4.0.0-beta.3

🎉 Features

Second-factor auth via time-based one-time codes

TOTP (time-based one-time codes) are now supported for two-factor authentication via the new Kirby\Toolkit\Totp class #5654

<?php 
// /site/config/config.php

return [
  'auth' => [
    'methods' => [
      'password' => ['2fa' => true]
    ]
  ]
];

PHP 8.3 support

Kirby 4 now supports PHP 8.3 and drops support for PHP 8.0. #5774

New Panel Lab

Syntax highlighting in the k-code with prism

New Str::camelToKebab method

<?= Str::camelToKebab('fooBar') // output: foo-bar ?>

New k-text-drawer

this.$panel.drawer.open({
  component: "k-text-drawer",
  props: {
    text: "Hello world"
  }
});

New lab icon

Plugin assets get easily exposed via the PHP API #5641

• New $plugin->assets() collection
• New $plugin->asset('styles.css') method
• New PluginAsset object with many methods, e.g. $plugin->asset('styles.css')->url()
• Plugin asset's media url contains a modification timestamp to easily cachebust (e.g. https://getkirby.com/media/plugins/getkirby/test-plugin/2375797551-472389240/styles.css)
• css() and js() helpers support passing plugin and plugin assets objects to include all assets of the plugin

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->assets(),
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->asset('styles.css'),
]);

New SymmetricCrypto class

User-friendly and safe abstraction for symmetrical authenticated encryption using the PHP sodium extension

use Kirby\Toolkit\SymmetricCrypto;

// encryption/decryption with a password
$crypto     = new SymmetricCrypto(password: 'super secure');
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

// encryption with a random key
$crypto     = new SymmetricCrypto();
$ciphertext = $crypto->encrypt('a very confidential string');
$secretKey  = $crypto->secretKey();

// encryption/decryption with a previously generated key
$crypto     = new SymmetricCrypto(secretKey: $secretKey);
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

More

• New F::safeExtension() method #5760
• New F::safeBasename() method #5760
• New $date->formatWithHandler() method for Kirby date objects that allows to use different date handlers or even the globally configured one (default).

✨ Enhancements

• panel.menu config option can be a closure now that receives the $kirby object as argument
• Floating notifications #5600
• Tweaked styles for choice inputs #5756
  
  
  
• UX improvements for the multiselect and tags inputs #5742
  • Remove the label on top of the selector.
  • Don't show "no options" when query doesn't show any matches and
    creating a new option is allowed. The create button already provides
    enough context of what action is available. For accept: options keep the empty text to give context what's happening.
  • When replacing an existing tag that is an option, the replace button no longer shows #5743
  • Fixed disable state #5749
  • Text block: consistent padding for writer #5727
• Items without links will now automatically be disabled in the breadcrumb
• Search inputs: turn off autocomplete #5775
• Str::date() and its dependents (e.g. F::modified(), File::modified(), Dir::modified()) now respect the globally configured date handler
• Upgrade to Symfony YAML to v6 #5778
• The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
• Removed the error boundary from k-fieldset The error boundary kills the entire field/input if an error occurs, which is way too aggressive and also makes it more difficult to handle errors properly. #5790
• New k-stat component #5801
• New layout prop mixin #5802
• New dumb k-toolbar #5806
• k-navigate: support custom HTML element via element prop
• Textarea supports toggling command, e.g. bold, code… #5837
• New items size full #5849
• New panel.isOffline state
• Checking and writing content lock is skipped when Panel is offline #5890
• Fix PluginAssets::clean() #5836
• Writer supports directly switching from a list to paragraph #5886
• New $helper.field.defaultValue(field) method
• Better default value creation in $helper.field.form(fields)

🐛 Bug fixes

• $site->search() allows to provide a string with field names as $params again #5713
• Exceptions don't prefix i18n keys with error prefix if already prefixed
• $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
• Keep layout settings after changing layout #5726
• Link field: doesn't display site as option anymore #5717
• Writer: adding link, insert text when no selected #5684
• Disabled calendar and time pickers in disabled date and time fields #5735
• Fix custom writer marks and nodes name #5733
• Options, e.g. page options, won't override other roles' permissions anymore #5759
• The tags and multiselect fields hide the add button when disabled #5723
• Page create dialog: validate fields when directly publishing to not create orphaned page on errors #5616
• Selector dropdown: fix glitch when resizing window #5746
• Heading block: support toolbar option for writer #5703
• Consistent @ k-string-input padding
• Writer toolbar: active nodes are correctly handled #5751
• Writer toolbar: paragraph node gets removed when editor doc doesn't support it
• Select options with integer values work properly now #5013
• Fixed reactivity in the fieldset component. This also fixes an issue with auto-filled inputs #5689
• Fix pasting blocks when a required fieldset is not available #5769
• Fix Panel::go() calls in dialog and drawer submit code.
• Plugin asset CSS files no longer miss timestamps in the URL #5164 #148
• Fixed option slot in the items table. The options column was always visible, no matter if the slot was set or not. #5792
• Search now takes access permissions into account what types can be shown #5757
• k-navigate: focusable elements are correctly detected for dynamic content
• Fix styling glitches on k-tag
• The thumb cached is only cleared when the focus point changed #5311
• Toggle field preview: don’t open drawer when the toggle is clicked #5813
• Fix random structure ids #5702
• Fix outside click for blocks #5621
• Fix multiselect for nested blocks #5626
• Fix Search view #5833 #5832
• Fix color field #5850
• Textarea: properly restore selection after upload #5848
• Textarea: fix select files dialog #5847
• Fix Cms\Collection::pagination() return type #5854
• Fix textarea scroll jumps #5251
• Fix ItemImage ratio in list items #5857
• Strip HTML from item title #5856
• Fix writer defaults #5851
• Toggles input: fix background when focused #5843
• No longer show writer toolbar dropdown when there’s just one node #5883
• The Writer Toolbar will ignore default mark/nodes list if no marks/nodes are allowed in writer instance (to not show just separators next to each other, which would be the only default entries that can be rendered) #5885
• Fixed multi-select for wysiwyg mode in blocks field #5874
• Fixed interactions in nested fields in blocks #5880 #5795
• Writer toolbar now isn't just contained to its editor but will extend to space around it if necessary (= toolbar larger than editor), but will ensure not to reach outside viewport. #5449 #5712
• Fix the active state for the quote node in the writer #5894
• Allows to switch directly to paragraph from quote node
• Improved empty content state for object fields
• Content is no longer kept when clearing an object field #5877
• Toolbar: Buttons not clickable in Safari #5442 #5399

♻️ Refactored

• Move k-navigate into a Vue component #5753
• Refactored toolbars for writer and textarea input with new k-toolbar
• Implemented k-block-options with k-toolbar
• Simplify BlockPasteboard #5797

☠️ Deprecated

• The internal method $user->passwordFile() was renamed $user->secretsFile(). The old method is kept as an alias for now but will be removed in a future version.
• Plugin asset urls now include a media hash. If you have hardcoded URLs
  to the plugin's media folder anywhere, you will need to update them to
  work in future versions. Best use $kirby->plugin('plugin/name')->asset('yourAsset.css)->url() #5641
• Deprecated k-plugin-view#5803
• • <k-breadcrumb>: view prop will be removed in a future version. Include in crumbs prop instead. #5799
• k-autocomplete #5823

🚨 Breaking changes

• Kirby now requires at least PHP 8.1
• The file format of the user secrets file (.htpasswd) was changed. The old format with just the password hash is still supported, however v4 can now store additional secrets in a JSON object in the second line of the file. This makes secrets files with a TOTP secret or other secrets incompatible with Kirby 3 sites.
• When defining page, file or user options that override a user’s permissions, roles that aren’t defined in the options now fall back to their general permission whereas previously they were denied. If you want to generally deny other roles than a specific one use the * entry for all other roles inside the options array.
• The Str::date() method and its dependents (e.g. F::modified(), File::modified(), Dir::modified()) no longer use the date handler if a different handler was configured globally with the date.handler option
• Plugin::assets() doesn't return an array anymore, but a PluginAssets collection #5641
• Textarea input now uses k-textarea-toolbar not k-toolbar