2.0-M5

Alf.io 2.0-M5 (2024-09-06)

This is the fifth milestone on our way to Alf.io v2. See Roadmap and full Changelog

What's Changed

Starting from 2.0-M5, we are dropping the old "executable war" file format in favor of a more standard "jar". Please update your instances accordingly.

Security Fixes

• CVE-2024-45300: Bypassing promo code limitations with race conditions - reported by @isacaya
• CVE-2024-45299: preloaded data as json is not escaped correctly - reported and fixed by @syjer

Changelog

• fix package-lock by @syjer in #1318
• add more ua for link preview: this round whatsapp and slack by @syjer in #1319
• delete references for ticket field in legacy tables by @syjer in #1321
• complete fix issue #1320 by @syjer in #1322
• fix issue #1324, handle donations by @syjer in #1325
• restrict lombok annotation use, add config file by @syjer in #1331
• Migrate to springboot 3.2 by @cbellone in #1349
• Initial integration of lit for admin by @syjer in #1353
• update lit, add context and task package by @syjer in #1356
• switch from mjml to mjml4j for build by @syjer in #1358
• Lit admin project banner, wip by @syjer in #1360
• Link subscriptions with categories by @cbellone in #1361
• switch to the new friendly fork of openhtmltopdf by @syjer in #1362
• Fix user-defined donation prices being saved with zero value by @shanebrowncs in #1363
• supporting "percentage fee" additional items by @cbellone in #1357
• port project banner from angularjs to lit by @syjer in #1364
• refactor file upload manager by @syjer in #1365
• add an unified "blob" cache by @syjer in #1366
• Improve error handling on public UI by @cbellone in #1376
• use different UUIDs for reservation/UI and check-in by @cbellone in #1375
• refactor admin: remove old angular-qrcode, use shoelace component by @syjer in #1378
• Bugfix/openid spring security 6 by @cbellone in #1383
• Support Cloudflare turnstile by @cbellone in #1385
• Disable SessionRepositoryFilter when accessing static resources by @syjer in #1386
• preload auth enabled check by @syjer in #1387
• display spinner on submit + refresh category by @cbellone in #1388
• prevent empty reservations to be created in case of high resources contention by @cbellone in #1390
• Improve file handling with if-none-match by @syjer in #1395
• fix OAuth redirection when connecting payment providers by @cbellone in #1396

New Contributors

• @shanebrowncs made their first contribution in #1363
• @isacaya made their first contribution in GHSA-67jg-m6f3-473g

Full Changelog: 2.0-M4-2407...2.0-M5

2.0-M4-2407

Alf.io 2.0-M4-2407 (2024-07-12)

This is the last maintenance release before M5

Full Changelog: 2.0-M4-2402-3...2.0-M4-2407

Bugs fixed

• fix error when loading system configuration
• #1363 Fix user-defined donation prices being saved with zero value (by @shanebrowncs )

New features

• implement Reservation Detail API (sponsored by Eventplane)
• implement ticket check-in status API (sponsored by Eventplane)

2.0-M4-2402-3

Alf.io 2.0-M4-2402-3 (2024-02-26)

This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402

Bugs fixed

• #1337 cannot change name of view column "tai_additional_info" to "e_version" (thanks to @daedric7 for reporting it)

Full Changelog: 2.0-M4-2402-1...2.0-M4-2402-2

2.0-M4-2402-1

Alf.io 2.0-M4-2402-1 (2024-02-24)

This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402

Bugs fixed

• #1334 Can't create Organizations (thanks to @titi1125 for reporting it)
• #1335 Additional Items do not handle discount properly
• #1336 Cannot update additional item policy

Full Changelog: 2.0-M4-2402...2.0-M4-2402-1

Alf.io 2.0-M4-2402

Security Fixes

• CVE-2024-25635: IDOR Vulnerability: Allowing Organization Owner to view the other Organizations API KEY and USERS - reported by @rac-fckscty
• CVE-2024-25634: IDOR make user can read e-mail log sent by other events - reported by @lujiefsi
• CVE-2024-25628: User sessions are not properly terminated - reported by @lujiefsi
• CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload - reported by @PinkDraconian

What's Changed

• Build published on Docker for arm64
• Fix spring-session <-> spring security integration + session removal on user deletion/disable by @syjer in #1214
• Google Wallet integration by @cbellone and @yanaga in #1215
• case insensitive qr code by @cbellone in #1218
• Payments list by @cbellone in #1240
• Configuration API by @cbellone in #1249
• Purchase context level config by @cbellone in #1251
• #1269 Resolved the bug to show correct {{eventName}} on compose message page by @ved-asole in #1275
• Manage additional service quantity by @cbellone in #1308
• unify access resource check in a service by @syjer in #1310
• Date of birth field + additional fields for subscriptions by @cbellone in #1312

New Contributors

• @ved-asole made their first contribution in #1275
• @yanaga made their first contribution in #1215

Full Changelog: 2.0-M4-2304...2.0-M4-2402

Alf.io 2.0-M4-2304

Alf.io 2.0-M4-2304 (2023-04-24)

Security fixes

• CVE-2023-2258 - CSV Injection (High Severity)
• CVE-2023-2259 - Admin Self-inflicted Server-side template injection (High Severity)
• CVE-2023-2260, reset password, disable users, update organization - Multiple IDOR vulnerabilities (High Severity)

please note that all security fixes are related to the Backoffice application. Some of them impact only multi-tenant deployments.
The "public" application was not impacted.

thanks to @huntr-helper contributors: @lujiefsi and @yelprofessor !

Improvements

• create Subscription reservation via API #1183 (sponsored by Eventplane)
• API to retrieve check-in log #1188 (sponsored by Eventplane)
• Refactor payment confirmation #1202 (sponsored by Eventplane)
• Resize images #1209 (sponsored by Eventplane)
• Preload Language #1192
• Custom VAT Application #1193
• Implement Reservation Export #1194
• Manage multiple sponsors scan #1205

Bug fixed

• Fix user admin check #1206

Alf.io 2.0-M4-2301

Alf.io 2.0-M4-2301 (2023-01-14)

Security fixes

• CVE-2023-0300 (low severity) - Self-inflicted XSS
• CVE-2023-0301 (low severity) - Prevent organizers to insert dangerous link within their event description

please note that both security fixes are related to the Backoffice application. The "public" application was not impacted.

thanks to @huntr-helper contributors!

Improvements

• Organization APIs at system level #1083 (sponsored by Eventplane)
• API for linking Subscriptions to an Event #1087 (sponsored by Eventplane)

Bug fixed

• Cannot search reservation by invoice number #1090
• Remove button should not be displayed for checked-in tickets #1093
• Various errors when selecting / deselecting the payment method #1100
• Error on "Confirmed" items on the Additional services page #1108
• Stripe API not working as expected #1159 (thanks to @icougil for reporting it and for helping us debugging it)

Alf.io 2.0-M4-2204

Alf.io 2.0-M4-2204 (2022-04-05)

Security fixes

This release contains a fix for CVE-2022-22965 a.k.a. "Spring Shell". Although we should not be impacted directly (we use jetty instead of tomcat as web server), we advise you to update your instance.

Improvements

• Accessibility improvements on the public reservation process

Bug fixed

• #1054 Error after trying to login to the demo instance (thanks to @PaulGoldschmidt for reporting it)

Alf.io 2.0-M4

Alf.io 2.0-M4 (2022-01-31)

This is the fourth milestone on our way to Alf.io v2. See Roadmap and full Changelog

New Features

• Support Hybrid Events #949 (@cbellone)
• Introduce Subscriptions #987 - Sponsored by Eventplane (@syjer)
• Introduce Extension Capabilities #993 - Sponsored by Eventplane
• Custom Join Links for Online tickets #1017
• OpenID support for end customers #1006
• Enable reverse charge for a specific ticket type #1026
• Define a new API for creating reservations #1035 - sponsored by Eventplane
• Generate tickets automatically for subscriptions owners #1036 - sponsored by Eventplane
• Add additional info to check-in extension #1038

BREAKING CHANGES

this release includes some breaking changes in the database schema, making it incompatible with older versions of alf.io.
It is strongly recommended to perform a full backup of your database before installing it, so that if anything goes wrong you can rollback to the latest 2.0-M3

Fixed Bugs

• Entering organisation or event stripe "Payment Webhook signing secret" may not override system value. #1019
• No way to view "additional options" or "donations" purchased so far. #1012
• Import existing attendees #998
• Transferring events between organisations breaks things #1046
• Cannot edit categories after changing event format #1024

Tech-related changes

• JavaScript Extension engine: Replace Nashorn with Rhino #956 - thanks to @mejrima

Alf.io 2.0-M3-2112-2

Alf.io 2.0-M3-2112-2 (2021-12-18)

This release contains a security fix for the following CVEs:

• CVE-2021-45105
• CVE-2021-45046 (already fixed in 2.0-M3-2112-1)
• CVE-2021-44228 (already fixed in 2.0-M3-2112)

update is strongly recommended