You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A new per-account demo mode makes an account read-only across the whole admin, with an optional allowlist to still permit editing pages or uploading media.
Demo content resets back to a captured baseline on a timer or with the new bin/plugin api demo:baseline and demo:reset commands, so a shared demo cleans itself up after visitors.
Plugins can add per-user action buttons to the new admin's Users list that run a server-side operation against an account and can hand back a message or a safe redirect (grav-plugin-admin2#115).
Autoloading admin widgets can declare the routes they apply to, so their script loads only on the matching admin screen instead of on every page (grav-plugin-admin2#116).
Improved
Plugin and theme details now include the documentation and issue-tracker links from their blueprint, so the admin can link straight to a project's docs and bug tracker.
The API plugin's own settings are now organized into tabs instead of one long scrolling form.
Plugin-contributed link columns in the new admin's Users list can now show separate visible text from the link they point to (grav-plugin-admin2#111).
Bugfix
Plugin sidebar labels now display in the signed-in user's admin language instead of the site's content language, so the sidebar no longer mixes languages (#14).
Filtering the pages list by published, visible, or routable status now actually filters the results instead of being ignored (grav-plugin-admin2#121).
Saving metadata with several media files selected now updates every selected file instead of only the last one (grav-plugin-admin2#117).
[security] Reading a configuration section through the API no longer exposes stored passwords, API keys, and other secret values in plain text.
[security] A user who can edit pages can no longer move a page to a location outside the pages folder, closing a path that let a page's files be written anywhere the server can write (GHSA-qjq4-jp55-4mx2).
[security] Inviting a new user into a group is now restricted to super administrators, so a user who can only manage accounts can no longer invite someone straight into a super-admin group (GHSA-m86m-jjcg-gcvv).
[security] Changing the API plugin's own settings, such as its CORS policy and rate limiting, now requires a super administrator, so a user with general configuration access can no longer weaken the API's own protections (GHSA-4pqv-2qj5-38fp).