This keeps track of important changes to the 1.x branch.
When you decide to upgrade to a new version, pay attention to the changes documented in this changelog, and the upgrade procedures documented.
Important fixes, changes, notes. Read them carefully.
As of 1.7.2, the Viewmodel class is deprecated, and replaced by the Presenter class. Functionality has remained largely the same, and a Viewmodel alias is present to maintain backward compatibility.
It has proven difficult to explain what a Viewmodel is and does, and why you should use it. Also, having both a classes/view and a views folder was very confusing for a lot of people. It is also a step closer to Fuel v2, where this class is also called Presenter.
Backward compatibility notes
As a result of the security issue mentioned below, the auto-format of the response in the `Request_Curl` class is now disabled by default, as it is possible for a malicious site to construct a response of a specific response type that can lead to code execution. This means that if you use `Request_Curl`, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.
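One way to do the validation described above, as an added example that is not FuelPHP's own code: plain PHP that accepts a body only when its declared content type is on an allow-list, then decodes it with a data-only JSON parser. The function name, the size cap and the sample inputs are assumptions; obtaining the content type and body from `Request_Curl` is not shown.

```php
<?php
// Added example, not part of FuelPHP. parse_remote_response(), MAX_BODY_BYTES
// and the sample inputs below are hypothetical names and constructed values.

const MAX_BODY_BYTES = 1048576; // assumed 1 MiB limit for a remote response

/**
 * Decode a remote response only if its declared type is one we expect.
 * Returns the decoded array; throws on anything unexpected.
 */
function parse_remote_response($contentType, $body, array $allowedTypes = array('application/json'))
{
    // "application/json; charset=utf-8" -> "application/json"
    $parts = explode(';', (string) $contentType, 2);
    $type  = strtolower(trim($parts[0]));

    // The remote side declares the type, so it must never select the decoder:
    // anything outside the allow-list is rejected before the body is touched.
    if (!in_array($type, $allowedTypes, true)) {
        throw new UnexpectedValueException('Refusing response type: ' . $type);
    }
    if (strlen($body) > MAX_BODY_BYTES) {
        throw new LengthException('Response body exceeds size limit');
    }

    // json_decode() only builds arrays and scalars; depth is capped at 16.
    $data = json_decode($body, true, 16);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new UnexpectedValueException('Response is not a valid JSON document');
    }
    return $data;
}

// Constructed sample: an expected JSON response is decoded.
$ok = parse_remote_response('application/json; charset=utf-8', '{"status":"ok","items":[1,2]}');
echo $ok['status'], "\n";

// Constructed sample: a type the application never asked for is refused.
try {
    parse_remote_response('application/x-example', 'anything');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```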
The validation rule `required` no longer treats an input value of `false` as a value, so passing this value will now trigger a validation error.
The PDO driver now returns the error code of the underlying database driver as the error code in the `Database_Exception`, instead of the PDO error code. This allows you to act on specific platform errors.
It also means you lose access to the original generic PDO error code, which you can work around by retrieving the current PDO database connection (through the `connection()` method on the database object) and calling PDO's `errorCode()` method to retrieve the original generic PDO error code.
Removed code (because it was deprecated in v1.7.1 or earlier)
There was one security advisory issued for 1.7.1, which also impacts all previous versions from 1.1 onwards (see http://fuelphp.com/security-advisories). The issue is mitigated in 1.7.2; it is strongly advised that you upgrade as soon as possible, or alternatively follow the advice in the advisory.
A potential vulnerability was discovered in the way column name quoting was done. This has been fixed. It means that coding SQL functions manually, which you could get away with earlier, now requires you to use `DB::expr()` to encapsulate the function.
```php
// old code, no longer works
$result = DB::select("LOWER(\"field\")")->from($table)->execute();

// has to be replaced by
$result = DB::select(DB::expr("LOWER(\"field\")"))->from($table)->execute();
```
Error messages are now escaped, to prevent a possible XSS through the generated error. Note that it is best practice not to display error messages in a production environment, so the possible risk for XSS is deemed to be very low.
- A possible XSS vulnerability in the Profiler output has been fixed.
- `import()` function can now also import third-party classes in APPPATH/vendor.
- When using multiple DB connections, the profiler now shows the connection used for the query.
- The Profiler now html encodes the output to avoid incorrect handling of the ampersand.
- The internal Markdown class has been removed, and replaced by the Composer library.
- Some methods were still defined as `private`. This has been changed to `protected` to allow extension.
- Fully namespaced controllers are now supported. Now you can use class names like Controller\Foo\Bar, Controller_Foo_Bar, or Controller\Foo_Bar.
- The Database layer now has support for nested transactions, either through native SQL support, or via SAVEPOINTS.
- The Agent class has been switched back to the original browscap.org URLs.
- Saving a Lang or Config file will now flush the APC and/or Opcode cache.
- Double quotes inside an HTML tag attribute value are now escaped.
- Debug logging has been added to the Session classes to aid in debugging session loss.
- GZIP compression is now automatically disabled if the client indicates it doesn't support it.
- Unit tests have been adapted where needed to support PHPUnit 4.
- `html_tag` helper function now generates compliant HTML.
- Several pieces of file handling code have been modified to handle Windows file paths better.
- The Autoloader now throws an exception if the class file can be found, but it doesn't contain the class expected.
- The Autoloader now supports loading Traits.
- The shutdown handler now logs any error if it fails to shutdown properly.
- The included PHPSecLib version has been upgraded to the July 1st version of the php5 branch.
- Unit testing now has support for AspectMock.
- An entry to the phpunit xml has been added to run tests in modules.
- Agent: Now correctly uses the defined browser agent instead of the system one.
- `keyval_to_assoc()` method converts key-value pairs into an associative array.
- Arr: When passing an object as key to `get()`, it is now cast to string.
- Asset: Has a new config option "always_resolve", which will do local asset resolving even for absolute URLs.
- Cache: A check is added to avoid possible deadlocks with using files for caching.
- Cache: Now has a driver for Xcache (http://xcache.lighttpd.net).
- Cli: Backtrace output has been rewritten to make it more readable on the commandline.
- Cli: Now has the option to disable output colouring.
- Cli: New methods `stderr` allow you to redirect them to file.
- Config: When saving a config file, the configured permission mask is now applied.
- Controller_Hybrid: Now correctly handles returned array responses.
- Controller_Rest: When no data is returned, "204 NO CONTENT" status is set.
- Controller_Rest: Better support for Digest authentication.
- Controller_Rest: The option to specify the return format in the URL now actually works.
- Database: The PDO driver will now add the `charset` to the DSN if not specified.
- Database: The MySQL drivers no longer use the "AUTOCOMMIT" value, which interferes with table locking.
- `Insert` now has the option to define multiple value sets, to insert multiple rows at once.
- Database: Quoted strings can now be passed to methods without requiring
- DBUtil: Default values are now correctly quoted, instead of escaped.
- DBUtil: Make sure the `COMMENT` keyword appears before
- DBUtil: Now allows you to set a specific DB connection to operate on.
- `field()` without parameter will now correctly return all defined fieldset fields.
- Fieldset: Now has a `delete()` method to remove an existing field from the fieldset.
- `set_fieldset()` now allows you to move a Field to a different fieldset.
- `download()` now has the option to delete the file after download is completed.
- `file_exists()` method that will honour the defined Area.
- File: Fixed possible infinite recursion in
- `Download` now supports the option to select "inline" or "attachment" disposition.
- Form: If no action is specified to `open()`, the current URI will be used.
- Format: CSV conversion methods now have separate config for import and export of CSV data.
- Format: Improved CSV parsing, to support non-standard formats created by Microsoft applications.
- Format: CSV files without headers can now be imported.
- `to_csv()` now allows you to define custom headers.
- Format: Incorrect handling of empty XML tags has been fixed.
- FTP: Fixed directory recursion in
- Inflector: The separator of `friendly_title()` is now configurable.
- Input: Added better support for NGINX.
- Lang: If multiple languages are defined, the lang files are now loaded in the correct order.
- `log_filename` config key allows you to override the generated log file name.
- Model_Crud: Can now correctly handle properties with a
- `like()` method now correctly uses its wildcard parameters.
- Mongo_Db: New method
- Pagination: Logic has been completely rewritten to fix all bugs.
- Pagination: You can now define an offset to shift the active page in the navigation block left or right.
- `set_flash()` now correctly resets the state when setting an existing expired flash value.
- Session: Deleting a session cookie now takes the configured path and domain into account.
- Session: Now has emulation of $_SESSION, to support external code using this to access session data.
- `truncate` method now correctly handles multibyte strings.
- Uri: An empty URI string is valid input for
- Uri: Uri suffixing has been rewritten to accept new long TLD names.
- `valid_string` now allows you to test for "slash" and "backslash".
- `valid_collection` rule allows you to check against a predefined list of values.
- `required` rule no longer treats `false` as a value.
- Viewmodel: Now has the option to unset a variable set on it.
- Auth: The included ORM User model now supports both Ormauth and Simpleauth.
- Auth: Ormgroup's member() method now correctly checks for group membership.
- Auth: Calculating effective user permissions in Ormauth has been fixed.
Opauth: if no nickname is returned by the provider, try to find a match on email address.
- Auth: Ormauth now supports database selection and DB's replication features.
- Email: Recipient names are now quoted to support commas in the name.
- `Mailgun` driver to support sending email through Mailgun's email service.
- Email: SMTP driver now only authenticates once per connection, to facilitate bulk email.
- Email: Added the option to strip or leave HTML comments in the HTML message body.
- `Mandrill` driver to support sending email through Mandrill's email service.
- Email: SMTP driver now supports STARTTLS for secure email. Used for example by Google mail.
- Email: Now has a config option to automatically correct relative protocol URIs in HTML bodies.
- `oil server` now has inline help.
- Oil: Authentication in generated Admin controllers has been fixed.
- Oil: Added the `--module` argument to add module support to the code generation commands.
- Oil: Scaffolding templates are updated for Bootstrap 3.
- `oil test` now supports the PHPunit argument
- `oil test` now supports the PHPunit argument
- `oil generate model` now can generate ORM temporal or nestedset models.
- `--with-viewmodel` switch has been renamed to
- `refine` calls an unknown command, it now lists the ones defined in the Task.
- Oil: Generated view code now works properly cross platform and cross OS.
- `to_array` now also exports EAV value pairs.
- `before_save` observer is now called before the object is checked for changes.
- `disable_event` methods for enabling/disabling observer events.
- `Soft_Delete::purge`, now it actually deletes the purged records.
- Orm: You can now pass custom data when forging an ORM object.
- Orm: Observer_Slug now has a configurable separator.
- Orm: Observer_Slug now allows you to generate duplicate slugs, or to assign slugs manually.
- Orm: Fixed validation of new objects, now all fields are correctly validated.
- Orm: There is now support for
- Orm: There is now support for
- Orm: You can now add custom sanitation code to a model (used when a model object is passed to a View).
- Parser: Twig driver now support
- Parser: Smarty driver now has the same Fuel interface plugins as Twig.
- Parser: Now supports the "Lex" parser (http://github.com/pyrocms/lex).