
Releases: getkirby/kirby

5.0.0-beta.2

23 Jan 12:35
f2ee5cf
5.0.0-beta.2 Pre-release

Pre-release notes: https://getkirby.com/releases/5

Changelog since 5.0.0-beta.1

✨ Enhancements

  • Allow disabling all page buttons via buttons: false
  • New way to set the default storage instance for all models #6867
    • New App::storage(ModelWithContent $model) method
    • New storage component, which can be overwritten in plugins or the app instance setup.
    • The storage component is now used in all Models to create the default storage instance
    // How to create a new default storage instance component:
    use Kirby\Cms\App;
    use Kirby\Cms\ModelWithContent;
    use Kirby\Content\PlainTextStorage;
    
    class MyCustomStorageClass extends PlainTextStorage
    {
    
    }
    
    // on app initialisation
    $kirby = new App([
      'components' => [
        // the closure receives the app instance and the model that needs a storage
        'storage' => function (App $kirby, ModelWithContent $model) {
            return new MyCustomStorageClass($model);
        }
      ]
    ]);
    
    // in a plugin
    App::plugin('my/storage', [
      'components' => [
        'storage' => function (App $kirby, ModelWithContent $model) {
            return new MyCustomStorageClass($model);
        }
      ]
    ]);
  • New $app->role() method that works like $app->user() to return a specific role or the role of the current user. #6874
  • View buttons: i18n + query support, component name from key
    • Panel\Ui\Button: i18n support for text and title props
    • Panel\Ui\Buttons\ViewButtons and Panel\Ui\Buttons\ViewButton have new optional $model property
    • Kirby query support in Panel\Ui\Buttons\ViewButton for link, dialog, drawer, icon, text, theme props
    • Deriving the Vue component name from key:
      buttons:
        - preview
        retour:
          text: Retour
      This first looks up k-retour-view-button and falls back to k-view-button.
  • Writer: nodes with inline: true in their button definition are displayed as inline buttons in the toolbar (instead of inside the dropdown) #6902
  • New this.$helper.object.filter(object, predicate). #6902
  • Page status button uses custom status labels for title #6911
  • Plugin update status: passive theme for unknown plugin versions #6920
  • System view: Plugin table features two distinct columns for the license type and status #6896
  • LicenseStatus supports link, dialog and drawer props #6896

🐛 Bug fixes

  • Fixed Str::ucfirst() behavior, now behaves like PHP default #6834
  • Writer field: inline toolbar is hidden when no nodes and marks are available #6804
  • Page dropdown: fix disabling preview item #6891
  • File preview: fix aspect ratio for medium viewports #6891
  • Page section w/ table layout: fix flag column #6866
  • Range/Number field: fix isEmpty() usage #6898
  • Custom writer nodes: fixed active state detection for nodes that include paragraph child nodes #6902
  • Permissions are now always correctly determined if the active user changes during the request #6880

🐛 Fixed regressions from Beta.1

  • Hide language selector for single language #6850
  • Duplicate action is forcing to copy files #6921
  • Link in info box is now visible again in dark mode #6906

🚨 Breaking changes

  • The Str::ucfirst() method no longer lowercases all but the first letter of the text; it only capitalizes the first letter. #6860
  • Classes extending ModelPermissions need to set their category with the const CATEGORY or static function category() instead of protected string $category and use the static user() method instead of $user and $permissions properties #6880
  • <k-item>: Removed data-only-option attributes
  • <k-dialog>: Removed data-has-footer attribute
  • <k-toggles-input>: Removed data-disabled attribute
  • <k-writer-input>: Removed data-toolbar-inline attribute
  • <k-bubble>: Removed data-has-text attribute
  • <k-header>: Removed data-has-buttons attribute
  • <k-tag>: Removed data-has-image and data-has-toggle attributes
  • <k-tree>: Removed data-has-subtree attribute
  • required: true on checkbox and toggle fields now enforces that these fields need to be checked/toggled (active state)

☠️ Deprecated

  • panel.favicon option throws deprecation warnings for url option (use href instead) and for rel key (use rel option instead)

♻️ Refactored

  • ModelPermissions now also supports Language objects as quasi models #6876
  • New LanguagePermissions class that inherits the existing logic from LanguageRules for consistency with other models #6876
  • Globally cache access and list permissions per permission category, model type and user role to reduce code duplication #6881

♻️ Refactored after Beta.1

  • Update preview token logic to reliably fix tokens for the homepage #6856

🧹 Housekeeping

  • Move $app->roles() method to the AppUsers trait to increase the overview
  • Clean up permission-related code for consistency #6879

4.6.0-rc.1

23 Jan 11:44
dc348e6
4.6.0-rc.1 Pre-release

🐛 Bug fixes

  • Fixed CSS rules messing up grid styling inside the gallery block drawer #6838
  • Fix alt attribute for FileVersion instances #6852
  • Using single quotes in sqlite table discovery query fixes #6769
  • Fix console error when no buttons available #6863
  • Structure field: fix label of remove dropdown item #6899
  • Block options: fix tabbing from sort handle #6893
  • Structure field: fix preview input when paginated #6894
  • Set require: true on image block location field #6905
  • Blueprint image option: fixed support for query string #6916
  • System view: fixed too long server software names #6917
  • Pages and files sections: fixed page option #6735
  • Role blueprints get properly extended #6918
  • Link field: fixed handling of invalid options #6919

🧹 Housekeeping

  • Update the list of export ignores to keep unneeded files out of the Kirby ZIP downloads #6931
  • Update JS dependencies #6933

5.0.0-beta.1

09 Dec 10:21
5.0.0-beta.1 Pre-release

4.5.0

28 Nov 10:21
94cc37e

✨ Enhancements

  • avif images are now considered resizable by default #6670
  • User view: show prev/next buttons also on account view #6610
  • Video block: better autoplay handling
  • panel.upload exposes upload dialog open event #6621
  • New Toolkit\Obj::toKeys() method #6651
  • Improved Roles filter methods #6655
  • New angle-dropdown button #6663
  • Improved highlighting of current items in a dropdown #6672
  • Tags input: dropdown shows current selection via checkbox/radio button #6698
  • api.methodOverwrite config option to activate pure PATCH requests #6650
  • Moving pages: allow pages as parent that don’t restrict any templates in their blueprint, but feature at least one pages section listing the page’s children #6717
  • Role always shown when creating a new user, even if only one role available #6654
  • Support icon and info for query and api options #6780
  • Changed the status update host to getkirby.com #6787
  • Update composer dependencies

🐛 Bug fixes

  • Fixed $field->isEmpty() for some empty arrays #6637
  • slugs.maxlength option works now #6526
  • Fix updating new language variables for secondary languages #6622
  • Page create dialog: toggle field allowed #6669
  • User::roles() doesn't return only the current role for non-admin users but all available roles #6663
  • Fixed issue where the page create dialog would use an existing page new instead of just creating a temporary object #6643
  • Radio input: fix default columns count #6699
  • Multilang: Writer field now inserts the correct permalink for the current content language #6668
  • Multilang: $page->permalink() returns a language-based permalink for the current content language #6668
  • Fixed uploading non-resizable files with template/blueprint that features create option #6718
  • Fixed some cached page and file properties #6720
  • The license key dialog now trims accidentally copied spaces from the license key #6722
  • Panel UI fixed for create and changeRole permissions and user options #5147 #5146
  • Fix preview links for files when the parent page preview is disabled #6786

☠️ Deprecated

  • UserRules::validRole()

♻️ Refactored

  • Remove roles count check from UserPermissions #6658

5.0.0-alpha.4

20 Nov 16:10
6adc851
5.0.0-alpha.4 Pre-release

4.5.0-rc.1

12 Nov 15:15
8fc6f34
4.5.0-rc.1 Pre-release

✨ Enhancements

  • avif images are now considered resizable by default #6670
  • User view: show prev/next buttons also on account view #6610
  • Video block: better autoplay handling
  • panel.upload exposes upload dialog open event #6621
  • New Toolkit\Obj::toKeys() method #6651
  • Improved Roles filter methods #6655
  • New angle-dropdown button #6663
  • Improved highlighting of current items in a dropdown #6672
  • Tags input: dropdown shows current selection via checkbox/radio button #6698
  • api.methodOverwrite config option to activate pure PATCH requests #6650
  • Moving pages: allow pages as parent that don’t restrict any templates in their blueprint, but feature at least one pages section listing the page’s children #6717
  • Role always shown when creating a new user, even if only one role available #6654
  • Support icon and info for query and api options #6780
  • Changed the status update host to getkirby.com #6787
  • Update composer dependencies

🐛 Bug fixes

  • Fixed $field->isEmpty() for some empty arrays #6637
  • slugs.maxlength option works now #6526
  • Fix updating new language variables for secondary languages #6622
  • Page create dialog: toggle field allowed #6669
  • User::roles() doesn't return only the current role for non-admin users but all available roles #6663
  • Fixed issue where the page create dialog would use an existing page new instead of just creating a temporary object #6643
  • Radio input: fix default columns count #6699
  • Multilang: Writer field now inserts the correct permalink for the current content language #6668
  • Multilang: $page->permalink() returns a language-based permalink for the current content language #6668
  • Fixed uploading non-resizable files with template/blueprint that features create option #6718
  • Fixed some cached page and file properties #6720
  • The license key dialog now trims accidentally copied spaces from the license key #6722
  • Panel UI fixed for create and changeRole permissions and user options #5147 #5146

☠️ Deprecated

  • UserRules::validRole()

♻️ Refactored

  • Remove roles count check from UserPermissions #6658

5.0.0-alpha.3

23 Sep 09:53
b1b3f44
5.0.0-alpha.3 Pre-release

4.4.1

23 Sep 09:43
eb47158

🐛 Bug fixes

  • Fixed file caching regression #6685
  • Fixed 500 error in move page dialog #6684
  • Fixed file browser in link field when UUID disabled #6683
  • Only showing offline message in Panel when system is not a local environment #6679
  • Fixed a regression for some custom routes #6676

4.4.0

12 Sep 12:29
d14bc47

Tip

Pages section: if you are experiencing performance issues with a pages section and the table layout, you can try to use rawvalues: true to improve performance. This will use the unprocessed values from the content file, which is a lot more performant, but can result in some broken column previews (which would require processed values).

✨ Enhancements

  • Link field: when selecting files, the current page is preselected #6458
  • New auto option for (image: ) KirbyTag
    (image: cat.jpg width: auto height: auto)
    
    // config.php
    return [
        'kirbytext' => [
            'image' => [
                'width' => 'auto',
                'height' => 'auto',
            ]
        ]
    ];
  • Image/Gallery blocks: added selector to change background #6430
  • Pages, files and users dialogs use proper radio buttons/checkboxes to display selection #6044 #5930
  • Site area: using icon defined in site blueprint #5936
  • Added support for language-specific UUID urls #6312
    /en/@/page/1234
    /en/@/file/1234
    
  • New google icon
  • Allow access to the Kirby\Cms\License::HISTORY const #6503
  • k-button: use title or text of a button to set aria-label #5899
  • $permissions->for(), $modelpermissions->can() and $modelpermissions->cannot() accept a new $default parameter #6548
  • Pages, files and users field: default empty string is now correct when only allowed to select one page/file/user #6565
  • All fields have a .k-field-type-TYPE CSS class added #5009
  • File uploads: preview uses image options from field/section #6611
  • Change URL dialog: in multilang, show the language segment as part of the path preview #6607
  • content.uuid.index option to prevent index lookup. Will throw an exception if a UUID model cannot be looked up from the cache alone. This requires you to keep a full UUID cache at all times but can be helpful for very large sites where any index lookup would run into memory limits. #6564
    • Use content.uuid.format to specify uuid-v4 as format.
  • system.exception hook: return false to prevent the error from being logged #5028
  • Filename sanitization considers user language for better results #4972
  • (image: ) KirbyTag: for local files, add width: auto and/or height: auto to include the actual image dimensions as attributes #5064

🐛 Bug fixes

  • Using Cmd + S/Ctrl + S in nested structures/objects with date fields does not corrupt data anymore #6390
  • Kirby\Exception\NotFoundException thrown during page rendering now redirects the request to the error page (with 404), as Kirby\Exception\ErrorPageException already does #6553
  • Link field preview: fixed overflow instead of wrapping for long links #6510
  • Tags input: dropdown won't open anymore when max has been reached #6468
  • Text block: fixed padding when replacing writer input with texture input #6484
  • Panel topbar: fix overflow when breadcrumb gets very long #6348
  • A::random() throws exception instead of error when $count is higher than array length #6555
  • Fix focus helper for non-native inputs #6347
  • Writer field: content with non-breaking changes no longer always shows up as changed #6285
  • Fixed new Http\Uri() for relative URLs with a colon inside #6331
  • pattern attribute for Panel fields: fixed inconsistencies between frontend and backend validation #6585
  • preview blueprint option now supports setting role-based permissions #6572
  • $file->previewUrl() returns null if parent page preview is deactivated/not allowed for the user #6572
  • Fixed parallel Panel search requests #6409
  • Files field: store only filenames when UUIDs disabled and file belongs to the same page #5084
  • Sections with table layout: fixed some issues with sorting rows that should be unsortable #6609
  • Redirect language URLs with non-translated slugs #3550
  • Fix docblocks for $panel.dialog/$panel.drawer #6648

4.3.1

29 Aug 08:57
576306d

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.


🐛 Bug fixes

  • Fixed console error from views without a menu on narrow window widths #6487
  • Prev-Next navigation isn’t always hidden anymore on user view

🧹 Housekeeping

  • Fix support for .env files in the Panel Vite build config #6516
  • Use SERVER as name for the Vite host override env variable #6516