In some FastCGI setups basic auth values will only be present in the
header. Fallback to reading that value if the PHP_AUTH super globals are
empty.
Refs #9365
When using stateless authentication the current user should be cleared
after logout to maintain consistency with session based authentication.
Refs #10422
When child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.
Refs #8450
When checking inherited permissions for '*' also copy inherited
permissions onto the inherited list. By copying the inherited values, we
get the union of explit allow and inherited permissions, which if all
things go well will match the permission key list.
Refs #8114
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
This test creates a numeric key of 0 in $_SESSION which is not a valid session key. This causes error - session_write_close(): Skipping numeric key 0 error.
These tests ensure that redirect() is never called which ensures the
Location header is never set. Ajax requests when no loginElement is
defined should get an empty response with a 403 status code.
Jquery sets accepts header similar to "text/plain, */*; q=0.01" by
default for xhr requests. Due to this RequestHandler used to set
extension to csv thereby causing View class to look for views under
non-existent csv folders.
