Alvaro Folgado identified several security issues in Publify that are fixed in this release:
- Rails' protection from CSRF was not active for all actions. This was fixed.
- Devise' password recovery feature was configured to behave differently for existing and non-existing email addresses. This has been changed to use Devise' 'paranoid' mode.
- Publify was vulnerable to CVE-2016-3714, a vulnerability in ImageMagick, on servers with an affected version of ImageMagick installed. It now checks the MIME type of uploaded files based on their content before processing them with ImageMagick.
- Publify used Rails' cookie session store, making it possible to effectively log back in by using an older value of the session cookie. Publify now stores the session data in the database.
- The blog name was not properly escaped in the views used for Devise.
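The content-based MIME check mentioned above, as an added example that is not Publify's own code: the upload's leading bytes are matched against known raster image signatures and the file is only handed to ImageMagick when the sniffed type agrees with the type the client declared. The `SIGNATURES` table and the helper names are assumptions for illustration.

```ruby
# Added example (not Publify's code): content-based image type check to run
# before an upload reaches ImageMagick. A file whose extension or declared
# Content-Type says "image/png" but whose bytes are something else is rejected.

# Magic-number signatures for the raster formats a blog upload is expected to be.
# (Constructed table for this example; extend it only with formats you want to allow.)
SIGNATURES = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Returns the MIME type whose signature matches the start of +bytes+,
# or nil when no known image signature is present.
def sniff_image_type(bytes)
  head = bytes.b[0, 16] # only the leading bytes are needed for the comparison
  SIGNATURES.each do |mime, magics|
    return mime if magics.any? { |magic| head.start_with?(magic) }
  end
  nil
end

# Convenience wrapper for a file on disk: reads just the first 16 bytes.
def sniff_image_file(path)
  sniff_image_type(File.binread(path, 16))
end

# The declared type is what the browser or filename claimed; the sniffed type is
# what the bytes actually are. Process only when both agree, so a non-image
# renamed to .png never reaches ImageMagick.
def safe_to_process?(declared_mime, bytes)
  actual = sniff_image_type(bytes)
  !actual.nil? && actual == declared_mime
end
```
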
Additionally, the following small bugs were fixed:
- There was an error on the sign-in due to the use of a deprecated method in Devise.
- Failed resource uploads were reported as successful.
It is recommended you update to this release as soon as possible.
This release brings a lot of small changes and a few big ones under the hood. The big ones shouldn't really change anything from a functional standpoint right now, but they will allow some new possibilities and directions in the future. Enough with the vague words, here is a list of large or breaking changes:
- Make Publify multiblog-ready: All models should now be directly or indirectly linked to a blog, opening the way for finally supporting multiple blogs in some form. What form? That is still up for debate, but you can join the discussion in the GitHub ticket.
- Replace custom Publify authentication system with Devise. This just gives us less code to maintain ourselves.
- Replace custom Publify authorization system with CanCanCan. As with Devise, it's better to use a well-maintained gem for this.
- Remove Profile model. This wasn't really doing anything in standard Publify, but beware if you've put any customization there.
- Remove long-deprecated view_root method for sidebars. Just some simple house-keeping, but if you haven't been paying attention to Publify's warnings for the past years, this is a breaking change.
- Provide registration mechanism for themes, allowing them to be stored anywhere. This opens the way for turning Publify into a Rails Engine, and for having themes as plug-ins.
As always, there are many small changes as well. See the change log for details.
Publify master has been running on Rails 4.2 for some time, so a new release is long overdue.
Some important changes:
- Dependency on Rails has been updated to 4.2, including recent security fixes.
- Migrations have been rolled up to 113 according to our upgrade policy. You must now first upgrade to at least version 7 before upgrading to the latest version.
- The default bootstrap theme was replaced with bootstrap-2. You can find the old theme at https://github.com/publify/themes-bootstrap.
- A Plain theme was added that uses only Publify's default templates with a sprinkle of custom css.
In addition, there have been numerous smaller changes, bug fixes and improvements. See the change log for details.
Shortly after pushing 8.1.0, we're releasing a quick bugfix one. We obviously have some work to do on automated tests.
#497 Publishing breaks before adding tags and publishing time.
#498 Pages and articles editor appears on 2 lines only
#499 Autosave is broken on PostgreSQL
Released Sunday September the 14th, Publify 8.0.2 is the result of a bug squashing session.
Thank you to our contributors Alexander Markov, Benoit C. Sirois, Hans de Graaff, Soon Van, Tor Helland and Nicolas Bianco.
Très Acton has discovered a risk of denial of service by memory exhaustion in the way user input in Publify comments is parsed.
The editor save bar jumps up and down when typing with inconsistent behavior (#428).
The help messages can't be hidden (#429)
Avatars in the Dashboard's last comments block are not inline with the comment. (#431)
Dashboard inbound links widget is broken (#432)
The admin / content search does not bring anything back (#433)
When creating a post, tags are shown in white on white (#443)
The articles date picker does not allow changing the time the article is published (#444)
Using the articles date picker results in a 500 error (#445)
Marking content as spam using the thumb icon results in a 500 error (#447)
Media library: the JS refactoring removed the lightbox (#454)
Admin / sidebar: the help box should be in a blue block (#456)
Lots of unused assets to clear (#475)
Cancel links are not displayed correctly (#482)
File upload is broken (#488)
Fixes link caching issue (All cached links are the same basically)
Use a relative image path for blogs installed outside of the site root
Fixes archives page caching
Feature and improvement
Improved Russian, Norwegian and French translations
Upgrade to Rails 3.2.18
Add support for a human.txt
This 8.0.1 release fixes the most important bugs we found since the 8.0 release.
- #398: the user-style.css stylesheet is not loaded in the Bootstrap theme
- #399: the note style is not applied.
- #402, #410, #411: deployment crashes on Heroku (thank you @slainer68 for fixing that).
- #412: the editor locally saves the content of the edited note, which means it reloads it when you edit another note, overwriting the legit content.
It's been 5 months since Publify 7.1, and considering the figures, Publify 8.0 is the biggest release we ever pushed in 9 years: 474 commits, 71 issues closed, 8 contributors, 567 files changed, 60,767 additions and 45,166 deletions.
But you probably don't care about numbers that much, except if you're wondering whether or not the project is still alive. TL;DR: it is.
The project itself has seen one big change, moving from Fred's personal GitHub account to a dedicated organization. We have been thinking about it for a while, and we believe it's the best we could do for Publify.
Simpler, better, faster
Last summer, we started to rethink what we wanted Publify to be. At a time when online publishing is more or less split between Wordpress, hosted platforms and static engines, being "only" a blogging platform had no meaning anymore. We started to extend publishing capabilities, choosing short notes pushed to Twitter as a first step before adding more content types. This led to Publify 7.0, and once again we knew it was the way to go.
Before adding these features, we wanted Publify 8.0 to rebuild the whole user experience. It had to be simpler, clearer and better, far from the MS Word 97 style that has prevailed in Web publishing for more than 10 years.
This meant a simpler interface with a single, smaller menu, getting out of the old create / read / update / delete scheme when possible, merging some sections and finally removing lots of things. This also means making the most of large screens' capabilities, using responsive layouts as much as we could, even though it made the job more difficult at some point.
The editor has been completely revamped, following the way opened by both Medium and Ghost. We've pushed aside everything that may distract you from writing. The post settings are one click away from the editor so you won't feel lost anyway. You can even go fullscreen and choose a dark or white background. We know how much work is left to get a really classy tool, but we're working on it.
The notes have also been improved. When replying to a tweet, Publify now displays the original tweet so readers can see the context of the reply.
Users' profiles have been improved too. Each user now has their own detailed page with avatar, contact links, short bio and indeed the published content.
Missing in action
The old categories vs. tags separation is no more. We merged the first into the second as a strict categorization has no real meaning on most blogs. Don't worry about your URLs, we took care of everything, creating the necessary redirects where needed.
The excerpt has been removed. Excerpt was meant to display a different content on the listing page and on the post itself. It was an interesting feature, but only a handful of people, if any, were using it, and it made the editor more complicated than necessary.
The old Typographic theme is not part of the core anymore. It has moved to its own project and will still be maintained.
The old XMLRPC backend has been discontinued. This means Publify does not support desktop clients anymore. This choice has been motivated by the fact that the APIs it was relying on had not been updated for 10 years, and that most desktop editors are not maintained anymore either. Web browsers' capabilities have evolved, and you can now have a fairly decent editor with local saving without the need for a desktop application.
Under the hood
Publify has been around for 9 years now. Rails was not 1.0 yet, and some of our code was older than you can ever imagine.
Publify 8.0 got rid of most of that legacy code. The old Prototype based helpers that made Rails famous back then left the building. Prototype itself has finally been replaced by jQuery, and Rails i18n allowed the Globalize based translation system to enjoy a deserved retirement. Most helpers have been removed too, as most of them were only used in one place.
This should not affect you unless you're running custom themes and plugins. If so, have a look at the Bootstrap theme to see how we're now working.
That's all folks, you can now download Publify, or give it a try on our demo platform.