Ryan Fischbach edited this page Mar 30, 2022 · 43 revisions

BitsTheater Framework Changelog

5.2.3 (2022-Mar-29)

  1. CHANGE/FIX: Disable Org feature failed to detect schema needed updating.
  2. CHANGE/FIX: LogMessage costume error logging now correctly sends to LOG_ERR.
  3. CHANGE/FIX: Fix the "Incorrect datetime value: ‘now’ for column ‘verified_ts’".
  4. added: Send Test Email button to site settings area.
  5. added: 'X-Content-Type-Options: nosniff' header for IE & Edge.

5.2.2 (2022-Jan-06)

  1. CHANGE/FIX: WornForRestService trait fixes request resource leak.
  2. CHANGE/FIX: LogMessage costume to work with more than just strings (nested arrays/objects).
  3. CHANGE/FIX: CurlRequestBuilder now uses the LogMessage costume.
  4. CHANGE/FIX: ancestor of TicketViaMobileApp is now venue\TicketViaAuthHeaderBroadway instead of the wardrobe version so that apps that override that class inherit the changes correctly.
  5. CHANGE/FIX: updated email lib to use latest version.
  6. CHANGE/FIX: updated default rights groups page to not be broken if viewing a suborg.
  7. CHANGE/FIX: updated UUID generation to not use Math.random(), if possible, if needed.
  8. CHANGE/FIX: json encoded logs now have level_num and level is now a name.
  9. CHANGE/FIX: Strings::getAllHeaders() now returns content_type and content_length.
  10. CHANGE/FIX: setcookie() sets 'samesite' to 'Lax' to keep up with evolving browser practice.
  11. added: Orgs may now be easily disabled.
  12. added: endpoint api/account/checkPermission.
  13. added: Director::getRequestOrgID() method to read a header value before reading GET/POST data for 'oid' as org_id.
  14. added: Strings::redactURL() to easily hide passwords embedded in URLs for use in Logs.
  15. added: parameter WornForExportData::getDefaultExportFieldList( $aAddTheseFields=null ) added to easily get and append to default data fields.
  16. added: AuthMobile costume to work with AuthMobile records.

5.2.1 (2021-Feb-25)

  1. CHANGE/FIX: delete account now also deletes child records in the AccountPrefs model.

5.2.0 (2021-Feb-24)

  1. CHANGE/FIX: account update now does not require account_groups_ids parameter.
  2. CHANGE/FIX: org creation placeholders to avoid "group_id" not found error.
  3. added: a hidden last_org AccountPref to remember a user's most recent orgID.

5.1.1 (2020-Dec-16)

  1. CHANGE/FIX: default export account fields should use getDefaultExportFieldList().
  2. CHANGE/FIX: CLI action to create the database should only create tables if none exist; else it derails migration from v3.x to v4.x.

5.1.0 (2020-Dec-09)

  1. BREAKING CHANGE: WornForExportData::appendFieldListWithMapInfo() is now STATIC.
  2. CHANGE: vast speed improvements getting a list of accounts by:
    * setting flags so one big select statement with fields as CSV strings that get parsed is generated instead of generating 3 or more subqueries while looping through fetching data (which may lead to thousands of SQL queries for a single list of a few hundred).
    * exportFieldList parsing done once for the set of results desired instead of n-times during the individual item constructor.
  3. CHANGE/FIX: adding an empty array to a SQL parameter in SqlBuilder treats it as NULL instead of generating "IN ()".
  4. CHANGE/FIX: updating roles assigned to an account now correctly removes roles if more than 25 are defined.
  5. NEW FEATURE: LogMessage costume for easily creating detailed JSON log objects.
  6. added: CLI actionWaitForDbConn script to help facilitate Bash scripts that poke website endpoints.
  7. added: Roles & Orgs now have endpoints to "get X for current org and suborgs" so UI widgets behave correctly.

5.0.0 (2020-Sept-15)

  1. CHANGE: updated to run under PHP 7!
  2. CHANGE/FIX: removing an org from an account also removes all permissions assigned from that org.
  3. CHANGE: Accounts now have an admin-only readable comment field.
  4. CHANGE: CSV output refined: empty quotes are omitted; also omit equal prefix if value contains a comma already (Excel quirk).
  5. added: respect "oid" URL query parameter to automatically set the org to that ID.
  6. added: long running task Interface and Trait helper costumes.

4.5.0 (2020-June-3)

  1. CHANGE: ensure loaded permissions are session cached.
  2. CHANGE: ensure auth group (role) creation contains a parent auth group ID unless it is for Root org.
  3. CHANGE: Config Settings are now session cached per org for faster website response times. However, this means config setting changes will not be seen by browsers until logout/login occurs.
  4. CHANGE: CurlRequestBuilder defaults to 6400K output buffer; added initRequest() to support chaining since createRequest() does not return $this.
  5. CHANGE/FIX: ensure we clear out our session cache on logout.
  6. CHANGE/FIX: CommonMySql::deepConvert of timestamps was never implemented correctly (only worked shallowly), now fixed to actually go deep into the array/object passed in as the name implied.
  7. CHANGE/FIX: modified auth cookie handling to allow multiple simultaneous API calls to consume the same cookie and yet still be secure by consuming the cookie after a short period of time.
  8. NEW FEATURE: ManagedConfig costumes for helping create an easy mechanism to download protected files like a JSON configuration file.
  9. added: Director::getSiteLandingPage() method so it is easier for descendants to do their own thing.
  10. added: MultiOrgProcessor costume for helping descendant classes loop through a set of orgs to process.
  11. added: Strings::diffTime() and Strings::calcExpiresHeader() to help calculate cache duration headers.
  12. added: ConfigResEntry::placeholder property so config settings widgets can display system-defined placeholders for input widgets or set as button labels for actions.
  13. added: The results_as_csv view adds option bUseBOM to prepend the file with a Byte Order Mark to flag the contents as UTF-8 content.
  14. added: The results_as_csv view adds csv_opt_col_names_to_prepend_equal to optionally turn off the Excel helper feature that ensure Excel imports a cell as text-only.
  15. added: The results_as_json view adds output_filename support to optionally set the Content-Disposition header as an attachment for download rather than return the file as web page content.
  16. added: WornForRestService::constructHostUrlParts() to support parseurl() arrays.

4.4.0 (2019-Oct-11)

  1. CHANGE: moved APIResponse and BrokenLeg to Wardrobe so websites can override if need be.
  2. CHANGE: Base costume ABitsCostume::exportData() now calls constructExportObject() to be more in line with other costume behaviors.
  3. CHANGE: added optional org_id parameter to IDirected::getProp() and getConfigSetting().
  4. CHANGE: added http status code param to Actor::setApiResults() since the APIResults costume supports it, too.
  5. CHANGE/FIX: IteratedSet descendant AuthGroupList now defines DEFAULT_ITEM_CLASS.
  6. NEW FEATURE: PropsMaster costume to handle simultaneous models per org connection.
  7. NEW FEATURE: A view script and Auth model methods for handling long running "202" tasks. UI code would poll the endpoint until a 200 is returned with hints about how long to sleep before the next poll in the 202 response.
  8. NEW FEATURE: non-website admin server scripts useful as examples: e.g. search across orgs for a value in a particular table.
  9. NEW FEATURE: AuthMobile rows now support deactivate/re-activate mechanism to handle cases where fingerprint hash needs to be updated due to a factory reset of the device - akin to re-pairing a Bluetooth device.
  10. added: restrictPublicFieldList() and getDefaultExportFieldList() which respects the object's $RESTRICTED_EXPORT_FIELD_LIST array property to WornForExportData trait.
  11. added: AmazonS3 model keeps track of the region being used and provides methods to copy from bucket to bucket and deleting files.

4.3.1 (2019-Aug-22)

  1. IMPORTANT FIX: updating an account to modify org membership will not forget orgs not visible to current one.
  2. added: email reset link venue.
  3. CHANGE/FIX: fixed schema update to return to Root org after looping through all defined orgs.
  4. added: WornForFeatureVersioning::getFieldCollation().
  5. CHANGE/FIX: CommonMySql::deepConvertSQLTimestampsToISOFormat() fixed; also standardized its usage.
  6. added: CommonMySQL helper methods to convert ISO8601 formatted datetimes into MySQL format.
  7. CHANGE/FIX: ARecord::fetchInstanceFromStatement() will now call onFetch() if defined when fetching.
  8. added: ARecord::fetchInstanceFromRow() so the fetch mechanism and events will fire when retrieving data from an in-memory object as if it was fetched from the database itself.
  9. CHANGE/FIX: WornForCLI fixed for a reference to a non-static method inside of a static method.
  10. CHANGE/FIX: ensure non-sequential array SQL parameters are handled correctly by SqlBuilder.
  11. CHANGE/FIX: detect a coding error while passing in an Object as a SQL parameter.
  12. added: Director/Model::stringify() helper method to ensure an array or object will be properly JSON encoded when being used as a SQL parameter.
  13. added: helper method Auth::getOrgsCursor() used to loop through orgs.
  14. added: permission helper method AuthGroups::isAllowedForOrg().
  15. CHANGE/FIX: AuthAccount costume updated to handle extra data better like list of auth groups, hardware IDs, and lockout info.
  16. added: WornForExportData::appendFieldListWithMapInfo().
  17. added: helper method Account::setAuthIsActive() as an alias for Account::setInvitation().
  18. added: AOrgDbModel as an ancestor class to help ensure basic definitions for custom data models.
  19. added: helper String functions to detect and remove the BOM character from text.

4.3.0 (2019-Apr-19)

  1. CHANGE/FIX: ensure venues, orgs, permissions, and cli website upgrade features work as expected.
  2. CHANGE/FIX: ensure the getSiteUrl() and getFullUrl() methods work with their arguments in a similar fashion.
  3. CHANGE/FIX: ensure password reset by email feature still works as expected.
  4. CHANGE/FIX: ensure stable PHP sessions so they are not created too often.
  5. CHANGE/FIX: built-in Accounts web pages fix transition to AuthGroup UUID IDs.
  6. CHANGE/FIX: addressed many warnings by fixing a bunch of typos mainly in catch() blocks.
  7. ensure IDirected interface and their implemented methods have similar PHPDoc declarations.

4.2.2 (2018-Nov-30)

  1. CHANGE/FIX: CLI actionCreateDbSchema needed a default for DBPORT.
  2. CHANGE/FIX: AuthGroups::modifyGroupRights() uses the new AuthGroups::mergeDataForAuthPermissionGroup().
  3. CHANGE: view fragment js-dialog_confirm now allows the caller to override the itemprop attribute and the message for the dialog.
  4. added AuthGroups::mergeDataForAuthPermissionGroup() which uses MERGE SQL rather than DELETE/INSERT.
  5. added AuthAccountInfo helper methods for setting the org and getting the org_id and parent_org_id.

4.2.1 (2018-Nov-08)

  1. CHANGE/FIX: "do no show" condition in rights matrix processor; right was denied, but failed to hide itself.
  2. CHANGE/FIX: CLI actions protect against execution as non-CLI; ensure the correct cli_bootstrap is loaded (in case you have multiple different versions of BitsTheater websites installed and executing from some other website's folder); website upgrade protects against execution if no auth table (since we now have migrate-specific CLI action).
  3. CHANGE: actor ABitsAccount::validatePswdChangeInput() returns $this instead of boolean TRUE.
  4. added ARecord::getContext() method.

4.2.0 (2018-Nov-07)

  1. 4.x REQUIREMENT: PHP 5.6+ required as features are being used that were introduced in that version such as automatic argument wrap/unwrap "..." and class const concatenation.
  2. MIGRATION NOTICE: execute the CLI actionMigrateWebsiteTo4.php script with option -p"install passphrase".
  3. MIGRATION NOTICE: Titan role removed as of 4.1; any account mapped to it will be migrated to use the authgroup with `group_num`=2 (the default is named Admin). Ensure your Admin group has rights defined or you will lock yourself out of the website.
  4. MIGRATION NOTICE: 4.1 moved the PHPMailer library underneath Composer management and its vendor lib folder.
  5. BREAKING CHANGE: Since 4.1, AuthGroups::getAssignedRights() returns array of boolean instead of FORM_VALUEs; added RightsMatrixProcessor::getAssignedRightsForGroup() to return array of FORM_VALUEs to compensate.
  6. BREAKING CHANGE: Since 4.1, Scene now wears the WornForPagerManagement trait. Descendants that also wear that trait may start to complain about it.
  7. BREAKING CHANGE: Since 4.1, added abstract methods getManagedMediaPath() and getMediaStream() to ManagedMediaFile object.
  8. BREAKING CHANGE: Since 4.1, auth mechanisms are now their own classes in app/costumes/venue. All descend from Wardrobe/ATicketForVenue which implements IWillCall.
  9. BREAKING CHANGE: Since 4.1, account session cache now caches entire record not just the ID, including rights, authgroups, and orgs.
  10. CHANGE/FIX: CLI actions in app/cli should all be executable files by default.
  11. CHANGE/FIX: Resources website->framework_version and _seq added and are used instead of SetupDb::FEATURE_VERSION_SEQ.
  12. CHANGE/FIX: updated framework version to be 4.2.0 instead of still saying 3.8.2 :doh:.
  13. CHANGE/FIX: fixed a bug with Auth::getAccountsToDisplay() which tried to limit by group_id and was totally the wrong SQL.
  14. CHANGE/FIX: fix SqlBuilder::addSubQueryForColumn() not returning $this as it should.
  15. CHANGE/FIX: fix AuthGroups::getGroupRegCodes() so it works with pre-4.0 code when no params are passed in; add getRolesToDisplay().
  16. CHANGE/FIX: added actor AuthGroups::groups(), group(), and modify() to support pre-4.0 endpoints.
  17. CHANGE/FIX: default views for accounts and permissions updated to work with 4.x AuthGroups model.
  18. added cli/actionCreateDbSchema and cli/actionMigrateWebsiteTo4 CLI scripts.
  19. added fragments for favicon and extras in header.php view file for easier descendant customized website header information.
  20. added AuthGroups::getRolesToDisplay().

4.1.0 (2018-Oct-08)

  1. 4.x REQUIREMENT: PHP 5.6+ required as features are being used that were introduced in that version such as automatic argument wrap/unwrap "..." and class const concatenation.
  2. MIGRATION NOTICE: Titan role is removed; any account mapped to it will be migrated to use the authgroup with `group_num`=2 (the default is named Admin). Ensure your Admin group has rights defined or you will lock yourself out of the website.
  3. MIGRATION NOTICE: moved the PHPMailer library underneath Composer management and its vendor lib folder.
  4. BREAKING CHANGE: Scene now wears the WornForPagerManagement trait. Descendants that also wear that trait may start to complain about it.
  5. BREAKING CHANGE: added abstract methods getManagedMediaPath() and getMediaStream() to ManagedMediaFile object.
  6. BREAKING CHANGE: auth mechanisms are now their own classes in app/costumes/venue. All descend from Wardrobe/ATicketForVenue which implements IWillCall.
  7. BREAKING CHANGE: account session cache now caches entire record not just the ID, including rights, authgroups, and orgs.
  8. CHANGE/FIX: api/actor/method URL format is now built-in as part of Director::routeRequest() so auth only happens once (occurred twice before this change).
  9. CHANGE/FIX: URL resolution code refactored a bit so it's clearer.
  10. CHANGE/FIX: PHP session management improved to protect against more attack vectors.
  11. CHANGE/FIX: a 25 message limit has been placed on user_msgs so the session list that contains them cannot grow indefinitely.
  12. CHANGE/FIX: top-level BrokenLeg catch now returns proper HTTP response code, if defined.
  13. CHANGE/FIX: a couple of instances where BrokenLeg::tossException() threw an exception now just returns the object.
  14. CHANGE/FIX: IDirected::getConfigSetting() will now return the PHP code defined default if the Config model has a connection issue.
  15. CHANGE: ABitsAccount base class now defines Account::loginAs() as an API Result method.
  16. CHANGE: AuthBasicAccount::ajajDeactivate() now also removes the anti-CSRF, Cookie, and Lockout tokens related to the account. Effectively allows an admin to "reset" an account's locked out status by toggling its Active status.
  17. CHANGE: a database connection exception now returns info about which connection failed.
  18. CHANGE: catch Actor::perform() exceptions and convert to BrokenLeg if determined to be an API result.
  19. CHANGE: removed the legacy Actor::config property, but defines it dynamically to support older code that relies on it.
  20. CHANGE: removed the legacy Scene::_config property, but defines it dynamically to support older code that relies on it.
  21. CHANGE: moved WornForSqlSanitize to Wardrobe so websites can override if need be.
  22. CHANGE: moved RightsMatrixProcessor to Wardrobe so websites can override if need be.
  23. CHANGE: WornForExportData::exportFilter() was modified to protect against PHP warnings if the field does not exist in the source, but needs to always exist in the destination.
  24. CHANGE: changing an account's email will now reset all passwordReset tokens.
  25. CHANGE: SqlBuilder got some love clarifying some methods and adding others. Existing code won't break, but any SQL using the method addParam() should definitely be reviewed for clarity.
  26. CHANGE: refactored methods in AuthAccount/Set CursorCloset classes so descendants can override easier.
  27. CHANGE/FIX: actor Api now tests against a list of method prefixes and only calls upon ones defined with a scope of public, by default.
  28. CHANGE/FIX: ManagedMediaFile is now abstract and defines the abstract getFile() method which it already used but forgot to define.
  29. CHANGE/FIX: MenuItemResEntry class now calls getRes() and getConfigSetting() using its own IDirected context instead of from its _scene property.
  30. CHANGE/FIX: AuthOrg data now flows through the costume and avoids sensitive data leaking in the process.
  31. FIX: Actor::throwPermissionDenied() forgot to use $this->getRes().
  32. FIX: database connection mis-config/error will not cause infinite connection loop anymore.
  33. FIX: WornForPagerManagement trait now calls the correct method name for setPagerSize().
  34. FIX: AuthPasswordReset::deleteAllTokens() now does not check for myNewToken.
  35. FIX: AuthOrg::forModelConnection() and loadParentOrg() fixed.
  36. added Strings::isUUIDtype4() and a bunch of HTTP header normalization methods.
  37. added ManagedMediaFile and FileIOException classes.
  38. added WEBAPP_NAME constant, so WEBAPP_NAMESPACE is now "WEBAPP_NAME . '\'"; allows for the name to be used in places like FEATURE_ID, if desired.
  39. added SiteSettings class; modified templates/code to utilize new class (stops IDE from complaining the config/Settings class is undefined).
  40. added FileUtils::getTempFileName() which returns the name of a temporary file whose existence is managed and cleaned up by PHP when it is no longer needed. Very useful for creating files that only exist long enough for a client to download.
  41. added Strings::getStackTrace() and added support to debugStr()/var_dump for inline-defined functions rather than crash on them.
  42. added Actor::get/setApiResults(), Actor::setApiResultsAsNoContent(), and its alias Actor::setNoContentResponse().
  43. Scenes now support a single IDirected constructor parameter as well as the original Actor and Action constructor.
  44. added CurlRequestBuilder costume. WornForRestService utilizes the new costume.
  45. added "auth account search" feature.
  46. added BrokenLeg::setConditionCode(), setMessage(), and 208 HTTP_ALREADY_REPORTED definition.
  47. added ARecordSet::withContextAndColumns() helper factory constructor to help use ARecord-like costumes in a more understandable fashion.
  48. added ARecordSetPaged rather than add the trait WornForPagerManagement to ARecordSet as it could cause descendants that already have that trait to choke.
  49. added FileUtils::deleteFolder().
  50. added static AdamEve::debugOutput(), which all framework classes descend from.
  51. added CLASS_OF_MAILER const to MailUtils.
  52. added ability for log output to be in JSON format as well as directed output to file.
  53. added Account::ajajChangeOrg().
  54. added DbAdmin::pushOrgSetting().
  55. IteratedSet now implements Countable and IteratorAggregate so that derived classes can be used in foreach() loops.
  56. added new feature: account preferences storage mechanism similar to site config storage. Thanks Pasha!

4.0.0 (2018-Apr-04)

  1. NEW REQUIREMENT: PHP 5.6+ required as features are being used that were introduced in that version (Automatic argument wrap/unwrap "..." and class const concatenation).
  2. MIGRATION NOTICE: Sites using the default AuthBasic model in a previous version will require use of the CLI actionWebsiteUpdate script.
  3. CHANGE: reorganized repo, moving framework code into subfolder called framework.
  4. CHANGE: moved AuthPasswordReset costume base out of CursorCloset and into the new Wardrobe subfolder.
  5. CHANGE: moved DbConnInfo to app/costumes & Wardrobe.
  6. CHANGE: ISqlSanitizer::getDefinedFields() and getSanitizedFieldList() are now static; added getPagerPageSize(), getPagerQueryOffset(), and setPagerTotalRowCount().
  7. CHANGE: internal site "current logged in account" uses AccountInfoCache class along with getMyAccountInfo() and the new createAccountInfoObj() methods.
  8. CHANGE: Auth groups (permission roles) now utilize getTitanGroupID() and introduced model methods for updateName(), updateEmail() and updatePassword() so the actor does not need to create SQL queries; reason: these changes attempt a more model-agnostic codebase.
  9. CHANGE: Feature update code is more verbose (both CLI output and logs) and always updates the Auth model before any other model.
  10. CHANGE: Default Auth model is now AuthOrg rather than AuthBasic which combines many of the basic tables and adds org/suborg tables; otherwise acts the same - but requires use of the CLI actionWebsiteUpdate script to migrate old schemas to the new mechanism.
  11. CHANGE: debugLog(), errorLog(), and getRes() methods to accept any number of parameters rather than a single string. NOTE: this feature uses the unpack operator "..." which requires PHP 5.6+.
  12. CHANGE: make default CLI action args optional.
  13. corrected a bunch of class references, @var types, and phpDoc comments.
  14. DbConnSettings will now check for "charset" and use if found, defaulting to "utf8mb4" if not (prior versions hardcoded a charset of "utf8").
  15. DBConnInfo modified to parse a URI for db connection information, which can be set via a "dbconn-NAME" environment variable rather than a ".ini" file.
  16. added feature to create the database(s) and database user(s) if administrative credentials are supplied during the install wizard.
  17. SqlBuilder defines a const for and enforces the not-equal "<>" standard.
  18. added SqlBuilder nestable transaction methods.
  19. added AdamEve::logErrors() and logStuff() which calls debugStr() on all function args and logAsJSON() which makes it available to most objects.
  20. added Config::getDefinedSettings().
  21. added CLI scripts to push framework files to a remote server.
  22. added Strings::bytesToSemanticSize() and updated Strings::semanticSizeToBytes() to work with up to Yottabyte values (3x beyond Petabyte).
  23. added BrokenLeg::ACT_NOT_ACCEPTABLE and ACT_* consts to several Exception classes that descend from BrokenLeg.
  24. IteratedSet now checks for onFetch() for every record class it fetches in addition to its own object's onFetch() method so that a record class can define its own onFetch() behavior, if desired.
  25. added ARecord::getExportFieldList() to make the protected mExportTheseFields property publicly accessible.
  26. added static helper method ARecord::fetchInstanceFromStatement().
  27. added some ManagedMedia endpoints.
  28. added the "size" property and exportData() method to the FileUploadInfo class.
  29. added FileUtils::getFileSize() and getFileSizeOfStream().
  30. added prototype Amazon S3 support classes.
  31. added a result view that calls obj::printOutput($v).
  32. added Model::getDateTimeAsDbTimestampFormat() method which takes the model dbtype into account.
  33. added sample appdefines.php script.
  34. added actors/Api.php sample script.
  35. added Actor::getMyScene() to help descendants use object typecasting if they override the standard Scene object.
  36. added WornForFeatureVersioning trait methods describeColumn() and isFieldIndexed().
  37. added WornByActor, WornByIDirectedForValidation, WornForExportData, and WornForPagerManagement traits.
  38. introducing a Model const, TABLE_PREFIX_INCLUDES_DB_NAME, to auto-handle adding the DbName to the table name so that utilizing multiple simultaneous databases is easier.

3.8.2 (2017-Oct-27)

  1. BUGFIX: CLI --host long option should be defined as host: so that it will actually accept an input.
  2. CHANGE: added B option to RewriteRule in .htaccess to handle "+" in the URL (encoded or not).
  3. CHANGE: update the standard API error result so that "extra" information can be returned via the "data" property.
  4. CHANGE: expanded many costume constructors to use IDirected rather than the more limited Director as a parameter. Since this is a type-compatible change, no code should be affected by it.
  5. CHANGE: added an optional HTTP response code as a parameter to APIResponse::resultsWithData().
  6. CHANGE: The Permissions Scene now implements WornForSqlSanitize.
  7. clarified several MailUtils type hints and removed superfluous "&" object parameter definitions.
  8. added Director::checkIfAnyAllowed() as a convenience method for checking if any of a set of permissions is allowed.
  9. added a helper exception to Model::query() in order to help developers to catch "not a SQL string" SQL problems.
  10. added WornForFeatureVersioning::isIndexDefined().
  11. added WornForSqlSanitize::getRequestedFieldList().
  12. added BitsGroups::getListForPicker().
  13. added simple CLI script to return a generated UUID.
  14. added CLI script to help determine value for "localhost" when trying to connect to a database via an SSH tunnel while inside a Docker container.

3.8.1 (2017-Jul-04)

  1. CHANGE: ANonDbModel::setupModel() interferes with real DB models being created during install -- renamed setupNonDbModel()
  2. CHANGE: 403/401 discombobulated so consumers of REST endpoints can act appropriately based on the actual auth issue
  3. CHANGE: Director::onShutdown() event should not force an exit() since we're already exiting the script execution and there might be other registered shutdown scripts that need to execute
  4. CHANGE: OutputToCSV should output columns that contain a leading "0" as text just like leading "+".
  5. Added deep SQL-to-ISO datetime converter to CommonMySql
  6. BrokenLeg added ACT_* constants for ease-of-use
  7. checkPermission() added to IDirected to throw 403/401 exception rather than return a boolean like isAllowed()
  8. WornByActor removed in favor of using IDirected
  9. WornForRestService should use initialized properties rather than fixed config names
  10. AuthBasic should not use &params for Object parameters with type hints (unneeded and can cause errors if using function results instead of variables)

3.8.0 (2017-May-26)

  1. BUGFIX: AuthBasicAccount::ajajCreate() endpoint returns to expecting account_group_id as the POST variable name like it did prior to 3.7.0 instead of account_group_ids
  2. BUGFIX: account delete forgot to also delete the group<->account mapping
  3. CHANGE: Director::getModel(), aka getProp(), now throws exceptions if connection fails so that descendants can try/catch them
  4. CHANGE: Scene::getColHeaderLabel() now defaults to returning the column name as the label
  5. CHANGE: Regisseur class (means Stage Manager) now bootstraps the website and CLI use
  6. CHANGE: autoload.php has been removed as it is no longer loaded since Regisseur supplanted it
  7. ensure support for MySQL 5.7
  8. always have WEBAPP_NAMESPACE defined, even if it is just BITS_NAMESPACE by default; if WEBAPP_NAMESPACE.AppDirector class exists, create that as global $director instead
  9. added BrokenLeg::HTTP_MULTISTATUS=207 which reflects a "partial" success
  10. model AuthBasic::registerAccount() now checks the POST variable account_is_active for a wider range of values to indicate true/false
  11. added AuthPasswordReset costume to the CursorCloset so descendants can override it
  12. added FileUtils::isEmptyCSV() to indicate whether a row returned by the standard PHP function fgetcsv() could be considered "empty"
  13. added ARecord, ARecordSet, and ARecordList ancestors for costumes focused on working with table rows
  14. modified cli_bootstrap.php so that an action can override/extend CLI options
  15. added WornForCLI::writeLog() to write a message to the appropriate output stream as well as (errorLog/debugLog/BrokenLeg::toss)
  16. added ISqlSanitizer interface and WornForSqlSanitize trait to help build SQL with a user defined field set and/or a user defined sort and yet protect against SQL Injection attacks
  17. added ISqlSanitizer implementation to Account scene for AuthBasicAccount model to use

3.7.0 (2017-Mar-10)

  1. Scenes should also have a Closet folder that active Scenes can descend from.
  2. added Scene::isFieldSortable() to help determine allowed values for sorting; added Scene::getColHeaderHTML() to use the new isFieldSortable().
  3. added Scene::createCssTagBlock() for completeness; still recommend updating CSS file instead.
  4. added SqlBuilder::sanitizeOrderByList() method to match sortable fields with the browser/user-supplied field to sort.
  5. SqlBuilder::addParamIfDefined() should not have or use the $aValueIfEmpty parameter, therefore that parameter has been removed (backwards compatible for existing code).
  6. added SqlBuilder::getUniqueDataKey() to generate unique parameter names / data keys.
  7. added SqlBuilder::addFieldAndParamIfDefined() to match addParamIfDefined().
  8. modified SqlBuilder::getQueryTotals() to toss its own exception so caller knows it is that query that failed, not the main query.
  9. modified DbException to take advantage of PDO's errorInfo property, when defined.
  10. added CLI version of Admin::apiWebsiteUpgrade().
  11. added Strings::toInt() method for changing "" and null to NULL and numeric INT strings to INT.
  12. added Strings::sanitizeFilename() in case you wish to use a filename based on user input - not all-inclusive for every OS, but it is quick and functional for any currently existing file system.
  13. added Strings::errorLog() and AdamEve::errorLog() which are available methods in nearly every class; changed all framework error messages to use errorLog() rather than debugLog().
  14. Actor::getEntityID() is now Actor::getRequestData().
  15. added Actor::createMyScene() to allow descendants to dictate a specific Scene descendant to use rather than force same name as the actor.
  16. added WornForAuditFields::addAuditFieldsForInsert/Update() to allow for being used multiple times within the same query (like a MERGE query).
  17. added WornForFeatureVersioning::addFieldToTable() as a convenience for adding individual fields to a table.
  18. OutputToCSV should really have a means to detect the client LineEnding rather than use a strictly Server-based OS determination.
  19. added checks for Scene variables (csv_opt_*) to set CSV options in the View results_as_csv so that an Actor can tweak CSV output.
  20. added the results_as_txt view as a specialized CSV output that merely outputs a text file using a client's detected line endings.
  21. Auth::checkTicket() was supposed to return TRUE/FALSE so that descendants can base logic off its results.
  22. modified AuthBasic::insertAuthToken() to require the first OR second parameter defined since both are not needed.
  23. added AuthBasic::getAccountsToDisplay() method and supporting costumes to intelligently return its results.
  24. AuthAccountSet costume and groups page view now uses the json_encode option JSON_FORCE_OBJECT rather than use a home-brewed method to try to do the same thing.
  25. AuthBasicAccount::requestMobileAuth() now has a matching before/after login event methods descendants may override; also fixed default after() method since the model variable used was always empty.
  26. default permission group for default registration code is now 3 (admin) rather than 2 (privileged).
  27. modified the Update Account endpoint to properly account for NULL/1/0 for the value of the is_active flag.
  28. updating an account should check for TITAN group if the group var is an array as well as if it was just an integer.
  29. added AuthBasicAccount::afterSuccessfulRequestMobileAuthAccount() so descendants can override/add to its behavior.
  30. checking for Model::isConnected() should only be done rarely, like when it needs to run during website install.
  31. added audit fields to the BitsGroups model in every table.
  32. added audit fields to AuthGroups model.
  33. getRes() now supports getting strings from a defined array of strings; or even a nested array of strings.
  34. added several Widgets::build*() convenience methods for various HTML input widgets.
  35. Fragments now support arguments to the get() method so the fragment can use data, if supplied.
  36. added Account List page under Admin menu (view only).
  37. Admin > Website Status page should refresh itself before being displayed now to include new Models your app may have introduced since the last time the code was upgraded.
  38. res > Website::js_libs_load_list now uses file=>path just like the other load lists (backwards compatible with intkey=>file).
  39. added PHP-loaded JavaScript objects as meta tag itemprop attributed JSON-encoded data-x attributes to include in HTML for use in JavaScript objects -- allows for easy URL and language localization during page rendering for use in client-side JS code.
  40. added a standard JavaScript confirm style dialog fragment.
  41. Widgets got a lot of attention so they are built to HTML spec; ensure page renders use htmlentities() where needed; use buildWidget() instead of createWidget() for Bootstrap look; improve form security with HoneyBot trap for spambots and autocomplete off for sensitive fields.

3.6.3 (2017-Jan-09)

  1. update PHPMailer library to fix security issues.
  2. add a generic AuthBasic::removeTokensFor(auth_id, acct_id, pattern) so that descendant websites can more easily manipulate tokens.
  3. MySQL 5.7 changes how TIMESTAMP disallows NULL by default, so it must be specified where required.
  4. SqlBuilder::replaceSelectFieldsWith() updated to look for /* FIELDLIST */ and /* /FIELDLIST */ hints so that a complex nested SQL query with JOINs can easily use the getQueryTotals() method, if desired, without screwing up the regex that replaces the SELECT ... FROM field list with count() fields.

3.6.2 (2016-Dec-13)

  1. added Account::addMobileHardwareIdsForAutoLogin() which sets the "hardware_ids" field of returned Account information via the get() and getAll() endpoints.

3.6.1 (2016-Nov-30)

  1. APIResponse::setError() added a boolean SetResponseCode parameter
  2. added Arrays::parseCsvParamsStringToArray() util method to convert a CSV string of params into a true associative 2D array.
  3. AuthBasic::removeStaleTokens() was broken since it compared a timestamp with a string; not a SQL error, but a logic error.
  4. introduced the MODEL_NAME constant inside app/models so that descendant websites may use IDirected->getProp( ModelClass::MODEL_NAME ) rather than a string which may get misspelled.
  5. refactored fingerprints/circumstances POST vars to parse auth_header_data as if constructed for the HTTP Authorization header so there is only one way to build/parse Broadway Auth data; easier to extend and fewer mistakes that way; modified ping/pong results; added ability to pre-provision hardware ID mapped to an auth account; added traits for HTTP Auth header to make it easier to understand.

3.6 (2016-Nov-02)

  1. BrokenLeg now also provides mnemonic constants for a selection of HTTP error codes, so that the numeric constants for errors can be more obviously tied to those standard codes.
  2. Strings::var_dump() modified to avoid fetching data from DB Cursor objects (PDOStatements).
  3. OutputToCSV modified to accept any object with a fetch() method rather than specifically a PDOStatement.
  4. Created a new costume, IteratedSet, for enabling printing out DB Cursor objects (PDOStatements); modified "results_as_json" view to detect and use printToJson() method, if found; added APIResponse::printToJson() method.
  5. SqlBuilder adds a couple of methods for standardizing logging SQL failures and throwing DbExceptions.
  6. Finally figured out how to get a costume to get all its public properties (very useful for exporting data); updated ABitsCostume and ASimpleCostume to export only public properties by default.
  7. Created new AuthAccount API endpoints; updated Auth DB schema (AuthBasic model); updated Permissions and AuthGroups to accommodate as well; "is_active" flag can prevent logins if FALSE.
  8. Added CLI terminal effects (colors, bold, reverse, etc.).

3.5.2 (2016-Sept-27)

  1. Actor static methods are now denied URL access by default
  2. Scene now permits a switch to specifically enable/disable the Pager mechanism (for export purposes).
  3. UserParameterException added INVALID_ARGUMENT_VALUE.
  4. Added WornForRestService::sendRequestToRestService().
  5. Login fixed to handle multiple sessions/windows/devices with anti-CSRF tokens correctly.
  6. Password reset now sets the anti-CSRF token correctly so a JavaScript front-end will actually work as intended.
  7. Upgrade feature (e.g. db schema changes) now displays the error message, if any; also calls the SetupDb::normalizeFeature() non-statically like it should (meaning it can be overridden now).
  8. Added anti-CSRF token mechanism to default Accounts and Rights views.
  9. Fixed OutputToCSV so that double-double-quotes ("") are used whenever double quotes are encountered within data; also check for "+" at start of field data to prevent Excel from converting value to formula, prepend with '=' before enclosure.

3.5.1 (2016-Sept-01)

  1. Output to ICS (vCalendar format) now available.
  2. SetupDb moved into PropCloset so a website can descend from it.

3.5.0 (2016-June-21)

  1. Move configs folder out from [site]/app/configs to just [site]/configs for new sites.
  2. Remove the "no_sessions" workaround which just causes more trouble than it is worth.
  3. Updated PasswordReset feature.
  4. Updated SqlBuilder to handle paged queries easier.
  5. Added UserParameterException.
  6. Updated CLI with a -h param to specify which config to use.
  7. Allow CLI to operate from any folder, not just from the app/cli subfolder.

3.4.5 (2016-May-06)

  1. CLI capability introduced.
  2. getModel()/getProp() can now accept the full class name as its parameter.
  3. Saving list of configuration settings now returns those that were changed.
  4. AuthGroups & BitsGroups refactored to ensure protection from SQL Injection. Admins were the only ones capable of introducing such SQL Injection, so the threat for earlier versions is quite low.
  5. "Action" configuration setting introduced so that Buttons are now an option.
  6. Traits for various classes have been introduced.
  7. CSRF tokens now take advantage of the AuthBasic token mechanism, if available.
  8. The hidden input companion field for checkboxes now has its value default to "0".

3.4.4 (2016-Apr-10)

  1. Actor refactored so the SEO URL transformation can be tweaked on an Actor-by-Actor basis now.
  2. The base Actor public methods cannot be called via URL by default.
  3. BrokenLeg converts Exceptions more completely so that more information is passed to the caller.
  4. Actor names are now converted to class names using the standard function instead of relying on PHP's case insensitive nature.
  5. Several ancestor class names changed so they did not share the same name as their descendant as website installation was starting to get confused about which class to load.
  6. Many new API endpoints exist so that framework features that used to require page renders to accomplish can now be done via a JavaScript front-end calling API routines in the background.
  7. Install now provides an API endpoint to accomplish the entire install process in one call. This allows automation such as Ansible to install a website entirely without human interaction.
  8. Boolean website settings that employed a checkbox widget now work properly when unchecking them.
  9. "Auth" website settings now editable by a non-titan group admin.
  10. PHP 5.5 deprecated code fixed.
  11. Strings::wordWrap() greatly improved to attempt to break on word boundaries.
  12. Improved security for permission related endpoints.

3.3.2 (2016-Mar-03)

  1. Cookie management updated to allow HTTPOnly flag
  2. getProp() is smarter in that lower case class names are figured out just like Actor class names
  3. Registration cap website option added
  4. Costumes with toJson() methods respected if passed to the "results_as_json" view
  5. CommonMySql costume created to help simplify common model tasks.
  6. Newly introduced CSRF protection mechanism debugged
  7. Admin> Settings page now protected by CSRF protection mechanism

3.3.1 (2016-Feb-01)

  1. Introduced login auto-lockout after X failed attempts per hour.
  2. Introduced CSRF protection for API's using "ajaj" prefix.
  3. Introduced non-cached-auth for API's using "api" prefix.

3.3.0 (2016-Jan-15)

  1. Created a standardized API response object, if desired.
  2. Shutdown code that helps debugging Out of Memory errors.

3.0.0

  1. Features introduced, version numbers can be displayed and now have meaning.
  2. The CSS classes data-* have been renamed to db-* to avoid HTML5 class conflicts.
  3. SqlBuilder costume class can now handle filters and orderby clauses as well as convert "=" operations into " IN ()" operations if the parameter data is an array.
  4. Actor views will now additionally check app/views/* for their named view PHP file before giving a 404 error so that site-wide views can be re-used rather than copied everywhere. The check is done after checking for the actor/action-specific view; the framework-included site-wide view file in use is the results_as_json.php view.
  5. The base class object now contains debugLog() which does not depend on debug settings in case you want to log something regardless of any of the "is debugging" const or vars such as logging a specific db error.

2.4.9

This version and anything prior was not versioned.
