Today's update (fc0b9c4) brings with it the following changes:
Security improvements
- An extensive review of HTTP security headers has been performed and several
improvements to the security of the system have been implemented. In some
situations this can cause behavior that previously worked to stop working,
especially cross-site requests that involve authentication and pages embedded
in iframes.
- How the session identifier is stored has been hardened to protect against
malicious behavior. It can no longer be read by JavaScript code, so a script
running in the page cannot exfiltrate the session.
- Cross-origin HTTP request validation now supports specific URIs, not just the
* wildcard value. A specific origin is required for cross-origin requests that
carry credentials, since browsers refuse to combine credentials with *.
- HTTP headers that let clients report errors back to the server were added.
- Code was hardened by avoiding code conventions that can lead to security issues.
Performance improvements
- Improved performance in file manager and object/container selector by consolidating database queries.
- A small optimization to how we populate system groups was implemented. This
should give a minor speed increase to anonymous requests.
New features
- It is now possible to create macros that can be used everywhere template markup can be used. Macros are named units of behavior that support required and optional parameters. The parameters are validated when the macro is called, to avoid the need for the implementing template to perform this validation. See the macro template function documentation for more details.
- A script for exporting contents of an XML dump/export into files was added. It is useful when e.g. binary content needs to be exported into another CMS.
- DuckDuckGo was added as a search engine provider.
Enhancements
- It's now possible to return JSON responses from the read request handler.
- System groups and users were previously always shown with an English name.
Now the name can be localized to the user interface language.
- The label template function now accepts a model instance as its first parameter.
- Simplified the user event log user interface a bit.
- Now all search providers use HTTPS URLs. The addresses of several search
providers have been updated to match current APIs.
- The e-portal session validation URL is now logged when validation fails, to make such issues easier to troubleshoot.
Documentation improvements
- Improved rendering and layout of reference documentation.
- Unrestricted methods in classes are now shown in reference documentation.
- Added reference documentation for:
  - Client-side app behavior
  - Appointments and calendar availability
  - Configuration variables and sets
  - Model class attributes
  - Eportal behavior
  - Asynchronous jobs, job notifications and job queue manager behavior
  - Main configuration and search provider configuration
  - Container model class
- Added reference documentation for the following HTTP request handlers:
  - history
  - impersonate
  - leseweb
  - list
  - list_class_permission
  - list_log
  - read_container
  - read_glossary
  - read_institution
  - read_message
  - rebuild_course
  - remove_institution_course
  - remove_student
  - reorder_course_element
  - score
  - selector
  - selfreg
  - send_message
  - set_assignment_score
  - set_course_supervisor
  - set_ownership
  - start_exam
  - stop_exam
  - tag_message
  - tts
  - unlink_access_key
  - unpack
  - update
  - update_config_set
  - update_container
  - update_course
  - update_course_element_order_list
  - update_institution
  - update_institution_course
  - write_class
  - write_class_membership
  - write_config
  - write_config_set
  - write_container
  - write_course
Feature removals / deprecations
- The filters for containers and groups have been removed in the event log user
interface. They were not used anywhere.
- The object type script is now deprecated. It has not been in use for a long time.
- The request handler delete_account_membership is now deprecated. Use the collection manager remove_from_group action instead.
- Some search providers that are no longer valid have been removed (most
notably ordboka.net). The category religious scriptures was removed
because it no longer contains any entries.