Merge branch '6.0' into 6

Author: github-actions[bot]

src/Control/RequestHandler.php

@@ -117,6 +117,14 @@ class RequestHandler extends ModelData
      */
     private static $allowed_actions = null;
 
+    /**
+     * If the request is handed off to a nested request handler, and that handler returns an array,
+     * by default this handler will be customised with that returned array.
+     * Setting this to true will return the array directly instead, which treats it as through this handler
+     * returned the array from an action method directly.
+     */
+    private static bool $customise_array_return_value = true;
+
     public function __construct()
     {
         $this->brokenOnConstruct = false;
@@ -223,7 +231,7 @@ public function handleRequest(HTTPRequest $request)
             $returnValue = $result->handleRequest($request);
 
             // Array results can be used to handle
-            if (is_array($returnValue)) {
+            if (is_array($returnValue) && static::config()->get('customise_array_return_value')) {
                 $returnValue = $this->customise($returnValue);
             }
 

src/Control/Session.php

@@ -4,7 +4,6 @@
 
 use BadMethodCallException;
 use SilverStripe\Core\Config\Configurable;
-use SilverStripe\Dev\Deprecation;
 
 /**
  * Handles all manipulation of the session.
@@ -128,13 +127,6 @@ class Session
      */
     private static bool $cookie_secure = true;
 
-    /**
-     * @config
-     * @var string
-     * @deprecated 5.4.3 Will be removed without equivalent functionality to replace it
-     */
-    private static $cookie_name_secure = 'SECSESSID';
-
     /**
      * Must be "Strict", "Lax", or "None".
      * @config
@@ -231,7 +223,7 @@ public function __construct($data)
      */
     public function init(HTTPRequest $request)
     {
-        if (!$this->isStarted() && $this->requestContainsSessionId($request)) {
+        if (!$this->isStarted() && $this->requestContainsSessionId()) {
             $this->start($request);
         }
 
@@ -266,19 +258,12 @@ public function isStarted()
     }
 
     /**
-     * @param HTTPRequest $request - deprecated will be removed
      * @return bool
      */
-    public function requestContainsSessionId(HTTPRequest $request)
+    public function requestContainsSessionId()
     {
-        Deprecation::noticeWithNoReplacment(
-            '5.4.3',
-            'The $request parameter is deprecated and will be removed',
-            Deprecation::SCOPE_GLOBAL
-        );
-        $secure = Director::is_https($request) && $this->config()->get('cookie_secure');
-        $name = $secure ? $this->config()->get('cookie_name_secure') : session_name();
-        return (bool)Cookie::get($name);
+        $name = session_name();
+        return (bool) Cookie::get($name);
     }
 
     /**
@@ -299,7 +284,7 @@ public function start(HTTPRequest $request)
         // If the session cookie is already set, then the session can be read even if headers_sent() = true
         // This helps with edge-case such as debugging.
         $data = [];
-        if (!session_id() && (!headers_sent() || $this->requestContainsSessionId($request))) {
+        if (!session_id() && (!headers_sent() || $this->requestContainsSessionId())) {
             if (!headers_sent()) {
                 $cookieParams = $this->buildCookieParams($request);
                 session_set_cookie_params($cookieParams);
@@ -314,19 +299,11 @@ public function start(HTTPRequest $request)
                     session_save_path($session_path);
                 }
 
-                // If we want a secure cookie for HTTPS, use a separate session name. This lets us have a
-                // separate (less secure) session for non-HTTPS requests
-                // if headers_sent() is true then it's best to throw the resulting error rather than risk
-                // a security hole.
-                if ($cookieParams['secure']) {
-                    session_name($this->config()->get('cookie_name_secure'));
-                }
-
                 session_start();
 
                 // Session start emits a cookie, but only if there's no existing session. If there is a session timeout
                 // tied to this request, make sure the session is held for the entire timeout by refreshing the cookie age.
-                if ($cookieParams['lifetime'] && $this->requestContainsSessionId($request)) {
+                if ($cookieParams['lifetime'] && $this->requestContainsSessionId()) {
                     Cookie::set(
                         session_name(),
                         session_id(),

src/Forms/GridField/GridFieldDetailForm_ItemRequest.php

@@ -3,7 +3,7 @@
 namespace SilverStripe\Forms\GridField;
 
 use LogicException;
-use SilverStripe\Admin\LeftAndMain;
+use SilverStripe\Admin\AdminController;
 use SilverStripe\Control\Controller;
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
@@ -285,7 +285,7 @@ public function ItemEditForm()
         }
 
         $toplevelController = $this->getToplevelController();
-        if ($toplevelController && $toplevelController instanceof LeftAndMain) {
+        if ($toplevelController && $toplevelController instanceof AdminController) {
             // Always show with base template (full width, no other panels),
             // regardless of overloaded CMS controller templates.
             $form->setTemplate([
@@ -513,7 +513,7 @@ protected function getBackLink()
     {
         $backlink = '';
         $toplevelController = $this->getToplevelController();
-        if ($toplevelController && $toplevelController instanceof LeftAndMain) {
+        if ($toplevelController && $toplevelController instanceof AdminController) {
             if ($toplevelController->hasMethod('Backlink')) {
                 $backlink = $toplevelController->Backlink();
             } elseif ($this->popupController->hasMethod('Breadcrumbs')) {
@@ -849,7 +849,7 @@ public function doDelete($data, $form)
         );
 
         $toplevelController = $this->getToplevelController();
-        if ($toplevelController && $toplevelController instanceof LeftAndMain) {
+        if ($toplevelController && $toplevelController instanceof AdminController) {
             $backForm = $toplevelController->getEditForm();
             $backForm->sessionMessage($message, 'good', ValidationResult::CAST_HTML);
         } else {

src/Security/MemberAuthenticator/ChangePasswordHandler.php

@@ -47,6 +47,8 @@ class ChangePasswordHandler extends RequestHandler
         '' => 'changepassword',
     ];
 
+    private static bool $customise_array_return_value = false;
+
     /**
      * Keep track of whether a temporary hash is already generated during this request cycle.
      * @internal
@@ -282,15 +284,16 @@ public function doChangePassword(array $data, $form)
         $session = $this->getRequest()->getSession();
         if (!$member) {
             $autoLoginHash = $session->get('AutoLoginHash');
-            if ($autoLoginHash) {
-                $member = Member::member_from_autologinhash($autoLoginHash);
+            if (!$autoLoginHash) {
+                // The user is not logged in and had no reset token, so give them a login form.
+                return $this->redirect($this->addBackURLParam(Security::singleton()->Link('login')));
             }
 
-            // The user is not logged in and no valid auto login hash is available
+            $member = Member::member_from_autologinhash($autoLoginHash);
             if (!$member) {
+                // Hash was invalid or expired
                 $session->clear('AutoLoginHash');
-
-                return $this->redirect($this->addBackURLParam(Security::singleton()->Link('login')));
+                return $this->getInvalidTokenResponse();
             }
         }
 

tests/php/Control/SessionTest.php

@@ -74,7 +74,7 @@ public function testStartUsesDefaultCookieNameWithHttp()
         Cookie::set(session_name(), '1234');
         $session = new Session(null); // unstarted session
         $session->start($req);
-        $this->assertNotEquals(session_name(), $session->config()->get('cookie_name_secure'));
+        $this->assertEquals(session_name(), 'PHPSESSID');
     }
 
     #[RunInSeparateProcess]
@@ -87,7 +87,7 @@ public function testStartUsesDefaultCookieNameWithHttpsAndCookieSecureOff()
         $session = new Session(null); // unstarted session
         $session->config()->set('cookie_secure', false);
         $session->start($req);
-        $this->assertNotEquals(session_name(), $session->config()->get('cookie_name_secure'));
+        $this->assertEquals(session_name(), 'PHPSESSID');
     }
 
     #[RunInSeparateProcess]
@@ -99,7 +99,7 @@ public function testStartUsesSecureCookieNameWithHttpsAndCookieSecureOn()
         Cookie::set(session_name(), '1234');
         $session = new Session(null); // unstarted session
         $session->start($req);
-        $this->assertEquals(session_name(), $session->config()->get('cookie_name_secure'));
+        $this->assertEquals(session_name(), 'PHPSESSID');
     }
 
     #[RunInSeparateProcess]
@@ -242,19 +242,9 @@ public function testRequestContainsSessionId()
     {
         $req = new HTTPRequest('GET', '/');
         $session = new Session(null); // unstarted session
-        $this->assertFalse($session->requestContainsSessionId($req));
+        $this->assertFalse($session->requestContainsSessionId());
         Cookie::set(session_name(), '1234');
-        $this->assertTrue($session->requestContainsSessionId($req));
-    }
-
-    public function testRequestContainsSessionIdRespectsCookieNameSecure()
-    {
-        $req = (new HTTPRequest('GET', '/'))
-            ->setScheme('https');
-        $session = new Session(null); // unstarted session
-        Cookie::set($session->config()->get('cookie_name_secure'), '1234');
-        $session->config()->set('cookie_secure', true);
-        $this->assertTrue($session->requestContainsSessionId($req));
+        $this->assertTrue($session->requestContainsSessionId());
     }
 
     public function testUserAgentLockout()