BookStack v0.30.0 Release Notes
Release Date: 2020-09-20
Update Notices

Security Notice - Possible Privilege Escalation
Thanks to @Defelo, it was advised that possible privilege escalation paths were not made clear when applying role permissions. Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission assigned to one of their roles could technically alter their own permissions to gain wider access.
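One way an administrator could carry out such a review is to list every user whose roles carry one of the three system permissions named above, and which role grants it. This is an added example, not BookStack's own code: the role and user data below is constructed to mirror the shape of BookStack's user/role/permission model, and the permission names are the display names from the notice.

```python
"""Audit which users hold system permissions that allow self-escalation.

Added example, not BookStack code. The role and user data is constructed;
the permission names are the display names quoted in the security notice.
"""

# The three system permissions the notice identifies as escalation-capable
ESCALATION_PERMISSIONS = {
    "Manage app settings",
    "Manage users",
    "Manage roles & role permissions",
}

# Constructed sample data: role -> set of system permission display names
ROLE_PERMISSIONS = {
    "Admin": {"Manage app settings", "Manage users", "Manage roles & role permissions"},
    "Editor": {"Create all pages", "Manage users"},  # 'Manage users' is the escalation path here
    "Viewer": set(),
}

# Constructed sample data: user -> list of assigned roles
USER_ROLES = {
    "alice": ["Admin"],
    "bob": ["Editor"],
    "carol": ["Viewer"],
    "dave": ["Viewer", "Editor"],
}


def escalation_paths(user_roles, role_permissions):
    """Return {user: [(role, permission), ...]} for every user who, through
    any of their roles, holds an escalation-capable system permission."""
    findings = {}
    for user, roles in user_roles.items():
        hits = []
        for role in roles:
            granted = role_permissions.get(role, set()) & ESCALATION_PERMISSIONS
            for perm in sorted(granted):
                hits.append((role, perm))
        if hits:
            findings[user] = hits
    return findings


def report(findings):
    """Render findings as one line per (user, role, permission) triple."""
    lines = []
    for user, hits in sorted(findings.items()):
        for role, perm in hits:
            lines.append(f"{user}: role '{role}' grants '{perm}'")
    return lines


if __name__ == "__main__":
    for line in report(escalation_paths(USER_ROLES, ROLE_PERMISSIONS)):
        print(line)
```

Users that appear in the report can change their own permissions, so each of those role assignments should be deliberate; the output for the constructed data above flags alice, bob and dave but not carol.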
A clear advisory of these cases has been added to the UI in v0.30, but admins are advised to review which users have these permissions with the above in mind.

LDAP & SAML Group Matching - Potential Change
Thanks to @nem1989, it was found that BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected, but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant and has now been removed; it would store a cleaned version of the first-set name of the role.
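The practical difference is easiest to see with a role that was renamed after creation. The following is an added illustration, not BookStack's own matching code: the `clean_name` function and the stale `name` slug are assumptions about the pre-0.30 behaviour described above, and the case-insensitive display-name comparison in `match_new` is likewise assumed.

```python
"""Illustrates the LDAP/SAML group-to-role matching change in v0.30.

Added example, not BookStack code. 'clean_name', the stale 'name' slug and
the case-insensitive comparison are assumptions about the behaviour the
release notes describe, not the project's actual implementation.
"""
import re


def clean_name(display_name):
    # Assumed cleaning rule: lower-case, runs of non-alphanumerics become hyphens
    return re.sub(r"[^a-z0-9]+", "-", display_name.lower()).strip("-")


class Role:
    def __init__(self, display_name):
        self.display_name = display_name
        # Pre-0.30 (assumed): 'name' was derived once from the first display name
        self.name = clean_name(display_name)

    def rename(self, new_display_name):
        # Renaming updated the display name only; the stored 'name' went stale
        self.display_name = new_display_name


def match_old(group, roles):
    """Pre-0.30 behaviour (assumed): only roles whose stored 'name' equals the
    cleaned group name are candidates, so a renamed role keeps matching its
    original name and never matches its current one."""
    wanted = clean_name(group)
    return [r for r in roles if r.name == wanted]


def match_new(group, roles):
    """v0.30 behaviour: every role is considered and compared on its current
    display name (case-insensitive comparison assumed)."""
    return [r for r in roles if r.display_name.lower() == group.lower()]


def demo():
    """Return {group: (old_matches, new_matches)} for a role renamed after creation."""
    roles = [Role("Editors"), Role("Viewers")]
    roles[0].rename("Content Editors")  # display name changes, old 'name' stays "editors"
    result = {}
    for group in ("Content Editors", "Editors"):
        result[group] = (
            [r.display_name for r in match_old(group, roles)],
            [r.display_name for r in match_new(group, roles)],
        )
    return result


if __name__ == "__main__":
    for group, (old, new) in demo().items():
        print(f"group {group!r}: before -> {old}, after -> {new}")
```

For a directory group named "Content Editors", the old logic finds nothing while the new logic finds the renamed role, which is the "may now start to sync" case; the reverse also holds for a group still named after the old display name, so group names on the IdP side are worth checking against current role display names after upgrading.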
All roles will now be considered before being matched on name, which may mean that roles which did not sync before, but would have been expected to based on their name, may now start to sync.

Full List of Changes
- Added API endpoints for chapters.
- Added audit log to the settings area. (#2173, #1167)
- Added the ability to insert an attachment link directly into the current editor window. (#1460)
- Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
- Added warning wording around role system permissions to indicate which permissions could allow privilege escalation. (#2105)
- Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
- Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
- Updated WYSIWYG editor CSS to put the editor in its own layer to improve degraded dark mode performance. (#2154)
- Updated Czech translations. Thanks to @jakubboucek. (#2238)
- Updated the permission system so that the permission map table does not contain IDs, since database limits could be met in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
- Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
- Updated URL slug generation to achieve a much cleaner result when non-ASCII characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
- Updated error reporting so that not-found errors are no longer written to the log, which had been causing logs to fill much quicker than expected. (#2110)
- Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
- Removed Vue.js from the project and started standardisation of a custom basic component system. (#2202)
- Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
- Fixed issue where, upon role delete, users would not be migrated when specified to do so during the role delete flow. (#2211)
- Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
- Fixed scenario where page drafts would show as saved when the request had actually failed, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
- Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
- Fixed issue where the redirect upon login could lead to an external site. (#2073)
- Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
- Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
- Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
- Fixed issue where an error would be thrown on a SAML logout request from the IdP. (#2002)
- Fixed bad pagination styling which would result in invisible numbering. (#1839)
- Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)