Security Notice - Possible Privilege Escalation
Thanks to @Defelo, who pointed out that the privilege escalation possible through certain role permissions was not made clear when assigning them.
Any user with the "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission
assigned to one of their roles could use it to alter their own roles or permissions and so gain wider access than intended; these permissions should therefore be treated as effectively administrative.
A clear advisory of these cases has been added to the UI in v0.30,
but admins are advised to review which users hold these permissions, through any of their roles, with the above in mind.
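An added example (not part of these release notes or of the BookStack code) of how an admin could carry out that review directly against the database. It assumes the BookStack MySQL/MariaDB table names users, roles, role_user, role_permissions and permission_role, and that the three permissions are stored under the internal names settings-manage, users-manage and user-roles-manage; confirm those names against your own role_permissions table before relying on the result.

```sql
-- Added example, not part of the BookStack release notes or project code.
-- Assumed schema: users, roles, role_user (user_id, role_id),
-- role_permissions (id, name, display_name), permission_role (permission_id, role_id).
-- Assumed internal permission names; check them first with:
--   SELECT name, display_name FROM role_permissions WHERE name LIKE '%manage%';
SELECT u.id                                    AS user_id,
       u.name                                  AS user_name,
       u.email,
       r.display_name                          AS role_name,
       r.system_name                           AS role_system_name,
       GROUP_CONCAT(rp.name ORDER BY rp.name)  AS escalation_permissions
FROM users u
JOIN role_user        ru ON ru.user_id = u.id
JOIN roles            r  ON r.id = ru.role_id
JOIN permission_role  pr ON pr.role_id = r.id
JOIN role_permissions rp ON rp.id = pr.permission_id
WHERE rp.name IN ('settings-manage', 'users-manage', 'user-roles-manage')
GROUP BY u.id, u.name, u.email, r.id, r.display_name, r.system_name
ORDER BY u.id, r.display_name;
```

Members of the built-in Admin role (system_name = 'admin' is assumed here) are expected to appear; the rows to scrutinise are users who hold one of these permissions through any other role. GROUP_CONCAT is MySQL/MariaDB syntax; on another database use its string aggregation equivalent.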
LDAP & SAML Group Matching - Potential Change
Thanks to @nem1989 it was found that
BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected,
but only those roles with a matching "name" value were considered for this matching. This "name" field was redundant
(it stored a cleaned version of the name the role was first given and was not updated when the role was renamed) and has now been removed.
All roles will now be considered when matching on display name, which may mean that roles which did not sync before,
but would have been expected to based on their name, now start to sync. Since a newly matching role grants its permissions to every member of the corresponding group, admins using group sync should review their role-to-group mapping after upgrading.
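As an added example (not part of these release notes or of the project), a query to run on a pre-0.30 database, before the v0.30 migration drops the "name" column, to list the roles whose stored match name has drifted from their display name; these are the roles that may begin syncing after the upgrade. It assumes the stored name was produced by lowercasing the display name and replacing spaces with hyphens, which is an assumption about the cleaning rule rather than something stated above; adjust the expression if your stored names look different.

```sql
-- Added example, not part of the BookStack release notes or project code.
-- Run against a pre-v0.30 database only: the `name` column is removed in v0.30.
-- Assumption: the cleaned `name` was derived as lower(display name) with spaces
-- replaced by hyphens. A mismatch means the role was renamed after creation and
-- so may start matching an LDAP/SAML group once all roles are considered.
SELECT id,
       name                                          AS stored_match_name,
       display_name,
       LOWER(REPLACE(TRIM(display_name), ' ', '-'))  AS display_name_key
FROM roles
WHERE name <> LOWER(REPLACE(TRIM(display_name), ' ', '-'))
ORDER BY id;
```

Compare display_name_key against your directory's group names: any row whose key matches a group that users are members of will, from v0.30, assign that role to those users on their next login.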
Full List of Changes
- Added API endpoints for chapters.
- Added audit log to the settings area. (#2173, #1167)
- Added the ability to insert an attachment link directly into the current editor window. (#1460)
- Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
- Added warning wording around role system permissions to indicate what permissions could allow privilege escalation. (#2105)
- Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
- Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
- Updated WYSIWYG editor css to put the editor in its own layer to improve degraded dark mode performance. (#2154)
- Updated Czech translations. Thanks to @jakubboucek. (#2238)
- Updated permission system so that the permission map table no longer contains IDs, since database ID limits could be reached in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
- Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
- Updated URL slug generation to achieve a much cleaner result when non-ascii characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
- Updated error reporting so that not-found errors are not written to the log, which caused logs to fill much quicker than expected. (#2110)
- Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
- Removed Vue.js from project & started standardisation of custom basic component system. (#2202)
- Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
- Fixed issue where, when deleting a role, users would not be migrated to the replacement role chosen during the role delete flow. (#2211)
- Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
- Fixed scenario where page drafts would show as saved when the request had actually failed, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
- Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
- Fixed issue where the redirect upon login could lead to an external site (open redirect). (#2073)
- Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
- Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
- Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
- Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
- Fixed bad pagination styling which would result in invisible numbering. (#1839)
- Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)