BookStack v0.30.0 Release Notes

Release Date: 2020-09-20

    โšก๏ธ Update Notices

    🔒 Security Notice - Possible Privilege Escalation

    Thanks to @Defelo, it was reported that the privilege-escalation potential of certain role permissions
    was not made clear when assigning them. Any user with the "Manage app settings", "Manage users" or
    "Manage roles & role permissions" system permission assigned to one of their roles could alter their own
    permissions to gain wider access.
    💻 A clear advisory of these cases has been added to the UI in v0.30,
    but admins are advised to review which users hold these permissions with the above in mind.
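    The review the notice asks for is a join across BookStack's user/role/permission tables. The following is an added example, not code from the BookStack project: it embeds the audit query, runs it against a constructed, in-memory SQLite stand-in for the relevant tables, and returns every user who reaches one of the three escalation-capable permissions through any of their roles. The table and column names (users, roles, role_user, role_permissions, permission_role) and the permission identifiers (settings-manage, users-manage, user-roles-manage) are assumptions about BookStack's schema; confirm them against your own instance before relying on the query, then run AUDIT_QUERY directly in your MySQL/MariaDB client.

```python
import sqlite3

# System permission names as assumed to be stored in BookStack's role_permissions
# table (an assumption of this example; confirm against your own instance).
ESCALATION_PERMISSIONS = ("settings-manage", "users-manage", "user-roles-manage")

# The audit query. Plain portable SQL so it can be pasted into a MySQL/MariaDB
# client against a BookStack database; table/column names are assumed here.
AUDIT_QUERY = """
SELECT u.id, u.name, u.email, r.display_name AS role, rp.name AS permission
FROM users u
JOIN role_user ru        ON ru.user_id = u.id
JOIN roles r             ON r.id = ru.role_id
JOIN permission_role pr  ON pr.role_id = r.id
JOIN role_permissions rp ON rp.id = pr.permission_id
WHERE rp.name IN ('settings-manage', 'users-manage', 'user-roles-manage')
ORDER BY u.id, r.display_name, rp.name
"""

# Minimal stand-in for the tables the query touches (assumed schema, trimmed
# to the columns used) so the example runs offline in SQLite.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE roles (id INTEGER PRIMARY KEY, display_name TEXT, system_name TEXT);
CREATE TABLE role_user (user_id INTEGER, role_id INTEGER);
CREATE TABLE role_permissions (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE permission_role (permission_id INTEGER, role_id INTEGER);
"""


def build_sample_db():
    """Constructed sample data: one admin, one help-desk user whose custom role
    was granted 'Manage users', and two users with no risky permissions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Admin", "admin@example.com"),
        (2, "Erin Editor", "erin@example.com"),
        (3, "Harry Helpdesk", "harry@example.com"),
        (4, "Vic Viewer", "vic@example.com"),
    ])
    conn.executemany("INSERT INTO roles VALUES (?, ?, ?)", [
        (1, "Admin", "admin"),
        (2, "Editor", None),
        (3, "Helpdesk", None),
        (4, "Viewer", None),
    ])
    conn.executemany("INSERT INTO role_user VALUES (?, ?)",
                     [(1, 1), (2, 2), (3, 3), (3, 4), (4, 4)])
    conn.executemany("INSERT INTO role_permissions VALUES (?, ?)", [
        (1, "settings-manage"),
        (2, "users-manage"),
        (3, "user-roles-manage"),
        (4, "page-create-all"),
        (5, "page-view-all"),
    ])
    conn.executemany("INSERT INTO permission_role VALUES (?, ?)", [
        (1, 1), (2, 1), (3, 1),   # Admin role holds all three
        (4, 2), (5, 2),           # Editor: content permissions only
        (2, 3),                   # Helpdesk: 'Manage users' -> can escalate
        (5, 4),                   # Viewer: read only
    ])
    return conn


def find_escalation_capable_users(conn):
    """Return {user_id: {"name", "email", "grants": [(role, permission), ...]}}
    for every user holding at least one escalation-capable permission via any role."""
    found = {}
    for uid, name, email, role, perm in conn.execute(AUDIT_QUERY):
        entry = found.setdefault(uid, {"name": name, "email": email, "grants": []})
        entry["grants"].append((role, perm))
    return found


if __name__ == "__main__":
    for uid, info in find_escalation_capable_users(build_sample_db()).items():
        grants = ", ".join(f"{role}:{perm}" for role, perm in info["grants"])
        print(f"{uid:>3} {info['name']:<16} {info['email']:<20} {grants}")
```

    In the sample, the Helpdesk user surfaces alongside the Admin because a single "Manage users" grant on a custom role is enough; that is exactly the kind of role an administrator may have created without realising it is equivalent to full access.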

    LDAP & SAML Group Matching - Potential Change

    Thanks to @nem1989 it was found that
    BookStack roles would be matched to LDAP/SAML groups based upon the role display name, as expected,
    but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant,
    🚚 and has now been removed, but it stored a cleaned version of the first-set name of the role, so a role renamed after
    creation could fail to match.
    🔀 All roles will now be considered before being matched on name, which may mean that roles which did not sync before,
    🔀 but which would have been expected to based on their name, may now start to sync.
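    To make the behaviour change concrete, here is an added example (not BookStack code) that models the two matching rules side by side over constructed roles and a constructed directory group list. The normalisation applied before comparison (trim, lower-case, spaces to hyphens), the Role class and the function names are assumptions of this example; the point it shows is the one the notice describes: a role whose display name was changed after creation never became a candidate under the old rule because its stored "name" was stale, and begins to sync under the v0.30 rule.

```python
def normalise(name):
    """Comparison form assumed for role/group matching in this example:
    trimmed, lower-cased, spaces replaced with hyphens."""
    return name.strip().lower().replace(" ", "-")


class Role:
    """A role as stored before v0.30: 'name' was derived from the display name
    once, at creation, and never updated afterwards."""

    def __init__(self, display_name):
        self.display_name = display_name
        self.name = normalise(display_name)

    def rename(self, new_display_name):
        self.display_name = new_display_name   # pre-0.30: 'name' left stale


def match_pre_030(roles, group_names):
    """Pre-0.30 rule: only roles whose stored 'name' appears in the user's
    group list are candidates; candidates are then compared on display name."""
    groups = {normalise(g) for g in group_names}
    candidates = [r for r in roles if r.name in groups]
    return [r.display_name for r in candidates if normalise(r.display_name) in groups]


def match_030(roles, group_names):
    """v0.30 rule: every role is a candidate, matched on its current display name."""
    groups = {normalise(g) for g in group_names}
    return [r.display_name for r in roles if normalise(r.display_name) in groups]


def build_sample_roles():
    """Constructed sample: 'Editors' was renamed to 'Wiki Editors' to match the
    directory group of that name; 'Viewers' was never renamed."""
    editors = Role("Editors")
    editors.rename("Wiki Editors")
    return [editors, Role("Viewers"), Role("Admins")]


# Constructed group list for one user, as a directory might return it.
USER_GROUPS = ["wiki-editors", "viewers"]

if __name__ == "__main__":
    roles = build_sample_roles()
    print("pre-0.30:", match_pre_030(roles, USER_GROUPS))   # ['Viewers']
    print("v0.30:   ", match_030(roles, USER_GROUPS))       # ['Wiki Editors', 'Viewers']
```

    The second line of output is the "may now start to sync" case from the notice: any role you renamed to line up with a group name, and then assumed was not being applied, will be granted on the next login after upgrading, so check renamed roles before rolling out v0.30.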

    Full List of Changes

    • ➕ Added API endpoints for chapters.
    • ➕ Added audit log to the settings area. (#2173, #1167)
    • ➕ Added the ability to insert an attachment link directly into the current editor window. (#1460)
    • ➕ Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
    • ➕ Added warning wording around role system permissions to indicate which permissions could allow privilege escalation. (#2105)
    • ➕ Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
    • ⚡️ Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
    • 🎁 Updated WYSIWYG editor CSS to put the editor in its own layer to improve degraded dark mode performance. (#2154)
    • ⚡️ Updated Czech translations. Thanks to @jakubboucek. (#2238)
    • ⚡️ Updated the permission system so that the permission map table no longer contains IDs, since database limits could be reached where permissions were automatically refreshed on a frequent basis. (#2091)
    • ⚡️ Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
    • ⚡️ Updated URL slug generation to achieve a much cleaner result when non-ASCII characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
    • ⚡️ Updated error reporting so that not-found errors are not written to the log, which had caused logs to fill much quicker than expected. (#2110)
    • 💅 Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
    • ✂ Removed Vue.js from the project & started standardisation of a custom basic component system. (#2202)
    • Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
    • 🛠 Fixed issue where, upon role delete, users would not be migrated to the replacement role specified during the role delete flow. (#2211)
    • 🛠 Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
    • 🛠 Fixed scenario where page drafts would show as saved when the request had actually failed, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
    • 🛠 Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
    • 🛠 Fixed issue where the redirect upon login could lead to an external site. (#2073)
    • 🛠 Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
    • 🛠 Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
    • 🛠 Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
    • 🛠 Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
    • 🛠 Fixed bad pagination styling which would result in invisible numbering. (#1839)
    • 🛠 Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)