When child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.
Refs #8450
When checking inherited permissions for '*' also copy inherited
permissions onto the inherited list. By copying the inherited values, we
get the union of explit allow and inherited permissions, which if all
things go well will match the permission key list.
Refs #8114
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
This test creates a numeric key of 0 in $_SESSION which is not a valid session key. This causes error - session_write_close(): Skipping numeric key 0 error.
These tests ensure that redirect() is never called which ensures the
Location header is never set. Ajax requests when no loginElement is
defined should get an empty response with a 403 status code.
Jquery sets accepts header similar to "text/plain, */*; q=0.01" by
default for xhr requests. Due to this RequestHandler used to set
extension to csv thereby causing View class to look for views under
non-existent csv folders.
Having maxLimit infer what it should be based on limit was not a very
transparent default behavior. The documentation states that maxLimit
will default to 100, but the code would default it to 'limit' if set.
This created confusing behavior when only one setting was defined.
Refs #5973
When paginating data, we should not ignore numerically indexed order
conditions. Instead they should be handled similar to Model::find().
This creates a slightly different behavior when model's have default
sorting applied as more default sort options forms will be honoured.
Refs #5964
