Full Changelog: v1.5.0...v1.5.1
Changes 10/19/2025 (v1.5.1)
fix(config/ui): serve safe public config to non-admins; init early; gate trash UI to admins; dynamic title; demo toast (closes #56)
Regular users were getting 403s from `/api/admin/getConfig.php`, breaking header title and login option rendering. Issue #56 tracks this.
What changed
- `AdminController::getConfig`
  - Return a public, non-sensitive subset of config for everyone (incl. unauthenticated and non-admin users): `header_title`, minimal `loginOptions` (`disable*` flags only), `globalOtpauthUrl`, `enableWebDAV`, `sharedMaxUploadSize`, and OIDC `providerUrl`/`redirectUri`.
  - For admins, merge in admin-only fields (`authBypass`, `authHeaderName`).
  - Never expose secrets or client IDs.
- `auth.js`
  - `loadAdminConfigFunc()` now robustly handles empty/204 responses, writes sane defaults, and sets `document.title` from `header_title`.
  - `showToast()` override: on `demo.filerise.net` shows a longer demo-creds toast; keeps TOTP “don’t nag” behavior.
- `main.js`
  - Call `loadAdminConfigFunc()` early during app init.
  - Run `setupTrashRestoreDelete()` only for admins (based on `localStorage.isAdmin`).
- `adminPanel.js`
  - Bump visible version to v1.5.1.
- `index.html`
  - Keep `<title>FileRise</title>` static; runtime title now driven by `loadAdminConfigFunc()`.
Security v1.5.1
- Prevents info disclosure by strictly limiting non-admin fields.
- Avoids noisy 403 for regular users while keeping admin-only data protected.
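
An added sketch of the allowlist approach described for `AdminController::getConfig` (illustrative PHP, not FileRise's own code): the response is built from an explicit list of fields instead of by stripping secrets from the full config. The function name `publicConfigView`, the `oidc`/`clientId`/`clientSecret` key layout and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not FileRise code: build the getConfig response from an allowlist.
function publicConfigView(array $config, bool $isAdmin): array
{
    // Top-level fields the changelog lists as safe for everyone.
    $publicKeys = ['header_title', 'globalOtpauthUrl', 'enableWebDAV', 'sharedMaxUploadSize'];
    $out = array_intersect_key($config, array_flip($publicKeys));

    // loginOptions: only the disable* flags, coerced to booleans.
    $out['loginOptions'] = [];
    foreach (($config['loginOptions'] ?? []) as $key => $value) {
        if (is_string($key) && strncmp($key, 'disable', 7) === 0) {
            $out['loginOptions'][$key] = (bool) $value;
        }
    }

    // OIDC: endpoint URLs only; client ID and secret are never copied.
    $out['oidc'] = array_intersect_key($config['oidc'] ?? [], array_flip(['providerUrl', 'redirectUri']));

    // Admin-only fields are merged in after the public subset is built.
    if ($isAdmin) {
        $out += array_intersect_key($config, array_flip(['authBypass', 'authHeaderName']));
    }
    return $out;
}

// Constructed sample config; the key layout and every value are assumptions.
$stored = [
    'header_title' => 'Team Files',
    'globalOtpauthUrl' => 'otpauth://totp/{label}?secret={secret}',
    'enableWebDAV' => true, 'sharedMaxUploadSize' => 52428800,
    'loginOptions' => ['disableFormLogin' => false, 'disableOIDCLogin' => true, 'someOtherKey' => 'x'],
    'oidc' => ['providerUrl' => 'https://idp.example.test', 'redirectUri' => 'https://files.example.test/callback',
               'clientId' => 'PLACEHOLDER_ID', 'clientSecret' => 'PLACEHOLDER_SECRET'],
    'authBypass' => false, 'authHeaderName' => 'X-Remote-User',
];

$anon  = publicConfigView($stored, false);
$admin = publicConfigView($stored, true);

// Regression check: nothing outside the allowlist may appear in the non-admin view.
$flat = json_encode($anon, JSON_THROW_ON_ERROR);
foreach (['PLACEHOLDER_ID', 'PLACEHOLDER_SECRET', 'authBypass', 'authHeaderName', 'someOtherKey'] as $needle) {
    if (strpos($flat, $needle) !== false) { throw new RuntimeException("leaked: $needle"); }
}
echo json_encode(['anon' => $anon, 'admin_only' => array_diff_key($admin, $anon)], JSON_PRETTY_PRINT), PHP_EOL;
```

Because the view is assembled from named keys, a config field added later stays private until someone deliberately adds it to the list.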
QA
- As a non-admin:
  - Opening the app no longer triggers a 403 on `getConfig.php`.
  - Header title and login options render; document tab title updates to configured `header_title`.
  - Trash/restore UI is not initialized.
- As an admin:
  - Admin Panel loads extra fields; trash/restore UI initializes.
  - Title updates correctly.
- On `demo.filerise.net`:
  - Pre-login toast shows demo credentials for ~12s.
Closes #56.