apostrophe
Advanced tools
Changelog
4.1.1 (2024-03-21)
styles
property. The bug was introduced in 4.0.0 as an indirect side effect of deeper
watching behavior by Vue 3.Changelog
4.1.0 (2024-03-20)
enterUsername
and enterPassword
i18n fields for front end customization and localization.apos.task.getReq
now include a req.headers
property, for
greater accuracy and to prevent unexpected bugs in other code.attachment.url
still lies with the developer.getChanges
method to the schema module to get an array of document changed field names instead of just a boolean like does the isEqual
method.Changelog
4.0.0 (2024-03-12)
beforeLocalize
and afterLocalize
events.apos.schema.addManagerIndicator({ component, props, if })
. The component registered this way will be automatically rendered in the manager modal.translation
module to support document translations via the @apostrophecms-pro/automatic-translation
module.
The translation
core module may be removed or refactored to reduce overhead in the core, so its presence should
not be relied upon.textStyle
to Tiptap types so that spans are rendered on RT initializationfield.help
and field.htmlHelp
are now correctly translated when displayed in a tooltip.he
package to most recent version.Changelog
3.63.2 (2024-03-01)
external-condition
API actually appear in if
or requiredIf
clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of
Apostrophe modules could be called over the network, without arguments, and the results returned to the caller.
While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by
invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin
penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities
in ApostropheCMS code via security@apostrophecms.com.alwaysIframe
query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team.Changelog
3.63.1 (2024-02-22)
sanitize-html
to ^2.12.1
at a minimum, to ensure that npm update apostrophe
is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.Changelog
3.63.0 (2024-02-21)
launder
method to the slug
schema field query builder to allow for use in API queries.withType
is set to a page type, like @apostrophecms/home-page
, default-page
, article-page
...canCreate
, canPreview
& canShareDraft
in context operations conditions.canCreate
, canEdit
, canArchive
& canPublish
in utility operations definitions.uponSubmit
requirement in the @apostrophecms/login
module. uponSubmit
requirements are checked each time the user submit the login form. See the documentation for more information.apos.doc.setMeta()
, apos.doc.getMeta()
, apos.doc.getMetaPath()
and apos.doc.removeMeta()
. The metadata is stored in the database and can be used to store additional information about a field.apos.schema.addFieldMetadataComponent(namespace, component)
method to allow adding custom components. They have access to the server-side added field metadata and can decide to show indicators on the admin UI fields. Currently supported fields are "string", "slug", "array", "object" and "area".content-changed
event for the submit draft action now uses a complete document.Changelog
3.62.0 (2024-01-25)
type
query parameter for page autocomplete. This allows to filter the results by page type. Example: /api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type
.float
schema field query builder.integer
schema field query builder.linkFields
, extendable on a project level (same as it's done for fields
). Add an htmlAttribute
property to the standard fields that map directly to an HTML attribute, except href
(see special case below), and set it accordingly, even if it is the same as the field name. Setting htmlAttribute: 'href'
is not allowed and will throw a schema validation exception (on application boot).can
and criteria
methods for create
and delete
.canEdit
to canCreate
.@apostrophecms-pro/advanced-permission
module.launder
and finalize
methods of the float
schema field query builder.launder
and finalize
methods of the integer
schema field query builder.publish
a particular page should always be allowed to insert it into the
published version of the site even if they could not otherwise insert a child of the published
parent.Changelog
3.61.1 (2023-01-08)
Changelog
3.61.0 (2023-12-21)
validate
method to the url
field type to allow the use of the pattern
property.autocomplete
attribute to schema fields that implement it (cf. HTML attribute: autocomplete).delete
method to the @apostrophecms/cache
module so we don't have to rely on direct MongoDB manipulation to remove a cache item.date
schema field query builder to work with arrays.if
on pages. When you open the AposDocEditor
modal on pages, you now see an up to date view of the visible fields.clearLoginAttempts
method to work with the new @apostrophecms/cache
module delete
method.