v1.2.12

UX/UI Improvements

• Added support for tel form field.

Bug Fixes

• Fixed z-index on MediaManager move dropdown.
• Fixed support for config properties on URL fields.
• Fixed issue where dynamically extending a class to add behaviors could fail if the behavior had been added before.

Security Improvements

• Added protection against privilege escalation attack from authenticated backend users.

Performance Improvements

• Moved Vite rendering to {% styles %} Twig tag instead of {% scripts %} to prevent FOUC.

Dependencies

• Improved support for PHP 8.4.

Full Changelog: v1.2.11...v1.2.12

v1.1.12

Security improvements

• Added protection against privilege escalation attack from authenticated backend users.

Full Changelog: v1.1.11...v1.1.12

v1.0.477

Security improvements

• Added protection against privilege escalation attack from authenticated backend users.

Full Changelog: v1.0.476...v1.0.477

v1.2.11

UX/UI Improvements

• Added "Failed Logins" tab to the User account form in the backend to view the throttle records of users and be able to manually unthrottle IPs.
• Reorganized the fields on the user account page in the backend for ease of use.
• Added support for autogenerating passwords when creating users in the backend (requires notification email to be sent to the user).
• Added ability for the CodeEditor to restore its original line location when restoring after being disposed of on a page (i.e. when switching between on-page tabs with multiple codeeditors, like in the CMS Theme Editor).

API Changes

• Added auto detection of LICENCE and LICENSE files in plugins as their license files.

Bug Fixes

• Fixed bug introduced in v1.2.10 where collections weren't being supported as a possible value for form field's options property.
• Fixed bug introduced in v1.2.10 where LESS, SASS, and SCSS files were being treated as PHP files by the CodeEditor in the CMS Theme Editor.
• Fixed support for type="module" inline script tags when using the Twig language mode with the Monaco CodeEditor.
• Fixed bug introduced in v1.2.10 where event listeners attached to Theme events from within plugin boot() methods weren't being fired.

Security Improvements

• Improved automatic sanitization of SVGs through the CMS AssetList widget.

Community Improvements

• Fix PHP Code block examples for the model.* events in the Winter CMS documentation.

Full Changelog: v1.2.10...v1.2.11

v1.2.10

UX/UI Improvements

• Replaced the codeeditor's implementation from Ace Editor to Monaco.
• Improved grouped repeater UX by adding search and multiple columns.
• Removed the . from the end of the generated password in the output of the winter:passwd command to make it easier to copy.

DX Improvements

• Fixed support for the Laravel Maintenance mode (artisan down, artisan up) which was broken with the move to Laravel 9 (note: this is separate from the backend / CMS "soft" maintenance mode).
• Added support for the schedule:list and schedule:work commands from Laravel
• AutoDatasource caching is now disabled when app.debug is true to avoid issues caused by stale path caches when developing locally.
• Added llms.txt and .user.ini to the list of mirrored files.
• Made the dropdown field use the Form::select() helper internally for consistency.
• Made the repeater's titleFrom property less picky about what type of field it can pull the value from.

API Changes

• Add support for images / icons in options with the Form::select() helper.

Bug Fixes

• Fixed issue where emptyOption wasn't being removed in the Form::select() helper after being used to populate the placeholder.
• Fixed issue where the FontAwesome assets downloaded by the winter:util compile less command weren't being pinned to a specific version.
• Fixed issue where fancy layout form styles were bleeding into modals.
• Fixed issue where the loading indicator wouldn't hide after receiving a RedirectResponse for file downloads through the AJAX framework.

Security Improvements

• Sanitize SVG files when uploaded to the theme assets.
• Improved escaping of EditorSettings, BrandSettings, & MailBrandSettings.

Translation Improvements

• Improved Ukrainian translation.

Community Improvements

• OFFLINE.Mall has been forked as a first-party plugin (Winter.Mall).
• Added mail driver that adds support for the MS Graph API mailer (Winter.DriverMSGraph).
• Improved support for external SSO provider driver plugins in the Winter.SSO plugin.
• Added Winter.SSOProviderMicrosoft - Microsoft 365 and Azure AD authentication provider for Winter.SSO.

New Contributors

• @gviabcua made their first contribution in #1444

Full Changelog: v1.2.9...v1.2.10

v1.2.9

UX/UI Improvements

• Added support for setting failover transports to the backend Mail Settings page.

DX Improvements

• config:clear command now warns users that caching configuration files is not currently supported in Winter CMS.
• Improved create:command scaffolder to allow for hyphens in generated command names and added optional --description option to set the help text for the generated command.
• Enhanced winter:util compile to download FontAwesome assets required to compile backend LESS files if not present.
• Added the Form's id attribute to the forms generated by the default FormController views.
• Registered the Illuminate\Contracts\Auth\Access\Gate contract with the application as a null gate to prevent plugins and IDE extensions that expect the contract to be present from throwing unhelpful errors.
• Exceptions passed to the Backend\Traits\ErrorMaker trait are now logged in the backend error log (excluding ApplicationExceptions).

API Changes

• Added iconClass option for the fileupload FormWidget to specify the icon that should be used for the upload button.
• Added search widget configuration options to the RelationController's view & manage mode configuration (prompt, mode, scope, searchOnEnter).

Bug Fixes

• Improved compatiblity of Winter's ConfigRepository with Laravel by aliasing top level config keys (currently prefixed with *:: to reflect the namespaced config system used in Winter) to their naked versions (i.e. debugbar is still internally stored as *::debugbar but will also be accessible from the getItems() and all() methods on the ConfigRepository as debugbar). This paves the way for support for Laravel Nightwatch which relies on directly accessing the underlying config data structure for performance reasons.
• Improved handling of package names as input to the vite:compile and vite:watch commands.
• Fixed issue where winter:util purge uploads could sometimes delete files that were actually in use.
• Improved vite base path generation to fix importing fonts.
• Improved error handling when using the default FormController views.
• Improved handling of form data in Snowboard.request() to skip null or undefined values.
• Removed the registration of the non-existant Backend\FormWidgets\TimePicker FormWidget.
• Updated bootstrap/autoload.php to return a 500 header when the vendor files are not present.
• Fixed issue with the DataTable widget not being able to actually save data.
• Fixed Preview labeling on the fancy toolbar for the default FormController view.

Security Improvements

• Ignored vendor & node_modules in the default .gitignore to ensure that those directories are ignored at every level of the project, not just at the project root.

Community Improvements

• Published first party plugin Winter.LaravelBoost to add support for Laravel Boost in Winter v1.3.
• Published first party plugin Winter.LaravelNightwatch to add support for Laravel Nightwatch in Winter v1.3.
• Published an official first-party Docker image for Winter CMS: https://github.com/wintercms/docker.

Dependencies

• Improved support for PHP 8.4.

New Contributors

• @phpiando made their first contribution in #1386

Full Changelog: v1.2.8...v1.2.9

v1.2.8

UX/UI Improvements

• Added a beautiful error log viewer in the backend that displays contextual information about exceptions, links directly to the source files, and unrolling of all previous exceptions in the stack.
• Added new button field type to make it easier to add custom buttons to backend forms.
• Added support for the url field type to the backend forms.
• Added email icon to email fields.
• Updated the default backend branding colours to match the Winter CMS Brand Guidelines.
• Added support for shift clicking to select multiple records at once in the Lists widget.
• Removed the sort icon from columns that aren't sortable and display a right arrow when a column is sortable but isn't currently being used to sort the results.
• Added button-group and dropdown filter scope types.
• Made the entire mediafinder field clickable when mode: file.
• Improve click behaviour of recordfinder fields when disabled.
• Allow users to zoom the backend on mobile.
• Added support for abort(403) to return the access denied view in the backend
• Improved handling of abort(404) in the backend
• Improved styling of disabled fields in the fancy form layout
• Hide the select all checkbox on the Lists widget when there are no records to select.
• Fixed anchor tag outline styling in Firefox.
• Style read-only columns on Table widget with slightly darker grey background to indicate read-only state.
• Allow tab and arrow navigation for read-only columns on the Table widget.
• Allowed searching option to show search box on the Table widget even if adding and deleting buttons are disabled.
• Fixed styling of toolbar on the Table widget if only the search box is shown (no background previously).
• Fixed styling of pagination on Table widget.
• Default to ignoreTimezone = true for date columns.

DX Improvements

• Added default views for the following backend controller behaviors (FormController, ImportExportController, ListController, ReorderController)
• Backend controllers will now automatically set their navigation context in the form of Author.Plugin as the author, $pluginName as the main menu code, and $controllerName as the side menu code. This means that you can remove calls to BackendMenu::setContext() and constructor overrides in your controllers if they follow that convention.
• Improved styling of file generated / updated status message in scaffolding commands
• Added support for ReactJS in Vite & Mix compiled asset packages.
• Added support for customizing the Vite build directory.
• Improved support for Model Factories.
• Added test alias for the winter:test command.
• Added schedule_timezone property to config/app.php.
• Updated theme scaffold's README.md to reflect the use of Vite in the generated themes.
• Added Mail::sendTo() method to the Mail facade's docblock.
• Added support for modules to the asset:create commands (mix:create, vite:create).
• Make readOnly option case-insensitive on the Table widget.
• Improvements to the default scaffolding stub files to bring more inline with the future PSR-12 coding style update.

API Changes

• Added typehints to all the method signatures on the base Winter\Storm\Database\Attach\File model. (eg. getPath(), getCacheKey(), getFilename(), getContents(), getDiskPath(), isPublic(), etc).
• Added metadata jsonable column to the base File model, migrations have been added for system_files, but if you use a custom files table you will need to add a migration that adds $table->mediumText('metadata')->nullable(); to your files table.
• Made getDiskName() on the base Winter\Storm\Database\Attach\File model public.
• Added support for an array of names to use for the postbackHandlerName in the Table widget.
• Removed the config:cache command as it wasn't improving our performance and didn't fully work with Winter's flexible configuration system.
• Added support for SystemException and ApplicationException instances to define their own response codes.
• Added appendViewPath() and prependViewPath() to the System\Traits\ViewMaker. addViewPath is renamed to prependViewPath() and is for paths that have higher priority than the existing paths while appendViewPath() is for paths that should have lower priority than the existing paths (i.e. fallbacks).
• Behaviors extending Backend\Classes\ControllerBehavior will now automatically append their views folder to the controller's view paths allowing them to provide fallbacks for any views required by the behavior.
• The create:controller command will now no longer generate the views by default unless --stubs is also passed and the --sidebar flag is replaced with a --layout=(standard|sidebar|fancy) option to choose the form layout to use.
• Support for passing new: true as a parameter in the request body to onSave() calls that will return a redirect to the create action
• formMakePartial(string $partial, array $params = []) to the FormController behavior that will render a partial through the controller's makePartial using the following priority list of contextual names (form_$context_$partial, form_$partial, $partial).
• Added PromptsForMissingInput to the base Winter\Storm\Console\Command class.
• Removed the unused (and broken) Winter\Storm\Database\DataFeed class.
• PluginTestCase now resets the application router in the setUp() method between test runs to ensure that plugin routes load in the correct order during tests.

Bug Fixes

• Removed redundant backend route.
• Fixed issues where TagList & Repeater FormWidgets were not able to save an empty value.
• Fixed issue where TagList could return an object in array mode.
• Fixed using Vite packages when they are explicitly ignored / excluded from the project's package.json.
• Improved support for winter:mirror on Windows
• Using the {% flash %} tag in Twig will now properly purge the FlashBag after it has been read.
• Improved support for plugins attempting to access the database before it's fully ready to go.
• Fixed suport for hex colors with alpha values.
• Fixed infinite loop that occurrs when the configured database exists but the tables don't exist yet.
• Fixed support for array callables as dynamic methods.
• Event listeners bound to events with bindEventOnce() now properly unbind after execution, even if the event is a halting event.
• Fixed Syntax Error in CAST Statement for Postgres attachment.
• Fixed CMS Maintenance Mode not working when the allowed_ips setting has a value but a null list of IPs.
• Fixed CMS Maintenance Mode settings page not showing the correct value for when the Maintenance Mode is enabled.
• Improved support for using hasManyThrough / hasOneThrough relationships with soft deletes.
• Fixed support for the --force flag in winter:env.
• Improved support for defining multiple Vite entrypoints.
• Prevent crashes when rendering invalid values in datepicker fields.
• Prevent editors from being created for all column types in the Table widget if read-only (previously, only string columns would be rendered read-only by setting the readonly attribute, this is not ideal because it can be easily changed).
• Fixed broken search if client datasource is used on the Table widget.
• Fixed addVite() method not being able to bind assets to the parent controller.
• Fixed displaying the status of maintenance mode triggered through the backend.
• Fixed backend-triggered maintenance mode support for defined but empty IP lists.
• Fixed support for hex colors with alpha values in the colorpicker FormWidget.
• Improved handling of registering / booting plugins when migrations haven't been run yet.

Security Improvements

• Added AllowList functionality to the Twig security policy.

Translation Improvements

• Improved Russian translations.
• Improved Dutch translations.

Performance Improvements

• Switched to a number input instead of a select dropdown for direct navigation to list pages in the Lists widget. Drastically improves performance when a list has 100+ pages in the results as it no longer causes an N+1 performance issue of rendering a single option element for every single page in your results.
• Fixed an infinite loop that could occur when a database was present but plugin migrations hadn't been run yet.

Community Improvements

• Added Laravel to the list of organizational sponsors.
• Removed Route4Me from the list of organizational sponsors.

Dependencies

• Added support for PHP 8.4
• Dropped support for PHP 8.0, PHP 8.1 is now the minimum requirement.
• wikimedia/less has been bumped to v5 from v3.
• Minimum Laravel version has been bumped to v9.49.

New Contributors

• @goldmont made their first contribution in #1268
• @thienvu18 made their first contribution in #1294
• @truechernyshov made their first contribution in #1272
• @IsaiahPaget made their first contribution in #1361
• @Satoshi-Sh made their first contribution in #1369

Full Changelog: v1.2.7...v1.2.8

v1.1.11

Security improvements

• Improved the Twig security policy (blocked methods that write, delete, or modify records and attributes in Database/Eloquent and Halcyon models; blocked access to the theme datasource; prevented extensions from being created or directly interacted with). See GHSA-xhw3-4j3m-hq53 for more information.

Full Changelog: v1.1.10...v1.1.11

v1.0.476

Security improvements

• Improved the Twig security policy (blocked methods that write, delete, or modify records and attributes in Database/Eloquent and Halcyon models; blocked access to the theme datasource; prevented extensions from being created or directly interacted with). See GHSA-xhw3-4j3m-hq53 for more information.

Full Changelog: v1.0.475...v1.0.476

v1.2.7

UX/UI Improvements

• Added support for showTotals option for Lists and summable option for columns of type: number to render the totals on a per page and per query basis in the Lists widget.
• Added new user:create CLI command to create a new backend user from the CLI.
• Checkbox lists will now show all of their options, even when disabled or in read-only mode.
• Visiting the backend login page will now redirect to the backend dashboard if the user is already logged in.
• Added additional warning about disabling debug mode in production to the config/app.php file.
• Added additional configuration checks to the Status dashboard widget.
• Improved the UX of drag and drop sorting of tree views.
• Disabled autocomplete on password and sensitive field types by default.
• Fixed minor box shadow issue with the recordfinder clear button.
• Made the entire fileupload field clickable in single file mode.
• Made the entire recordfinder field clickable and added translation support for the default prompt.
• Repeater items can now be extended by clicking on their title rather than just the dropdown arrow.
• Fixed minor styling issues with Select2 inputs.
• Fixed repeater item titles in preview contexts.

DX Improvements

• Added support for the Vite asset compiler (see Laravel docs & Winter docs for more information).
• Added new npm:install, npm:update, npm:run helper CLI commands. Refer to the docs.
• Added new BundleManager that manages the "asset bundles" used by the mix:create and vite:create scaffolding commands.
• Added support for Laravel-style relations (see wintercms/docs#176)
• Added a simple .devcontainer for the Storm library and the main Winter repository.
• Added support for "asset prioritization / load ordering" to the AssetMaker trait through the use of a new order system attribute that can be provided.
• Added support for project relative paths to the SQLite database.
• Changed the default scaffold for create:theme to Tailwind
• Changed the default asset compiler for the tailwind theme scaffold to vite.
• Added support for all abort($code) errors to the CMS module, now you can use abort(404) anywhere and get a nice 404 error page.
• Added winter:install, winter:env, and winter:mirror public to the default post create project composer scripts.
• Improved compatibility with Laravel's artisan migrate command by adding support for the --seed & --isolatable options.
• Added support for using dynamic methods to handle custom list column types.
• Added create:factory command to scaffold model factories in plugins.
• Added support for the --batchable option to the create:job scaffolder.
• Added support for dynamically extending filter scopes even if no scopes have been defined yet.
• Added --sidebar flag to the create:controller scaffolder to create a controller that uses the sidebar layout for form views.
• Fixed display of deleted files when reviewing changes in winter:version.
• Added --only-version|-o option flag to winter:version to display only the version number.
• Added new winter:util purge resized CLI command to delete all previously cached images from the resizer.
• Allowed create:migration to be called with the --update flag even if model does not have a fields.yaml to scan.

API Changes

• Added support for .avif image files.
• Removed the unnecessary Maker class from the core Application container.
• Added support for $table->dropColumnIfExists() in migrations.
• Added support for enabling the Laravel Mix manifest feature.
• Added File::getMaxUploadSize() and File::sizeToBytes() helper methods.
• Added File::copyBetweenDisks() and File::moveBetweenDisks() helper methods.
• Added slave relationship configuration to the DeferredBinding base model.
• Added $routePersistance parameter to Page::resolveMenuItem().
• Removed unnecessary TableData prefix from data returned by the Table widget (also DataTable formwidget) in AJAX requests.
• Added support for translation strings providing options in FormField->options().
• The Stripe Loader provided by Snowboard.js can now be disabled by setting data-request-stripe to false.
• Added support for command names that include a number.
• Core after login logic (runMigrationOnLogin and logging to the access log) has been moved to an event listener to more reliabily work across all methods of logging in.
• Added a default UserAgent of Winter Storm to calls made by the Winter HTTP client.
• Added a nestedArray() scope to the NestedTree trait and a toNestedArray() method to the core TreeCollection class.

Bug Fixes

• Fixed the argument order for paginate() and simplePaginate() in BelongsToOrMorphsMany relationships.
• Fixed issue where attempting to use the SortableScope could conflict with columns in pivot tables.
• Fixed infinite loop when using HasSortableRelations on a model with a self-referencing relationship.
• Restored the previous default value of true for showPageNumbers in the RelationController's view and manage configuration scopes.
• Fixed support for empty calls to date() in Twig.
• Fixed issue where FormWidgets would return null even when their raw field values aren't present in the save data.
• Fixed issue with some styling elements in the backend due to the switch of asset compilation systems for the backend styles in 1.2.6.
• Fixed error when using taglist with a single value.
• Fixed issue where the RelationManager FormWidget was overriding the default configuration of the RelationController even when the overrides were not explicitly set on the field instance.
• Fixed issue where creating themes from the backend using the blank scaffold would fail.
• Fixed issue where custom File models could not use string keys (i.e. UUIDs) as their primary key when using the default backend partials.
• Fixed issue where Pivot models were not being properly initialized with their attributes causing problems when the pivot record contained jsonable attributes used by repeaters / nested forms.
• Improved trace_log helper's handling of objects
• Fixed support for viewing complex (jsonable) pivot data in the RelationController.
• Fixed issue where the job class was generated twice when using create:job with the --sync option.
• Fixed issue where maxItems: 1 didn't work for the first item on repeaters.
• Fixed nested form data in Snowboard requests.
• Fixed issue where the Mix webpack config wasn't being removed after it was no longer required.
• Fixed issue where sometimes event listeners for model events would be bound multiple times.
• Disabled the --relative flag for winter:mirror on Windows because Windows doesn't support relative symlinks.
• Properly escape the SQLite database path when running winter:env on Windows.

Security Improvements

• Added the $requiredPermissions property to the default controller stub used by create:controller.
• Hardened theme objects, preventing certain properties from being passed through to the ThemeData object.
• Improved the Twig security policy (blocked methods that write, delete, or modify records and attributes in Database/Eloquent and Halcyon models; blocked access to the theme datasource; prevented extensions from being created or directly interacted with). See GHSA-xhw3-4j3m-hq53 for more information.

Translation Improvements

• Improved Latvian translation.
• Improved French translation.
• Improved Russian translation.

Performance Improvements

• Winter\Storm\Database\Traits\ArraySource now supports using generators to return records in the getRecords() method.

Community Improvements

• Fixed links to documentation in composer.json

Dependencies

• Bumped minimum required version of Twig to v3.14 to fix potential security issue.

New Contributors

• @Quendi6 made their first contribution in #1134
• @sephyld made their first contribution in #1209

Full Changelog: v1.2.6...v1.2.7