Skip to content

Releases: getkirby/kirby

4.5.0-rc.1

12 Nov 15:15
8fc6f34
Compare
Choose a tag to compare
4.5.0-rc.1 Pre-release
Pre-release

✨ Enhancements

  • avif images are now considered resizable by default #6670
  • User view: show prev/next buttons also on account view #6610
  • Video block: better autoplay handling
  • panel.upload exposes upload dialog open event #6621
  • New Toolkit\Obj::toKeys() method #6651
  • Improved Roles filter methods #6655
  • New angle-dropdown button #6663
    angle-dropdown
  • Improved highlighting of current items in a dropdown #6672
    active-1
    active-2
  • Tags input: dropdown shows current selection via checkbox/radio button #6698
    dropdown-1
    dropdown-2
  • api.methodOverwrite config option to activate pure PATCH requests #6650
  • Moving pages: allow pages as parent that don’t restrict any templates in their blueprint, but feature at least one pages section listing the page’s children #6717
  • Role always shown when creating a new user, even if only one role available #6654
  • Support icon and info for query and api options #6780
  • Changed the status update host to getkirby.com #6787
  • Update composer dependencies

🐛 Bug fixes

  • Fixed $field->isEmpty() for some empty arrays #6637
  • slugs.maxlength option works now #6526
  • Fix updating new language variables for secondary languages #6622
  • Page create dialog: toggle field allowed #6669
  • User::roles() doesn't return only the current role for non-admin users but all available roles #6663
  • Fixed issue where the page create dialog would use an existing page new instead just creating a temporary object #6643
  • Radio input: fix default columns count #6699
  • Multilang: Writer field now inserts the correct permalink for the current content language #6668
  • Multilang: $page->permalink() returns a language-based permalink for the current content language #6668
  • Fixed uploading non-resizable files with template/blueprint that features create option #6718
  • Fixed some cached page and file properties #6720
  • The license key dialog now trims accidently copied spaces from the license key #6722
  • Panel UI fixed for create and changeRole permissions and user options #5147 #5146

☠️ Deprecated

  • UserRules::validRole()

♻️ Refactored

  • Remove roles count check from UserPermissions #6658

5.0.0-alpha.3

23 Sep 09:53
b1b3f44
Compare
Choose a tag to compare
5.0.0-alpha.3 Pre-release
Pre-release

4.4.1

23 Sep 09:43
eb47158
Compare
Choose a tag to compare

🐛 Bug fixes

  • Fixed file caching regression #6685
  • Fixed 500 error in move page dialog #6684
  • Fixed file browser in link field when UUID disabled #6683
  • Only showing offline message in Panel when system is not a local environment #6679
  • Fixed a regression for some custom routes #6676

4.4.0

12 Sep 12:29
d14bc47
Compare
Choose a tag to compare

Tip

Pages section: if you are experiencing performance issues with a pages section and the table layout, you can try to use rawvalues: true to improve performance. This will use the unprocessed values from the content file, which is a lot more performant, but can result in some broken column previews (which would require processed values).

✨ Enhancements

  • Link field: when selecting files, the current page is preselected #6458
  • New auto option for (image: ) KirbyTag
    (image: cat.jpg width: auto height: auto)
    
    // config.php
    'kirbytext' => [
        'image' => [
            'width' => 'auto',
            'height' => 'auto',
        ]
    ];
  • Image/Gallery blocks: added selector to change background #6430
  • Pages, files and users dialogs use proper radio buttons/checkboxes to display selection #6044 #5930
  • Site area: using icon defined in site blueprint #5936
  • Added support for language-specific UUID urls #6312
    /en/@/page/1234
    /en/@/file/1234
    
  • New google icon
  • Allow access to the Kirby\Cms\License::HISTORY const #6503
  • k-button: use title or text of a button to set aria-label #5899
  • $permissions->for(), $modelpermissions->can() and $modelpermissions->cannot() accept a new $default parameter #6548
  • Pages, files and users field: default empty string is now correct when only allowed to select one page/file/user #6565
  • All fields have a .k-field-type-TYPE CSS class added #5009
  • File uploads: preview uses image options from field/section #6611
  • Change URL dialog: in multilang, show the language segment as part of the path preview #6607
  • content.uuid.index option to prevent index lookup. Will throw an exception if a UUID model cannot be looked up from the cache alone. This requires you to keep a full UUID cache at all times but can be helpful for very large sites where any index lookup would run into memory limits. #6564
    • Use content.uuid.format to specify uuid-v4 as format.
  • system.exception hook: return false to prevent error to be logged #5028
  • Filename sanitization considers user language for better results #4972
  • (image: ) KirbyTag: for local files, add width: auto and/or height: auto to include the actual image dimensions as attributes #5064

🐛 Bug fixes

  • Using Cmd + S/Ctrl + S in nested structures/objects with date fields does not corrupt data anymore #6390
  • Kirby\Exception\NotFoundException thrown during page rendering now redirects request to the error page (with 404); as Kirby\Exception\ErrorPageException already does #6553
  • Link field preview: fixed overflow instead of wrapping for long links #6510
  • Tags input: dropdown won't open anymore when max has been reached #6468
  • Text block: fixed padding when replacing writer input with texture input #6484
  • Panel topbar: fix overflow when breadcrumb gets very long #6348
  • A::random() throws exception instead of error when $count is higher than array length #6555
  • Fix focus helper for non-native inputs #6347
  • Writer field: content with non-breaking changes doesn't anymore show up as changed always #6285
  • Fixed new Http\Uri() for relative URLs with a colon inside #6331
  • pattern attribute for Panel fields: fixed inconsistencies between frontend and backend validation #6585
  • preview blueprint option now supports setting role-based permissions #6572
  • $file->previewUrl() returns null if parent page preview is deactivated/not allowed for the user #6572
  • Fixed parallel Panel search requests #6409
  • Files field: store only filenames when UUIDs disabled and file belongs to the same page #5084
  • Sections with table layout: fixed some issues with sorting rows that should be unsortable #6609
  • Redirect language URLs with non-translated slugs #3550
  • Fix docblocks for $panel.dialog/$panel.drawer #6648

4.3.1

29 Aug 08:57
576306d
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.


🐛 Bug fixes

  • Fixed console error from views without a menu on narrow window widths #6487
  • Prev-Next navigation isn’t always hidden anymore on user view

🧹 Housekeeping

  • Fix support for .env files in the Panel Vite build config #6516
  • Use SERVER as name for the Vite host override env variable #6516

3.10.1.1

29 Aug 08:57
1953eb4
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.

3.9.8.2

29 Aug 08:56
40ae4e5
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.

3.8.4.4

29 Aug 08:56
d3de5c2
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.

3.7.5.5

29 Aug 08:56
a645ec7
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.


Important note: This release marks the end of security support for Kirby 3.7. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.

➡️ Read more

3.6.6.6

29 Aug 08:55
38fb94d
Compare
Choose a tag to compare

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.


Important note: This release marks the end of security support for Kirby 3.6. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.

➡️ Read more