NOTE: As of v1.0.472, the core maintainer team has left October CMS and forked the project into Winter CMS.
UX / UI Improvements
- Fix support for browser-based validation of checkboxes and radio options
API Changes:
- Added
registerOwnerAlias($owner, $alias)to theNavigationManagerto add aliases for given owners of registered menu items. - Added
registerPermissionOwnerAlias($owner, $alias)to theAuthManagerto add aliases for given owners of registered permissions. - Added
registerOwnerAlias($owner, $alias)to theSettingsManagerto add aliases for given owners of registered setting items.
Security Improvements
- Tightened up the Twig SecurityPolicy. Calling
insert(),update(),delete()methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead. Backported from v1.1.2. - Added a new config value (
app.trustedHosts) to protect against host header poisoning. The following values can be used:truewill allow only the naked andwwwversions ofapp.urlas trusted hosts, the default offalsewill disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns. - Session identifiers are now invalidated on logging out instead of just flushed.