You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Admin branding now stores a custom sign-in title, subtitle, a toggle to hide the "Powered by Grav CMS" line, and a custom favicon, exposed to the sign-in screen before login (getgrav/grav-plugin-admin2#54).
The branding upload endpoint now accepts a favicon image alongside the light and dark logos.
Bugfix
[security] Password reset and invitation emails now build their links only from your site's own address or an allowlisted origin, so an attacker can no longer redirect a reset link to a server they control and capture the token to take over an account (GHSA-5xc4-j99p-cp4m).
[security] API access tokens can now be invalidated before they expire, so logging out, changing or resetting a password, and disabling an account immediately revoke any tokens already issued to that user (GHSA-m8g9-wxhx-6f86).
New pages now keep only the default values the template author actually set, instead of also copying inherited collection and plugin settings (such as empty sitemap fields) into the page's frontmatter (getgrav/grav-plugin-admin2#53).
Profile avatars now display for accounts whose avatar was stored as a plain filename, instead of appearing blank (getgrav/grav-plugin-api#9).
Permissions granted to a user through group membership are now honored, so a user whose access comes only from a group can again see and use Pages, Media, and Reports (getgrav/grav-plugin-admin2#57).
A group or user with no permissions set is now returned with an empty permission map rather than an empty list, so the admin can add the first permission to it (getgrav/grav-plugin-admin2#58).
Page and media lookups now find pages under a hidden home route, so editing a home child page and its Media panel work when "Hide home route in URLs" is enabled (getgrav/grav-plugin-api#10).