--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
You do need to be logged in to run it. It redirects you to the login page if you aren't already logged in. Well it does in 2.4.7 anyway.
To be honest, this has always been something to concern me too.
As SilverStripe becomes more popular, this needs to be stopped.
Dan
--
I've created a ticket for it: http://open.silverstripe.org/ticket/8290
Wouldn't go so far to say it's a security issue, but a grave oversight which leaves SilverStripe installations unnecessarily exposed.
By the way, anybody keen to write a dev/clearcache task? Ideally with optional cache names to clear, and an overview of cache age and expiry rules on different caches. I don't really like this whole magic GET parameter business. We'd need to extend SS_Cache to keep track of available caches for this. There's also a related annoyance around partial caches not being cleared with ?flush=1,
I've created a ticket for it: http://open.silverstripe.org/ticket/8290
// In Director.php

/**
 * Check requested flush level, given permission is available, or the
 * database is not ready.
 *
 * @param string $value An optional flush value to require. E.g. 'all'
 * @return boolean A flag indicating that the requested flush level is given and authorised
 */
public static function is_flush($value = null) {
    // Rule out unflushed cases
    if(empty($_GET['flush'])) return false;
    if($value && ($_GET['flush'] != $value)) return false;

    // Allow flush in dev or CLI
    if(self::isDev() || self::is_cli()) return true;

    // If a database error would otherwise prevent authentication, permit flush
    if(!DB::isActive() || !DB::getConn()->hasTable('Member')) return true;

    // Safely check permission, erring on the side of safety
    try {
        $permission = @Permission::check('ADMIN');
        if(is_bool($permission)) return $permission;
    } catch(Exception $ex) {
        exceptionHandler($ex);
    }
    return true;
}
Your first line to rule out unflushed cases doesn't actually do what it says. Currently in SS there is no obligation for the flush param to have a value, i.e. example.com?flush works. Removing that behavior will take some getting used to.
So, I'd suggest the first check is an isset, not an empty.
Also, my understanding is there are two non-falsey values flush can take, 1 and all. I'm not sure of their exact intricacies, but all does everything 1 does and more. With your function, if I'm checking for flush=all when the flush value is 1, I would get false, when I should get true.
I hope that all makes sense, I'm on my phone so formatting isn't so easy!
Dan
--
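The empty() versus isset() point raised in the reply above, as an added example that is not part of the thread and is not SilverStripe code. The function names are hypothetical, the boolean arguments stand in for the dev/CLI, database and ADMIN permission checks in the posted function, and matching of the requested flush level is left out.

```php
<?php
// Added illustration, not SilverStripe code. flush_present_*() and
// flush_allowed() are hypothetical names; the booleans passed in stand for
// the Director::isDev()/is_cli(), DB and Permission checks in the post.

function flush_present_empty(array $get): bool
{
    return !empty($get['flush']);   // check used in the posted function
}

function flush_present_isset(array $get): bool
{
    return isset($get['flush']);    // check suggested in the reply
}

function flush_allowed(array $get, bool $devOrCli, bool $dbReady, bool $isAdmin): bool
{
    if (!flush_present_isset($get)) {
        return false;
    }
    // Same order as the posted function: trusted environment, then the
    // broken-database escape hatch, then the ADMIN permission result.
    if ($devOrCli || !$dbReady) {
        return true;
    }
    return $isAdmin;
}

// Constructed query strings, parsed the way PHP fills $_GET.
foreach (['', 'flush', 'flush=', 'flush=0', 'flush=1', 'flush=all'] as $qs) {
    parse_str($qs, $get);
    printf(
        "%-10s empty-check=%-5s isset-check=%-5s anonymous-live=%-5s admin-live=%s\n",
        $qs === '' ? '(none)' : '?' . $qs,
        var_export(flush_present_empty($get), true),
        var_export(flush_present_isset($get), true),
        var_export(flush_allowed($get, false, true, false), true),
        var_export(flush_allowed($get, false, true, true), true)
    );
}
```

The two presence checks disagree on the bare ?flush, ?flush= and ?flush=0 rows, which is the case the reply describes.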