Ryan Fischbach edited this page Mar 10, 2017 · 43 revisions

BitsTheater Framework Changelog

3.7.0 (2017-Mar-10)

  1. Scenes should also have a Closet folder that active Scenes can descend from.
  2. added Scene::isFieldSortable() to help determine allowed values for sorting; added Scene::getColHeaderHTML() to use the new isFieldSortable().
  3. added Scene::createCssTagBlock() for completeness; still recommend updating CSS file instead.
  4. added SqlBuilder::sanitizeOrderByList() method to match sortable fields with the browser/user-supplied field to sort.
  5. SqlBuilder::addParamIfDefined() should not have or use the $aValueIfEmpty parameter, therefore that parameter has been removed (backwards compatible for existing code).
  6. added SqlBuilder::getUniqueDataKey() to generate unique parameter names / data keys.
  7. added SqlBuilder::addFieldAndParamIfDefined() to match addParamIfDefined().
  8. modified SqlBuilder::getQueryTotals() to toss its own exception so caller knows it is that query that failed, not the main query.
  9. modified DbException to take advantage of PDO's errorInfo property, when defined.
  10. added CLI version of Admin::apiWebsiteUpgrade().
  11. added Strings::toInt() method for changing "" and null to NULL and numeric INT strings to INT.
  12. added Strings::sanitizeFilename() in case you wish to use a filename based on user input - not all-inclusive for every OS, but it is quick and functional for any currently existing file system.
  13. added Strings::errorLog() and AdamEve::errorLog() which are available methods in nearly every class; changed all framework error messages to use errorLog() rather than debugLog().
  14. Actor::getEntityID() is now Actor::getRequestData().
  15. added Actor::createMyScene() to allow descendants to dictate a specific Scene descendant to use rather than force same name as the actor.
  16. added WornForAuditFields::addAuditFieldsForInsert/Update() to allow for being used multiple times within the same query (like a MERGE query).
  17. added WornForFeatureVersioning::addFieldToTable() as a convenience for adding individual fields to a table.
  18. OutputToCSV should really have a means to detect the client LineEnding rather than use a strictly Server-based OS determination.
  19. added checks for Scene variables (csv_opt_*) to set CSV options in the View results_as_csv so that an Actor can tweak CSV output.
  20. added the results_as_txt view as a specialized CSV output that merely outputs a text file using a client's detected line endings.
  21. Auth::checkTicket() now returns TRUE/FALSE, as it was always supposed to, so that descendants can base logic off its result.
  22. modified AuthBasic::insertAuthToken() to require the first OR second parameter defined since both are not needed.
  23. added AuthBasic::getAccountsToDisplay() method and supporting costumes to intelligently return its results.
  24. AuthAccountSet costume and groups page view now uses the json_encode option JSON_FORCE_OBJECT rather than use a home-brewed method to try to do the same thing.
  25. AuthBasicAccount::requestMobileAuth() now has a matching before/after login event methods descendants may override; also fixed default after() method since the model variable used was always empty.
  26. default permission group for default registration code is now 3 (admin) rather than 2 (privileged).
  27. modified the Update Account endpoint to properly account for NULL/1/0 for the value of the is_active flag.
  28. updating an account now checks for the TITAN group whether the group var is an array or just an integer.
  29. added AuthBasicAccount::afterSuccessfulRequestMobileAuthAccount() so descendants can override/add to its behavior.
  30. checking for Model::isConnected() should only be done rarely, like when it needs to run during website install.
  31. added audit fields to the BitsGroups model in every table.
  32. added audit fields to AuthGroups model.
  33. getRes() now supports getting strings from a defined array of strings; or even a nested array of strings.
  34. added several Widgets::build*() convenience methods for various HTML input widgets.
  35. Fragments now support arguments to the get() method so the fragment can use data, if supplied.
  36. added Account List page under Admin menu (view only).
  37. Admin > Website Status page now refreshes itself before being displayed so that it includes any new Models your app may have introduced since the code was last upgraded.
  38. res > Website::js_libs_load_list now uses file=>path just like the other load lists (backwards compatible with intkey=>file).
  39. added PHP-loaded JavaScript objects as meta tag itemprop attributed JSON-encoded data-x attributes to include in HTML for use in JavaScript objects -- allows for easy URL and language localization during page rendering for use in client-side JS code.
  40. added a standard JavaScript confirm style dialog fragment.
  41. Widgets got a lot of attention so they are built to HTML spec; ensure page renders use htmlentities() where needed; use buildWidget() instead of createWidget() for Bootstrap look; improve form security with HoneyBot trap for spambots and autocomplete off for sensitive fields.
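The sortable-field checks in items 2 and 4 above matter because a column name can never be bound as a PDO parameter: the only safe way to honour a browser-supplied sort field is to match it against a fixed list of permitted columns and drop everything else. The following is an added example of that pattern, not BitsTheater's own SqlBuilder or Scene code; the column map, the `a.` table alias and the function names are assumptions for the illustration.

```php
<?php
// Added example (not BitsTheater code): allow-list user-supplied sort fields
// before they reach an ORDER BY clause. Only entries that match a known
// column survive, and the direction is constrained to the two literals.

/**
 * Columns this (hypothetical) account listing permits sorting on, mapped to
 * the exact SQL expression that is allowed to appear in ORDER BY.
 */
const SORTABLE_FIELDS = [
    'account_name' => 'a.account_name',
    'email'        => 'a.email',
    'created_ts'   => 'a.created_ts',
];

function isFieldSortable(string $aField): bool
{
    return array_key_exists($aField, SORTABLE_FIELDS);
}

/**
 * Takes the raw browser value, e.g. "email,created_ts desc,1);DROP TABLE x--",
 * and returns only the recognised entries as "column ASC|DESC" fragments.
 * Unknown or hostile field names are silently dropped rather than quoted,
 * since quoting an identifier chosen by the client is still letting the
 * client pick the column.
 */
function sanitizeOrderByList(string $aRawOrderBy): array
{
    $theResult = [];
    foreach (explode(',', $aRawOrderBy) as $theEntry) {
        $theParts = preg_split('/\s+/', trim($theEntry));
        $theField = strtolower($theParts[0] ?? '');
        $theDir   = strtoupper($theParts[1] ?? 'ASC');
        if (!isFieldSortable($theField)) {
            continue;
        }
        if ($theDir !== 'ASC' && $theDir !== 'DESC') {
            $theDir = 'ASC';
        }
        $theResult[] = SORTABLE_FIELDS[$theField] . ' ' . $theDir;
    }
    return $theResult;
}

/** Falls back to a server-chosen default when nothing the client sent is allowed. */
function buildOrderByClause(string $aRawOrderBy, string $aDefault = 'a.created_ts DESC'): string
{
    $theList = sanitizeOrderByList($aRawOrderBy);
    return ' ORDER BY ' . (empty($theList) ? $aDefault : implode(', ', $theList));
}

// Constructed input: one plain field, one with a direction, one injection attempt.
$theUserInput = 'email,created_ts desc,1);DROP TABLE accounts;--';
echo buildOrderByClause($theUserInput), PHP_EOL;
```

The injection attempt never reaches the SQL string because its first token is not a key of SORTABLE_FIELDS; the clause is assembled only from values the server itself defined.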

3.6.3 (2017-Jan-09)

  1. update PHPMailer library to fix security issues.
  2. add a generic AuthBasic::removeTokensFor(auth_id, acct_id, pattern) so that descendant websites can more easily manipulate tokens.
  3. MySQL 5.7 changed TIMESTAMP columns to disallow NULL by default, so NULL must now be specified explicitly where required.
  4. SqlBuilder::replaceSelectFieldsWith() updated to look for /* FIELDLIST */ and /* /FIELDLIST */ hints so that a complex nested SQL query with JOINs can easily use the getQueryTotals() method, if desired, without breaking the regex that replaces the SELECT ... FROM field list with count() fields.

3.6.2 (2016-Dec-13)

  1. added Account::addMobileHardwareIdsForAutoLogin() which sets the "hardware_ids" field of returned Account information via the get() and getAll() endpoints.

3.6.1 (2016-Nov-30)

  1. APIResponse::setError() added a boolean SetResponseCode parameter
  2. added Arrays::parseCsvParamsStringToArray() util method to convert a CSV string of params into a true associative 2D array.
  3. Fixed AuthBasic::removeStaleTokens(), which was broken because it compared a timestamp with a string (a logic error, not a SQL error).
  4. introduced the MODEL_NAME constant inside app/models so that descendant websites may use IDirected->getProp( ModelClass::MODEL_NAME ) rather than a string which may get misspelled.
  5. refactored fingerprints/circumstances POST vars to parse auth_header_data as if constructed for the HTTP Authorization header so there is only one way to build/parse Broadway Auth data; easier to extend and fewer mistakes that way; modified ping/pong results; added ability to pre-provision hardware ID mapped to an auth account; added traits for HTTP Auth header to make it easier to understand.

3.6 (2016-Nov-02)

  1. BrokenLeg now also provides mnemonic constants for a selection of HTTP error codes, so that the numeric constants for errors can be more obviously tied to those standard codes.
  2. Strings::var_dump() modified to avoid fetching data from DB Cursor objects (PDOStatements).
  3. OutputToCSV modified to accept any object with a fetch() method rather than specifically a PDOStatement.
  4. Created a new costume, IteratedSet, for enabling printing out DB Cursor objects (PDOStatements); modified "results_as_json" view to detect and use printToJson() method, if found; added APIResponse::printToJson() method.
  5. SqlBuilder adds a couple of methods for standardizing logging SQL failures and throwing DbExceptions.
  6. Finally worked out how a costume can enumerate all of its public properties (very useful for exporting data); updated ABitsCostume and ASimpleCostume to export only public properties by default.
  7. Created new AuthAccount API endpoints; updated Auth DB schema (AuthBasic model); updated Permissions and AuthGroups to accommodate as well; "is_active" flag can prevent logins if FALSE.
  8. Added CLI terminal effects (colors, bold, reverse, etc.).

3.5.2 (2016-Sept-27)

  1. Actor static methods are now denied URL access by default
  2. Scene now permits a switch to specifically enable/disable the Pager mechanism (for export purposes).
  3. UserParameterException added INVALID_ARGUMENT_VALUE.
  4. Added WornForRestService::sendRequestToRestService().
  5. Login fixed to handle multiple sessions/windows/devices with anti-CSRF tokens correctly.
  6. Password reset now sets the anti-CSRF token correctly so a JavaScript front-end will actually work as intended.
  7. Upgrade feature (e.g. db schema changes) now displays the error message, if any; also calls the SetupDb::normalizeFeature() non-statically like it should (meaning it can be overridden now).
  8. Added anti-CSRF token mechanism to default Accounts and Rights views.
  9. Fixed OutputToCSV so that an embedded double quote is written as two double quotes (""); also, when field data starts with "+", an "=" is now prepended before the enclosing quotes (="...") so that Excel treats the value as literal text instead of converting it into a formula.
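The two CSV rules in item 9 are worth seeing together, since the second one is easy to misread. Below is an added example, not BitsTheater's OutputToCSV class: it doubles embedded enclosure characters and emits a value that starts with "+" as the string-literal formula ="+...". Note the caveat a reviewer would raise: this preserves a leading "+" (a phone number, say) through Excel, but it is not a defence against CSV/formula injection from user-controlled data, because ="..." is itself a formula and a hostile cell beginning with "=", "-" or "@" is not touched here. The function names and sample rows are constructed for the illustration.

```php
<?php
// Added example (not BitsTheater's OutputToCSV): quote a CSV field the way
// the changelog entry describes. Embedded enclosure characters are doubled
// (RFC 4180), and a value starting with "+" is wrapped as ="..." so that
// Excel displays the original text rather than evaluating it.

function csvEscapeField($aValue, string $aEnclosure = '"'): string
{
    $theValue = (string)$aValue;
    // An enclosure character inside the data becomes two of them ("" for ").
    $theQuoted = $aEnclosure
        . str_replace($aEnclosure, $aEnclosure . $aEnclosure, $theValue)
        . $aEnclosure;
    // Excel may interpret a cell beginning with "+" as a formula rather than
    // text. Prefixing the enclosed value with "=" turns it into the
    // string-literal formula ="+1 555 0100", which Excel shows unchanged.
    if ($theValue !== '' && $theValue[0] === '+') {
        return '=' . $theQuoted;
    }
    return $theQuoted;
}

/** Joins escaped fields into one record; CRLF is the RFC 4180 default. */
function csvRow(array $aFields, string $aLineEnding = "\r\n"): string
{
    return implode(',', array_map('csvEscapeField', $aFields)) . $aLineEnding;
}

// Constructed sample rows exercising the quote-doubling and leading-"+" cases.
$theRows = [
    ['name', 'phone',       'note'],
    ['Ada',  '+1 555 0100', 'said "hello" then left'],
    ['Bob',  '555 0101',    ''],
];
foreach ($theRows as $theRow) {
    echo csvRow($theRow);
}
```

Every field is enclosed unconditionally, which costs a few bytes but removes the need to decide per field whether a comma or line ending inside the data requires quoting.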

3.5.1 (2016-Sept-01)

  1. Output to ICS (vCalendar format) now available.
  2. SetupDb moved into PropCloset so a website can descend from it.

3.5.0 (2016-June-21)

  1. Move configs folder out from [site]/app/configs to just [site]/configs for new sites.
  2. Remove the "no_sessions" workaround which just causes more trouble than it is worth.
  3. Updated PasswordReset feature.
  4. Updated SqlBuilder to handle paged queries easier.
  5. Added UserParameterException.
  6. Updated CLI with a -h param to specify which config to use.
  7. Allow CLI to operate from any folder, not just from the app/cli subfolder.

3.4.5 (2016-May-06)

  1. CLI capability introduced.
  2. getModel()/getProp() can now accept the full class name as its parameter.
  3. Saving list of configuration settings now returns those that were changed.
  4. AuthGroups & BitsGroups refactored to ensure protection from SQL Injection. Admins were the only ones capable of introducing such SQL Injection, so the threat for earlier versions is quite low.
  5. "Action" configuration setting introduced so that Buttons are now an option.
  6. Traits for various classes have been introduced.
  7. CSRF tokens now take advantage of the AuthBasic token mechanism, if available.
  8. The hidden input companion field for checkboxes now has its value default to "0".

3.4.4 (2016-Apr-10)

  1. Actor refactored so the SEO URL transformation can be tweaked on an Actor-by-Actor basis now.
  2. The base Actor public methods cannot be called via URL by default.
  3. BrokenLeg converts Exceptions more completely so that more information is passed to the caller.
  4. Actor names are now converted to class names using the standard function instead of relying on PHP's case insensitive nature.
  5. Several ancestor class names changed so they did not share the same name as their descendant as website installation was starting to get confused about which class to load.
  6. Many new API endpoints exist so that framework features that used to require page renders to accomplish can now be done via a JavaScript front-end calling API routines in the background.
  7. Install now provides an API endpoint to accomplish the entire install process in one call. This allows automation such as Ansible to install a website entirely without human interaction.
  8. Boolean website settings that employed a checkbox widget now work properly when unchecking them.
  9. "Auth" website settings now editable by a non-titan group admin.
  10. PHP 5.5 deprecated code fixed.
  11. Strings::wordWrap() greatly improved to attempt to break on word boundaries.
  12. Improved security for permission related endpoints.

3.3.2 (2016-Mar-03)

  1. Cookie management updated to allow HTTPOnly flag
  2. getProp() smarter in that lower case class names figured out just like Actor class names
  3. Registration cap website option added
  4. Costumes with toJson() methods respected if passed to the "results_as_json" view
  5. CommonMySql costume created to help simplify common model tasks.
  6. Newly introduced CSRF protection mechanism debugged
  7. Admin> Settings page now protected by CSRF protection mechanism

3.3.1 (2016-Feb-01)

  1. Introduced login auto-lockout after X failed attempts per hour.
  2. Introduced CSRF protection for API's using "ajaj" prefix.
  3. Introduced non-cached-auth for API's using "api" prefix.
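Item 1 in this release introduced a lockout after a number of failed logins per hour. The following is an added example of that mechanism, not BitsTheater's own Auth code: a sliding one-hour window of failure timestamps per account, consulted before the password is verified. It assumes PHP 7.4+, keeps its state in memory for the sake of a self-contained run (a real deployment stores the counts in the database or a shared cache so every web worker sees them), and the class and function names are constructed for the illustration.

```php
<?php
// Added example (not BitsTheater code): refuse a login once an account has
// accumulated N failures inside the trailing window, regardless of whether
// the password offered now is correct. Failures expire as the window slides.

final class LoginLockout
{
    private int $maxFailures;
    private int $windowSeconds;
    /** @var array<string, int[]> failure timestamps keyed by account name */
    private array $failures = [];

    public function __construct(int $aMaxFailures = 5, int $aWindowSeconds = 3600)
    {
        $this->maxFailures   = $aMaxFailures;
        $this->windowSeconds = $aWindowSeconds;
    }

    /** Drops failure timestamps that have fallen outside the window. */
    private function pruneFailures(string $aAccount, int $aNow): void
    {
        $theCutoff = $aNow - $this->windowSeconds;
        $this->failures[$aAccount] = array_values(array_filter(
            $this->failures[$aAccount] ?? [],
            fn(int $ts) => $ts > $theCutoff
        ));
    }

    public function isLockedOut(string $aAccount, int $aNow): bool
    {
        $this->pruneFailures($aAccount, $aNow);
        return count($this->failures[$aAccount]) >= $this->maxFailures;
    }

    public function recordFailure(string $aAccount, int $aNow): void
    {
        $this->pruneFailures($aAccount, $aNow);
        $this->failures[$aAccount][] = $aNow;
    }

    public function recordSuccess(string $aAccount): void
    {
        unset($this->failures[$aAccount]);
    }
}

/**
 * Wraps a password check so the lockout is consulted first and every
 * outcome is recorded. Returning false for both "locked out" and "wrong
 * password" avoids telling an attacker which of the two happened.
 */
function attemptLogin(LoginLockout $aLockout, string $aAccount, string $aPassword,
        string $aStoredHash, int $aNow): bool
{
    if ($aLockout->isLockedOut($aAccount, $aNow)) {
        return false; // the password is deliberately not checked while locked out
    }
    if (password_verify($aPassword, $aStoredHash)) {
        $aLockout->recordSuccess($aAccount);
        return true;
    }
    $aLockout->recordFailure($aAccount, $aNow);
    return false;
}

// Constructed demo: five bad passwords lock the account; the correct password
// is refused while still inside the window and accepted once it has slid past.
$theHash    = password_hash('correct horse', PASSWORD_DEFAULT);
$theLockout = new LoginLockout(5, 3600);
$theNow     = time();
for ($i = 0; $i < 5; $i++) {
    attemptLogin($theLockout, 'alice', 'wrong' . $i, $theHash, $theNow + $i);
}
var_dump(attemptLogin($theLockout, 'alice', 'correct horse', $theHash, $theNow + 10));   // still inside the window
var_dump(attemptLogin($theLockout, 'alice', 'correct horse', $theHash, $theNow + 3700)); // window has slid past the failures
```

Keying the lockout by account alone lets anyone who knows a username lock that user out; pairing the account counter with a per-source-address counter, or using progressively longer delays instead of a hard refusal, limits that denial-of-service angle.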

3.3.0 (2016-Jan-15)

  1. Created a standardized API response object, if desired.
  2. Added shutdown code that helps with debugging Out of Memory errors.

3.0.0

  1. Features introduced, version numbers can be displayed and now have meaning.
  2. The CSS classes data-* have been renamed to db-* to avoid HTML5 class conflicts.
  3. SqlBuilder costume class can now handle filters and orderby clauses as well as convert "=" operations into " IN ()" operations if the parameter data is an array.
  4. Actor views will now additionally check app/views/* for their named view PHP file before giving a 404 error so that site-wide views can be re-used rather than copied everywhere. The check is done after checking for the actor/action-specific view and the framework-included site-wide view file in use is the results_as_json.php view.
  5. The base class object now contains debugLog() which does not depend on debug settings in case you want to log something regardless of any of the "is debugging" const or vars such as logging a specific db error.

2.4.9

This version and anything prior was not versioned.
