Version: 3.9.6
Security
- Security Hardening - Addressed authorization, SSRF, reset-token, LDAP, and stored-XSS vulnerabilities (#3584)
- Plugin Management - Plugin management now requires the proper permission and install input is validated more strictly (#3583)
- Avatar Rendering - User IDs are now encoded in avatar image sources to prevent DOM-based XSS (#3582)
- API Responses - Credentials are now stripped from getUser API responses (#3556, #3576)
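To illustrate the avatar-rendering fix listed above, the following is an added example (not Leantime's code and not the patch from #3582) that contrasts raw interpolation of an untrusted user id into an avatar `img` source with a version that validates the id and percent-encodes it before it enters the URL. The `/api/users/{id}/avatar` route shape, the function names, and the hostile sample id are assumptions constructed for the example.

```javascript
// Added example, not Leantime's code. The /api/users/{id}/avatar route shape
// and the hostile id below are assumptions constructed for illustration.
"use strict";

// Constructed sample: an id an attacker controls (read from the URL or the DOM).
// The embedded double quote is what turns a URL fragment into a new attribute.
const HOSTILE_ID = '7" onerror="alert(document.cookie)';

// Vulnerable: raw string interpolation into markup. The quote closes the src
// attribute and the remainder becomes an onerror handler that fires as soon
// as the (now bogus) image fails to load.
function avatarMarkupUnsafe(userId) {
  return `<img src="/api/users/${userId}/avatar">`;
}

// Hardened, step 1: accept only the shape a user id is supposed to have.
// Returns the numeric id, or null for anything that is not a positive integer.
function parseUserId(raw) {
  return /^[1-9][0-9]*$/.test(String(raw)) ? Number(raw) : null;
}

// Hardened, step 2: percent-encode the value before it enters the URL, so even
// a value that slipped past validation can neither terminate the src attribute
// nor introduce another one ('"' -> %22, ' ' -> %20, '=' -> %3D).
function avatarSrc(userId) {
  return `/api/users/${encodeURIComponent(String(userId))}/avatar`;
}

function avatarMarkupSafe(userId) {
  return `<img src="${avatarSrc(userId)}">`;
}

// Tiny attribute scanner that makes the difference observable without a
// browser: lists the attribute names present in a single-tag markup string.
function attributeNames(markup) {
  const names = [];
  const re = /\s([A-Za-z-]+)=/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Runs the hostile id through both renderers and the validator.
function demo() {
  return {
    unsafe: attributeNames(avatarMarkupUnsafe(HOSTILE_ID)),   // ["src", "onerror"]
    safe: attributeNames(avatarMarkupSafe(HOSTILE_ID)),       // ["src"]
    validated: parseUserId(HOSTILE_ID),                       // null
  };
}
```

In a real page the safer path is to skip markup strings entirely and assign through DOM properties (`img.src = avatarSrc(id)`), since that sink cannot create attributes at all; the encoding closes the attribute-injection path when markup is unavoidable, and the id allowlist rejects the hostile value before it is ever rendered. Which of these Leantime applied in #3582 beyond "encoding" is not stated on this page.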
New Features
- Content Templates - Introduced a generic content templates domain (#3493)
- My Day Schedule API - Added a getMyDaySchedule API endpoint that respects work hours and timezone (#3579)
- Personal Access Tokens - Added shared AI/MCP support classes and personal access token management (#3560)
- Domain Events - Added class-based domain events and filters with a legacy-string plugin bridge (#3503)
Bug Fixes
- Project Roles - Fixed user role inheritance when adding a user to a project (#3580)
- Kanban View - Fixed a rendering error caused by an undefined variable in the kanban view (#3554)
- General Fixes - Resolved a batch of recently reported bugs (#3555, #3575, #3571, #3568, #3569, #3570, #3577, #3535, #3539, #3536, #3542, #3547)
Improvements
- API Routing - Internal API calls now use canonical domain routes (#3557)
- Form Components - Migrated buttons, text inputs, and textareas to reusable form component primitives (#3564, #3563, #3562, #3558, #3531)
What's Changed
Other Changes
- feat(api): session-scoped mobile endpoints (notifications inbox + calendar) by @marcelfolaron in #3529
- fix(editor): position @mention dropdown beneath the caret by @marcelfolaron in #3530
- fix: resolve recent reported bugs (#3488, #3480, #3467, #3463) by @marcelfolaron in #3532
- fix(deps): promote symfony/yaml to a production dependency by @marcelfolaron in #3543
- fix(blueprints): canvas add/edit item returns 404 (canvasSlug bound to $id) by @marcelfolaron in #3544
- Release v3.9.5 by @marcelfolaron in #3545
- fix: resolve recent reported bugs (#3535, #3539, #3536, #3542) by @marcelfolaron in #3547
- fix: define $groupId variable before Blade component render in kanban view by @GautamKumarOffical in #3554
- feat(components): forms.button — migrate all buttons + establish the role model by @marcelfolaron in #3531
- feat(events): class-based domain events + filters with legacy-string plugin bridge (Tickets pilot) by @marcelfolaron in #3503
- chore(phpstan): raise static analysis to level 2 (429→0, fix-forward) by @marcelfolaron in #3559
- feat(components): forms.text-input no-op primitive + migrate 146 inputs (56 files) by @marcelfolaron in #3558
- feat(core): extract shared AI/MCP support classes and add PAT management by @marcelfolaron in #3560
- chore(phpstan): raise static analysis to level 3 (46→0, fix-forward) by @marcelfolaron in #3561
- chore(phpstan): raise static analysis to level 4 (227→0, dead-code removal) by @marcelfolaron in #3565
- feat(components): forms.textarea no-op primitive + migrate 10 plain textareas by @marcelfolaron in #3562
- feat(components): migrate 44 class=button submit inputs to forms.button by @marcelfolaron in #3563
- chore(phpstan): climb to level 5 (argument types) by @marcelfolaron in #3566
- feat(components): button + text-input completion round 2 (53 missed elements) by @marcelfolaron in #3564
- fix: batch of open bug fixes (#3555, #3575, #3571, #3568, #3569, #3570) by @marcelfolaron in #3577
- fix(users): strip credentials from getUser API responses (#3556) by @gloriafolaron in #3576
- feat(users): getMyDaySchedule @api (work hours + timezone) by @gloriafolaron in #3579
- feat(content-templates): generic templates domain (Phases 1, 3, 3b, 3c, 3d, 4) by @gloriafolaron in #3493
- fix(projects): resolve user role inheritance when adding user to project (supersedes #3572) by @marcelfolaron in #3580
- refactor(js): update internal /api/* calls to canonical domain routes by @ellitedom03 in #3557
- fix(js): encode avatar-src user id to clear CodeQL xss-through-dom alerts by @marcelfolaron in #3582
- harden(plugins): require permission for plugin management + tighten install input by @marcelfolaron in #3583
- harden(security): authz, SSRF, reset-token, LDAP, and stored-XSS fixes by @marcelfolaron in #3584
- Release v3.9.6 by @marcelfolaron in #3585
New Contributors
- @GautamKumarOffical made their first contribution in #3554
- @ellitedom03 made their first contribution in #3557
Full Changelog: v3.9.4...v3.9.6