
Horilla CRM v1.11.1 — Security, CSRF & Data-Integrity Hardening


Released by @horilla-opensource, 29 May 16:47

Release Date: 29 May 2026
Version: 1.11.1
Status: Security Hardening, CSRF Protection, Data-Integrity Fixes & Form/Stability Maintenance Release


Horilla CRM v1.11.1

Horilla CRM v1.11.1 is a focused hardening and maintenance release that builds on the major v1.11.0 platform. It addresses security vulnerabilities in the mail preview pipeline, restores CSRF protection across state-mutating views, fixes a class of data-integrity bugs around protected stage relationships, and resolves multiple form and OAuth crashes — while standardizing internal imports and completing broad pylint compliance.

This release prioritizes safety, correctness, and stability, smoothing out the rough edges introduced by the large 1.11.0 feature drop without adding features or changing the platform's public interfaces.


This release focuses on:

🔐 Security Fixes (SSTI, IDOR & Mail Permissions)
🛡️ CSRF Protection Restoration
🗃️ Data-Integrity & Protected-Relationship Fixes
🧾 Form Field-Handling & Multi-Step Crash Fixes
📞 OAuth & Meeting Reliability
📅 Booking Calendar & Timezone UX
🧩 Internal Import Shims & Standardization
🧹 Pylint Compliance & Docstring Coverage
📚 Documentation Expansion


The result is a safer, more correct, and production-hardened CRM platform.


Highlights


🔐 Security Fixes

v1.11.1 closes several security issues discovered in the mail subsystem.

Mail Preview Hardening

  • Fixed SSTI (Server-Side Template Injection) information disclosure in the preview endpoint
  • Fixed IDOR (Insecure Direct Object Reference) in the preview endpoint
  • Blocked dangerous template paths
  • Added a per-object permission check before rendering previews
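The three preview fixes listed above, as an added illustration that is not Horilla's code: user text is rendered as data rather than as template source, the template name is checked before it reaches the loader, and the mail is authorized per object before anything renders. The mini template engine, the `SETTINGS` dict, the `User`/`Mail` classes and the sample mail are all constructed for this example.

```python
"""Added illustration (not Horilla code) of the mail-preview hardening: user text is
rendered as data rather than as template source, template names are checked before
they reach the loader, and the mail is authorized per object before anything renders.
All names, the settings dict and the sample mail are constructed for this example."""
import html
import re
from dataclasses import dataclass

# Minimal stand-in for a Django-style engine: "{{ a.b.c }}" walks dotted lookups
# through the context. Real engines do the same, which is why letting a user
# control the template *source* becomes an information-disclosure primitive.
_VAR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def render(source: str, context: dict) -> str:
    def resolve(match) -> str:
        obj = context
        for part in match.group(1).split("."):
            obj = obj.get(part, "") if isinstance(obj, dict) else getattr(obj, part, "")
        return str(obj)
    return _VAR.sub(resolve, source)  # replacement text is never re-scanned


class PermissionDenied(Exception):
    pass


class SuspiciousOperation(Exception):
    pass


@dataclass
class User:
    pk: int
    is_superuser: bool = False


@dataclass
class Mail:
    pk: int
    owner: User
    subject: str
    body: str  # free text typed by the sender; may contain "{{ ... }}"


SETTINGS = {"SECRET_KEY": "constructed-example-secret-key"}  # constructed, not a real key
MAILS: dict[int, Mail] = {}

# Fixed, trusted templates; user text only ever enters them as a context value.
TEMPLATES = {
    "mail/preview.html": "<h1>{{ mail.subject }}</h1><div>{{ body }}</div>",
    "mail/preview_plain.html": "{{ mail.subject }}\n\n{{ body }}",
}


def preview_vulnerable(mail_pk: int) -> str:
    """'Before' pattern (constructed): no caller check (IDOR) and the mail body is
    compiled as template source with settings in scope (SSTI disclosure)."""
    mail = MAILS[mail_pk]
    return render(mail.body, {"mail": mail, "settings": SETTINGS})


def safe_template_name(name: str) -> str:
    """Reject traversal-style values first, then anything outside the allow-list."""
    if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name or ".." in name.split("/"):
        raise SuspiciousOperation(f"rejected template path {name!r}")
    if name not in TEMPLATES:
        raise SuspiciousOperation(f"template not allowed {name!r}")
    return name


def can_view_mail(user: User, mail: Mail) -> bool:
    """Own-record rule: the owner (or a superuser). Role grants would layer on top."""
    return user.is_superuser or mail.owner.pk == user.pk


def preview_hardened(user: User, mail_pk: int, template_name: str) -> str:
    mail = MAILS.get(mail_pk)
    if mail is None or not can_view_mail(user, mail):
        # One response for "missing" and "not yours", so pks cannot be enumerated.
        raise PermissionDenied("no such mail or no access")
    template = TEMPLATES[safe_template_name(template_name)]
    # Body is escaped and passed as a value; settings/request never enter the context.
    return render(template, {"mail": mail, "body": html.escape(mail.body)})


# Constructed sample data: alice owns mail 10, mallory does not.
alice, mallory = User(pk=1), User(pk=2)
MAILS[10] = Mail(pk=10, owner=alice, subject="Quote", body="Hi {{ settings.SECRET_KEY }}")
```

Running `preview_vulnerable(10)` returns the secret inside the rendered text, while `preview_hardened(alice, 10, "mail/preview.html")` returns the literal `{{ settings.SECRET_KEY }}` as inert text; the same call as `mallory`, or with a traversal-style template name, raises before any rendering happens.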

Mail Permission Corrections

  • Replaced incorrect admin-config permissions with proper add / view / change / delete own-record permissions

  • Applied consistently across:

    • All mail views
    • The activity email tab

🛡️ CSRF Protection Restoration

State-mutating views that had been left unprotected are now fully CSRF-guarded.

Restored Protection

  • Removed @csrf_exempt from:

    • CreateStageGroupView
    • CreateOppStageGroupView
    • SaveCalendarPreferencesView
    • SaveCustomStagesView
    • SaveCustomOppStagesView
  • Added {% csrf_token %} to the corresponding HTMX forms and custom stage templates

  • Fixed the 403 errors that the restored checks initially produced on those flows (the built-in forms now send the token; any custom script or integration that POSTs to these views without one will now be rejected with 403, as intended)

  • Retained @csrf_exempt only on the pre-session DB-init wizard views
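A regression check for this kind of fix, added here as an example and not part of the Horilla code base: an audit that parses Python sources for any view still carrying `csrf_exempt` (directly or via `method_decorator`) outside an explicit allow-list, and scans templates for POST or `hx-post` forms without `{% csrf_token %}`. The file names, the allow-list entry `sync_db/views.py:DBInitWizardView` and the sample sources are constructed.

```python
"""Added example (not Horilla code): a CI-style audit that lists every view still
decorated with csrf_exempt outside an explicit allow-list, plus templates whose
POST/hx-post forms lack {% csrf_token %}. File names, the allow-list entry and the
sample sources below are constructed."""
from __future__ import annotations
import ast
import re

# The only exemption that should survive: the pre-session DB-init wizard (hypothetical name).
ALLOWED_EXEMPT = {"sync_db/views.py:DBInitWizardView"}


def _is_csrf_exempt(node: ast.expr) -> bool:
    """True for @csrf_exempt, @x.csrf_exempt and @method_decorator(csrf_exempt, ...)."""
    if isinstance(node, ast.Name):
        return node.id == "csrf_exempt"
    if isinstance(node, ast.Attribute):
        return node.attr == "csrf_exempt"
    if isinstance(node, ast.Call):
        return any(_is_csrf_exempt(a) for a in node.args)
    return False


def find_csrf_exempt(source: str, path: str) -> list[str]:
    """Return 'path:Qualified.Name' for each function/class carrying the decorator."""
    found: list[str] = []

    def visit(node: ast.AST, prefix: str) -> None:
        for child in ast.iter_child_nodes(node):
            if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                qual = prefix + child.name
                if any(_is_csrf_exempt(d) for d in child.decorator_list):
                    found.append(f"{path}:{qual}")
                visit(child, qual + ".")  # also catches @csrf_exempt on dispatch()
            else:
                visit(child, prefix)

    visit(ast.parse(source), "")
    return found


_FORM = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
_MUTATING = re.compile(r"\bmethod\s*=\s*[\"']?post\b|\bhx-(post|put|patch|delete)\b", re.I)


def forms_missing_csrf(template: str, path: str) -> list[str]:
    """Report each state-changing form whose body has no {% csrf_token %} tag.
    If a project injects the token through hx-headers instead, add that pattern here."""
    return [
        f"{path}:form#{i}"
        for i, m in enumerate(_FORM.finditer(template), 1)
        if _MUTATING.search(m.group(1)) and "{% csrf_token %}" not in m.group(2)
    ]


def audit(python_files: dict[str, str], templates: dict[str, str]) -> list[str]:
    findings: list[str] = []
    for path, src in python_files.items():
        findings += [f for f in find_csrf_exempt(src, path) if f not in ALLOWED_EXEMPT]
    for path, tpl in templates.items():
        findings += forms_missing_csrf(tpl, path)
    return findings


# Constructed "before the fix" sources, not the real files.
SAMPLE_PY = {
    "crm/views.py": '''
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt

@method_decorator(csrf_exempt, name="dispatch")  # should be reported
class CreateStageGroupView(View):
    pass

class SaveCustomStagesView(View):                # exemption already removed
    def post(self, request):
        return None

@csrf_exempt                                     # should be reported
def legacy_hook(request):
    return None
''',
    "sync_db/views.py": '''
@method_decorator(csrf_exempt, name="dispatch")  # allow-listed: pre-session wizard
class DBInitWizardView(View):
    pass
''',
}
SAMPLE_TEMPLATES = {
    "crm/stage_form.html": '<form hx-post="/stages/save/">{% csrf_token %}<input name="n"></form>',
    "crm/group_form.html": '<form method="post" action="/groups/">\n<input name="n">\n</form>',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PY, SAMPLE_TEMPLATES):
        print("CSRF:", finding)
```

In a real pipeline the two dicts would be filled by globbing `**/views.py` and `**/templates/**/*.html`, and a non-empty result fails the build; the allow-list is the place where the remaining DB-init wizard exemption is written down and reviewed rather than rediscovered.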

CSRF Failure Experience

  • Added a custom CSRF failure view
  • Added csrf_failure.html for DEBUG=False environments

🗃️ Data-Integrity & Protected-Relationship Fixes

Safe Stage Saving

  • SaveCustomStagesView / SaveCustomOppStagesView now validate the whole submission first, then update existing stages by pk and create new ones, instead of deleting every stage and recreating it from the form

  • Stages removed from the form are deleted only if no leads/opportunities reference them

  • Prevents the ProtectedError raised by the PROTECT FKs on:

    • Lead.lead_status
    • Opportunity.stage
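The validate-first / update-or-create flow described above, as an added example that is not Horilla's code: an in-memory stand-in for the ORM in which `Lead.lead_status` behaves like a PROTECT foreign key, with the old delete-and-recreate path shown beside the new one. The `Db`, `Stage` and `Lead` classes, the `ProtectedError` stand-in and the sample pipeline are constructed.

```python
"""Added example (not Horilla code) of the validate-first / update-or-create stage save,
with an in-memory stand-in for the ORM. Lead.lead_status acts like a PROTECT foreign
key, so deleting a referenced stage fails the way Django's on_delete=PROTECT does."""
from __future__ import annotations
from dataclasses import dataclass, field


class ProtectedError(Exception):
    """Stand-in for django.db.models.ProtectedError."""


class ValidationError(Exception):
    pass


@dataclass
class Stage:
    pk: int
    name: str
    order: int


@dataclass
class Lead:
    pk: int
    lead_status: Stage  # PROTECT FK in the real model


@dataclass
class Db:
    stages: dict[int, Stage] = field(default_factory=dict)
    leads: dict[int, Lead] = field(default_factory=dict)
    next_pk: int = 1

    def referenced(self, stage: Stage) -> bool:
        return any(lead.lead_status.pk == stage.pk for lead in self.leads.values())

    def delete_stage(self, stage: Stage) -> None:
        if self.referenced(stage):  # what PROTECT does at the database layer
            raise ProtectedError(f"stage {stage.pk} is referenced by leads")
        del self.stages[stage.pk]

    def create_stage(self, name: str, order: int) -> Stage:
        stage = Stage(self.next_pk, name, order)
        self.next_pk += 1
        self.stages[stage.pk] = stage
        return stage


def save_stages_naive(db: Db, submitted: list[dict]) -> None:
    """'Before': delete everything, then recreate from the form. Raises on the first
    referenced stage, and has already deleted the unreferenced ones by then."""
    for stage in list(db.stages.values()):
        db.delete_stage(stage)
    for row in submitted:
        db.create_stage(row["name"], row["order"])


def validate(db: Db, submitted: list[dict]) -> None:
    """Whole-form validation before any write: names present, unique, pks known."""
    names = [row["name"].strip() for row in submitted]
    if any(not name for name in names):
        raise ValidationError("stage name required")
    if len({name.lower() for name in names}) != len(names):
        raise ValidationError("duplicate stage names")
    unknown = {row["pk"] for row in submitted if row.get("pk") is not None} - set(db.stages)
    if unknown:
        raise ValidationError(f"unknown stage pks: {sorted(unknown)}")


def save_stages(db: Db, submitted: list[dict]) -> dict:
    """'After': validate first, update rows by pk, create rows without a pk, and
    delete only the dropped stages that no lead references (the rest are retained)."""
    validate(db, submitted)
    kept: set[int] = set()
    for order, row in enumerate(submitted):
        if row.get("pk") is None:
            stage = db.create_stage(row["name"].strip(), order)
        else:
            stage = db.stages[row["pk"]]
            stage.name, stage.order = row["name"].strip(), order
        kept.add(stage.pk)
    dropped = [stage for pk, stage in db.stages.items() if pk not in kept]
    retained: list[int] = []
    for stage in dropped:
        if db.referenced(stage):
            retained.append(stage.pk)  # still in use: keep it instead of raising
        else:
            db.delete_stage(stage)
    return {"kept": sorted(kept), "retained_in_use": retained}


def constructed_db() -> Db:
    """Constructed pipeline: New (pk 1), Qualified (pk 2, used by a lead), Lost (pk 3)."""
    db = Db()
    _new, qualified, _lost = (db.create_stage(n, i) for i, n in enumerate(["New", "Qualified", "Lost"]))
    db.leads[1] = Lead(1, lead_status=qualified)
    return db
```

Submitting a form that keeps "New", drops "Qualified" and "Lost", and adds "Won" deletes only "Lost": "Qualified" is reported under `retained_in_use` because a lead points at it, whereas the naive path raises `ProtectedError` after having already removed "New". A form that fails validation (for instance two stages named "New" and "new") writes nothing at all.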

Bulk Delete Safety

  • GENERICS: _bulk_delete_related now skips M2M relations to prevent ProtectedError during cascade traversal

🧾 Form & Multi-Step Crash Fixes

HorillaModelForm Field Preservation

Switched the following to fields = "__all__" with field_order (and keep_on_form where needed) so base fields are no longer dropped:

  • FiscalYearForm
  • RegionalFormattingForm
  • CompanyFormClassSingle
  • UserFormClass / UserFormSingle (with sensitive fields excluded, is_active reordered to end)
  • ApprovalRuleForm (also dropped the unused process_config field)

Multi-Step Form KeyError Fixes

  • CRM / COMPANY: Removed/guarded direct created_by / updated_by access that crashed because HorillaMultiStepForm strips fields not listed in step_fields
  • Applied across campaign, contact, and company create flows

Review Process Fix

  • REVIEWS: Fixed KeyError on review-process create by adding keep_on_form for is_active

Form Cleanup

  • Removed redundant fields attributes superseded by form_class across:

    • Activity, Dashboard, Report views
    • Forecast target, Assignment rule, Opportunity team, Scoring rule views

📞 OAuth & Meeting Reliability

Meeting Integration

  • Fixed MultipleObjectsReturned on the Zoom / Teams OAuth callbacks

Access-Control UI

  • Constrained the access-control section to the viewport
  • Added a count + eye pill for allowed users/roles
  • Clicking the pill opens a HorillaListView modal
  • Fixed the card-wide click handler

📅 Booking Calendar & UX

Booking Improvements

  • Improved booking calendar UX with timezone-aware slot display
  • Updated booking confirmation rendering
  • Fixed the public date-strip to read date-object properties instead of stale outer-scope day / currentMonth variables
  • Updated booking app locale folder

🧩 Internal Import Shims & Standardization

New Compatibility Shims

  • Added horilla.utils.timezone shim
  • Added horilla.db.models.signals shim
  • Migrated signal and timezone imports across all apps to the new shims
  • Standardized first-party import groups project-wide

Other Core Improvements

  • CORE: "Add Business Hour" button now hides immediately after creation without a page reload
  • BUSINESS_HOUR: Guarded BusinessHourHolidayModalView with a get() that returns a modal-closing script when the BusinessHour pk no longer exists
  • GENERICS: Added cursor-pointer to note/attachment and related-list action buttons

🧹 Code Quality & Cleanup

Pylint Compliance

Added missing class and method docstrings across the platform for:

  • C0115 (missing class docstring)
  • C0116 (missing function/method docstring)

Coverage spans: Activity, Cadences, Core, Dashboard, Meeting, Booking, CRM, sync_db, and all contrib apps.

Standardization

  • Standardized import organization
  • Synced module documentation with the new shim layout

📚 Documentation

  • Added new docs for: booking, forecast targets, lead assignment rules, opportunity teams, scoring rules
  • Expanded docs for: activity, core, dashboard, generics, reports
  • Synced module documentation with the new import-shim conventions

🛠️ Major Fixes

Security

  • Fixed SSTI information disclosure in mail preview
  • Fixed IDOR in mail preview endpoint
  • Corrected HorillaMail own-record permissions

CSRF

  • Restored CSRF protection on stage, stage-group, and calendar-preference views
  • Fixed 403 errors on affected HTMX forms

Data Integrity

  • Prevented ProtectedError on stage deletion (validate-first / update-or-create)
  • Skipped M2M relations in bulk-delete traversal

Forms

  • Prevented HorillaModelForm base fields being dropped
  • Fixed multi-step create KeyError on created_by / updated_by
  • Fixed review-process create KeyError

Meeting / OAuth

  • Fixed MultipleObjectsReturned on Zoom/Teams OAuth callbacks

Booking

  • Fixed date-strip rendering bug

📜 Changelog Summary

v1.11.1 (29 May 2026)

Added

  • Custom CSRF failure view and csrf_failure.html for DEBUG=False
  • horilla.utils.timezone compatibility shim
  • horilla.db.models.signals compatibility shim
  • Access-control count + eye pill with HorillaListView modal (Meeting)
  • New documentation for booking, forecast targets, lead assignment rules, opportunity teams, and scoring rules

Improved

  • Timezone-aware booking slot display and scheduling UX
  • HorillaModelForm field handling across fiscal year, regional formatting, company, user, and approval-rule forms
  • Standardized first-party imports and signal/timezone shims across all apps
  • Business Hour button hides without page reload
  • Broad pylint docstring compliance (C0115 / C0116)
  • Expanded activity, core, dashboard, generics, and reports documentation

Fixed

  • Security: SSTI information disclosure and IDOR in mail preview
  • Security: Incorrect HorillaMail permissions (now correct own-record perms)
  • CSRF 403 errors on stage, stage-group, and calendar-preference views
  • ProtectedError on stage deletion when referenced by leads/opportunities
  • ProtectedError from M2M relations during bulk delete
  • KeyError on multi-step create forms (created_by / updated_by)
  • KeyError on review-process create
  • MultipleObjectsReturned on Zoom/Teams OAuth callbacks
  • Booking date-strip rendering using stale outer-scope variables
  • BusinessHourHolidayModalView crash on deleted records
  • HorillaModelForm base fields being dropped from refactored forms

🎯 Impact

Horilla CRM v1.11.1 hardens the platform delivered in v1.11.0, prioritizing security, data integrity, and reliability.

This release:

  • Closes SSTI and IDOR vulnerabilities in the mail subsystem
  • Restores CSRF protection across state-mutating workflows
  • Prevents data loss from protected stage relationships
  • Fixes multiple form and OAuth crashes
  • Standardizes internal imports for long-term maintainability
  • Completes broad pylint and documentation coverage

Overall

v1.11.1 is a stability and security release that makes the ambitious 1.11.0 feature set production-ready. It resolves the highest-impact bugs and vulnerabilities surfaced after the major release, tightens CSRF and permission handling, and protects against data-integrity failures — delivering a safer, more reliable, and more maintainable CRM platform. 🔒🚀