Releases: wintercms/winter
v1.1.8
UX/UI Improvements
- All default backend controller behaviors (i.e. FormController, ListController, RelationController, etc) no longer require a configuration property (i.e. $formConfig, $listConfig, $relationConfig, etc) defined on the implementing controller if the default config file is being used (i.e. config_form.yaml, config_list.yaml, config_relation.yaml, etc).
- The winter:down command now requires a user to explicitly confirm the action by typing DELETE in their CLI.
- The plugin:remove command now requires a user to explicitly confirm the action by typing the plugin code in their CLI.
- Added Created At & Updated At columns to the Backend User & User Roles lists, marked invisible by default.
- Updated the syntax highlighting language used by the backend custom CSS brand setting to accurately reflect the actual language in use (LESS, not CSS).
- The Markdown editor will now add a https:// template when adding a link or image, to encourage use of secure links.
- Removed the timeout when running winter:test.
- Fixed styling issue with color pickers on the Mail Brand Settings page in the backend.
- Files in the CMS Theme Editor AssetList component will now be sorted alphabetically.
- Added ability to manage the list of users associated with a given role from that role's update page.
- Added "slug" input preset to the Administrator Role's code field.
API Changes
- Permissions registered without the roles property defined will now only be inherited by the developer system role, not all system roles.
- Added Snowboard.js, a new JS framework intended to replace the existing AJAX Framework that is more modular and no longer depends on jQuery.
- Added support for Laravel Mix via the following commands: mix:install, mix:compile, mix:watch, & mix:list.
- Added autodetection of Laravel Mix package configuration files when winter.mix.js is present in a plugin, theme, or module.
- Added System\Classes\MixAssets for managing Laravel Mix packages provided by plugins, themes, & modules. See registerMixAssets() now available as a registration method for Plugin.php, MixAssets::registerCallback() for Modules, and the mix property on theme.yaml definitions
- Classes implementing the System\Traits\PropertyContainer trait to provide dynamic property options for Inspector fields no longer need to have zero (or one optional) parameters in their constructor in order to work correctly. Note that if your constructor requires a value in any property and does not define a default, this will still fail, so ideally you should still use a class specifically set up for handling Inspector properties.
- Added | md_line Twig filter to make use of the Markdown::parseLine() method in Twig templates.
- Replaced Winter\Storm\Auth\AuthException with Winter\Storm\Auth\AuthenticationException, added Winter\Storm\Auth\AuthorizationException.
- The plugin:remove command now provides a --no-rollback option which disables the rolling back of database migrations for a plugin when it is being removed, allowing the plugin data to be retained.
- Added support for the app.asset_url & ASSET_URL configuration options for use with the Url::asset() & asset() helpers.
- Added | asset Twig Filter
- Made app(), media(), asset(), resize(), imageWidth(), imageHeight() available as Twig Functions
Bug Fixes
- Integers can now be used as values for options provided to the Inspector set field.
- Fixed issue with list of available encodings for importing where ISO 8859-9 was incorrectly referenced as ISO 8859-0.
- Fixed issue that could occur when running console commands on a project that had replaced plugins and their replacing plugins present at the same time.
- Fixed incorrect exception message when attempting to impersonate a user without authorization.
- Fixed color picker widget not allowing empty values.
- Fixed color picker widget showing misleading mouse cursors in read-only mode.
- Fixed color picker widget not triggering dependent fields on change.
- Fixed issue where attempting to render a theme without a database present would fail because the AssetMaker trait was attempting to get the system build information from the database even though the DB wasn't present.
- Fixed PHP 8 compatibility issue where a component with no controller throws an error when checking the existence of a method on the non-existent controller.
- Fixed bug introduced in v1.1.5 where an infinite loop would occur when attempting to impersonate a backend user while logged in as a user without the is_superuser flag.
- Modules will now be seeded before plugin migrations are run to support plugin migrations that interact with module seeded data.
- Fixed issue where setting the readOnly property to true on datepicker FormWidgets would leave the field greyed out but still editable.
Security Improvements
- Improved the Twig SecurityPolicy to block more potentially dangerous entry points from being abused by accounts with access to Twig but not PHP.
- Themes can no longer be imported while cms.enableSafeMode is active.
- Added a warning message to the system status dashboard widget when the default admin user is detected on the system.
- Limited inheritance of "orphaned" permissions (permissions without default roles assigned) to just the "Developer" role instead of all system roles.
- Fixed issue where users without the backend.access_dashboard permission could still access the dashboard if they did not have access to any other main menu items in the backend.
- Removed the is_safe="html" flag from the System Twig filters (| app, | media, | resize, | imageWidth, & | imageHeight) as none of them should ever return values that should be injected into templates without escaping the results.
Translation Improvements
- Improved Latvian translation.
- Improved Ukrainian translation.
- Improved French translation.
- Improved Italian translation.
- Improved Slovak translation.
- Improved Russian translation.
- Improved Persian translation.
- Improved Japanese translation.
Community Improvements
- Winter.Notes, a new first party plugin for adding notes to any record type in Winter was released. It provides a custom notes FormWidget that presents a note management experience similar to the Mac OS Notes App.
- All code examples in the official documentation now have proper language highlighting depending on the language of each example.
- The console commands documentation has been significantly refactored with an introductory page with a list of all commands now available. Commands are now grouped by their logical function.
- Added a default .vscode/settings.json to the project to help VS Code correctly identify the language (PHP, Twig, or WinterCMS Template) used for .htm files based on where in the project they are located.
- Added a default .vscode/extensions.json to the project to provide recommendations on extensions for VS Code that work well with Winter
Dependencies
- Laravel 6.x LTS does not support PHP 8.1 so Winter has limited the supported PHP versions to PHP 7.2.9 -> PHP 8.0.*. PHP 8.1 support will come with Winter 1.2 using Laravel 9.x LTS in February/March 2022.
v1.1.7
UX/UI Improvements
- The color picker widget has been redesigned with a fresh look and additional features. See #324 for more information.
- You can now define one or more IP addresses that may view the site during maintenance mode via the Maintenance mode Settings screen.
- Console scaffolding commands (i.e. create:controller, create:plugin, etc) will now list the files that were created during the scaffolding process for clarity.
API Changes
- Added $data as the fourth argument to the mailer.prepareSend and mailer.send events.
- Added create:settings {plugin} {settings=Settings} scaffolding command to generate a Settings model for the provided plugin.
- Added winter:test {?--p|plugin=} {?--c|configuration=} {?--o|core} --ANY-PHP-UNIT-FLAGS-HERE command to easily run the core and plugin's PHPUnit testing suites.
Bug Fixes
- Fixed issue introduced in v1.0.466 where copying the default RelationController markup to use in a controller-level override of RelationController partials would result in an "undefined index" exception.
- Client language files for child locales (i.e. en-ca) will now include fallback strings from their parent locales.
- Fixed an issue with the Markdown Editor in Chrome clipping the editor content if the viewport height is restricted while the widget has "stretch" enabled.
- Fixed Backed\Helper\Backend::makeCarbon() to correctly default to the backend timezone set in cms.backendTimezone
- Large numbers of options (250+) are now better handled with the group filter
- Added support for base64 encoded data:image URIs in image type columns.
Translation Improvements
- Improved Persian translation.
- Improved Latvian translation.
- Improved Russian translation.
- Improved German translation.
Community Improvements
- Winter CMS can now be accessed via the Gitpod service, providing near-instant, fully working copies of Winter CMS for testing and development. Please see #295 for more information.
- The Architecture Concepts section has been added to the documentation and provides a higher-level overview of Winter CMS and some of the advanced time-saving features available within the project.
- The Maintainer Guide has been added to the documentation.
v1.0.474
Security improvements backported from v1.1:
API Changes
- The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
- Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
- Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
- Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not
Bug Fixes
- Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.
Security Improvements
- URLs generated by Url::to() and url() now return properly URL-encoded values
- Fixed issue where post() could return values when the request was not a valid POST request
request - Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
- Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
- CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.
v1.1.6
Bug Fixes
- Fixed a CSS issue from v1.1.5 where pages that were less than 100% of the viewport's height would only display a sliver of vertical content.
v1.1.5
UX/UI Improvements
- Added a notice to the top of every page in the backend when using the user impersonation functionality.
API Changes
- Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
- Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
- Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not
Bug Fixes
- Fixed critical issue introduced in 1.1.4 where post() didn't return the default value when the request was not a POST request. This caused issues with forms relying on session keys (i.e. file upload fields etc.) as well as the form context property.
Security Improvements
- Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
- Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
- CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.
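
The three impersonation rules above (also listed under v1.0.474), modelled as an added example that is not Winter CMS source code. The ImpersonationState class, its method bodies and the permission codes are hypothetical and constructed for illustration; only the name getRealUser() mirrors the method mentioned in these notes.

```php
<?php
// Added illustration, not Winter CMS source. ImpersonationState and the
// permission codes below are hypothetical, constructed for this example.

final class ImpersonationState
{
    /** @var string login of the account that actually authenticated */
    private $realUser;
    /** @var string login the request currently acts as */
    private $actingUser;
    /** @var array<string, string[]> login => granted permission codes */
    private $grants;
    /** @var array<int, array<string, string>> impersonation audit records */
    private $auditLog = [];

    public function __construct(string $login, array $grants)
    {
        if (!isset($grants[$login])) {
            throw new InvalidArgumentException("Unknown user: $login");
        }
        $this->realUser = $login;
        $this->actingUser = $login;
        $this->grants = $grants;
    }

    public function impersonate(string $target): void
    {
        if (!isset($this->grants[$target])) {
            throw new InvalidArgumentException("Unknown user: $target");
        }
        // Nested impersonation: the impersonator on record is always the
        // account that authenticated, never the currently impersonated user.
        $this->auditLog[] = [
            'impersonator' => $this->realUser,
            'impersonated' => $target,
        ];
        $this->actingUser = $target;
    }

    /** The account that logging should attribute the request to. */
    public function getRealUser(): string
    {
        return $this->realUser;
    }

    public function isImpersonating(): bool
    {
        return $this->actingUser !== $this->realUser;
    }

    /** Permissions of the acting user, capped by what the real user holds. */
    public function effectivePermissions(): array
    {
        $acting = $this->grants[$this->actingUser];
        if (!$this->isImpersonating()) {
            return $acting;
        }
        return array_values(array_intersect($acting, $this->grants[$this->realUser]));
    }

    public function hasAccess(string $permission): bool
    {
        // Strict comparison, so "1" and 1 are never treated as the same code.
        return in_array($permission, $this->effectivePermissions(), true);
    }

    public function auditLog(): array
    {
        return $this->auditLog;
    }
}

// Constructed sample data: three accounts with overlapping permissions.
$grants = [
    'support' => ['acme.tickets.view', 'acme.tickets.reply'],
    'editor'  => ['acme.tickets.view', 'acme.blog.publish'],
    'owner'   => ['acme.tickets.view', 'acme.blog.publish', 'acme.billing.refund'],
];

$state = new ImpersonationState('support', $grants);
$state->impersonate('editor');
$state->impersonate('owner'); // second impersonation while already impersonating

echo 'real user: ', $state->getRealUser(), PHP_EOL;
echo 'effective: ', implode(', ', $state->effectivePermissions()), PHP_EOL;
echo 'refund allowed: ', var_export($state->hasAccess('acme.billing.refund'), true), PHP_EOL;
foreach ($state->auditLog() as $entry) {
    echo $entry['impersonator'], ' -> ', $entry['impersonated'], PHP_EOL;
}
```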
v1.1.4
UX/UI Improvements
- Fixed visual issue with checkboxes in inspector popups where they would take up space but not be visible.
- The order of columns in the Lists widget will be reset when pressing the "Reset to Default" button in the List config popup.
- The password restore and reset pages in the Auth controller now provide a body class (restore and reset, respectively) for targeting CSS.
API Changes
- The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
- SystemExceptions are now thrown for code paths resulting in not found exceptions (AJAX handlers, partials, content, components, etc) to make it easier to identify and resolve issues before end users are affected.
- Added the getNamespaceAliases($namespace) & getReverseAlias($class) methods to the ClassLoader class.
- Added Winter\Storm\Support\Testing\MocksClassLoader trait for mocking the ClassLoader in unit tests.
- The Http helper in the Storm library now stores and makes available all response headers in the $headers property even if the toFile() method is used - previously, headers would be discarded to prevent them being added to the file content.
- Custom Twig filters & functions registered in plugins via registerMarkupTags() can now specify the options to be used when registering the filters / functions with Twig.
- Added support for Trusted Proxies in Winter CMS, allowing sites behind proxies to still be served under HTTPS even if the HTTPS connection terminates at the proxy. Previously, the Backend of Winter CMS would redirect the user to the real underlying web address, which may not exist if it is proxied.
- Added support for providing a default image to be used for type: image backend list columns.
- Added the following global helper functions:
  - array_accessible(): Arr::accessible()
  - array_has_any(): Arr::hasAny()
  - is_associative(): Arr::isAssoc()
  - array_shuffle(): Arr::shuffle()
  - str_ordinal(): Str::ordinal()
  - str_after_last(): Str::afterLast()
  - str_ascii(): Str::ascii()
  - str_before_last(): Str::beforeLast()
  - str_contains_all(): Str::containsAll()
  - str_is_uuid(): Str::isUuid()
  - str_limit_words(): Str::words()
  - str_plural_studly(): Str::pluralStudly()
Bug Fixes
- Fixed issue where warnings about removing replaced plugins were still shown even when the plugins had already been removed.
- Fixed support for multiple where clauses on the unique model attribute validation rule.
- Fixed support for uppercase file extensions when using the ImageResizer (i.e. .JPG, etc)
- Fixed a few issues with the unique validation rule (couldn't specify multiple where conditions, minor inconsistencies in how it was being parsed, etc) and added unit tests to cover all valid variations of the rule
- Fixed issue where calling url() or temporaryUrl() on a filesystem driver that didn't support those methods would throw a Class not found exception instead of the appropriate RuntimeException.
- Backported a fix from Laravel 7 to allow pagination for queries with having clauses.
- Fixed issue with NavigationManager items that had invalid order values causing the backend to crash.
- Fixed issue where requests to non-existent Asset Combiner routes would return a 500 error code instead of 404.
- Fixed issue where the replacing plugin would be disabled on the first request after an aliased plugin was disabled.
- Fixed issue where namespace aliases registered via the ClassLoader (usually through the plugin replacement functionality) would not be evaluated by the Extendable trait (i.e. behaviors were not resolving correctly).
- Fixed issue where 0 couldn't be used as the min or max value for number field types.
- Fixed an issue with SSL connection failures and the winter:version command on Mac OS by using the Http helper as opposed to the file_get_contents() method.
- Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.
Security Improvements
- URLs generated by Url::to() and url() now return properly URL-encoded values
- Fixed issue where post() could return values when the request was not a valid POST request
Translation Improvements
- Improved French translation.
- Improved Latvian translation.
- Improved Italian translation.
- Improved Romanian translation.
- Improved Russian translation.
- Improved German translation.
Performance Improvements
- Improved speeds with path resolution for Halcyon File datasources sharing the same base directory.
Community Improvements
- Dropped old "build" files in the Storm library that were previously used for subsplitting the modules in the main Winter CMS repository for Composer. This has been replaced by a command in the Winter CMS CLI utility.
- Changed the default database host config option to be 127.0.0.1 instead of localhost. localhost may be slightly faster in some environments, but 127.0.0.1 is more reliable in all environments and the default can always be changed for specific projects that require it.
- Added automatic regeneration of the docs on wintercms.com/docs whenever a commit is made to the docs repository meaning that the public docs will finally be always up to date with the underlying git repository that powers them! Huge thanks to Marc Jauvin for finally taking care of a long standing annoyance with the project documentation.
- Updated the default config files to more closely match Laravel 6's default configurations.
- Improved issue templates on the main Winter CMS repository
v1.1.3
UX/UI Improvements
- Added support for choosing the default backend locale and timezone in php artisan winter:install.
- Controller scaffolding now uses the default backend localization keys for the default titles in the FormBehavior config instead of hardcoded English strings
- The unique validation rule can now be used without any additional information, previously it required the table name to be specified in the form of unique:table_name. This also means that unique validation rules will respect the current model's $table property.
API Changes
- Added support for modifying the RichEditor's allowed attributes list through the EditorSettings in the backend
- Added support for saving deferred bindings with pivot data.
- Added Backend::makeCarbon($dateTime) helper for setting the backend timezone on date values.
- Added support for Dependency Injection in console commands.
- Added support for php artisan winter:util purge orphans command that removes any system_files records that do not have matching files stored on the filesystem.
- Added support for registerValidationRules in the Plugin.php plugin registration file to register custom validation rules.
- Added support for specifying min, max, and step values on the number and numberrange List Filter scope types.
- Added support for pre and post processing of YAML being parsed which should pave the way for supporting YAML v4
- Added support for array views to the MailFake class
- Added support for HTTP HEAD requests from the Http utility.
- Added boolean $ok indicator to the Http utility to indicate if the last response was successful (ie. an HTTP 2xx response code was returned)
- Added support for automatic cache busting for the assets loaded by the {% framework %} Twig tag based on the current version stored in the database. Use artisan winter:version to set the correct version for your project.
- Added support for translator namespace aliases by adding Lang::registerNamespaceAlias('real.namespace', 'aliased.namespace').
- Added Config::registerNamespaceAlias($original, $alias); to allow aliasing a config namespace to another config namespace, i.e. Config::registerNamespaceAlias('winter.debugbar', 'debugbar'); would return the config items from winter.debugbar when accessing the debugbar config. This is useful for forked packages or when integrating Laravel packages into Winter.
- Added Config::registerPackageFallback($original, $fallback) to allow the config items to be loaded from the global $fallback config when present if the $original global config isn't present. Useful when forking plugins to ensure existing installations with customized configs at the global level continue to work.
- Added support for lazy loading class aliases only when needed through the new Winter\Storm\Support\ClassLoader->addAliases(['Real\Class' => 'Alias\For\Class']) method.
- Added support for aliasing entire namespaces in the class loader via the new Winter\Storm\Support\ClassLoader->addNamespaceAliases(['Real\Namespace' => 'Aliased\Namespace']) method.
- Added support for getting the original class name of an aliased class when registered through the ClassLoader via the Winter\Storm\Support\ClassLoader->getAlias($aliasedClass) method
- Added support for plugins specifying that they "replace" other plugins via the replaces key in the pluginDetails() method. See wintercms/winter#41 & wintercms/docs#11 for more details. Methods added to PluginBase: getReplaces($includeConstraints = false), canReplacePlugin($plugin, $version), getPluginIdentifier(), getPluginPath(), and getPluginVersion().
Bug Fixes
- Fixed issue with Schedule->withoutOverlapping() by bringing the Halcyon MemoryRepository more inline with the parent class.
- Fixed an error thrown when using the "package:discover" command when app.loadDiscoveredPackages is set to false, as the manifest was reset to null as opposed to an empty array.
- Fixed issue where tooltips set on the first column of the Lists widget were not working.
- Fixed issue where components that used dependency injection in their constructors would break in the backend.
- The RecordFinder FormWidget will now automatically determine what to use for the key column if the model used is not using the default of id. This used to be controlled by the undocumented keyFrom option on the recordfinder, but is now handled behind the scenes automatically.
- Reverted "Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed"" introduced in 1.1.2 since it was causing issues when strict typing was enabled.
- Fixed an issue where PluginManager->getRegistrationMethodValues() would attempt to call protected methods on PHP 7.4.
- Improved Media Library path validation logic by allowing // but not allowing :// to account for poorly constructed paths that are still technically valid.
- Fixed issue where sending emails using the Laravel Notification system could cause an exception in the System module when it attempted to extend a view instance while it was expecting a view string reference.
- Fixed issue where a TagList field that is disabled or readOnly would fail to correctly render if the value was an array.
- Added branching support for winter:version, different version branches (1.0, 1.1, etc) can now be correctly identified.
- Improved handling of dates by the Filter widget, specifically when ignoreTimezone is set on only one of a few date inputs in a given filter, and when using the daterange filter type with certain date values.
- Changed the default value of database.connections.sqlite.database to base_path('storage/database.sqlite') to better support applications using a mirrored public directory.
- Fixed issue where redirects to slow loading pages via AJAX could stop the loading indicator (and thus enable the triggering element) before the redirect actually completed, potentially leading to users triggering multiple requests unintentionally. As a side-effect due to how browsers process file downloads triggered by AJAX, this broke the loading indicator for AJAX redirects that cause the browser to download files instead of leaving the page; see the test plugin for how you can manually fix that functionality within your projects.
- Fixed long standing issue with the pagelinks plugin in the richeditor where inserting a link from the pagelinks popup would insert it at the start of the content instead of where the selected text was, and fixed another issue that would cause any preset text to be overwritten when selecting a link to use from the pagelinks popup.
- Fixed issue where exceptions / errors that were thrown before the Event facade was available would always be reported as "Class Event does not exist" instead of the actual problem.
- Fixed support for CSS variables within the asset compiler / combiner, this is a step closer towards native Tailwind support within Winter CMS.
- Fixed issue where resizing certain .gif images would result in imagecolorsforindex(): Argument #2 ($color) is out of range.
- Fixed issue where resizing .gif images with no transparent colour set would result in the white colour being replaced with the default transparent colour.
- Fixed issue where passing null as the image source to the | resize filter resulted in an exception being thrown instead of more gracefully silently ignoring the input and returning an empty string.
- Fixed issue where init.php wouldn't be loaded by the plugin boot process when running unit tests.
- Fixed long standing issue where disabled plugins wouldn't be uninstalled by the winter:down command
- Fixed issue where routes registered via plugin's routes.php file would not have names registered via Route::name() actually registered with the internal route name mapping meaning that route($name) would not be able to resolve to those routes.
Security Improvements
- Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
- Tightened up the permission checking logic by requiring strict type matches.
- Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.
Translation Improvements
- Improved French translation.
- Improved Russian translation.
- Improved Dutch translation.
- Moved Media Manager rename and move action language keys to the backend module instead of the CMS module.
Community Improvements
- Documented the Lists widget's perPageOptions configuration property
Dependencies
- Refactored the Winter\Storm\Events\Dispatcher class to extend and override the base Laravel Event Dispatcher rather than just duplicating and implementing the contract for greater compatibility with Laravel.
- Switched away from the abandoned fzaninotto/faker package to the maintained fakerphp/faker package.
v1.0.473
Security Improvements
- Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
- Tightened up the permission checking logic by requiring strict type matches.
- Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.
v1.1.2
NOTE: As of v1.1.2, the core maintainer team has left October CMS and forked the project into Winter CMS.
UX/UI Improvements
- Fixed issue where the browser's number increment/decrement control would cover up the placeholder text in type: number inputs when hovered over or focused on.
- Added ability to select the default backend locale when running the winter:install command
- Added ability for CMS editor to auto detect which editor should be used based on file type, bringing the editor in line with the documented feature.
- Added the List Behavior's new perPageOptions config property to the default stub for scaffolding new controllers.
- Fix support for browser-based validation of checkboxes and radio options
API Changes
- Added support for the {colorpicker} field in the Dynamic Syntax parser.
- The availableColors attribute can now be specified for colorpicker type variables in the Dynamic Syntax parser.
- Added new getRelationTypeDefinitions and getRelationTypeDefinition methods to models to query relationship definitions through methods as opposed to interacting with the relation properties directly.
- The "Customize" button is now disabled for all themes that are not the currently active theme.
- Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
- Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
- Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.
- Added support for using the sort_order_column property on a model implementing the Winter\Storm\Database\Behaviors\Sortable behavior to define the name of the sort order column as constants cannot be defined on classes dynamically.
- Added ability to control the auto-detaching behavior of BelongsToMany relationships by setting detach (default true) on the relationship definition.
Bug Fixes
- Fixed a duplicate AJAX call being fired when using the "Apply" or "Clear" buttons in a group filter.
- Fixed an exception thrown on viewing or logging into the Backend when attempting to load the backend localization files of a missing theme.
- Fixed issue where /0 would return the result from /.
- Fixed issue where plugins with external dependencies referenced in their migration files would fail to install correctly via the plugin:install CLI command while installing normally in a web environment.
- The listAllDirectories() method in the MediaLibrary helper now correctly excludes paths and directories that are specified in the storage ignore rules configuration.
- Fixed issue where field options specified using a static method in the form of options: "\Path\To\Class::staticMethod" were not receiving the Form widget instance or the Field widget instance as per the documentation.
- Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed".
- Fixed issue where having safeMode enabled when editing a CMS CompoundObject with different line endings from the user's browser (i.e. \r vs \r\n) would cause the safe mode protection to unnecessarily trigger (preventing any changes to non-protected properties from being saved) because the user's browser would modify the original line endings.
- Fixed an issue with integers being used as keys for the options in the checkbox list.
- Fixed an issue with syncing belongToMany relationships introduced in v1.1.1.
- Fixed an issue where the user-provided password for the default admin account during winter:install was not being respected and was instead always being set to a random string of characters as if no password had been provided.
- Fixed an issue where the ImageResizer was always provided absolute URLs instead of respecting the value of cms.linkPolicy.
- Reverted previous fixes to the BelongsToMany relationship related to conditions and scopes being defined during detach() as they were causing more problems than they solved.
- Added a default value of SQLite to the database options question of the winter:install command so that --no-interaction will work.
- Fixed a breaking change in how empty route parameters with default values are handled that was introduced in v1.0.466
- Fixed an issue where fields that use dependsOn to depend on another field that is itself dependent on other fields wouldn't be triggered when the first field was updated through the dependsOn functionality.
Security Improvements
- Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead.
- Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
- Session identifiers are now invalidated on logging out instead of just flushed.
Translation Improvements
- Improved Slovakian translation.
- Improved Hungarian translation.
- Improved Brazilian Portuguese translation.
- Improved Dutch translation.
- Improved French translation.
Community Improvements
- Added a new EventFake class to provide mocking and testing services for events in unit tests.
- Fixed the order of parameters in the docblock for the mailer.beforeAddContent event.
Dependencies
- Updated Pikaday to 1.8.2
- Updated wikimedia/less.php to ~3.0
- PHP 8 is now supported
- Switched back to the source repository for the wikimedia/composer-merge-plugin as Composer 2.0 support has fully arrived. Update your composer.json files to require "wikimedia/composer-merge-plugin": "~2.0.1"
v1.0.472
NOTE: As of v1.0.472, the core maintainer team has left October CMS and forked the project into Winter CMS.
UX / UI Improvements
- Fix support for browser-based validation of checkboxes and radio options
API Changes:
- Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
- Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
- Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.
Security Improvements
- Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead. Backported from v1.1.2.
- Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
- Session identifiers are now invalidated on logging out instead of just flushed.
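
The three forms of the app.trustedHosts setting described in the v1.1.2 and v1.0.472 notes, worked through as an added example that is not Winter CMS source code. The function names are hypothetical, the hosts are constructed sample values, and array entries are assumed to be regular-expression fragments matched against the host name.

```php
<?php
// Added illustration, not Winter CMS source. Function names are hypothetical.

/**
 * Resolve an app.trustedHosts value into regex fragments.
 * Returns null when the check is disabled; an empty array trusts nothing.
 * Assumption: array entries are regular-expression fragments.
 */
function trusted_host_patterns($setting, string $appUrl): ?array
{
    if ($setting === false) {
        // Feature disabled. Per the release notes the backend password
        // reset flow is still protected; that part is not modelled here.
        return null;
    }
    if ($setting === true) {
        $host = parse_url($appUrl, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            throw new InvalidArgumentException('app.url must contain a host name');
        }
        // Trust only the naked and www versions of the app.url host.
        $naked = preg_replace('/^www\./i', '', strtolower($host));
        return ['^(www\.)?' . preg_quote($naked, '~') . '$'];
    }
    if (is_array($setting)) {
        foreach ($setting as $pattern) {
            if (!is_string($pattern) || $pattern === '') {
                throw new InvalidArgumentException('Each trusted host pattern must be a non-empty string');
            }
        }
        return array_values($setting);
    }
    throw new InvalidArgumentException('app.trustedHosts must be a boolean or an array');
}

/** Decide whether a Host header value is acceptable for the given patterns. */
function is_trusted_host(string $hostHeader, ?array $patterns): bool
{
    if ($patterns === null) {
        return true; // check disabled
    }
    // Compare case-insensitively and ignore an optional :port suffix.
    $host = preg_replace('/:\d+$/', '', strtolower(trim($hostHeader)));
    if ($host === '') {
        return false;
    }
    foreach ($patterns as $pattern) {
        // An invalid pattern makes preg_match() return false, so it never
        // matches and the check fails closed.
        if (preg_match('~' . str_replace('~', '\~', $pattern) . '~i', $host) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample values.
$appUrl = 'https://example.com';
$settings = [
    'true'  => true,
    'false' => false,
    'array' => ['^(.+\.)?example\.com$'],
];
$hosts = ['example.com', 'WWW.Example.com:443', 'shop.example.com', 'example.com.unrelated.test'];

foreach ($settings as $label => $setting) {
    $patterns = trusted_host_patterns($setting, $appUrl);
    foreach ($hosts as $host) {
        printf(
            "trustedHosts=%-5s Host: %-28s %s\n",
            $label,
            $host,
            is_trusted_host($host, $patterns) ? 'accepted' : 'rejected'
        );
    }
}
```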