v1.6.3

Fixed

• Post mentions can be used to read any post on the forum without access control (ab1c868).
• Notifications can leak restricted content (d0a2b95).
• Any user including unactivated can reply in public discussions whose first post was permanently deleted (12f1411).
• (subscriptions) Post notifications not getting access checked (e5f0516).

v1.6.2

v1.6.2

Fixed

• XSS Vulnerability in core (#3684).

v1.6.1

Fixed

• JS dependencies update breaks some utilities.

v1.6.0

v1.6.0

Fixed

• (approval) posts approved for deleted users error (b5874a0)
• (regression) bad import (5f2d7fb)
• akismet fails when the extension is not on a version (45d9121)
• apply flex for AppearancePage colors input [#3651]
• groupmentions have poor contrast on some backgrounds [#3672]
• larastan v1 incompatible with phpstan v1.9.0 [#3665]
• package manager failures not showing alerts [#3647]
• password reset leaks user existence [#3616]
• statistics previous period chart is unclear [#3654]

Changed

• (package-manager) config composer to use web php version (fd19645)
• (package-manager) set min core version and add warning (31c3cfc)
• (statistics) prepare v1.5.1 (dc215ab)
• Apply fixes from StyleCI (267f675)
• Fix tag discussion count decreased by 2 when hiding before deleting [#3660]
• Log migration path when up/down keys are missing [#3664]
• Make it possible to extend SetupScript [#3643]
• Setup PHPStan Level 5 [#3553]
• yarn format (c5c312d)
• add missing last period to custom date ranges [#3661]
• add priorities to profile settings page [#3657]
• allow specifying php extensions in workflow (b0b47a0)
• format js (06963df)
• group mentions [#3658]
• remove styleci from changelog (b2fa28e)
• set flarum version to dev for 1.6.0 (fc743ba)
• throw an exception when no serializer is provided to the controller [#3614]

Added

• (statistics) support for custom date ranges [#3622]
• Allow additional login params, Introduce LogInValidator [#3670]
• Allow additional reset password params, introduce ForgotPasswordValidator [#3671]
• add statistics chart export button [#3662]
• allow specifying extensions when installing an instance [#3655]
• contrast util with yiq calculator [#3652]
• customizable session driver [#3610]
• replace ColorPreviewInput for GroupModal color input [#3650]
• send notifications of a new reply when post is approved [#3656]

v1.5.0

v1.5.0

Fixed

• (a11y) add accessible labels to notification grid options [#3520]
• (a11y) present post streams as feeds [#3522]
• (a11y) set aria-busy when editing a post stream item [#3521]
• (compilation) versioner not inject into compilers [#3589]
• (mentions) accessing id of null user relation [#3618]
• (subscriptions) add missing table prefix for filter gambit [#3599]
• (tags) use default index sortmap [#3615]
• Move guzzle requirement to core [#3544]
• MyISAM tables for extensions during installation (75aaef7, f926c58)
• Set the translator locale to user preference for email notifications [#3525]
• $events property declared dynamically [#3598]
• core settings header has no priority (33bf228)
• html entities shown raw in page title [#3542]
• incorrect centring of deleted user avatars in notification list [#3569]
• intellisense imports defaulting to absolute path from src folder [#3549]
• minor backward compatible fix for php 8.1 in st_replace (07b2f86)
• post query wildcard selection causes ambiguity [#3621]
• potential static caching memory exhaustion [#3548]
• prepare release workflow has invalid layout (70e483d)
• remove deprecation warning for decoding null values (590639f)
• replace .fa() mixin usage with .fas() [#3537]
• return type hint static is php 8+ (b01b75e)
• sticky nav content displays below post stream [#3575]
• titles positioned wrongly with custom header height [#3550]
• typo in error message (1a189f4)
• unread notifications are globally cached between users. [#3543]
• update workflow name (628c281)
• user has wrong discussion read status [#3591]

Changed

• (approval, likes) use subscribers [#3577]
• (package-manager) last tweaks before beta tag (335c602)
• (statistics) add release notes for 1.4.1 (f4ace73)
• (statistics) rewrite for performance on very large communities [#3531]
• (statistics) split timed data into per-model XHR requests [#3601]
• (tags) Replace event helper with event dispatcher [#3570]
• Add loading="lazy" attribute for avatars [#3578]
• Create CODEOWNERS (6e48a03)
• MyISAM tables for extensions during installation" (f128190)
• convert AlertManager IndexPage and UserPage components to TS [#3536]
• convert Badge Checkbox and Navigation components to TS [#3532]
• convert core modals to TypeScript [#3515]
• convert page components to TypeScript [#3538]
• debug line slipped in while rebasing a PR [#3580]
• don't pass password field between auth modals [#3626]
• fix github issue templates (d3e456a)
• format code (4954621)
• getting the release workflow in (5530400)
• link logo at the top with the official website [#3552]
• prevent running both push and pull_request actions at the same time [#3597]
• refactor prefix matrix and add MySQL 8.0 & PHP 7.3 to workflows [#3595]
• relying on a third-party for avatar URL tests is unreliable [#3586]
• require guzzle 6 or 7 (46b3b7a)
• split FA imports into separate Less file for easy overriding [#3535]
• unify JS actions into one (rewritten flarum/action-build) [#3573]
• update version constant during cycle 22 (d864405)
• use isCollapsed instead of rangeCount [#3581]
• use github issue template forms [#3526]

Added

• (likes) Add likes tab to user profile [#3528]
• (likes) Option to prevent users liking their own posts [#3534]
• (modals) support stacking modals, remove bootstrap modals dependency [#3456]
• (subscriptions) add option to send notifications when not caught up [#3503]
• Add custom class for email confirmation alert [#3584]
• Admin debug mode warning [#3590]
• Delete all notifications [#3529]
• Queue package manager commands [#3418]
• Restart the queue worker after cache clearing, ext enable/disable, save settings [#3565]
• add createTableIfNotExists migration helper [#3576]
• add new workflow for generating release meta (0901e59)
• clear password & email tokens when appropriate [#3567]
• discussion UTF-8 slug driver [#3606]
• expose assets base url to frontend forum model [#3566]
• extender to add custom less variables [#3530]
• publish assets on admin dashboard cache clear [#3564]
• throttle email change, email confirmation, and password reset endpoints. [#3555]

v1.4.0

Added

• created_at and updated_at columns added to several tables (#3435)
• Priorities added to AdminNav links (#3453)
• app.translator allows retrieving and setting locale (#3451)
• Extensions can now declare custom settings components for use with buildSettingComponent (#3494)
• Implement extensibility on rel and target attributes on links (#3455)
• New backend tests were added to some of the bundled extensions (#3508)

Changed

• Split boot script for Flarum in HTML footer into two parts for CSP hashing (#3461)
• Split asset compilation by giving assembling compilers its own method (#3446)
• Increase visibility of Component typescript class for better extensibility (#3437)

Fixed

• Mentioning an event post breaks the notification dropdown (#3493)
• Suspension modal shows after suspension is over (#3449)
• CLI based installations don't exit with an error code on failure (#3452)
• Tabbing through dropdown controls doesn't make them visible (#3450)
• Requiring zero tags on new discussions forces the user to select tags (#3448)
• Long topic titles in the notification list don't overflow (#3500)
• Subtags of tags the user has access to are visible even if these are not accessible (#3419)
• assertAdmin tests access based on wrong gate ability (#3501)
• Increasing the composer header size causes elements to slip underneath (#3502)
• The profile mentions tab errors when sorting by created_at (#3506)

v1.3.1

Changed

• UserCard now has ItemList for easier extending (#3436)

Fixed

• Button to go directly to all results page is hidden while API request for search hasn't completed (#3431)
• Setting extender does not register modifications beyond first fluent call (#3439)
• Link to font awesome icons list no longer works (df1bdd2)
• Mentions: mentions with deleted authors not showing (#3432)
• Nicknames: regex validation isn't functional (#3430)
• Subscriptions: reply notifications not working (#3445)
• Suspend: not providing suspension reason breaks mail (#3433)

v1.3.0

Added

• [A11Y] Added role feed to DiscussionList (#3359)
• Support multiple confirmation dialogs when closing a tab/window (#3372)
• Markdown: markdown toolbar support for admin frontend (16d5cc1)

Changed

• Post number calculation is now executed inside the database layer, preventing integrity constraints (#3358)
• Errors from within extensions no longer make Flarum crash but trigger a visible warning (#3349)
• Sorting options for discussion index is now extensible (#3377)
• Event listeners from the framework now are added before those of extensions (#3373)

Fixed

• Typings and missing typescript components (#3348)
• Post--by-start-user CSS class is not added to post html (#3356)
• Timestamps for notifications are incorrect on servers that have a timezone different than UTC (#3379)
• Extensions with dependencies that are enabled do not cause dependencies to be enforced (#3352)
• Search using non-words doesn't work (#3385)
• Slugs are not working for other languages than English (#3387)
• Deprecations are triggered on PHP 8.1 (#3384)
• Post permalink for subdirectory installs have duplicate paths segments (#3354)
• Composer discussion title is not always clearly visible (#3413)
• Mentions: extensions re-using mentions can cause errors due to missing context (#3382)
• Tags: tag selection modal errors on new discussions when pressing down (#3403)
• [A11Y] Tags: focus to input and layout of tag selection modal are off (#3412)
• Subscriptions: searching inside the following page will search in all discussions (#3376)

Full Changelog: 33d939c...v1.3.0

v1.2.1

Fixed

• Don't escape single quotes in discussion title meta tags (60600f4)

Full Changelog: v1.2.0...v1.2.1

v1.2.0

Added

• View README documentation in extension pages (#3094).
• Declare & Use CSS Custom Properties (#3146).
• Lazy draw dropdowns to improve performance (#2925).
• Default Settings Extender (#3127).
• Add textarea setting type to admin pages (#3141).
• Allow registering settings as Less config vars through Settings Extender (#3011).
• Allow replacing of blade template namespaces via extender (#3167).
• Update to Webpack 5 (#3135).
• Introduce Less custom function extender with a is-extension-enabled function (#3190).
• Support for few in ICU Message syntax (#3122).
• ES6 local support for number formatting (#3099).
• Added dedicated endpoint for retrieving single groups (#3084).
• Callback loadWhere relation eager loading extender (#3116).
• Extensible document title driver implementation (#3109).
• Type checks, typescript coverage GH action (#3136).
• Add color indicator in appearance admin page instead of validating colors (#3140).
• Add typing files for our translator libraries (#3175).
• StatusWidget tools extensibility (#3189).
• Allow switching the ImageManager driver (#3195).
• Events for notification read/all read actions (#3203).

Changed

• Testing with php8.1 (#3102).
• Migrate fully to Yarn (#3155).
• Handle post rendering errors to avoid crashes (#3061).
• Added basic filtering, sorting, and pagination to groups endpoint (#3084).
• Pass IP address to API Client pipeline (#3124).
• Rename Extension Page "Uninstall" to "Purge" (#3123).
• [A11Y] Improve accessibility for discussion reply count on post stream (#3090).
• Improved post loading support (#3100).
• Rewrite SubtreeRetainer into Typescript (#3137).
• Rewrite ModalManager and state to Typescript (#3007).
• Rewrite frontend application files to Typescript (#3006).
• Allow extensions to modify the minimum search length in the Search component (#3130).
• Allow use of any tag in listItems helper (#3147).
• Replace for ... in with Array.reduce (#3149).
• Page title format is now implemented through translations (#3077, #3228)
• Add aria-label attribute to the navigation drawer button (#3157).
• Convert extend util to TypeScript (#2928).
• Better typings for DiscussionListState (#3132).
• Rewrite ItemList, update ItemList typings (#3005).
• Add priority order to discussion page controls (#3165).
• Use @php in Blade templates (#3172).
• Convert some common classes/utils to TS (#2929).
• Convert routes to Typescript (#3177).
• Move admin colorItems to an ItemList (#3186).
• Centralize pagination/canonical meta URL generation in Document (#3077).
• Use revision versioner to allow custom asset versioning (#3183).
• Split up application error handling (#3184).
• Make SlugManager available to blade template (#3194).
• Convert models to TS (#3174).
• Allow loading relations in other discussion endpoints (#3191).
• Improve selected text stylization (#2961).
• Extract notification primaryControl items to an ItemList (#3204).
• Frontend code housekeeping (#3214, #3213).
• Only retain scroll position if coming from discussion (#3229).
• Use aria-live regions to focus screenreader attention on alerts as they appear (#3237).
• Prevent unwarranted a11y warnings on custom Button subclasses (#3238).

Fixed

• Missing locale text in the user editing modal (#3093).
• Dashes in table prefix prevent installation (#3089).
• Missing autocomplete attributes to input fields (#3088).
• Missing route parameters throwing an error (#3118).
• Mail settings select component never used (#3120).
• White avatar image throws javascript errors on the profile page (#3119).
• Unformatted avatar upload validation errors (#2946).
• Webkit input clear button shows up with the custom one (#3128).
• Media query breakpoints conflict with Windows display scaling (#3139).
• typeof this not recognized by some IDEs (#3142).
• Model.save() cannot save null hasOne relationship (#3131).
• Edit post until reply policy broken on PHP 8 (#3145).
• Inaccurate Component.component argument typings (#3148).
• Scrolling notification list infinitely repeats (#3159).
• Argument for INFO constant was assigned to maxfiles argument incorrectly (bfd81a8).
• Activated event is sent every time an email is confirmed instead of just once (#3163).
• [A11Y] Modal close button missing accessible label (#3161).
• [A11Y] Auth modal inputs missing accessible labels (#3207).
• [A11Y] Triggering click on drawer button can cause layered backdrops (#3018).
• [A11Y] Focus can leave open nav drawer on mobile (#3018).
• [A11Y] Post action items not showing when focus is within the post (#3173).
• [A11Y] Missing accessible label for alert dismiss button (#3237).
• Error accessing the forum after saving a setting with more than 65k characters (#3162).
• Cannot restart queue from within (#3166).
• Post--by-actor not showing when comparing user instances (#3170).
• Incorrect typings for Modal hide() method (#3180).
• Avatar Upload throws errors with correct mimetype and incorrect extension (#3181).
• Clicking the dropdown button on a post opens all dropdowns in Post-actions (#3185).
• getPlainContent() causes external content to be fetched (#3193).
• listItems not accepting all Mithril.Children (#3176).
• Notifications mark as read option updates all notifications including the read ones (#3202).
• Post meta permalink not properly generated (#3216).
• Broken contribution link in README (#3211).
• WelcomeHero is displayed when content is empty (#3219).
• last_activity_at, last_seen_at updated on all API requests (#3231).
• RememberMe access token updated twice in API requests (#3233).
• Error in funding item in composer.json bricks the frontend (#3239).
• Escaped quotes in window title (#3264)
• schedule:list command fails due to missing timezone configuration.

Deprecated

• Unused evented utility (#3125).