- Fix too-early call on
User::getIdentity()when plugin is disabled, for better performance.
- Revert infinite loop check, which results in incorrect redirect URLs.
- Allow arrays in config settings for
allowIps,denyIps,protectedUrls,unprotectedUrls. (thanks @Diewy).
- Fix a potential infinite redirect loop if changing from
httptohttps.
- Fix site-based custom templates not working correctly.
- Add support for custom CP-based templates. (thanks @seibert-io).
- Add support for IPv4 and IPv6 CIDR blocks in allowIps and denyIps config. (thanks @onstuimig).
- Deny access to settings for non-admins.
- Fix redirect URL not using the referrer URL after logging in.
- Fix potential error redirecting to non-site URLs after login. In some cases, this caused redirecting to a cpresources asset.
- Fix cookie not respecting the Craft
defaultCookieDomainconfig setting.
- Fix incorrect
loginUrlroute, causing issues on some site setups (subdirectory installs).
- Allow env variables to be used in allow/deny IPs.
- Fix login path not resolving correctly for some multi-site installs.
- Fix challenge URL not being correct for nested URLs.
- Add
useRemoteIpto opt-in to more stricter IP checks if security is your concern.
- Revert behaviour of using remote IP for checking user IP. Too many issues and edge-cases.
- Fix potential issue splitting multi-line settings (allowIps, denyIps, protectedUrls).
- Fix error introduced in 1.2.9.
- Deprecate
whitelistIps. UseallowIpsinstead. - Deprecate
blacklistIps. UsedenyIpsinstead.
- Fix fetching the IP for a user that could allow spoofing via headers. Vulnerability
IP Whitelist bypassreported by Paweł Hałdrzyński. - Ensure redirect param is validated to prevent malicious redirection. For custom forms, please update the redirect input to use
{{ redirect | hash }}otherwise logins will not work. VulnerabilityOpen-redirectreported by Paweł Hałdrzyński.
- Add
forcedRedirectto force a redirected URL once logging in.
- Fix logging error
Call to undefined method setFileLogging().
- File logging now checks if the overall Craft app uses file logging.
- Log files now only include
GETandPOSTadditional variables.
- Realllly fix live preview from cross-domains.
- Fix error thrown for console requests.
- Re-organise access testing code, and support cross-domain live preview (properly, through tokens).
- Exclude live preview requests from blocking access.
- Fix asset bundles causing style issues in the CP.
- Add support for Regex in protected URLs.
- Fix protected URL comparison taking into account query strings, when it shouldn't.
- Add Craft 3.4 compatibility.
- Fix
yii\base\InvalidConfigExceptionerror thrown in some instances.
- Added Custom login path. Thanks @X-Tender.
- Allow IPs to be whitelisted from login protection.
- Add Protected URLs to set specific URLs (and only those) for password protection.
- Update redirect input. = Fix redirection after login.
- Add lock-out and security behaviour.
- Add multi-site settings.
- Add custom template setting.
- New icon.
- Add override notice for settings fields.
- Fix console requests throwing an error.
- Downgrade requirement to Craft 3.0.x.
- Fix settings not saving.
- Added
enabledsetting.
- Initial release.