Releases: getkirby/kirby
4.5.0-rc.1
✨ Enhancements
- `avif` images are now considered resizable by default #6670
- User view: show prev/next buttons also on account view #6610
- Video block: better `autoplay` handling
- `panel.upload` exposes upload dialog `open` event #6621
- New `Toolkit\Obj::toKeys()` method #6651
- Improved `Roles` filter methods #6655
- New `angle-dropdown` button #6663
- Improved highlighting of current items in a dropdown #6672
- Tags input: dropdown shows current selection via checkbox/radio button #6698
- `api.methodOverwrite` config option to activate pure `PATCH` requests #6650
- Moving pages: allow pages as parent that don’t restrict any templates in their blueprint, but feature at least one pages section listing the page’s children #6717
- Role always shown when creating a new user, even if only one role available #6654
- Support `icon` and `info` for query and api options #6780
- Changed the status update host to getkirby.com #6787
- Update composer dependencies
🐛 Bug fixes
- Fixed `$field->isEmpty()` for some empty arrays #6637
- `slugs.maxlength` option works now #6526
- Fix updating new language variables for secondary languages #6622
- Page create dialog: `toggle` field allowed #6669
- `User::roles()` doesn't return only the current role for non-admin users but all available roles #6663
- Fixed issue where the page create dialog would use an existing page `new` instead of just creating a temporary object #6643
- Radio input: fix default columns count #6699
- Multilang: Writer field now inserts the correct permalink for the current content language #6668
- Multilang: `$page->permalink()` returns a language-based permalink for the current content language #6668
- Fixed uploading non-resizable files with template/blueprint that features `create` option #6718
- Fixed some cached page and file properties #6720
- The license key dialog now trims accidentally copied spaces from the license key #6722
- Panel UI fixed for `create` and `changeRole` permissions and user options #5147 #5146
☠️ Deprecated
- `UserRules::validRole()`
♻️ Refactored
- Remove roles count check from `UserPermissions` #6658
5.0.0-alpha.3
Pre-release notes: https://getkirby.com/buzz/v5-alpha
4.4.1
4.4.0
Tip
Pages section: if you are experiencing performance issues with a pages section and the table layout, you can try to use `rawvalues: true` to improve performance. This will use the unprocessed values from the content file, which is a lot more performant, but can result in some broken column previews (which would require processed values).
✨ Enhancements
- Link field: when selecting files, the current page is preselected #6458
- New auto option for `(image: )` KirbyTag

  ```
  (image: cat.jpg width: auto height: auto)
  ```

  ```php
  <?php
  // config.php
  return [
      // Default attributes applied to every (image: ) KirbyTag
      'kirbytext' => [
          'image' => [
              'width'  => 'auto',
              'height' => 'auto',
          ]
      ]
  ];
  ```
- Image/Gallery blocks: added selector to change background #6430
- Pages, files and users dialogs use proper radio buttons/checkboxes to display selection #6044 #5930
- Site area: using icon defined in site blueprint #5936
- Added support for language-specific UUID urls #6312

  ```
  /en/@/page/1234
  /en/@/file/1234
  ```
- New `google` icon
- Allow access to the `Kirby\Cms\License::HISTORY` const #6503
- `k-button`: use title or text of a button to set `aria-label` #5899
- `$permissions->for()`, `$modelpermissions->can()` and `$modelpermissions->cannot()` accept a new `$default` parameter #6548
- Pages, files and users field: default empty string is now correct when only allowed to select one page/file/user #6565
- All fields have a `.k-field-type-TYPE` CSS class added #5009
- File uploads: preview uses `image` options from field/section #6611
- Change URL dialog: in multilang, show the language segment as part of the path preview #6607
- `content.uuid.index` option to prevent index lookup. Will throw an exception if a UUID model cannot be looked up from the cache alone. This requires you to keep a full UUID cache at all times but can be helpful for very large sites where any index lookup would run into memory limits. #6564
- Use `content.uuid.format` to specify `uuid-v4` as format.
- Use `system.exception` hook: return `false` to prevent error to be logged #5028
- Filename sanitization considers user language for better results #4972
- `(image: )` KirbyTag: for local files, add `width: auto` and/or `height: auto` to include the actual image dimensions as attributes #5064
🐛 Bug fixes
- Using `Cmd + S/Ctrl + S` in nested structures/objects with date fields does not corrupt data anymore #6390
- `Kirby\Exception\NotFoundException` thrown during page rendering now redirects request to the error page (with 404); as `Kirby\Exception\ErrorPageException` already does #6553
- Link field preview: fixed overflow instead of wrapping for long links #6510
- Tags input: dropdown won't open anymore when `max` has been reached #6468
- Text block: fixed padding when replacing writer input with textarea input #6484
- Panel topbar: fix overflow when breadcrumb gets very long #6348
- `A::random()` throws exception instead of error when `$count` is higher than array length #6555
- Fix `focus` helper for non-native inputs #6347
- Writer field: content with non-breaking changes no longer always shows up as changed #6285
- Fixed `new Http\Uri()` for relative URLs with a colon inside #6331
- `pattern` attribute for Panel fields: fixed inconsistencies between frontend and backend validation #6585
- `preview` blueprint option now supports setting role-based permissions #6572
- `$file->previewUrl()` returns `null` if parent page preview is deactivated/not allowed for the user #6572
- Fixed parallel Panel search requests #6409
- Files field: store only filenames when UUIDs disabled and file belongs to the same page #5084
- Sections with table layout: fixed some issues with sorting rows that should be unsortable #6609
- Redirect language URLs with non-translated slugs #3550
- Fix docblocks for `$panel.dialog`/`$panel.drawer` #6648
4.3.1
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
🐛 Bug fixes
- Fixed console error from views without a menu on narrow window widths #6487
- Prev-Next navigation isn’t always hidden anymore on user view
🧹 Housekeeping
3.10.1.1
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
3.9.8.2
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
3.8.4.4
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
3.7.5.5
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
Important note: This release marks the end of security support for Kirby 3.7. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.
3.6.6.6
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing `languages.create` and `languages.delete` permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
Important note: This release marks the end of security support for Kirby 3.6. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.