v1.1.8

UX/UI Improvements

• All default backend controller behaviors (i.e. FormController, ListController, RelationController, etc) no longer require a configuration property (i.e. $formConfig, $listConfig, $relationConfig, etc) defined on the implementing controller if the default config file is being used (i.e. config_form.yaml, config_list.yaml, config_relation.yaml, etc).
• The winter:down command now requires a user to explicitly confirm the action by typing DELETE in their CLI.
• The plugin:remove command now requires a user to explicitly confirm the action by typing the plugin code in their CLI.
• Added Created At & Updated At columns to the Backend User & User Roles lists, marked invisible by default.
• Updated the syntax highlighting language used by the backend custom CSS brand setting to acurately reflect the actual language in use (LESS, not CSS).
• The Markdown editor will now add a https:// template when adding a link or image, to encourage use of secure links.
• Removed the timeout when running winter:test.
• Fixed styling issue with color pickers on the Mail Brand Settings page in the backend.
• Files in the CMS Theme Editor AssetList component will now be sorted alphabetically.
• Added ability to manage the list of users associated with a given role from that role's update page.
• Added "slug" input preset to the Administrator Role's code field.

API Changes

• Permissions registered without the roles property defined will now only be inherited by the developer system role, not all system roles.
• Added Snowboard.js, a new JS framework intended to replace the existing AJAX Framework that is more modular and no longer depends on jQuery.
• Added support for Laravel Mix via the following commands: mix:install, mix:compile, mix:watch, & mix:list.
• Added autodetection of Laravel Mix package configuration files when winter.mix.js is present in a plugin, theme, or module.
• Added System\Classes\MixAssets for managing Laravel Mix packages provided by plugins, themes, & modules. See registerMixAssets() now available as a registration method for Plugin.php, MixAssets::registerCallback() for Modules, and the mix property on theme.yaml definitions
• Classes implementing the System\Traits\PropertyContainer trait to provide dynamic property options for Inspector fields no longer need to have zero (or one optional) parameters in their constructor in order to work correctly. Note that if your constructor requires a value in any property and does not define a default, this will still fail, so ideally you should still use a class specifically set up for handling Inspector properties.
• Added | md_line Twig filter to make use of the Markdown::parseLine() method in Twig templates.
• Replaced Winter\Storm\Auth\AuthException with Winter\Storm\Auth\AuthenticationException, added Winter\Storm\Auth\AuthorizationException.
• The plugin:remove command now provides a --no-rollback option which disables the rolling back of database migrations for a plugin when it is being removed, allowing the plugin data to be retained.
• Added support for the app.asset_url & ASSET_URL configuration options for use with the Url::asset() & asset() helpers.
• Added | asset Twig Filter
• Made app(), media(), asset(), resize(), imageWidth(), imageHeight() available as Twig Functions

Bug Fixes

• Integers can now be used as values for options provided to the Inspector set field.
• Fixed issue with list of available encodings for importing where ISO 8859-9 was incorrectly referenced as ISO 8859-0.
• Fixed issue that could occur when running console commands on a project that had replaced plugins and their replacing plugins present at the same time.
• Fixed incorrect exception message when attempting to impersonate a user without authorization.
• Fixed color picker widget not allowing empty values.
• Fixed color picker widget showing misleading mouse cursors in read-only mode.
• Fixed color picker widget not triggering dependent fields on change.
• Fixed issue where attempting to render a theme without a database present would fail because the AssetMaker trait was attempting to get the system build information from the database even though the DB wasn't present.
• Fixed PHP 8 compatibility issue where a component with no controller throws an error when checking the existence of a method on the non-existent controller.
• Fixed bug introduced in v1.1.5 where an infinite loop would occur when attempting to impersonate a backend user while logged in as a user without the is_superuser flag.
• Modules will now be seeded before plugin migrations are run to support plugin migrations that interact with module seeded data.
• Fixed issue where setting the readOnly property to true on datepicker FormWidgets would leave the field greyed out but still editable.

Security Improvements

• Improved the Twig SecurityPolicy to block more potentially dangerous entry points from being abused by accounts with access to Twig but not PHP.
• Themes can no longer be imported while cms.enableSafeMode is active.
• Added a warning message to the system status dashboard widget when the default admin user is detected on the system.
• Limited inheritance of "orphaned" (permissions without default roles assigned) to just the "Developer" role instead of all system roles.
• Fixed issue where users without the backend.access_dashboard could still access the dashboard if they did not have access to any other main menu items in the backend.
• Removed the is_safe="html" flag from the System Twig filters (| app, | media, | resize, | imageWidth, & | imageHeight) as none of them should ever return values that should be injected into templates without escaping the results.

Translation Improvements

• Improved Latvian translation.
• Improved Ukrainian translation.
• Improved French translation.
• Improved Italian translation.
• Improved Slovak translation.
• Improved Russian translation.
• Improved Persian translation.
• Improved Japanese translation.

Community Improvements

• Winter.Notes, a new first party plugin for adding notes to any record type in Winter was released. It provides a custom notes FormWidget that presents a note management experience similar to the Mac OS Notes App.
• All code examples in the official documentation now has proper language highlighting depending on the language of each example.
• The console commands documentation has been signficantly refactored with an introductory page with a list of all commands now available. Commands are now grouped by their logical function.
• Added a default .vscode/settings.json to the project to help VS Code correctly identify the language (PHP, Twig, or WinterCMS Template) used for .htm files based on where in the project they are located.
• Added a default .vscode/extensions.json to the project to provide recommendations on extensions for VS Code that work well with Winter

Dependencies

• Laravel 6.x LTS does not support PHP 8.1 so Winter has limited the supported PHP versions to PHP 7.2.9 -> PHP 8.0.*. PHP 8.1 support will come with Winter 1.2 using Laravel 9.x LTS in February/March 2022.

v1.1.7

UX/UI Improvements

• The color picker widget has been redesigned with a fresh look and additional features. See #324 for more information.
• You can now define one or more IP addresses that may view the site during maintenance mode via the Maintenance mode Settings screen.
• Console scaffolding commands (i.e. create:controller, create:plugin, etc) will now list the files that were created during the scaffolding process for clarity.

API Changes

• Added $data as the fourth argument to the mailer.prepareSend and mailer.send events.
• Added create:settings {plugin} {settings=Settings} scaffolding command to generate a Settings model for the provided plugin.
• Added winter:test {?--p|plugin=} {?--c|configuration=} {?--o|core} --ANY-PHP-UNIT-FLAGS-HERE command to easily run the core and plugin's PHPUnit testing suites.

Bug Fixes

• Fixed issue introduced in v1.0.466 where copying the default RelationController markup to use in a controller-level override of RelationController partials would result in an "undefined index" exception.
• Client language files for child locales (i.e. en-ca) will now include fallback strings from their parent locales.
• Fixed an issue with the Markdown Editor in Chrome clipping the editor content if the viewport height is restricted while the widget has "stretch" enabled.
• Fixed Backed\Helper\Backend::makeCarbon() to correctly default to the backend timezone set in cms.backendTimezone
• Large numbers of options (250+) are now better handled with the group filter
• Added support for base64 encoded data:image URIs in image type columns.

Translation Improvements

• Improved Persian translation.
• Improved Latvian translation.
• Improved Russian translation.
• Improved German translation.

Community Improvements

• Winter CMS can now be accessed via the Gitpod service, providing near-instant, fully working copies of Winter CMS for testing and development. Please see #295 for more information.
• The Architecture Concepts section has been added to the documentation and provide an higher level overview of Winter CMS and some of the advanced time-saving features available within the project.
• The Maintainer Guide has been added to the documentation.

v1.0.474

Security improvements backported from v1.1:

API Changes

• The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
• Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
• Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
• Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not

Bug Fixes

• Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

• URLs generated by Url::to() and url() now return properly URL-encoded values
• Fixed issue where post() could return values when the request was not a valid POST request
• Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
• Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
• CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.

v1.1.6

Bug Fixes

• Fixed a CSS issue from v1.1.5 where pages that were less that 100% of the viewport's height would only display a sliver of vertical content.

v1.1.5

UX/UI Improvements

• Added a notice to the top of every page in the backend when using the user impersonation functionality.

API Changes

• Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
• Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
• Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not

Bug Fixes

• Fixed critical issue introduced in 1.1.4 where post() didn't return the default value when the request was not a POST request. This caused issues with forms relying on session keys (i.e. file upload fields etc.) as well as the form context property.

Security Improvements

• Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
• Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
• CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.

v1.1.4

UX/UI Improvements

• Fixed visual issue with checkboxes in inspector popups where they would take up space but not be visible.
• The order of columns in the Lists widget will be reset when pressing the "Reset to Default" button in the List config popup.
• The password restore and reset pages in the Auth controller now provide a body class (restore and reset, respectively) for targeting CSS.

API Changes

• The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
• SystemExceptions are now thrown for code paths resulting in not found exceptions (AJAX handlers, partials, content, components, etc) to make it easier to identify and resolve issues before end users are affected.
• Added the getNamespaceAliases($namespace) & getReverseAlias($class) methods to the ClassLoader class.
• Added Winter\Storm\Support\Testing\MocksClassLoader trait for mocking the ClassLoader in unit tests.
• The Http helper in the Storm library now stores and makes available all response headers in the $headers property even if the toFile() method is used - previously, headers would be discarded to prevent them being added to the file content.
• Custom Twig filters & functions registered in plugins via registerMarkupTags() can now specify the options to be used when registering the filters / functions with Twig.
• Added support for Trusted Proxies in Winter CMS, allowing sites behind proxies to still be served under HTTPS even if the HTTPS connection terminates at the proxy. Previously, the Backend of Winter CMS would redirect the user to the real underlying web address, which may not exist if it is proxied.
• Added support for providing a default image to be used for type: image backend list columns.
• Added the following global helper functions:
  • array_accessible(): Arr::accessible()
  • array_has_any(): Arr::hasAny()
  • is_associative(): Arr::isAssoc()
  • array_shuffle(): Arr::shuffle()
  • str_ordinal(): Str::ordinal()
  • str_after_last(): Str::afterLast()
  • str_ascii(): Str::ascii()
  • str_before_last(): Str::beforeLast()
  • str_contains_all(): Str::containsAll()
  • str_is_uuid(): Str::isUuid()
  • str_limit_words(): Str::words()
  • str_plural_studly(): Str::pluralStudly()

Bug Fixes

• Fixed issue where warnings about removing replaced plugins were still shown even when the plugins had already been removed.
• Fixed support for multiple where clauses on the unique model attribute validation rule.
• Fixed support for uppercase file extensions when using the ImageResizer (i.e. .JPG, etc)
• Fixed a few issues with the unique validation rule (couldn't specify multiple where conditions, minor inconsitencies in how it was being parsed, etc) and added unit tests to cover all valid variations fo the rule
• Fixed issue where calling url() or temporaryUrl() on a filesystem driver that didn't support those methods would throw a Class not found exception instead the appropriate RuntimeException.
• Backported a fix from Laravel 7 to allow pagination for queries with having clauses.
• Fixed issue with NavigationManager items that had invalid order values causing the backend to crash.
• Fixed issue where requests to non-existant Asset Combiner routes would return a 500 error code instead of 404.
• Fixed issue where the replacing plugin would be disabled on the first request after an aliased plugin was disabled.
• Fixed issue where namespace aliases registered via the ClassLoader (usually through the plugin replacement functionality) would not be evaluated by the Extendable trait (i.e. behaviors were not resolving correctly).
• Fixed issue where 0 couldn't be used as the min or max value for number field types.
• Fixed an issue with SSL connection failures and the winter:version command on Mac OS by using the Http helper as opposed to the file_get_contents() method.
• Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

• URLs generated by Url::to() and url() now return properly URL-encoded values
• Fixed issue where post() could return values when the request was not a valid POST request

Translation Improvements

• Improved French translation.
• Improved Latvian translation.
• Improved Italian translation.
• Improved Romanian translation.
• Improved Russian translation.
• Improved German translation.

Performance Improvements

• Improved speeds with path resolution for Halcyon File datasources sharing the same base directory.

Community Improvements

• Dropped old "build" files in the Storm library that were previously used for subsplitting the modules in the main Winter CMS repository for Composer. This has been replaced by a command in the Winter CMS CLI utility.
• Changed the default database host config option to be 127.0.0.1 instead of localhost. localhost may be slightly faster in some environments, but 127.0.0.1 is more reliable in all environments and the default can always be changed for specific projects that require it.
• Added automatic regeneration of the docs on wintercms.com/docs whenever a commit is made to the docs repository meaning that the public docs will finally be always up to date with the underlying git repository that powers them! Huge thanks to Marc Jauvin for finally taking care of a long standing annoyance with the project documentation.
• Updated the default config files to more closely match Laravel 6's default configurations.
• Improved issue templates on the main Winter CMS repository

v1.1.3

UX/UI Improvements

• Added support for choosing the default backend locale and timezone in php artisan winter:install.
• Controller scaffolding now uses the default backend localization keys for the default titles in the FormBehavior config instead of hardcoded English strings
• The unique validation rule can now be used without any additional information, previously it required the table name to be specified in the form of unique:table_name. This also means that unique validation rules will respect the current model's $table property.

API Changes

• Added support for modifying the RichEditor's allowed attributes list through the EditorSettings in the backend
• Added support for saving deferred bindings with pivot data.
• Added Backend::makeCarbon($dateTime) helper for setting the backend timezone on date values.
• Added support for Dependency Injection in console commands.
• Added support for php artisan winter:util purge orphans command that removes any system_files records that do not have matching files stored on the filesystem.
• Added support for registerValidationRules in the Plugin.php plugin registration file to register custom validation rules.
• Added support for specifying min, max, and step values on the number and numberrange List Filter scope types.
• Added support for pre and post processing of YAML being parsed which should pave the way for supporting YAML v4
• Added support for array views to the MailFake class
• Added support for HTTP HEAD requests from the Http utility.
• Added boolean $ok indicator to the Http utility to indicate if the last response was successful (ie. an HTTP 2xx response code was returned)
• Added support for automatic cache busting for the assets loaded by the {% framework %} Twig tag based on the current version stored in the database. Use artisan winter:version to set the correct version for your project.
• Added support for translator namespace aliases by adding Lang::registerNamespaceAlias('real.namespace', 'aliased.namespace').
• Added Config::registerNamespaceAlias($original, $alias); to allow aliasing a config namespaces to another config namespace, i.e. Config::registerNamespaceAlias('winter.debugbar', 'debugbar'); would return the config items from winter.debugbar when accessing the debugbar config. This is useful for forked packages or when integrating Laravel packages into Winter.
• Added Config::registerPackageFallback($original, $fallback) to allow the config items to be loaded from the global $fallback config when present if the $original global config isn't present. Useful when forking plugins to ensure existing installations with customized configs at the global level continue to work.
• Added support for lazy loading class aliases only when needed through the new Winter\Storm\Support\ClassLoader->addAliases(['Real\Class' => 'Alias\For\Class']) method.
• Added support for aliasing entire namespaces in the class loader via the new Winter\Storm\Support\ClassLoader->addNamespaceAliases(['Real\Namespace' => 'Aliased\Namespace']) method.
• Added support for getting the original class name of an aliased class when registered through the ClassLoader via the Winter\Storm\Support\ClassLoader->getAlias($aliasedClass) method
• Added support for plugins specifying that they "replace" other plugins via the replaces key in the pluginDetails() method. See wintercms/winter#41 & wintercms/docs#11 for more details. Methods added to PluginBase: getReplaces($includeConstraints = false), canReplacePlugin($plugin, $version), getPluginIdentifier(), getPluginPath(), and getPluginVersion().

Bug Fixes

• Fixed issue with Schedule->withoutOverlapping() by bringing the Halcyon MemoryRepository more inline with the parent class.
• Fixed an error thrown when using the "package:discover" command when app.loadDiscoveredPackages set to false, as the manifest was reset to null as opposed to an empty array.
• Fixed issue where tooltips set on the first column of the Lists widget were not working.
• Fixed issue where components that used dependency injection in their constructors would break in the backend.
• The RecordFinder FormWidget will now automatically determine what to use for the key column if the model used is not using the default of id. This used to be controlled by the undocumented keyFrom option on the recordfinder, but is now handled behind the scenes automatically.
• Reverted "Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed"" introduced in 1.1.2 since it was causing issues when strict typing was enabled.
• Fixed an issue where PluginManager->getRegistrationMethodValues() would attempt to call protected methods on PHP 7.4.
• Improved Media Library path validation logic by allowing // but not allowing :// to account for poorly constructed paths that are still technically valid.
• Fixed issue where sending emails using the Laravel Notification system could cause an exception in the System module when it attempted to extend a view instance while it was expecting a view string reference.
• Fixed issue where a TagList field that is disabled or readOnly would fail to correctly render if the value was an array.
• Added branching support for winter:version, different version branches (1.0, 1.1, etc) can now be correctly identified.
• Improved handling of dates by the Filter widget, specifically when ignoreTimezone is set on only one of a few date inputs in a given filter, and when using the daterange filter type with certain date values.
• Changed the default value of database.connections.sqlite.database to base_path('storage/database.sqlite') to better support applications using a mirrored public directory.
• Fixed issue where redirects to slow loading pages via AJAX could stop the loading indicator (and thus enable the triggering element) before the redirect actually completed, potentially leading to users triggering multiple requests unintentionally. As a side-effect due to how browsers process file downloads triggered by AJAX, this broke the loading indicator for AJAX redirects that cause the browser to download files instead of leaving the page; see the test plugin for how you can manually fix that functionality within your projects.
• Fixed long standing issue with the pagelinks plugin in the richeditor where inserting a link from the pagelinks popup would insert it at the start of the content instead of where the selected text was, and fixed another issue that would cause any preset text to be overwritten when selecting a link to use from the pagelinks popup.
• Fixed issue where exceptions / errors that were thrown before the Event facade was available would always be reported as "Class Event does not exist" instead of the actual problem.
• Fixed support for CSS variables within the asset compiler / combiner, this is a step closer towards native Tailwind support within Winter CMS.
• Fixed issue where resizing certain .gif images would result in imagecolorsforindex(): Argument #2 ($color) is out of range.
• Fixed issue where resizing .gif images with no transparent colour set would result in the white colour being replaced with the default transparent colour.
• Fixed issue where passing null as the image source to the | resize filter resulted in an exception being thrown instead of more gracefully silently ignoring the input and returning an emptry string.
• Fixed issue where init.php wouldn't be loaded by the plugin boot process when running unit tests.
• Fixed long standing issue where disabled plugins wouldn't be uninstalled by the winter:down command
• Fixed issue where routes registered via plugin's routes.php file would not have names registered via Route::name() actually registered with the internal route name mapping meaning that route($name) would not be able to resolve to those routes.

Security Improvements

• Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
• Tightened up the permission checking logic by requiring strict type matches.
• Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.

Translation Improvements

• Improved French translation.
• Improved Russian translation.
• Improved Dutch translation.
• Moved Media Manager rename and move action language keys to the backend module instead of the CMS module.

Community Improvements

• Documented the Lists widget's perPageOptions configuration property

Dependencies

• Refactored the Winter\Storm\Events\Dispatcher class to extend and override the base Laravel Event Dispatcher rather than just duplicating and implementing the contract for greater compatibility with Laravel.
• Switched away from the abandoned fzaninotto/faker package to the maintained fakerphp/faker package.

v1.0.473

Security Improvements

• Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
• Tightened up the permission checking logic by requiring strict type matches.
• Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.

v1.1.2

NOTE: As of v1.1.2, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX/UI Improvements

• Fixed issue where the browser's number increment/decrement control would cover up the placeholder text in type: number inputs when hovered over or focused on.
• Added ability to select the default backend locale when running the winter:install command
• Added ability for CMS editor to auto detect which editor should be used based on file type, bringing the editor in line with the documented feature.
• Added the List Behavior's new perPageOptions config property to the default stub for scaffolding new controllers.
• Fix support for browser-based validation of checkboxes and radio options

API Changes

• Added support for the {colorpicker} field in the Dynamic Syntax parser.
• The availableColors attribute can now be specified for colorpicker type variables in the Dynamic Syntax parser.
• Added new getRelationTypeDefinitions and getRelationTypeDefinition methods to models to query relationship definitions through methods as opposed to interacting with the relation properties directly.
• The "Customize" button is now disabled for all themes that are not the currently active theme.
• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.
• Added support for using the sort_order_column property on a model implementing the Winter\Storm\Database\Behaviors\Sortable behavior to define the name of the sort order column as constants cannot be defined on classes dynamically.
• Added ability to control the auto-detaching behavior of BelongsToMany relationships by setting detach (default true) on the relationship definition.

Bug Fixes

• Fixed a duplicate AJAX call being fired when using the "Apply" or "Clear" buttons in a group filter.
• Fixed an exception thrown on viewing or logging into the Backend when attempting to load the backend localization files of a missing theme.
• Fixed issue where /0 would return the result from /.
• Fixed issue where plugins with external dependencies referenced in their migration files would fail to install correctly via the plugin:install CLI command while installing normally in a web environment.
• The listAllDirectories() method in the MediaLibrary helper now correctly excludes paths and directories that are specified in the storage ignore rules configuration.
• Fixed issue where field options specified using a static method in the form of options: "\Path\To\Class::staticMethod" were not receiving the Form widget instance or the Field widget instance as per the documentation.
• Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed".
• Fixed issue where having safeMode enabled when editing a CMS CompoundObject with different line endings from the user's browser (i.e. \r vs \r\n) would cause the safe mode protection to unnecessarily trigger (preventing any changes to non-protected properties from being saved) because the user's browser would modify the original line endings.
• Fixed an issue with integers being used as keys for the options in the checkbox list.
• Fixed an issue with syncing belongToMany relationships introduced in v1.1.1.
• Fixed an issue where the user-provided password for the default admin account during winter:install was not being respected and was instead always being set to a random string of characters as if no password had been provided.
• Fixed an issue where the ImageResizer was always provided absolute URLs instead of respecting the value of cms.linkPolicy.
• Reverted previous fixes to the BelongsToMany relationship related to conditions and scopes being defined during detach() as they were causing more problems than they solved.
• Added a default value of SQLite to the database options question of the winter:install command so that --no-interaction will work.
• Fixed a breaking change in how empty route parameters with default values are handled that was introduced in v1.0.466
• Fixed an issue where fields that use dependsOn to depend on another field that is itself dependent on other fields wouldn't be triggered when the first field was updated through the dependsOn functionality.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.

Translation Improvements

• Improved Slovakian translation.
• Improved Hungarian translation.
• Improved Brazilian Portuguese translation.
• Improved Dutch translation.
• Improved French translation.

Community Improvements

• Added a new EventFake class to provide mocking and testing services for events in unit tests.
• Fixed the order of parameters in the docblock for the mailer.beforeAddContent event.

Dependencies

• Updated Pikaday to 1.8.2
• Updated wikimedia/less.php to ~3.0
• PHP 8 is now supported
• Switched back to the source repository for the wikimedia/composer-merge-plugin as Composer 2.0 support has fully arrived. Update your composer.json files to require "wikimedia/composer-merge-plugin": "~2.0.1"

v1.0.472

NOTE: As of v1.0.472, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX / UI Improvements

• Fix support for browser-based validation of checkboxes and radio options

API Changes:

• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead. Backported from v1.1.2.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.