Skip to content

1.0.10

Choose a tag to compare

@rhukster rhukster released this 09 Jul 18:03
a6bc9ce

New

  • A new per-account demo mode makes an account read-only across the whole admin, with an optional allowlist to still permit editing pages or uploading media.
  • Demo content resets back to a captured baseline on a timer or with the new bin/plugin api demo:baseline and demo:reset commands, so a shared demo cleans itself up after visitors.
  • Plugins can add per-user action buttons to the new admin's Users list that run a server-side operation against an account and can hand back a message or a safe redirect (grav-plugin-admin2#115).
  • Autoloading admin widgets can declare the routes they apply to, so their script loads only on the matching admin screen instead of on every page (grav-plugin-admin2#116).

Improved

  • Plugin and theme details now include the documentation and issue-tracker links from their blueprint, so the admin can link straight to a project's docs and bug tracker.
  • The API plugin's own settings are now organized into tabs instead of one long scrolling form.
  • Plugin-contributed link columns in the new admin's Users list can now show separate visible text from the link they point to (grav-plugin-admin2#111).

Bugfix

  • Plugin sidebar labels now display in the signed-in user's admin language instead of the site's content language, so the sidebar no longer mixes languages (#14).
  • Filtering the pages list by published, visible, or routable status now actually filters the results instead of being ignored (grav-plugin-admin2#121).
  • Saving metadata with several media files selected now updates every selected file instead of only the last one (grav-plugin-admin2#117).
  • [security] Reading a configuration section through the API no longer exposes stored passwords, API keys, and other secret values in plain text.
  • [security] A user who can edit pages can no longer move a page to a location outside the pages folder, closing a path that let a page's files be written anywhere the server can write (GHSA-qjq4-jp55-4mx2).
  • [security] Inviting a new user into a group is now restricted to super administrators, so a user who can only manage accounts can no longer invite someone straight into a super-admin group (GHSA-m86m-jjcg-gcvv).
  • [security] Changing the API plugin's own settings, such as its CORS policy and rate limiting, now requires a super administrator, so a user with general configuration access can no longer weaken the API's own protections (GHSA-4pqv-2qj5-38fp).