github shopperlabs/shopper v3.0.0-beta.3

Pre-release, published 3 hours ago

Caution

This is a beta release of the framework. Breaking changes may be introduced to v3 releases during the beta period.

This third 3.0 beta is a small hardening pass. It closes a stored XSS vector in product file uploads and turns dashboard access into an overridable gate so the shipped manager role can reach the panel out of the box. The official 3.0 release is coming this September.

Installation

Add to composer.json:

"minimum-stability": "beta",
"prefer-stable": true

then run:

composer require shopper/framework:^3.0.0-beta

Highlights

Product file uploads restricted

The product files collection accepted arbitrary types, so a staff member with an upload permission could store an HTML or SVG payload that the public disk then served inline from the same origin, running it in an administrator's session. The collection is now limited to a configurable allowlist of document and archive MIME types, enforced server side by the media library and mirrored in the Filament upload component, so the client-side filter is a convenience rather than the control. This ports the remaining half of the 2.x fix for GHSA-vmvv-x5cp-2qv6 to the 3.x line.
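The property the fix depends on is that the allowlist is applied to what the bytes really are, not to the Content-Type or filename the uploader chose. The following is an added example, not code from the Shopper project or the media library it uses: a stand-alone PHP check that sniffs the type with ext-fileinfo, requires the stored extension to agree with the sniffed type (the web server picks the response Content-Type from the extension when it serves the public disk), and walks a few constructed uploads. The helper name, the extension map and the sample files are assumptions for the demo; the allowlist is a subset of the accepts_file_types list below.

```php
<?php
declare(strict_types=1);

// Added example, not Shopper's code. Requires PHP 8 with ext-fileinfo.
// Decision inputs: the sniffed MIME type and the extension. The type the
// browser declared is recorded for the log only and never trusted.

// Subset of the accepts_file_types allowlist shipped in this release.
const ACCEPTS_FILE_TYPES = [
    'application/pdf',
    'application/zip',
    'text/plain',
    'text/csv',
];

// Extensions a stored file may carry for each allowlisted type (assumed map).
// The web server derives Content-Type from the extension at serve time, so a
// mismatch here is how a "text/plain" blob ends up served as text/html.
const EXTENSIONS_FOR_TYPE = [
    'application/pdf' => ['pdf'],
    'application/zip' => ['zip'],
    'text/plain'      => ['txt'],
    'text/csv'        => ['csv'],
];

/**
 * Returns the sniffed MIME type when the upload is acceptable, or null when it
 * must be rejected. Fails closed: unknown or unsniffable content is rejected.
 */
function acceptedProductFileType(
    string $bytes,
    string $filename,
    string $clientType,
    array $allow = ACCEPTS_FILE_TYPES,
): ?string {
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed === false) {
        $sniffed = 'application/octet-stream';
    }

    if (!in_array($sniffed, $allow, true)) {
        error_log("rejected {$filename}: sniffed {$sniffed}, client declared {$clientType}");
        return null;
    }

    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, EXTENSIONS_FOR_TYPE[$sniffed] ?? [], true)) {
        error_log("rejected {$filename}: extension .{$ext} does not match {$sniffed}");
        return null;
    }

    return $sniffed;
}

// Constructed sample uploads: [stored filename, client-declared type, bytes].
// The script payloads are inert placeholders.
$samples = [
    // Genuine PDF: accepted.
    ['manual.pdf', 'application/pdf',
        "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"],
    // SVG with an inline script, declared and named as a PDF: the bytes do
    // not sniff as application/pdf, so it is rejected.
    ['invoice.pdf', 'application/pdf',
        '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
        . '<script>alert(document.cookie)</script></svg>'],
    // HTML document declared as plain text: sniffs as text/html, rejected.
    ['readme.txt', 'text/plain',
        "<!DOCTYPE html>\n<html><body><script>alert(1)</script></body></html>\n"],
    // Real text stored under an .html extension: rejected by the extension check,
    // since the server would otherwise serve it as text/html.
    ['notes.html', 'text/plain', "Care instructions: machine wash cold.\n"],
];

foreach ($samples as [$name, $clientType, $bytes]) {
    $result = acceptedProductFileType($bytes, $name, $clientType);
    printf("%-12s %s\n", $name, $result === null ? 'REJECTED' : "accepted as {$result}");
}
```

Two points worth keeping in mind when relying on an allowlist like this: text/plain and text/csv are permissive entries, because a sniffer will classify most markup-free text as text/plain, so the extension agreement above is what keeps such a file from being served with an executable Content-Type; and as defence in depth, product files are best served with Content-Disposition: attachment and X-Content-Type-Options: nosniff, so that even a misclassified file is downloaded rather than rendered in the administrator's origin.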

Dashboard access is an overridable gate

The dashboard middleware only special-cased the administrator role, so the shipped manager role was locked out of the panel until an administrator granted it the system.dashboard permission by hand. The decision now lives in an overridable canAccessDashboard() method on the ShopperUser contract: administrators, managers, and holders of the system.dashboard permission can enter, and host apps can replace the rule by overriding the method on their own user model.

New Features

  • feat(admin): gate dashboard access behind canAccessDashboard() by @mckenziearts in #596

Bug Fixes

  • fix(security): restrict the product files media collection by @mckenziearts in #597

Upgrading

1. Published media.php config. Stores that have published config/shopper/media.php must add the new accepts_file_types key by hand; the upload hardening only applies once the key is present:

'accepts_file_types' => [
    'application/pdf',
    'application/zip',
    'application/x-rar-compressed',
    'application/x-7z-compressed',
    'application/msword',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'application/vnd.ms-excel',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'text/plain',
    'text/csv',
],

2. Custom user models implementing ShopperUser directly (without the InteractsWithShopper trait) must add the new contract method:

public function canAccessDashboard(): bool
{
    return $this->isAdmin()
        || $this->isManager()
        || $this->hasPermissionTo('system.dashboard');
}

Models using the InteractsWithShopper trait get this implementation automatically.
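The release note gives the shipped rule but not what a host-app override looks like. The block below is an added example, not Shopper code: it models the gate on a stand-in user class so the override pattern can be exercised without the framework. The method names (isAdmin, isManager, hasPermissionTo, canAccessDashboard) and the system.dashboard permission come from this page; the StandInUser and HostAppUser classes, the role and permission arrays, the suspended flag and the dashboardGate() helper are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the Shopper code base. StandInUser carries the default
// rule that InteractsWithShopper ships; HostAppUser is what a host app's user
// model does when it narrows that rule.

class StandInUser
{
    public function __construct(
        public readonly string $name,
        private array $roles,        // assumed: role names as strings
        private array $permissions,  // assumed: permission names as strings
    ) {}

    public function isAdmin(): bool
    {
        return in_array('administrator', $this->roles, true);
    }

    public function isManager(): bool
    {
        return in_array('manager', $this->roles, true);
    }

    public function hasPermissionTo(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }

    // The default rule from v3.0.0-beta.3.
    public function canAccessDashboard(): bool
    {
        return $this->isAdmin()
            || $this->isManager()
            || $this->hasPermissionTo('system.dashboard');
    }
}

// Host-app override: keep the shipped rule but refuse suspended accounts, even
// administrators. Delegating to parent:: means a later change to the default
// rule is inherited instead of silently forked in the host app.
class HostAppUser extends StandInUser
{
    public function __construct(
        string $name,
        array $roles,
        array $permissions,
        private bool $suspended = false,
    ) {
        parent::__construct($name, $roles, $permissions);
    }

    public function canAccessDashboard(): bool
    {
        if ($this->suspended) {
            return false;
        }
        return parent::canAccessDashboard();
    }
}

// Middleware-shaped check: the model owns the decision; the gate only asks and
// denies by default. No role name is special-cased here any more.
function dashboardGate(StandInUser $user): string
{
    return $user->canAccessDashboard() ? 'allow' : 'deny';
}

// Constructed accounts covering each branch of the rule.
$users = [
    new HostAppUser('alice', ['administrator'], []),                   // allow: admin
    new HostAppUser('bob',   ['manager'], []),                         // allow: manager
    new HostAppUser('carol', ['support'], ['system.dashboard']),       // allow: permission
    new HostAppUser('dave',  ['support'], ['orders.view']),            // deny: no grant
    new HostAppUser('erin',  ['administrator'], [], suspended: true),  // deny: host-app rule
];

foreach ($users as $user) {
    printf("%-6s %s\n", $user->name, dashboardGate($user));
}
```

When overriding on a real model, prefer narrowing the shipped rule (an extra condition in front of parent::canAccessDashboard()) over rewriting it; a rewrite that drops the permission branch reintroduces the hard-coded role check this release removed.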

Full Changelog: v3.0.0-beta.2...v3.0.0-beta.3
