v0.2.0

Pre-release

@wirehead wirehead released this 17 Jul 19:05

This version is incompatible with 0.1.x databases.

Added

  • Updated environment variable manual.
  • Changed security warnings in the logs.
  • Tombstones for deleted entities.
  • Persistent storage of sessions in Redis.
  • Unit tests for the CLI tooling
  • Templates can now create all of the RBAC entities and users.
  • Blob store for binary objects (photos, audio, videos, etc).
  • SVG support via Vector Graphics proto.
  • JPEG support via Photograph proto.
  • Workflow engine
  • rm3backup generates a catalog file and dumps permissions, credentials, and blobs
  • rm3load can load a backup folder generated by rm3backup in one step
  • rm3admin can peek into identities
  • Improved logging.
  • Predicates can have a URI (for eventual JSON-LD / RDF goodness).
  • Templates can now have an 'index' type

Changed

  • BREAKING: updated to textblocks 0.0.10, which is incompatible with previous versions.
  • Gulpfile refactored into smaller chunks.
  • gulp-clean-css replaces gulp-minify-css.
  • User proto refactored
  • Password paths shuffled
  • Improved default page text to be a bit more beginner-friendly.
  • Default behaviour after editing a page is to redirect back to the page, instead of showing edit again.

Removed

  • node 0.12 support removed.
  • postgres 9.3 support removed. postgres 9.4 now recommended.

Fixed

  • Coverage collection fixed.
  • Icon generation uses picture polyfill instead of accidentally invalid html.
  • If a user provides an invalid cookie for user deserialization (e.g. trying to log in after clearing the database but not the Redis session cache), the error is logged and the request continues as if the user is unauthenticated.

Security

  • RM3_SESSION_SECRET to store the session secret, instead of known hardcoded secret.
  • A bunch of views weren't checking for read access.
  • Password changing has been protected differently from editing a user profile.
  • Passwords are stored as credentials, instead of in the user object.
  • TOTP Two-Factor authentication.
  • CVE-2015-8851: node-uuid prior to 1.4.4 uses an insecure random number generator.
  • CVE-2016-5118: sharp prior to 0.15.0 uses insecure Magick.
  • CWE-400: negotiator prior to 0.6.1 is vulnerable to ReDoS.