Merge branch '4.3' into 4.4

_config/confirmation-middleware.yml

@@ -0,0 +1,35 @@
+---
+Name: confirmation_middleware-prototypes
+---
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\AjaxBypass:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\AjaxBypass
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\GetParameter:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\GetParameter
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswithCaseInsensitive:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswithCaseInsensitive
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\HttpMethodBypass:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\HttpMethodBypass
+    type: prototype
+
+  SilverStripe\Control\Middleware\ConfirmationMiddleware\Url:
+    class: SilverStripe\Control\Middleware\ConfirmationMiddleware\Url
+    type: prototype

_config/dev.yml

@@ -11,3 +11,5 @@ SilverStripe\Dev\DevelopmentAdmin:
       controller: SilverStripe\Dev\TaskRunner
       links:
         tasks: 'See a list of build tasks to run'
+    confirm:
+      controller: SilverStripe\Dev\DevConfirmationController

_config/requestprocessors.yml

@@ -32,6 +32,7 @@ SilverStripe\Core\Injector\Injector:
       RequestHandler: '%$SilverStripe\Security\Security'
       Middlewares:
         - '%$SecurityRateLimitMiddleware'
+
 ---
 Name: errorrequestprocessors
 After:
@@ -40,6 +41,8 @@ After:
 SilverStripe\Core\Injector\Injector:
   # Note: If Director config changes, take note it will affect this config too
   SilverStripe\Core\Startup\ErrorDirector: '%$SilverStripe\Control\Director'
+
+
 ---
 Name: canonicalurls
 ---
@@ -48,3 +51,94 @@ SilverStripe\Core\Injector\Injector:
     properties:
       ForceSSL: false
       ForceWWW: false
+
+
+---
+Name: url_specials-middleware
+After:
+  - 'requestprocessors'
+  - 'coresecurity'
+---
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Control\Director:
+    properties:
+      Middlewares:
+        URLSpecialsMiddleware: '%$SilverStripe\Control\Middleware\URLSpecialsMiddleware'
+
+  SilverStripe\Control\Middleware\URLSpecialsMiddleware:
+    class: SilverStripe\Control\Middleware\URLSpecialsMiddleware
+    properties:
+      ConfirmationStorageId: 'url-specials'
+      ConfirmationFormUrl: '/dev/confirm'
+      Bypasses:
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
+      EnforceAuthentication: true
+      AffectedPermissions:
+        - ADMIN
+
+
+---
+Name: dev_urls-confirmation-middleware
+After:
+  - 'url_specials-middleware'
+---
+# This middleware enforces confirmation (CSRF protection) for all URLs
+# that start with "dev/*", with the exception for "dev/build" which is handled
+# by url_specials-middleware
+
+# If you want to make exceptions for some URLs,
+# see "dev_urls-confirmation-exceptions" config
+
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Control\Director:
+    properties:
+      Middlewares:
+        DevUrlsConfirmationMiddleware: '%$DevUrlsConfirmationMiddleware'
+
+  DevUrlsConfirmationMiddleware:
+    class: SilverStripe\Control\Middleware\PermissionAwareConfirmationMiddleware
+    constructor:
+      - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev")'
+    properties:
+      ConfirmationStorageId: 'dev-urls'
+      ConfirmationFormUrl: '/dev/confirm'
+      Bypasses:
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
+      EnforceAuthentication: false
+      AffectedPermissions:
+        - ADMIN
+
+---
+Name: dev_urls-confirmation-exceptions
+After:
+  - 'dev_urls-confirmation-middleware'
+---
+# This config is the place to add custom bypasses for modules providing UIs
+# on top of DevelopmentAdmin (dev/*)
+
+# If the module has its own CSRF protection, the easiest way would be to
+# simply add UrlPathStartswith with the path to the mount point.
+# Example:
+#  # This will prevent confirmation for all URLs starting with "dev/custom-module-endpoint/"
+#  # WARNING: this won't prevent confirmation for "dev/custom-module-endpoint-suffix/"
+#  - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/custom-module-endpoint")'
+
+# If the module does not implement its own CSRF protection but exposes all
+# dangerous effects through POST, then you could simply exclude GET and HEAD requests
+# by using HttpMethodBypass("GET", "HEAD"). In that case GET/HEAD requests will not
+# trigger confirmation redirects.
+SilverStripe\Core\Injector\Injector:
+  DevUrlsConfirmationMiddleware:
+    properties:
+      Bypasses:
+        # dev/build is covered by URLSpecialsMiddleware
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/build")'
+
+        # The confirmation form is where people will be redirected for confirmation. We don't want to block it.
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
+
+        # Allows GET requests to the dev index page
+        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\Url("dev", ["GET", "HEAD"])'

docs/en/00_Getting_Started/03_Environment_Management.md

@@ -1,7 +1,7 @@
 # Environment management
 
 As part of website development and hosting it is natural for our sites to be hosted on several different environments.
-These can be our laptops for local development, a testing server for customers to test changes on, or a production 
+These can be our laptops for local development, a testing server for customers to test changes on, or a production
 server.
 
 For each of these environments we may require slightly different configurations for our servers. This could be our debug
@@ -12,7 +12,7 @@ provides a set of APIs and helpers.
 
 ## Security considerations
 
-Sensitive credentials should not be stored in a VCS or project code and should only be stored on the environment in 
+Sensitive credentials should not be stored in a VCS or project code and should only be stored on the environment in
 question. When using live environments the use of `.env` files is discouraged and instead one should use "first class"
 environment variables.
 
@@ -29,7 +29,7 @@ set. An example `.env` file is included in the default installer named `.env.exa
 
 ## Managing environment variables with Apache
 
-You can set "real" environment variables using Apache. Please 
+You can set "real" environment variables using Apache. Please
 [see the Apache docs for more information](https://httpd.apache.org/docs/current/env.html)
 
 ## How to access the environment variables
@@ -114,3 +114,4 @@ SilverStripe core environment variables are listed here, though you're free to d
 | `SS_DATABASE_SSL_CERT` | Absolute path to SSL certificate file |
 | `SS_DATABASE_SSL_CA` | Absolute path to SSL Certificate Authority bundle file |
 | `SS_DATABASE_SSL_CIPHER` | Optional setting for custom SSL cipher |
+| `SS_FLUSH_ON_DEPLOY` | Try to detect deployments through file system modifications and flush on the first request after every deploy. Does not run "dev/build", but only "flush". Possible values are `true` (check for a framework PHP file modification time), `false` (no checks, skip deploy detection) or a path to a specific file or folder to be checked. See [DeployFlushDiscoverer](api:SilverStripe\Core\Startup\DeployFlushDiscoverer) for more details.<br /><br />False by default. |

docs/en/02_Developer_Guides/02_Controllers/05_Middlewares.md

@@ -33,7 +33,7 @@ class CustomMiddleware implements HTTPMiddleware
             return new HTTPResponse('You missed the special header', 400);
         }
 
-        // You can modify the request before 
+        // You can modify the request before
         // For example, this might force JSON responses
         $request->addHeader('Accept', 'application/json');
 
@@ -118,4 +118,5 @@ SilverStripe\Control\Director:
 
 ## API Documentation
 
+* [Built-in Middleware](./06_Builtin_Middlewares.md)
 * [HTTPMiddleware](api:SilverStripe\Control\Middleware\HTTPMiddleware)

docs/en/02_Developer_Guides/02_Controllers/06_Builtin_Middlewares.md

@@ -0,0 +1,21 @@
+title: Built-in Middleware
+summary: Middleware components that come with SilverStripe Framework
+
+# Built-in Middleware
+
+SilverStripe Framework has a number of Middleware components.
+You may find them in the [SilverStripe\Control\Middleware](api:SilverStripe\Control\Middleware) namespace.
+
+| Name | Description |
+| ---- | ----------- |
+| [AllowedHostsMiddleware](api:SilverStripe\Control\Middleware\AllowedHostsMiddleware) | Secures requests by only allowing a whitelist of Host values |
+| [CanonicalURLMiddleware](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) | URL normalisation and redirection |
+| [ChangeDetectionMiddleware](api:SilverStripe\Control\Middleware\ChangeDetectionMiddleware) | Change detection via Etag / IfModifiedSince headers, conditionally sending a 304 not modified if possible. |\
+| [ConfirmationMiddleware](api:SilverStripe\Control\Middleware\ConfirmationMiddleware) | Checks whether user manual confirmation is required for HTTPRequest |
+| [ExecMetricMiddleware](api:SilverStripe\Control\Middleware\ExecMetricMiddleware) | Display execution metrics in DEV mode |
+| [FlushMiddleware](api:SilverStripe\Control\Middleware\FlushMiddleware) | Triggers a call to flush() on all [Flushable](api:SilverStripe\Core\Flushable) implementors |
+| [HTTPCacheControlMiddleware](api:SilverStripe\Control\Middleware\HTTPCacheControlMiddleware) | Controls HTTP response cache headers |
+| [RateLimitMiddleware](api:SilverStripe\Control\Middleware\RateLimitMiddleware) | Access throttling, controls HTTP Retry-After header |
+| [SessionMiddleware](api:SilverStripe\Control\Middleware\SessionMiddleware) | PHP Session initialisation |
+| [TrustedProxyMiddleware](api:SilverStripe\Control\Middleware\TrustedProxyMiddleware) | Rewrites headers that provide IP and host details from upstream proxies |
+| [URLSpecialsMiddleware](api:SilverStripe\Control\Middleware\URLSpecialsMiddleware) | Controls some of the [URL special variables](../../debugging/url_variable_tools) |

docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Extend_CMS_Interface.md

@@ -29,7 +29,6 @@ from the `silverstripe/admin` module
 into `app/templates/SilverStripe/Admin/Includes/LeftAndMain_MenuList.ss`. It will automatically be picked up by
 the CMS logic. Add a new section into the `<ul class="cms-menu__list">`	
 
-
 ```ss
 ...
 <ul class="cms-menu-list">
@@ -139,10 +138,10 @@ Add the following code to a new file `app/src/BookmarkedLeftAndMainExtension.php
 ```php
 use SilverStripe\Admin\LeftAndMainExtension;
 
-class BookmarkedPagesLeftAndMainExtension extends LeftAndMainExtension 
+class BookmarkedPagesLeftAndMainExtension extends LeftAndMainExtension
 {
 
-    public function BookmarkedPages() 
+    public function BookmarkedPages()
     {
         return Page::get()->filter("IsBookmarked", 1);
     }
@@ -243,7 +242,7 @@ how-to.
 
 ## React-rendered UI
 For sections of the admin that are rendered with React, Redux, and GraphQL, please refer
-to [the introduction on those concepts](../07_ReactJS_Redux_and_GraphQL.md), 
+to [the introduction on those concepts](../../reactjs_redux_and_graphql/),
 as well as their respective How-To's in this section.
 
 ### Implementing handlers
@@ -256,18 +255,18 @@ applicable controller actions to it:
 ```php
 use SilverStripe\Admin\LeftAndMainExtension;
 
-class CustomActionsExtension extends LeftAndMainExtension 
+class CustomActionsExtension extends LeftAndMainExtension
 {
-    
+
     private static $allowed_actions = [
         'sampleAction'
     ];
-    
+
     public function sampleAction()
     {
         // Create the web
     }
-    
+
 }
 
 ```

docs/en/02_Developer_Guides/16_Execution_Pipeline/01_Flushable.md

@@ -1,6 +1,6 @@
 title: Flushable
 summary: Allows a class to define it's own flush functionality.
- 
+
 # Flushable
 
 ## Introduction
@@ -9,6 +9,14 @@ Allows a class to define it's own flush functionality, which is triggered when `
 [FlushMiddleware](api:SilverStripe\Control\Middleware\FlushMiddleware) is run before a request is made, calling `flush()` statically on all
 implementors of [Flushable](api:SilverStripe\Core\Flushable).
 
+
+<div class="notice">
+Flushable implementers might also be triggered automatically on deploy if you have `SS_FLUSH_ON_DEPLOY` [environment
+variable](../configuration/environment_variables) defined. In that case even if you don't manually pass `flush=1` parameter, the first request after deploy
+will still be calling `Flushable::flush` on those entities.
+</div>
+
+
 ## Usage
 
 To use this API, you need to make your class implement [Flushable](api:SilverStripe\Core\Flushable), and define a `flush()` static function,
@@ -25,15 +33,15 @@ use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Core\Flushable;
 use Psr\SimpleCache\CacheInterface;
 
-class MyClass extends DataObject implements Flushable 
+class MyClass extends DataObject implements Flushable
 {
 
-    public static function flush() 
+    public static function flush()
     {
         Injector::inst()->get(CacheInterface::class . '.mycache')->clear();
     }
 
-    public function MyCachedContent() 
+    public function MyCachedContent()
     {
         $cache = Injector::inst()->get(CacheInterface::class . '.mycache')
         $something = $cache->get('mykey');
@@ -57,10 +65,10 @@ flush so they are re-created on demand.
 use SilverStripe\ORM\DataObject;
 use SilverStripe\Core\Flushable;
 
-class MyClass extends DataObject implements Flushable 
+class MyClass extends DataObject implements Flushable
 {
 
-    public static function flush() 
+    public static function flush()
     {
         foreach(glob(ASSETS_PATH . '/_tempfiles/*.jpg') as $file) {
             unlink($file);