Merge branch '5' into 6

.github/workflows/build.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - '3'
       - '4.13'
-      - '5.2'
+      - '5.3'
 jobs:
   build:
     name: build-docs

en/02_Developer_Guides/08_Performance/06_ORM.md

@@ -49,3 +49,26 @@ SilverStripe\ORM\Connect\DBSchemaManager:
 ```
 
 You can always manually trigger a check and repair (e.g. in a [`BuildTask`](api:SilverStripe/Dev/BuildTask)) by calling [`DB::check_and_repair_table()`](api:SilverStripe\ORM\DB::check_and_repair_table()). This ignores the above configuration.
+
+## Changing `ClassName` column from enum to varchar {#classname-varchar}
+
+On websites with very large database tables it can take a long time to run `dev/build`, which can be a problem when deploying changes to production. This is because the `ClassName` column is an `enum` type which requires an a `ALTER TABLE` query to be run affecting every row whenever there is a new valid value for the column.
+
+For a very rough benchmark, running an `ALTER TABLE` query on a database table of 10 million records took 28.52 seconds on a mid-range 2023 laptop, though this time will vary depending on the database and hardware being used.
+
+You may wish to change the `ClassName` column to a `varchar` type which remove the need to run `ALTER TABLE` whenever there is a new valid value. Enabling this will result in a trade-off where the size of the database will increase by approximately 7 MB per 100,000 rows.
+
+> [!WARNING]
+> There will also be a very slow initial `dev/build` as all of the `ClassName` columns are switched to `varchar`.
+
+To enable this, add the following configuration:
+
+```yml
+SilverStripe\ORM\DataObject:
+  fixed_fields:
+    ClassName: DBClassNameVarchar
+
+SilverStripe\ORM\FieldType\DBPolymorphicForeignKey:
+  composite_db:
+    Class: "DBClassNameVarchar('SilverStripe\\ORM\\DataObject', ['index' => false])"
+```

en/08_Changelogs/5.3.0.md

@@ -6,6 +6,7 @@ title: 5.3.0 (unreleased)
 
 ## Overview
 
+- [Security considerations](#security-considerations)
 - [Features and enhancements](#features-and-enhancements)
   - [High-level API for converting files](#file-converter)
   - [Improve customisability of rendered images](#image-rendering)
@@ -14,9 +15,21 @@ title: 5.3.0 (unreleased)
   - [Support for `JOIN` in SQL `UPDATE`](#sql-update-join)
   - [Autologin token regeneration changes](#autologin-token-regeneration)
   - [Other new features](#other-new-features)
-  - [API changes](#api-changes)
+- [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
 
+## Security considerations {#security-considerations}
+
+Three security fixes that were previously released in the July security release are mentioned in the [Silverstripe CMS security patches July 2024](https://www.silverstripe.org/blog/silverstripe-cms-security-patches-july-2024/) blog post are listed below.
+
+Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.
+
+We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating).
+
+- [CVE-2024-29885 - Reports are still accessible even when canView is set to false](https://www.silverstripe.org/download/security-releases/cve-2024-29885) Severity: Medium
+- [CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload](https://www.silverstripe.org/download/security-releases/cve-2024-32981) Severity: Medium
+- [SS-2024-001 - TinyMCE allows svg files linked in object tags](https://www.silverstripe.org/download/security-releases/ss-2024-001) Severity: Medium
+
 ## Features and enhancements
 
 ### Changes to `TinyMCEConfig` {#changes-to-tinymce}
@@ -106,6 +119,27 @@ class MyParent extends DataObject
 }
 ```
 
+```php
+namespace App\Model;
+
+use SilverStripe\Forms\FormField;
+use SilverStripe\ORM\DataObject;
+
+class MyChild extends DataObject
+{
+    // ...
+
+    public function scaffoldFormFieldForHasOne(
+        string $fieldName,
+        ?string $fieldTitle,
+        string $relationName,
+        DataObject $ownerRecord
+    ): FormField {
+        return /* instantiate some FormField here */;
+    }
+}
+```
+
 This means modules can pre-define the form field that should be used for their custom models, which reduces the amount of boilerplate code developers need to include in their `getCMSFields()` implementations.
 
 For more information see [scaffolding for relations](/developer_guides/model/scaffolding/#scaffolding-for-relations).
@@ -159,7 +193,7 @@ From 6.0 onwards, tokens will never be regenerated during session renewal, and t
 ## API changes
 
 - Passing a non-array `$fields` argument to both [`FieldList::addFieldsToTab()`](api:SilverStripe\Forms\FieldList::addFieldsToTab()) and [`FieldList::removeFieldsFromTab()`](api:SilverStripe\Forms\FieldList::removeFieldsFromTab()) has been deprecated.
-- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update the description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
+- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update or get the CMS description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
 - The [`RememberLoginHash::renew()`](api:SilverStripe\Security\RememberLoginHash::renew()) method has been deprecated without replacement, since the associated behaviour will be removed in 6.0.
   - The `onAfterRenewToken` extension point within this method will likely be replaced with a new extension point in 6.0.
 - The [`RememberLoginHash.replace_token_during_session_renewal`](api:SilverStripe\Security\RememberLoginHash->replace_token_during_session_renewal) configuration property has been added to allow disabling token regeneration during session renewal. This property will be removed in 6.0.

en/08_Changelogs/5.4.0.md

@@ -7,12 +7,31 @@ title: 5.4.0 (unreleased)
 ## Overview
 
 - [Features and enhancements](#features-and-enhancements)
+  - [Option to change `ClassName` column from enum to varchar](#classname-varchar)
   - [Other new features](#other-new-features)
 - [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
 
 ## Features and enhancements
 
+### Option to change `ClassName` column from enum to varchar {#classname-varchar}
+
+On websites with very large database tables it can take a long time to run `dev/build`, which can be a problem when deploying changes to production. This is because the `ClassName` column is an `enum` type which requires an a `ALTER TABLE` query to be run affecting every row whenever there is a new valid value for the column. For a very rough benchmark, running an `ALTER TABLE` query on a database table of 10 million records took 28.52 seconds on a mid-range 2023 laptop, though this time will vary depending on the database and hardware being used.
+
+This release introduces a new configuration option to change the `ClassName` column to a `varchar` type which removes the need to run `ALTER TABLE` whenever there is a new valid value.
+
+Enabling this will result in a trade-off where the size of the database will increase by approximately 7 MB per 100,000 rows. There will also be a very slow initial `dev/build` as all of the `ClassName` columns are switched to `varchar`. To enable this, add the following configuration:
+
+```yml
+SilverStripe\ORM\DataObject:
+  fixed_fields:
+    ClassName: DBClassNameVarchar
+
+SilverStripe\ORM\FieldType\DBPolymorphicForeignKey:
+  composite_db:
+    Class: "DBClassNameVarchar('SilverStripe\\ORM\\DataObject', ['index' => false])"
+```
+
 ### Other new features
 
 - (fill this is as features are added)