Changelog v1.7.2
This keeps track of important changes to the 1.x branch.
When you decide to upgrade to a new version, pay attention to the changes documented in this changelog, and the upgrade procedures documented.
As of 1.7.2, the Viewmodel class is deprecated, and replaced by the Presenter class. Functionality has remained largely the same, and a Viewmodel alias is present to maintain backward compatibility.
It has proven difficult to explain what a Viewmodel is and does, and why you should use it. Also, having a classes/view and a views folder was very confusing for a lot of people. It is also a step closer to Fuel v2, where this class is also called Presenter.
As a result of the security issue mentioned below, the auto-format of the response in the Request_Curl class is now disabled by default, as it is possible for a malicious site to construct a response of a specific response type that can lead to code execution. This means that if you use Request_Curl, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.
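One way to validate a remote response before processing it, as an added example that is not part of the Fuel code base. It is plain PHP that takes the raw body and Content-Type header as strings; the function name `validate_remote_json()`, the size and depth limits, and the expected field list are hypothetical.

```php
<?php
// Added example: validate an untrusted remote response before using it.
// validate_remote_json(), its limits and the field list are hypothetical.

function validate_remote_json($content_type, $body, array $expected, $max_bytes = 65536)
{
    // Accept exactly one media type; never let the remote header pick the parser.
    $parts = explode(';', (string) $content_type);
    $media_type = strtolower(trim($parts[0]));
    if ($media_type !== 'application/json') {
        throw new UnexpectedValueException('unexpected content type');
    }
    if (!is_string($body) || strlen($body) > $max_bytes) {
        throw new UnexpectedValueException('body missing or too large');
    }

    // With assoc=true json_decode() yields only scalars and arrays;
    // the depth argument bounds how deeply the data may be nested.
    $data = json_decode($body, true, 8);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new UnexpectedValueException('body is not a valid JSON structure');
    }

    // Allow-list: copy only the expected fields, each with the expected type.
    // Anything else the remote side sent is left behind.
    $clean = array();
    foreach ($expected as $field => $type) {
        if (!array_key_exists($field, $data) || gettype($data[$field]) !== $type) {
            throw new UnexpectedValueException("field '$field' missing or wrong type");
        }
        $clean[$field] = $data[$field];
    }
    return $clean;
}

// Constructed sample input, standing in for a response from a remote API.
$expected = array('id' => 'integer', 'name' => 'string');
$body = '{"id": 7, "name": "fuel", "extra": [1]}';
var_dump(validate_remote_json('application/json; charset=utf-8', $body, $expected));

try {
    // The remote side announces a different format: rejected before any parsing.
    validate_remote_json('text/plain', $body, $expected);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```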
The required validation rule no longer treats an input value false as a value, so passing this value will now trigger a validation error.
The PDO driver now returns the error code of the underlying database driver back as the error code in the Database_Exception, instead of the PDO error code. This allows you to act on specific platform errors.
It also means you lose access to the original generic PDO error code, which you can work around by retrieving the current PDO database connection (through the connection() method on the database object) and calling PDO's errorCode() method to retrieve the original generic PDO error code.
None.
There was one security advisory issued for 1.7.1, which also impacts all previous versions from 1.1 onwards (see http://fuelphp.com/security-advisories). The issue is mitigated in 1.7.2; it is strongly advised that you upgrade as soon as possible, or alternatively follow the advice in the advisory.
A potential vulnerability was discovered in the way column name quoting was done. This has been fixed. As a result, coding SQL functions manually, which was something you could get away with earlier, now requires you to use DB::expr() to encapsulate the function.
// old code, no longer works
$result = DB::select("LOWER(\"field\")")->from($table)->execute();
// has to be replaced by: DB::expr() passes the function call through without column-name quoting
$result = DB::select(DB::expr("LOWER(\"field\")"))->from($table)->execute();
Error messages are now escaped, to prevent a possible XSS through the generated error. Note that it is best practice not to display error messages in a production environment, so the possible risk for XSS is deemed to be very low.
- A possible XSS vulnerability in the Profiler output has been fixed.
- The import() function can now also import third-party classes in APPPATH/vendor.
- When using multiple DB connections, the profiler now shows the connection used for the query.
- The Profiler now html encodes the output to avoid incorrect handling of the ampersand.
- The internal Markdown class has been removed, and replaced by the Composer library.
- Some methods were still defined as private. This has been changed to protected to allow extension.
- Fully namespaced controllers are now supported. Now you can use class names like Controller\Foo\Bar, Controller_Foo_Bar, or Controller\Foo_Bar.
- The Database layer now has support for nested transactions, either through native SQL support, or via SAVEPOINTS.
- The Agent class has been switched back to the original browscap.org URLs.
- Saving a Lang or Config file will now flush the APC and/or Opcode cache.
- Double quotes inside an HTML tag attribute value are now escaped.
- Debug logging has been added to the Session classes to aid in debugging session loss.
- GZIP compression is now automatically disabled if the client indicates it doesn't support it.
- Unit tests have been adapted where needed to support PHPUnit 4.
- The html_tag helper function now generates compliant HTML.
- Several pieces of file handling code have been modified to handle Windows file paths better.
- The Autoloader now throws an exception if the class file can be found, but it doesn't contain the class expected.
- The Autoloader now supports loading Traits.
- The shutdown handler now logs any error if it fails to shutdown properly.
- The included PHPSecLib version has been upgraded to the July 1st version of the php5 branch.
- Unit testing now has support for AspectMock.
- An entry to the phpunit xml has been added to run tests in modules.
- Agent: Now correctly uses the defined browser agent instead of the system one.
- Arr: New keyval_to_assoc() method converts key-value pairs into an associative array.
- Arr: When passing an object as key to get(), it is now cast to string.
- Asset: Has a new config option "always_resolve", which will do local asset resolving even for absolute URLs.
- Cache: A check is added to avoid possible deadlocks with using files for caching.
- Cache: Now has a driver for Xcache (http://xcache.lighttpd.net).
- Cli: Backtrace output has been rewritten to make it more readable on the command line.
- Cli: Now has the option to disable output colouring.
- Cli: New methods stdout and stderr allow you to redirect them to file.
- Config: When saving a config file, the configured permission mask is now applied.
- Controller_Hybrid: Now correctly handles returned array responses.
- Controller_Rest: When no data is returned, "204 NO CONTENT" status is set.
- Controller_Rest: Better support for Digest authentication.
- Controller_Rest: The option to specify the return format in the URL now actually works.
- Database: The PDO driver will now add the charset to the DSN if not specified.
- Database: The MySQL drivers no longer use the "AUTOCOMMIT" value, which interferes with table locking.
- Database: Insert now has the option to define multiple value sets, to insert multiple rows at once.
- Database: Quoted strings can now be passed to methods without requiring DB::expr().
- DBUtil: Default values are now correctly quoted, instead of escaped.
- DBUtil: Make sure the COMMENT keyword appears before AFTER and BEFORE.
- DBUtil: Now allows you to set a specific DB connection to operate on.
- Fieldset: field() without parameter will now correctly return all defined fieldset fields.
- Fieldset: Now has a delete() method to remove an existing field from the fieldset.
- Fieldset_Field: set_fieldset() now allows you to move a Field to a different fieldset.
- File: download() now has the option to delete the file after download is completed.
- File: New file_exists() method that will honour the defined Area.
- File: Fixed possible infinite recursion in delete_dir().
- File: Download now supports the option to select "inline" or "attachment" disposition.
- Form: If no action is specified to open(), the current URI will be used.
- Format: CSV conversion methods now have separate config for import and export of CSV data.
- Format: Improved CSV parsing, to support non-standard formats created by Microsoft applications.
- Format: CSV files without headers can now be imported.
- Format: to_csv() now allows you to define custom headers.
- Format: Incorrect handling of empty XML tags has been fixed.
- FTP: Fixed directory recursion in delete_dir().
- Inflector: The separator of friendly_title() is now configurable.
- Input: Added better support for NGINX.
- Lang: If multiple languages are defined, the lang files are now loaded in the correct order.
- Log: New log_filename config key allows you to override the generated log file name.
- Model_Crud: Can now correctly handle properties with a null value.
- Mongo_Db: like() method now correctly uses its wildcard parameters.
- Mongo_Db: New method list_collections().
- Pagination: Logic has been completely rewritten to fix all bugs.
- Pagination: You can now define an offset to shift the active page in the navigation block left or right.
- Session: set_flash() now correctly resets the state when setting an existing expired flash value.
- Session: Deleting a session cookie now takes the configured path and domain into account.
- Session: Now has emulation of $_SESSION, to support external code using this to access session data.
- Str: The truncate method now correctly handles multibyte strings.
- Uri: An empty URI string is valid input for Uri::create().
- Uri: Uri suffixing has been rewritten to accept new long TLD names.
- Validation: valid_string now allows you to test for "slash" and "backslash".
- Validation: New valid_collection rule allows you to check against a predefined list of values.
- Validation: The required rule no longer treats false as a value.
- Viewmodel: Now has the option to unset a variable set on it.
- Auth: The included ORM User model now supports both Ormauth and Simpleauth.
- Auth: Ormgroup's member() method now correctly checks for group membership.
- Auth: Calculating effective user permissions in Ormauth has been fixed.
- Auth: Opauth: if no nickname is returned by the provider, try to find a match on email address.
- Auth: Ormauth now supports database selection and DB's replication features.
- Email: Recipient names are now quoted to support commas in the name.
- Email: New Mailgun driver to support sending email through Mailgun's email service.
- Email: SMTP driver now only authenticates once per connection, to facilitate bulk email.
- Email: Added the option to strip or leave HTML comments in the HTML message body.
- Email: New Mandrill driver to support sending email through Mandrill's email service.
- Email: SMTP driver now supports STARTTLS for secure email. Used for example by Google mail.
- Email: Now has a config option to automatically correct relative protocol URIs in HTML bodies.
- Oil: oil server now has inline help.
- Oil: Authentication in generated Admin controllers has been fixed.
- Oil: Added the --module argument to add module support to the code generation commands.
- Oil: Scaffolding templates are updated for Bootstrap 3.
- Oil: oil test now supports the PHPUnit argument --testsuite.
- Oil: oil test now supports the PHPUnit argument --debug.
- Oil: oil generate model now can generate ORM temporal or nestedset models.
- Oil: the --with-viewmodel switch has been renamed to --with-presenter.
- Oil: when refine calls an unknown command, it now lists the ones defined in the Task.
- Oil: Generated view code now works properly cross platform and cross OS.
- Orm: to_array now also exports EAV value pairs.
- Orm: The before_save observer is now called before the object is checked for changes.
- Orm: New enable_event and disable_event methods for enabling/disabling observer events.
- Orm: Fixed Soft_Delete::purge, now it actually deletes the purged records.
- Orm: You can now pass custom data when forging an ORM object.
- Orm: Observer_Slug now has a configurable separator.
- Orm: Observer_Slug now allows you to generate duplicate slugs, or to assign slugs manually.
- Orm: Fixed validation of new objects, now all fields are correctly validated.
- Orm: There is now support for DB::expr() in ORM select().
- Orm: There is now support for select('*').
- Orm: You can now add custom sanitation code to a model (used when a model object is passed to a View).
- Parser: Twig driver now supports Input::post, Session::get and Auth::check.
- Parser: Smarty driver now has the same Fuel interface plugins as Twig.
- Parser: Now supports the "Lex" parser (http://github.com/pyrocms/lex).