Zenario 9.3.57754

This update sees some security-related changes to what is available to administrators in admin mode .

Security-related changes in admin mode

In this update, we've done a review of which functions administrators have access to when writing frameworks and Twig Snippet plugins, and have decided to remove a few from Zenario's whitelist to tighten security.

The functions that let frameworks and Twig Snippet plugins look up values of specific columns from the database have been removed.

The functions that let frameworks and Twig Snippet plugins look up any extranet user's name/email/ip/group memberships by user ID have been removed.

The functions that let frameworks and Twig Snippet plugins check any extranet user's permissions has been removed, however there is a new version of this function now available that checks the current extranet user's permissions.

The function that let Twig Snippet plugins look up the values of site settings has been removed, however there is a new version of this function now available when writing frameworks.

Plugin developers writing frameworks can still call public functions from their own module, this has not changed.

Other fixes

Fixed a small security vulnerability in admin mode, where calling the refreshPluginSlot() function for plugins in admin mode was able to bypass the plugin's init() check.

If you have deleted/trashed a content item, you can now create a spare alias to another content item using its tag ID, e.g. html_12.