github error311/FileRise v1.7.2

one day ago

Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)

release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish

✨ Features

  • Public, non-sensitive site config cache:
    • Add AdminModel::buildPublicSubset() and writeSiteConfig() to write USERS_DIR/siteConfig.json.
    • New endpoint public/api/siteConfig.php + UserController::siteConfig() to serve the public subset (regenerates if stale).
    • Frontend now reads /api/siteConfig.php (safe subset) instead of /api/admin/getConfig.php.
  • Frontend module versioning:
    • Replace all module imports with ?v={{APP_QVER}} query param so the release/Docker stamper can pin exact versions.
    • Add scripts/stamp-assets.sh to stamp ?v= and {{APP_VER}}/{{APP_QVER}} in staging for ZIP/Docker builds.

🧩 Refactors

  • Extract shared boot/bootstrap logic into public/js/appCore.js:
    • CSRF helpers (setCsrfToken, getCsrfToken, loadCsrfToken)
    • initializeApp(), triggerLogout()
    • Keep main.js lean; wrap global fetch once to append/rotate CSRF.
  • Update imports across JS modules to use versioned module URLs.

🚀 Performance

  • Aggressive, safe caching for versioned assets:
    • .htaccess: ?v=… → Cache-Control: max-age=31536000, immutable.
    • Unversioned JS/CSS short cache (1h), other static (7d).
  • Eliminate duplicate main.js loads and tighten CodeMirror mode loading.

🔒 Security / Hardening

  • .htaccess:
    • Conditional HSTS only when HTTPS, add CORP and X-Permitted-Cross-Domain-Policies.
    • CSP kept strict for modules, workers, blobs.
  • Admin config exposure reduced to a curated subset in siteConfig.json.

🧪 CI/CD / Release

  • FileRise repo
    • sync-changelog.yml: keep public/js/version.js as source-of-truth only (no repo-wide stamping).
    • release-on-version.yml: build stamped ZIP from a staging copy via scripts/stamp-assets.sh, verify placeholders removed, attach checksum.
  • filerise-docker repo
    • Read VERSION, checkout app to app/, run stamper inside build context before docker buildx, tag latest and :${VERSION}.

🔧 Defaults

  • Sample/admin config defaults now set disableBasicAuth: true (safer default). Existing installations keep their current setting.

📂 Notable file changes

  • src/models/AdminModel.php (+public subset +atomic write)
  • src/controllers/UserController.php (+siteConfig action)
  • public/api/siteConfig.php (new)
  • public/js/appCore.js (new), public/js/main.js (slim, uses appCore)
  • Many public/js/*.js import paths updated to ?v={{APP_QVER}}
  • public/.htaccess (caching & headers)
  • scripts/stamp-assets.sh (new)

⚠️ Upgrade notes

  • Ensure USERS_DIR is writable by web server for siteConfig.json.
  • Proxies/edge caches: the new ?v= scheme enables long-lived immutable caching; purge is automatic on version bump.
  • If you previously read admin config directly on the client, it now reads /api/siteConfig.php.

Additional changes/fixes for release

  • release-on-version.yml
    • normalize line endings (strip CRLF)
    • stamp-assets.sh don’t rely on the exec; invoke via bash

release(v1.7.2): harden asset stamping & CI verification

build(stamper)

  • Rewrite scripts/stamp-assets.sh to be repo-agnostic and macOS/Windows friendly:
    • Drop reliance on git ls-files/mapfile; use find + null-delimited loops
    • Normalize CRLF to LF for all web assets before stamping
    • Stamp ?v=<APP_QVER> in HTML/CSS/PHP and {{APP_VER}} everywhere
    • Normalize any ".mjs|.js?v=..." occurrences inside JS (ESM imports/strings)
    • Force-write public/js/version.js from VER (source of truth in stamped output)
    • Print touched counts and fail fast if any {{APP_QVER}}|{{APP_VER}} remain
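
A reduced sketch of the stamping and fail-fast verification steps listed above, added here as an example; it is not FileRise's scripts/stamp-assets.sh. It assumes both placeholders take the release version string, uses `find -exec` in place of a bash null-delimited read loop so it also runs under plain sh, and skips the `.js?v=` normalization and version.js rewrite. The name `stamp_tree` is hypothetical.

```shell
#!/bin/sh
# Added example, not FileRise's scripts/stamp-assets.sh.
# Assumption: APP_QVER and APP_VER both take the release version (e.g. v1.7.2).
# usage: stamp_tree ./staging v1.7.2

stamp_tree() {
  dir=$1 ver=$2
  # The version is interpolated into sed and into URLs, so allow only a
  # conservative character set (no '/', '&', quotes or whitespace).
  case "$ver" in
    ''|*[!A-Za-z0-9._-]*) echo "refusing version: $ver" >&2; return 2 ;;
  esac

  # find -exec passes file names as arguments, so spaces/newlines are safe.
  find "$dir" -type f \( -name '*.html' -o -name '*.css' \
      -o -name '*.php' -o -name '*.js' \) -exec sh -c '
    ver=$1; shift
    for f do
      tmp="$f.stamp.$$"
      # Strip CR (CRLF -> LF), then replace both placeholders.
      tr -d "\r" < "$f" |
        sed -e "s/{{APP_QVER}}/$ver/g" -e "s/{{APP_VER}}/$ver/g" > "$tmp" &&
        cat "$tmp" > "$f"          # rewrite in place, keeping file mode
      rc=$?; rm -f "$tmp"
      [ "$rc" -eq 0 ] || exit "$rc"
    done' sh "$ver" {} + || return 1

  # Fail fast: a surviving placeholder means some asset URL would be served
  # with a literal {{APP_QVER}} and cached as immutable under the wrong key.
  left=$(grep -rlE '\{\{APP_Q?VER\}\}' "$dir" || true)
  if [ -n "$left" ]; then
    echo "unstamped placeholders remain in:" >&2
    echo "$left" >&2
    return 1
  fi
}
```

Run it against a staging copy, never the working tree, so the placeholders in the repository stay intact for the next release.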

v1.7.2

Full Changelog: v1.6.11 → v1.7.2

SHA-256 (zip)

3dc41f93dc0cacff2728494d9823fa624b9ec0436104fd36a0476f59758dc7ab  FileRise-v1.7.2.zip
