admin\FormSchemaController::schema().
  • LeftAndMain::Modals() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ModalController::getController() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ModalController::getName() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CampaignAdminExtension has been deprecated. It will be replaced with SilverStripe\CampaignAdmin\Extensions\FileFormFactoryExtension.
  • CMSPageEditController::addtocampaign() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • CMSPageEditController::AddToCampaignForm() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • CMSPageEditController::getAddToCampaignForm() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • AssetAdmin::addtocampaign() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • AssetAdmin::AddToCampaignForm() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • AssetAdmin::getAddToCampaignForm() has been deprecated. It will be moved to SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension.
  • ModalController::EditorExternalLink() has been deprecated. It will be replaced with SilverStripe\Admin\ModalController::linkModalForm().
  • ModalController::EditorEmailLink() has been deprecated. It will be replaced with SilverStripe\Admin\ModalController::linkModalForm().
  • RemoteFileModalExtension::getRequest() has been deprecated. Use RemoteFileModalExtension::getOwner()->getRequest() instead.
  • RemoteFileModalExtension::getFormSchema() has been deprecated. It will be removed without equivalent functionality to replace it.
  • RemoteFileModalExtension::getSchemaResponse() has been deprecated. It will be replaced with RemoteFileModalExtension::getOwner()->getSchemaResponse().
  • InternalLinkModalExtension has been deprecated. It will be replaced with configuration on ModalController.
  • FormField::validate() will take zero arguments and return a ValidationResult object instead of a boolean in CMS 6.0.0.
  • FieldsValidator has been deprecated. It will be replaced with functionality inside Form::validate().
  • Validator has been deprecated. It will be renamed to SilverStripe\Forms\Validation\Validator.
  • RequiredFields has been deprecated. It will be renamed to SilverStripe\Forms\Validation\RequiredFieldsValidator.
  • CompositeValidator has been deprecated. It will be renamed to SilverStripe\Forms\Validation\CompositeValidator.
  • UserFormsRequiredFields has been deprecated. It will be renamed to SilverStripe\UserForms\Form\UserFormsRequiredFieldsValidator.
  • AWRequiredFields has been deprecated. It will be renamed to Symbiote\AdvancedWorkflow\Forms\AWRequiredFieldsValidator.
  • CMSPreviewable::CMSEditLink() has been deprecated. It will be renamed to getCMSEditLink().
  • CMSEditLinkExtension::CMSEditLink() has been deprecated. It will be replaced with SilverStripe\ORM\DataObject::getCMSEditLink() and updateCMSEditLink().
  • LeftAndMain::currentPageID() has been deprecated. Use LeftAndMain::currentRecordID() instead.
  • LeftAndMain::setCurrentPageID() has been deprecated. Use LeftAndMain::setCurrentRecordID() instead.
  • LeftAndMain::currentPage() has been deprecated. Use LeftAndMain::currentRecord() instead.
  • LeftAndMain::isCurrentPage() has been deprecated. Use LeftAndMain::isCurrentRecord() instead.
  • The SiteTree.need_permission configuration property has been deprecated. Use SiteTree::canCreate() instead.
  • The SiteTree.icon configuration property has been deprecated. It will be renamed to cms_icon.
  • The SiteTree.icon_class configuration property has been deprecated. It will be renamed to cms_icon_class. This applies to all subclasses of SiteTree as well.
  • CMSMain::PageList() has been deprecated. It will be renamed to RecordList().
  • CMSMain::PageListSidebar() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSMain::LinkPages() has been deprecated. Use CMSMain::LinkRecords() instead.
  • CMSMain::LinkPagesWithSearch() has been deprecated. Use CMSMain::LinkRecordsWithSearch() instead.
  • CMSMain::LinkPageEdit() has been deprecated. Use CMSMain::LinkRecordEdit() instead.
  • CMSMain::LinkPageSettings() has been deprecated. Use CMSMain::LinkRecordSettings() instead.
  • CMSMain::LinkPageHistory() has been deprecated. Use CMSMain::LinkRecordHistory() instead.
  • CMSMain::LinkPageAdd() has been deprecated. Use CMSMain::LinkRecordAdd() instead.
  • CMSMain::LinkPreview() has been deprecated. Use SiteTree::CMSEditLink() instead.
  • CMSMain::SiteTreeAsUL() has been deprecated. Use CMSMain::TreeAsUL() instead.
  • CMSMain::getSiteTreeFor() has been deprecated. Use CMSMain::getTreeFor() instead.
  • CMSMain::CanOrganiseSitetree() has been deprecated. Use CMSMain::canOrganiseTree() instead.
  • CMSMain::getSearchContext() has been deprecated. It will be replaced with SiteTree::getDefaultSearchContext().
  • CMSMain::getPageTypes() has been deprecated. Use CMSMain::getRecordTypes() instead.
  • CMSMain::PageTypes() has been deprecated. Use CMSMain::RecordTypes() instead.
  • CMSMain::SiteTreeHints() has been deprecated. Use CMSMain::TreeHints() instead.
  • CMSMain::performPublish() has been deprecated. Use RecursivePublishable::publishRecursive() instead.
  • CMSPageAddController has been deprecated. It will be replaced with SilverStripe\CMS\Forms\CMSMainAddForm.
  • CMSPagesController has been deprecated. It will be combined back into CMSMain.
  • CMSSiteTreeFilter::getPageClasses() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::isPageIncluded() has been deprecated. It will be removed without equivalent functionality to replace it.
  • LeftAndMainPageIconsExtension has been deprecated. It will be renamed to SilverStripe\CMS\Controllers\LeftAndMainRecordIconsExtension.
  • LeftAndMainPageIconsExtension::generatePageIconsCss() has been deprecated. Use LeftAndMainPageIconsExtension::generateRecordIconsCss() instead.
  • CurrentPageIdentifier has been deprecated. It will be renamed to SilverStripe\CMS\Model\CurrentRecordIdentifier.
  • CurrentPageIdentifier::currentPageID() has been deprecated. It will be renamed to currentRecordID().
  • CurrentPageIdentifier::isCurrentPage() has been deprecated. It will be renamed to isCurrentRecord().
  • SiteTree::page_type_classes() has been deprecated. It will be replaced with updateAllowedSubClasses().
  • SiteTree::setCreatableChildrenCache() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::setCreatableChildrenCache().
  • SiteTree::getCreatableChildrenCache() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::getCreatableChildrenCache().
  • SiteTree::getPermissionChecker() has been deprecated. It will be replaced with a non-static method of the same name.
  • SiteTree::flushMemberCache() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::clearCache().
  • SiteTree::creatableChildPages() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::getCreatableSubClasses().
  • SiteTree::getIconClass() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::getRecordIconCssClass().
  • SiteTree::getPageIconURL() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::getRecordIconUrl().
  • SiteTree::generateChildrenCacheKey() has been deprecated. It will be replaced with SilverStripe\CMS\Controllers\CMSMain::generateChildrenCacheKey().
  • Form::validationResult() has been deprecated. Use Form::validate() instead.
  • Director::get_session_environment_type() has been deprecated. Use Director::get_environment_type() instead.
  • Use of the CUSTOM_INCLUDE_PATH constant to change the PHP include path has been deprecated and will not work in a future major release.
  • SessionEnvTypeSwitcher has been deprecated. It will be removed without equivalent functionality to replace it.
  • VersionProvider::getComposerLockPath() has been deprecated. It will be removed without equivalent functionality to replace it.
  • FlushInvalidatedResource::getResource() has been deprecated. It will be removed without equivalent functionality to replace it.
  • Subsite::getMembersByPermission() has been deprecated. It will be removed without equivalent functionality to replace it.
  • The $join parameter for the Subsite::get_from_all_subsites() method has been deprecated. Use leftJoin($table, $joinClause) instead.
  • Passing a boolean value to the $mergeStrategy argument in Form::loadDataFrom() has been deprecated. Pass Form::MERGE_CLEAR_MISSING instead of true and 0 instead of false.
  • The HTTP.ignoreDeprecatedCaching configuration property has been deprecated. It will be removed without equivalent functionality to replace it.
  • FormField::Value() has been deprecated. It will be replaced by getFormattedValue() and getValue().
  • TextareaField::ValueEntities() has been deprecated. It will be replaced by getFormattedValueEntities().
  • Passing null for the $code parameter in ValidationResult::addError() is deprecated. Pass a blank string instead.
  • Passing null for the $cast parameter in ValidationResult::addError() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $code parameter in ValidationResult::addFieldError() is deprecated. Pass a blank string instead.
  • Passing null for the $cast parameter in ValidationResult::addFieldError() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $code parameter in ValidationResult::addMessage() is deprecated. Pass a blank string instead.
  • Passing null for the $cast parameter in ValidationResult::addMessage() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $code parameter in ValidationResult::addFieldMessage() is deprecated. Pass a blank string instead.
  • Passing null for the $cast parameter in ValidationResult::addFieldMessage() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $cast parameter in Form::sessionMessage() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $cast parameter in Form::sessionError() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • Passing null for the $cast parameter in Form::sessionFieldError() is deprecated. Pass a ValidationResult::CAST_* constant instead.
  • DBInt::Times() has been deprecated. It will be removed without equivalent functionality to replace it.
  • Controller::has_curr() has been deprecated. It will be removed without equivalent functionality to replace it.
  • UserFormsColumnCleanTask has been deprecated. It will be removed without equivalent functionality to replace it.
  • The LeftAndMain_SearchFilter interface has been deprecated. It will be removed without equivalent functionality to replace it.
  • LeftAndMain::getSearchFilter() has been deprecated. It will be removed without equivalent functionality to replace it.
  • The LeftAndMain::SCHEMA_HEADER constant has been deprecated. Use FormSchema::SCHEMA_HEADER instead.
  • GridFieldFilterHeader::getSearchFieldSchema() has been deprecated. It will be replaced with SilverStripe\ORM\Search\SearchContextForm::getSchemaData().
  • GridFieldFilterHeader::getSearchFormSchema() has been deprecated. It will be replaced with SilverStripe\Forms\FormRequestHandler::getSchema().
  • CMSMain::getSearchFieldSchema() has been deprecated. It will be replaced with SilverStripe\ORM\Search\SearchContextForm::getSchemaData().
  • CMSMain::getQueryFilter() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSMain::getList() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::getChildrenMethod() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::getNumChildrenMethod() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::pagesIncluded() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::populateIDs() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::applyDefaultFilters() has been deprecated. It will be removed without equivalent functionality to replace it.
  • CMSSiteTreeFilter::mapIDs() has been deprecated. It will be removed without equivalent functionality to replace it.
  • ElementSiteTreeFilterSearch has been deprecated. It will be replaced with DNADesign\Elemental\ORM\Search\ElementalSiteTreeSearchContext.
  • ElementalCMSMainExtension has been deprecated. It will be removed without equivalent functionality to replace it.
  • The HTMLEditorField.fixed_row_height configuration property has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorConfig.fixed_row_height.
  • HTMLEditorSanitiser::patternToRegex() has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::patternToRegex().
  • HTMLEditorSanitiser::addValidElements() has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet.
  • HTMLEditorSanitiser::getRuleForElement() has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::getRuleForElement().
  • HTMLEditorSanitiser::getRuleForAttribute() has been deprecated. It will be replaced with logic in SilverStripe\Forms\HTMLEditor\HTMLEditorElementRule.
  • HTMLEditorSanitiser::elementMatchesRule() has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::isElementAllowed().
  • HTMLEditorSanitiser::attributeMatchesRule() has been deprecated. It will be replaced with SilverStripe\Forms\HTMLEditor\HTMLEditorElementRule::isAttributeAllowed().
  • TinyMCECombinedGenerator has been deprecated. It will be replaced with SilverStripe\TinyMCE\TinyMCECombinedGenerator.
  • TinyMCEConfig has been deprecated. It will be replaced with SilverStripe\TinyMCE\TinyMCEConfig.
  • TinyMCEScriptGenerator has been deprecated. It will be replaced with SilverStripe\TinyMCE\TinyMCEScriptGenerator.
  • FixtureContext::iSelectValueInAnchorDropdown() has been deprecated. It will be replaced with SilverStripe\CMS\Tests\Behaviour\AnchorContext::iSelectValueInAnchorDropdown().

Bug fixes

This release includes a number of bug fixes to improve a broad range of areas. Check the change logs for full details of these fixes split by module. Thank you to the community members who helped contribute these fixes as part of the release!

Change to error logging

Some errors were incorrectly being logged using the error handler service, which resulted in displaying the error in the browser and CLI and, in live mode, not displaying the rest of the response to users.

This was the result of a misunderstanding about the difference between the Psr\Log\LoggerInterface.errorhandler error handler service and the Psr\Log\LoggerInterface logging service.

The Psr\Log\LoggerInterface.errorhandler error handler service should not be used for logging - its purpose is to handle the display of uncaught exceptions and PHP errors.

Errors that were being logged to the error handler service are now being logged using the logging service instead. If you have connected a logging handler to that service, we recommend instead following the instructions in configuring error logging to attach your logging handler only to the logging service, which will also allow you to handle logging for the uncaught exceptions and errors the error handler displays.
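As an added illustration (not taken from the release notes themselves), the configuration below shows a Monolog handler that was attached to the error handler service, commented out, beside the same handler attached only to the logging service. The `LogFileHandler` service name, the log file path and the `info` level are assumptions for the example.

```yaml
SilverStripe\Core\Injector\Injector:
  # Before: handler attached to the error handler service, which exists to
  # display uncaught exceptions and PHP errors, not to record log entries.
  # Psr\Log\LoggerInterface.errorhandler:
  #   calls:
  #     LogFileHandler: [ pushHandler, [ '%$LogFileHandler' ] ]

  # After: handler attached only to the logging service. Uncaught exceptions
  # and errors shown by the error handler reach this handler as well.
  Psr\Log\LoggerInterface:
    calls:
      LogFileHandler: [ pushHandler, [ '%$LogFileHandler' ] ]

  # Hypothetical handler definition: name, path and level are assumptions.
  LogFileHandler:
    class: Monolog\Handler\StreamHandler
    constructor:
      - "/var/log/silverstripe/silverstripe.log"
      - "info"
```

Keep the log file outside the web root and readable only by the web server user, since logged errors can include file paths and request details.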