
9.2.2 Release Notes

New Features

    Added a Switch Language option to the Top Navigation Bar, allowing the navigation bar to present a list of site languages and facilitate switching between them for the given page (thanks hissy)

Behavioral Improvements

    Express Detail block now has support for getSearchableContent: pages that contain this block will have that block’s content properly added to the search index.
    We now display the minimum and maximum username length when adding users in the Dashboard (thanks ounziw)
    Prevent loading full tree views when not needed, improving performance with large topic trees in topic attributes, large file manager trees on Dashboard user and file manager pages.
    Add package name and version to the message displayed after a package update (thanks JohnTheFish)
    Improvements to clarity in field layout when resetting a user’s password from the Dashboard (thanks iampedropiedade)
    Page List block outputs canonical path only when ccm_paging_p is 2 or greater (thanks ccmEnlil)
    Site-wide attributes will now be grouped by set if sets have been enabled for site attributes (thanks parasek)
    Added links to the images in the Atomik blog summary templates.
    Updating some automatically created directories to use the proper directory permissions (thanks mlocati)
    Clicking the labels of the checkboxes in the Rich Text Editor Settings Dashboard page will not check the appropriate checkbox (thanks mlocati)

Bug Fixes

    Fixed bug where page attributes were added to the attribute index immediately upon saving, even if the version they were joined to had not yet been approved.
    Fixed bug where announcements might not have been displayed to certain users who should see them.
    Fixed bug when using advanced permissions in file manager with File Uploader access entity under certain conditions.
    Fixed bug in the Atomik theme where a board would error if certain properties on a page were not set.
    Fixed bug in advanced permissions that made it impossible to select a custom date/time range for a permission access entity.
    Fixed: Page with gallery block breaks if deletes an image from the File manager.
    jQuery UI is no longer required to use the core date/datetime attribute (thanks hamzaouibacha)
    Fixed: Help block for related topics on page list form is incorrect (thanks ccmEnlil)
    Fixed: Can't delete a user who is favoriting a folder in the file manager (thanks mlocati)
    Fixed error where Page not found after updating URL slug of a page in composer.
    Improved compatibility with PHP 8.2 and greater.
    Fixed: ResponseAssetGroup::requireAsset required "core/rating" but "core/rating" is not a valid asset group handle
    Fixed: Feature Link block: Undefined variable $buttonColor error on PHP8
    Removed directory selector from File manager add file dialog because it could slow things down significantly.
    Fixed bug where certain marketplace files would be marked as incompatible with the current version when they were not actually incompatible under PHP versions lower than 8.
    Fixed Undefined variable $calendarID with PHP 8 when working with calendar boards configuration under PHP 8.
    Fixed bug where Multi-site default site attributes at the Site Type level were not working.
    Fixed: --env command option is ignored on v9 (thanks jscott-rawnet)
    Fixed issue where users who were granted the ability to edit page type drafts were not actually able to publish those drafts.
    Link settings in an image block will now export properly when using the Migration Tool (thanks hissy)
    Fixed issue where if you’re filtering by a topic using custom code, similarly named topics would return objects assigned to both topics (thanks pszostok)
    Fix error when an invalid file is passed into the download file single page (thanks JohnTheFish)
    Fixed bug where nested groups would show HTML for their breadcrumbs when viewed in the user group search in the user advanced search.
    Fixed some instances where the CollectionSearchIndexAttributes table might be updated based on the latest version instead of the approved version (thanks biplobice)
    Fixed concrete/attributes/email/controller.php:33 Undefined array key "value" (thanks mlocati)
    Fixed: PHP 8 deprecation warnings on login page (thanks mlocati)
    Remove HTML from user_group attribute form.
    Prevents PHP8 undefined key exception in Snippet::getByHandle() (thanks bikerdave)
    "Invalid or Empty Node passed to getItem constructor." error on adding express form in certain languages (thanks hissy)
    Bug fixes to the download file page under PHP8 (thanks JohnTheFish)
    Fix error when logging in as another user with multisite enabled under PHP8.
    Fixed Undefined variable $user on /login/session_invalidated under PHP 8 (thanks hissy)
    Fixed bug where certain users may not have been able to dismiss announcements.
    Fixed issue where "Subpage Permissions" setting is ignored when draft pages are inherited from defaults (thanks hissy)
    Add missing t() in "Edit Page List" block view so it can be translated (thanks mlocati)
    Fixed bug when trying to use Calendar summary templates to select a specific sub-set of summary templates as available for a particular event.
    Fixed errors when accessing Express attribute keys programmatically if they had the phrase “get” at any point in them.
    Load fresh version object instead of cached one when running update (thanks pszostok)
    Fixed: Express Form Block's Form Name doesn't get changed after first setting (thanks hamzaouibacha)
    Sanitize the output of the Accordion block title field (thanks ismeashim)
    We now properly sanitize the output of files uploaded through Express Forms.
    Updated to Guzzle 7.8, remediating INSERT ISSUE HERE!!!
    Updated League OAuth2 Server dependency to 8.4.2 to fix security issue.
    Better sanitization of Plural handles in Express objects.
    Better sanitizing of Custom labels in Express objects.

Developer Improvements

    Added new capabilities for custom theme documentation pages (pages that use site page types and page templates for support elements, but still live in the documentation pages area.)

    Made ReindexPageCommand fully synchronous, and added a new QueueReindexPageCommand that is asynchronous for use when developers want to queue a page for reindexing asynchronously.

    Added new console command concrete:theme:activate and concrete:theme:activate-skin.
    Added the ability to affect the new page’s display order and page path when using the on_page_duplicate event.
    Enhance DeleteGroupCommand to customize its handling of sub-groups (thanks mlocati)
    Developers can now override the PageItem and Navigation classes within the Top Navigation Bar using custom code if they choose to do so (thanks danklassen)

Security Fixes

    Updated the Guzzle HTTP library to 7.8 to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197 Thank you Danilo Costa for reporting H1 2132287
    Fixed Directories could be created with insecure permissions since file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Thanks tahabiyikli-vortex for reporting H12122245. Thanks Mlocati for providing the fix. Fixed in commit 11677
    Fixed stored XSS on the Concrete Admin page by sanitizing uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N Thanks @akbar_jafarli for reporting H1 2149479. Fixed in commit 11695
    Fixed CVE-2023-44761 Admin can add XSS via Data Objects with this commit
    Fixed CVE-2023-44765 Stored XSS Associations (via data objects) with commit 11746

9.2.1 Release Notes

New Features

    Added a thumbnail property to the Feature and Feature Link block types (thanks katalysis)
    File manager image editor now supports full screen mode (thanks mlocati)

Behavioral Improvements

    Reinstated the ability to attach accounts to external authentication providers on the My Account page.
    Use User->isRegistered() instead of User->isLoggedIn() throughout Concrete (Thanks mlocati)
    Top Navigation Bar now honors replace_link_with_first_in_nav custom attribute (thanks danklassen)
    Top Navigation Bar block can now use the site name for branding text if no custom branding text is defined in the block.
    Dashboard image editor is now larger (thanks mlocati)
    Minor display improvements
    First weekday in calendar is now defined by the locale instead of being hard-coded to Sunday (thanks mlocati)
    Page Selector and User Selector attributes now work better when used with Express label entry display masks/labels.
    Image editor in Dashboard now reloads an image detail page when an asset is edited (thanks mlocati)
    Display more details when explaining why a package cannot be installed due to problems in the package controller (thanks mlocati)
    Dashboard File Details page now reloads when versions are changed (thanks mlocati)
    Improved appearance of Express Entry Details block.
    Added optional alphabetical sort to to block type sets using a configuration option (see here: #11292) (thanks mnakalay)
    Dates displayed in Site Health reports are now properly localized (thanks mlocati)
    Logs Dashboard page now reloads when logs are cleared (thanks mlocati)
    Content replacement should be slightly faster when dealing with large amounts of block records.

Bug Fixes

    Many additional stricter code fixes under PHP 8.2 (thanks mlocati)
    Fixed: Express form with file upload attributes results in multiple copies of a file in the file manager.
    Fixed inability to do Board instance editing of individual slots.
    Fixed inability to view site health reports under certain conditions.
    Fixed bug where selecting “Force file to download” in a block would result in being unable to un-check and save the setting at a later point (thanks mlocati)
    Fixed bug where conversations were not getting a unique ID when being created, leading duplicate conversations when being added.
    Fixed some misnamed migrations (thanks mlocati)
    Bug fixes to redirect response in GenericOauthTypeController (thanks mlocati)
    We now properly pass the type object to the authentication type controllers upon instantiation (thanks mlocati)
    Fixed errors importing files in the incoming directory (thanks JeRoNZ)
    OAuth service provider: avoid deprecated methods, display errors properly (thanks mlocati)
    Fixed bug where adding an attribute to a page via the attributes panel would clear out select attribute options set against that page if they existed.
    Fixed: Using the feature block, if the icon is not selected, an exception occurs with PHP 8.x due to an undefined array index (thanks JeRoNZ)
    Fixed: Can't bulk edit attributes on page search v9.2 (thanks mlocati)
    Fix View pages using a specific block type (thanks mlocati)
    Fixed Social links stacking instead of displaying inline (thanks nikkiklassen)
    Fixed: Health Check - "Consider enabling logging on tasks." incorrect link
    Fixed: If a page doesn't have the tags attribute attached to it but has a Tags Block you will get this error when accessing that page (thanks mlocati)
    Fixed some errors when detaching OAuth2 accounts (thanks mlocati)
    We now properly pass the item object to user interface menu controllers (thanks mlocati)
    Multilingual - Exception when try to reload strings (thanks mlocati)
    Fixed: Fixed attempt to read property "pTemplateID" results in null under some very rare circumstances.
    PHP 8 Fix: Fix warnings when viewing /dashboard/reports/logs (thanks mlocati)
    Fixed error when searching Logs by their severity level in the Dashboard (thanks lemonbrain-mk)
    Fixed bug where Express object added to the API was unavailable in the API if it had been added via the in-page form builder.
    Fix Undefined property error on PHP 8 in WorkflowAccess class (thanks hissy)
    Fixed error when attempting to use the Closure password validator (thanks gregheafield)
    Fix Undefined array key "scheme" in redis drivers (thanks mlocati)
    Fixed inability to revert page to draft (thanks JeRonZ).
    Fixed Feature and Feature Link block types not exporting their files or importing them properly when used with the Migration Tool.
    Fixed: Pages with theme defined preset layouts crash when editing if the theme is changed (thanks JeRoNZ)
    Fix accessing undefined array index in dialog/block/design.php under certain conditions (thanks mlocati)
    Fix ckeditor language path & remove declaration variable $useLanguage (thanks hamzaouibacha)
    Fixed error when using sitemap selector that nodes in the unexpanded areas would not be selected when those areas were expanded (thanks deanL-zuiderlicht)
    Declare width, height and size in ccmi18n_filemanager object is used in ConcreteFileChooser component so it’s properly localized (thanks hamzaouibacha)
    Currently active geolocation library is now properly highlighted. (thanks mlocati)
    When given a list of topic node ID's such as tid:54,tid:56, the method updateAttributeValueFromTextRepresentation() only imports the last ID in the list when importing content (thanks JohnTheFish)

Developer Improvements

    Fixed: The email validation with the EmailValidator class gets passed even if it contains emojis (thanks biplobice)
    Developers can now define the minimum PHP version required for a Concrete package with the getPhpVersionRequired in their package controllers (thanks mlocati)
    Developers can now specify if certain block content fields ought to be run through the content importer replaceContent method, by including them in the $btExportContentColumns protected array in their block controller.
    Fix support for C5_ENVIRONMENT_ONLY env variable (thanks mlocati)
    Move the on_user_logout event at the end of the logout (thanks mlocati)
    Upgrade primal/color third party color parsing library for better PHP 8 compatibility (thanks mlocati)
    Add on_before_user_logout, enable customization of post-logout URL (thanks mlocati)
    icon-bar class now included in the Navigation fallback asset so themes that the Top Navigatiaon Bar block will support it when using fallback assets.
    Add ability to column at a specific position (thanks biplobice)
    Added new MemoryOutput class for tasks for diagnostic purposes (thanks mlocati)