# Changelog # [v1.6.3](https://github.com/flarum/framework/compare/v1.6.2...v1.6.3) ### Fixed * Post mentions can be used to read any post on the forum without access control (ab1c868b978e8b0d09a5d682c54665dae17d0985). * Notifications can leak restricted content (d0a2b95dca57d3dae9a0d77b610b1cb1d0b1766a). * Any user including unactivated can reply in public discussions whose first post was permanently deleted (12f14112a0ecd1484d97330b82beb2a145919015). * (subscriptions) Post notifications not getting access checked (https://github.com/flarum/framework/commit/e5f05166a062a9a6eb7c12e28728bfd5db7270e3). ## [v1.6.2](https://github.com/flarum/framework/compare/v1.6.1...v1.6.2) ### Fixed * XSS Vulnerability in core (https://github.com/flarum/framework/pull/3684). ## [v1.6.1](https://github.com/flarum/framework/compare/v1.6.0...v1.6.1) ### Fixed * JS dependencies update breaks utilities. ## [v1.6.0](https://github.com/flarum/framework/compare/v1.5.0...v1.6.0) ### Fixed - (approval) posts approved for deleted users error ([b5874a0](b5874a08e482196f50af50aa78e43c93c29fb647)) - (regression) bad import ([5f2d7fb](5f2d7fb7b6e430d40cf2bb05eca7c73f6ca5a2cc)) - akismet fails when the extension is not on a version ([45d9121](45d91212f6bfa777cae9fc06c55c85d01ffd174d)) - apply flex for AppearancePage colors input [#3651] - groupmentions have poor contrast on some backgrounds [#3672] - larastan v1 incompatible with phpstan v1.9.0 [#3665] - package manager failures not showing alerts [#3647] - password reset leaks user existence [#3616] - statistics previous period chart is unclear [#3654] ### Changed - (package-manager) config composer to use web php version ([fd19645](fd196454a5641776784fa80886cc7577c840f8ed)) - (package-manager) set min core version and add warning ([31c3cfc](31c3cfc4eab4c314260b9b0d11e53ac2d4be158d)) - (statistics) prepare v1.5.1 ([dc215ab](dc215aba59145dfd7b0d6efad4388444f30e47fb)) - Apply fixes from StyleCI ([267f675](267f6759f80bd06f468337245ea6045635e827d9)) - Fix tag discussion count decreased by 2 when hiding before deleting [#3660] - Log migration path when up/down keys are missing [#3664] - Make it possible to extend SetupScript [#3643] - Setup PHPStan Level 5 [#3553] - `yarn format` ([c5c312d](c5c312db0d800e3b84b94a4abb9691e348dea742)) - add missing last period to custom date ranges [#3661] - add priorities to profile settings page [#3657] - allow specifying php extensions in workflow ([b0b47a0](b0b47a0888f513a459b67e9f89e72a61de38f1ce)) - format js ([06963df](06963df4079373fc8fc51b7479e9576f02beb098)) - group mentions [#3658] - remove styleci from changelog ([b2fa28e](b2fa28e4b57094e46dbdb3d79fab74f290a17d17)) - set flarum version to dev for 1.6.0 ([fc743ba](fc743ba88872031db13597d7365a063b8004c78f)) - throw an exception when no serializer is provided to the controller [#3614] ### Added - (statistics) support for custom date ranges [#3622] - Allow additional login params, Introduce `LogInValidator` [#3670] - Allow additional reset password params, introduce `ForgotPasswordValidator` [#3671] - add statistics chart export button [#3662] - allow specifying extensions when installing an instance [#3655] - contrast util with yiq calculator [#3652] - customizable session driver [#3610] - replace `ColorPreviewInput` for GroupModal color input [#3650] - send notifications of a new reply when post is approved [#3656] ## [v1.5.0](https://github.com/flarum/framework/compare/v1.4.0...v1.5.0) ### Fixed - (a11y) add accessible labels to notification grid options [#3520] - (a11y) present post streams as feeds [#3522] - (a11y) set `aria-busy` when editing a post stream item [#3521] - (compilation) versioner not inject into compilers [#3589] - (mentions) accessing `id` of null `user` relation [#3618] - (subscriptions) add missing table prefix for filter gambit [#3599] - (tags) use default index sortmap [#3615] - Move guzzle requirement to core [#3544] - MyISAM tables for extensions during installation ([75aaef7](75aaef7d76317bc8578eac1439fed8091c87213b), [f926c58](f926c58e0143fe75a4a4c2e93810970c5910afc8)) - Set the translator locale to user preference for email notifications [#3525] - `$events` property declared dynamically [#3598] - core settings header has no priority ([33bf228](33bf2284c77863a1bb18d71d87b8516483056a74)) - html entities shown raw in page title [#3542] - incorrect centring of deleted user avatars in notification list [#3569] - intellisense imports defaulting to absolute path from `src` folder [#3549] - minor backward compatible fix for php 8.1 in st_replace ([07b2f86](07b2f86dcc90a3ef17c8ee19a1a07e99a4b17360)) - post query wildcard selection causes ambiguity [#3621] - potential static caching memory exhaustion [#3548] - prepare release workflow has invalid layout ([70e483d](70e483d1b185332910be9513fd06cc6342830d49)) - remove deprecation warning for decoding null values ([590639f](590639f5f3e1fe883f28c41e1f175c2826b4b5f4)) - replace `.fa()` mixin usage with `.fas()` [#3537] - return type hint static is php 8+ ([b01b75e](b01b75e36790d8026dd27ce59051d9581ad47940)) - sticky nav content displays below post stream [#3575] - titles positioned wrongly with custom header height [#3550] - typo in error message ([1a189f4](1a189f492320071365286a8835bc49d5a9571753)) - unread notifications are globally cached between users. [#3543] - update workflow name ([628c281](628c281c39855f01069ddc40b698d80d29fec870)) - user has wrong discussion read status [#3591] ### Changed - (approval, likes) use subscribers [#3577] - (package-manager) last tweaks before beta tag ([335c602](335c602cea3fbaee9ad7c32ceecaaf222e5d89a7)) - (statistics) add release notes for 1.4.1 ([f4ace73](f4ace73a3c59434b8717efb2d83f50084f470fe4)) - (statistics) rewrite for performance on very large communities [#3531] - (statistics) split timed data into per-model XHR requests [#3601] - (tags) Replace event helper with event dispatcher [#3570] - Add `loading="lazy"` attribute for avatars [#3578] - Create CODEOWNERS ([6e48a03](6e48a0303e45bcf210e550ba3e0772bc8443a207)) - MyISAM tables for extensions during installation" ([f128190](f128190f143398dd1262fd1379e634794daee4c1)) - convert `AlertManager` `IndexPage` and `UserPage` components to TS [#3536] - convert `Badge` `Checkbox` and `Navigation` components to TS [#3532] - convert core modals to TypeScript [#3515] - convert page components to TypeScript [#3538] - debug line slipped in while rebasing a PR [#3580] - don't pass password field between auth modals [#3626] - fix github issue templates ([d3e456a](d3e456a1bf42d13b7cd2542c371f392712247c09)) - format code ([4954621](495462183bfb3b33046b293e6b1088ab225968df)) - getting the release workflow in ([5530400](5530400b093b5fd07d670e5c92d8a7da96634cfe)) - link logo at the top with the official website [#3552] - prevent running both `push` and `pull_request` actions at the same time [#3597] - refactor prefix matrix and add `MySQL 8.0` & `PHP 7.3` to workflows [#3595] - relying on a third-party for avatar URL tests is unreliable [#3586] - require guzzle 6 or 7 ([46b3b7a](46b3b7a9527b935c3c52269aaad2010c75dcb6d8)) - split FA imports into separate Less file for easy overriding [#3535] - unify JS actions into one (rewritten `flarum/action-build`) [#3573] - update version constant during cycle 22 ([d864405](d86440506dd37101e60adec591d4b017e7765ec6)) - use `isCollapsed` instead of `rangeCount` [#3581] - use github issue template forms [#3526] ### Added - (likes) Add likes tab to user profile [#3528] - (likes) Option to prevent users liking their own posts [#3534] - (modals) support stacking modals, remove bootstrap modals dependency [#3456] - (subscriptions) add option to send notifications when not caught up [#3503] - Add custom class for email confirmation alert [#3584] - Admin debug mode warning [#3590] - Delete all notifications [#3529] - Queue package manager commands [#3418] - Restart the queue worker after cache clearing, ext enable/disable, save settings [#3565] - add createTableIfNotExists migration helper [#3576] - add new workflow for generating release meta ([0901e59](0901e59a58a3e1f017762583a2adf419f7f34257)) - clear password & email tokens when appropriate [#3567] - discussion UTF-8 slug driver [#3606] - expose assets base url to frontend forum model [#3566] - extender to add custom less variables [#3530] - publish assets on admin dashboard cache clear [#3564] - throttle email change, email confirmation, and password reset endpoints. [#3555] ## [1.4.0](https://github.com/flarum/framework/compare/v1.3.1...v1.4.0) ### Added - `created_at` and `updated_at` columns added to several tables (https://github.com/flarum/framework/pull/3435) - Priorities added to AdminNav links (https://github.com/flarum/framework/pull/3453) - `app.translator` allows retrieving and setting locale (https://github.com/flarum/framework/pull/3451) - Extensions can now declare custom settings components for use with `buildSettingComponent` (https://github.com/flarum/framework/pull/3494) - Implement extensibility on `rel` and `target` attributes on links (https://github.com/flarum/framework/pull/3455) - New backend tests were added to some of the bundled extensions (https://github.com/flarum/framework/issues/3508) ### Changed - Split boot script for Flarum in HTML footer into two parts for CSP hashing (https://github.com/flarum/framework/pull/3461) - Split asset compilation by giving assembling compilers its own method (https://github.com/flarum/framework/pull/3446) - Increase visibility of Component typescript class for better extensibility (https://github.com/flarum/framework/pull/3437) ### Fixed - Mentioning an event post breaks the notification dropdown (https://github.com/flarum/framework/pull/3493) - Suspension modal shows after suspension is over (https://github.com/flarum/framework/pull/3449) - CLI based installations don't exit with an error code on failure (https://github.com/flarum/framework/pull/3452) - Tabbing through dropdown controls doesn't make them visible (https://github.com/flarum/framework/pull/3450) - Requiring zero tags on new discussions forces the user to select tags (https://github.com/flarum/framework/pull/3448) - Long topic titles in the notification list don't overflow (https://github.com/flarum/framework/pull/3500) - Subtags of tags the user has access to are visible even if these are not accessible (https://github.com/flarum/framework/pull/3419) - `assertAdmin` tests access based on wrong gate ability (https://github.com/flarum/framework/pull/3501) - Increasing the composer header size causes elements to slip underneath (https://github.com/flarum/framework/pull/3502) - The profile mentions tab errors when sorting by `created_at` (https://github.com/flarum/framework/pull/3506) ## [1.3.1](https://github.com/flarum/framework/compare/v1.3.0...v1.3.1) ### Changed - UserCard now has ItemList for easier extending (https://github.com/flarum/framework/pull/3436) ### Fixed - Button to go directly to all results page is hidden while API request for search hasn't completed (https://github.com/flarum/framework/pull/3431) - Setting extender does not register modifications beyond first fluent call (https://github.com/flarum/framework/pull/3439) - Link to font awesome icons list no longer works (https://github.com/flarum/framework/commit/df1bdd2ad84e992414c0e1e7be576558b4b0fe29) - Mentions: mentions with deleted authors not showing (https://github.com/flarum/framework/pull/3432) - Nicknames: regex validation isn't functional (https://github.com/flarum/framework/pull/3430) - Subscriptions: reply notifications not working (https://github.com/flarum/framework/pull/3445) - Suspend: not providing suspension reason breaks mail (https://github.com/flarum/framework/pull/3433) ## [1.3.0](https://github.com/flarum/framework/compare/33d939cb012716ed6309ea02236737ad4f25a75b...v1.3.0) From v1.2.1 on all bundled Flarum extensions and `flarum/core` are merged into one monorepo. As a result of this, the full code diff linked above looks rather complex and messy compared to the full list of changes made for this release. ### Added - [A11Y] Added role feed to DiscussionList (https://github.com/flarum/framework/pull/3359) - Support multiple confirmation dialogs when closing a tab/window (https://github.com/flarum/framework/pull/3372) - Markdown: markdown toolbar support for admin frontend (https://github.com/flarum/framework/commit/16d5cc11e3aee5c94aeed877987cdb199a2a0d2c) ### Changed - Post number calculation is now executed inside the database layer, preventing integrity constraints (https://github.com/flarum/framework/pull/3358) - Errors from within extensions no longer make Flarum crash but trigger a visible warning (https://github.com/flarum/framework/pull/3349) - Sorting options for discussion index is now extensible (https://github.com/flarum/framework/pull/3377) - Event listeners from the framework now are added before those of extensions (https://github.com/flarum/framework/pull/3373) ### Fixed - Typings and missing typescript components (https://github.com/flarum/framework/pull/3348) - `Post--by-start-user` CSS class is not added to post html (https://github.com/flarum/framework/pull/3356) - Timestamps for notifications are incorrect on servers that have a timezone different than UTC (https://github.com/flarum/framework/pull/3379) - Extensions with dependencies that are enabled do not cause dependencies to be enforced (https://github.com/flarum/framework/pull/3352) - Search using non-words doesn't work (https://github.com/flarum/framework/pull/3385) - Slugs are not working for other languages than English (https://github.com/flarum/framework/pull/3387) - Deprecations are triggered on PHP 8.1 (https://github.com/flarum/framework/pull/3384) - Post permalink for subdirectory installs have duplicate paths segments (https://github.com/flarum/framework/pull/3354) - Composer discussion title is not always clearly visible (https://github.com/flarum/framework/pull/3413) - Mentions: extensions re-using mentions can cause errors due to missing context (https://github.com/flarum/framework/pull/3382) - Tags: tag selection modal errors on new discussions when pressing down (https://github.com/flarum/framework/issues/3403) - [A11Y] Tags: focus to input and layout of tag selection modal are off (https://github.com/flarum/framework/pull/3412) - Subscriptions: searching inside the following page will search in all discussions (https://github.com/flarum/framework/pull/3376) ## [1.2.1](https://github.com/flarum/framework/compare/v1.2.0...v1.2.1) ### Fixed - Don't escape single quotes in discussion title meta tags (60600f4d2b8f0c5dac94c329041427a0a08fad42) ## [1.2.0](https://github.com/flarum/framework/compare/v1.1.1...v1.2.0) ### Added - View `README` documentation in extension pages (https://github.com/flarum/framework/pull/3094). - Declare & Use CSS Custom Properties (https://github.com/flarum/framework/pull/3146). - Lazy draw dropdowns to improve performance (https://github.com/flarum/framework/pull/2925). - Default Settings Extender (https://github.com/flarum/framework/pull/3127). - Add `textarea` setting type to admin pages (https://github.com/flarum/framework/pull/3141). - Allow registering settings as `Less` config vars through Settings Extender (https://github.com/flarum/framework/pull/3011). - Allow replacing of blade template namespaces via extender (https://github.com/flarum/framework/pull/3167). - Update to Webpack 5 (https://github.com/flarum/framework/pull/3135). - Introduce `Less` custom function extender with a `is-extension-enabled` function (https://github.com/flarum/framework/pull/3190). - Support for `few` in ICU Message syntax (https://github.com/flarum/framework/pull/3122). - ES6 local support for number formatting (https://github.com/flarum/framework/pull/3099). - Added dedicated endpoint for retrieving single groups (https://github.com/flarum/framework/pull/3084). - Callback `loadWhere` relation eager loading extender (https://github.com/flarum/framework/pull/3116). - Extensible document title driver implementation (https://github.com/flarum/framework/pull/3109). - Type checks, typescript coverage GH action (https://github.com/flarum/framework/pull/3136). - Add color indicator in appearance admin page instead of validating colors (https://github.com/flarum/framework/pull/3140). - Add typing files for our translator libraries (https://github.com/flarum/framework/pull/3175). - `StatusWidget` tools extensibility (https://github.com/flarum/framework/pull/3189). - Allow switching the `ImageManager` driver (https://github.com/flarum/framework/pull/3195). - Events for notification read/all read actions (https://github.com/flarum/framework/pull/3203). ### Changed - Testing with php8.1 (https://github.com/flarum/framework/pull/3102). - Migrate fully to Yarn (https://github.com/flarum/framework/pull/3155). - Handle post rendering errors to avoid crashes (https://github.com/flarum/framework/pull/3061). - Added basic filtering, sorting, and pagination to groups endpoint (https://github.com/flarum/framework/pull/3084). - Pass IP address to API Client pipeline (https://github.com/flarum/framework/pull/3124). - Rename Extension Page "Uninstall" to "Purge" (https://github.com/flarum/framework/pull/3123). - [A11Y] Improve accessibility for discussion reply count on post stream (https://github.com/flarum/framework/pull/3090). - Improved post loading support (https://github.com/flarum/framework/pull/3100). - Rewrite SubtreeRetainer into Typescript (https://github.com/flarum/framework/pull/3137). - Rewrite ModalManager and state to Typescript (https://github.com/flarum/framework/pull/3007). - Rewrite frontend application files to Typescript (https://github.com/flarum/framework/pull/3006). - Allow extensions to modify the minimum search length in the Search component (https://github.com/flarum/framework/pull/3130). - Allow use of any tag in `listItems` helper (https://github.com/flarum/framework/pull/3147). - Replace `for ... in` with `Array.reduce` (https://github.com/flarum/framework/pull/3149). - Page title format is now implemented through translations (https://github.com/flarum/framework/pull/3077, https://github.com/flarum/framework/pull/3228) - Add `aria-label` attribute to the navigation drawer button (https://github.com/flarum/framework/pull/3157). - Convert extend util to TypeScript (https://github.com/flarum/framework/pull/2928). - Better typings for DiscussionListState (https://github.com/flarum/framework/pull/3132). - Rewrite ItemList, update `ItemList` typings (https://github.com/flarum/framework/pull/3005). - Add priority order to discussion page controls (https://github.com/flarum/framework/pull/3165). - Use `@php` in Blade templates (https://github.com/flarum/framework/pull/3172). - Convert some common classes/utils to TS (https://github.com/flarum/framework/pull/2929). - Convert routes to Typescript (https://github.com/flarum/framework/pull/3177). - Move admin `colorItems` to an `ItemList` (https://github.com/flarum/framework/pull/3186). - Centralize pagination/canonical meta URL generation in Document (https://github.com/flarum/framework/pull/3077). - Use revision versioner to allow custom asset versioning (https://github.com/flarum/framework/pull/3183). - Split up application error handling (https://github.com/flarum/framework/pull/3184). - Make SlugManager available to blade template (https://github.com/flarum/framework/pull/3194). - Convert models to TS (https://github.com/flarum/framework/pull/3174). - Allow loading relations in other discussion endpoints (https://github.com/flarum/framework/pull/3191). - Improve selected text stylization (https://github.com/flarum/framework/pull/2961). - Extract notification `primaryControl` items to an ItemList (https://github.com/flarum/framework/pull/3204). - Frontend code housekeeping (#3214, #3213). - Only retain scroll position if coming from discussion (https://github.com/flarum/framework/pull/3229). - Use `aria-live` regions to focus screenreader attention on alerts as they appear (https://github.com/flarum/framework/pull/3237). - Prevent unwarranted `a11y` warnings on custom Button subclasses (https://github.com/flarum/framework/pull/3238). ### Fixed - Missing locale text in the user editing modal (https://github.com/flarum/framework/pull/3093). - Dashes in table prefix prevent installation (https://github.com/flarum/framework/pull/3089). - Missing autocomplete attributes to input fields (https://github.com/flarum/framework/pull/3088). - Missing route parameters throwing an error (https://github.com/flarum/framework/pull/3118). - Mail settings select component never used (https://github.com/flarum/framework/pull/3120). - White avatar image throws javascript errors on the profile page (https://github.com/flarum/framework/pull/3119). - Unformatted avatar upload validation errors (https://github.com/flarum/framework/pull/2946). - Webkit input clear button shows up with the custom one (https://github.com/flarum/framework/pull/3128). - Media query breakpoints conflict with Windows display scaling (https://github.com/flarum/framework/pull/3139). - `typeof this` not recognized by some IDEs (https://github.com/flarum/framework/pull/3142). - `Model.save()` cannot save `null` `hasOne` relationship (https://github.com/flarum/framework/pull/3131). - Edit post `until reply` policy broken on PHP 8 (https://github.com/flarum/framework/pull/3145). - Inaccurate `Component.component` argument typings (https://github.com/flarum/framework/pull/3148). - Scrolling notification list infinitely repeats (https://github.com/flarum/framework/pull/3159). - Argument for INFO constant was assigned to `maxfiles` argument incorrectly (bfd81a83cfd0fa8125395a147ff0c9ce622f38e3). - `Activated` event is sent every time an email is confirmed instead of just once (https://github.com/flarum/framework/pull/3163). - [A11Y] Modal close button missing accessible label (https://github.com/flarum/framework/pull/3161). - [A11Y] Auth modal inputs missing accessible labels (https://github.com/flarum/framework/pull/3207). - [A11Y] Triggering click on drawer button can cause layered backdrops (https://github.com/flarum/framework/pull/3018). - [A11Y] Focus can leave open nav drawer on mobile (https://github.com/flarum/framework/pull/3018). - [A11Y] Post action items not showing when focus is within the post (https://github.com/flarum/framework/pull/3173). - [A11Y] Missing accessible label for alert dismiss button (https://github.com/flarum/framework/pull/3237). - Error accessing the forum after saving a setting with more than 65k characters (https://github.com/flarum/framework/pull/3162). - Cannot restart queue from within (https://github.com/flarum/framework/pull/3166). - `Post--by-actor` not showing when comparing user instances (https://github.com/flarum/framework/pull/3170). - Incorrect typings for Modal `hide()` method (https://github.com/flarum/framework/pull/3180). - Avatar Upload throws errors with correct mimetype and incorrect extension (https://github.com/flarum/framework/pull/3181). - Clicking the dropdown button on a post opens all dropdowns in `Post-actions` (https://github.com/flarum/framework/pull/3185). - `getPlainContent()` causes external content to be fetched (https://github.com/flarum/framework/pull/3193). - `listItems` not accepting all `Mithril.Children` (https://github.com/flarum/framework/pull/3176). - Notifications mark as read option updates all notifications including the read ones (https://github.com/flarum/framework/pull/3202). - Post meta permalink not properly generated (https://github.com/flarum/framework/pull/3216). - Broken contribution link in README (https://github.com/flarum/framework/pull/3211). - `WelcomeHero` is displayed when content is empty (https://github.com/flarum/framework/pull/3219). - `last_activity_at, last_seen_at` updated on all API requests (https://github.com/flarum/framework/pull/3231). - `RememberMe` access token updated twice in API requests (https://github.com/flarum/framework/pull/3233). - Error in `funding` item in `composer.json` bricks the frontend (https://github.com/flarum/framework/pull/3239). - Escaped quotes in window title (https://github.com/flarum/framework/pull/3264) - `schedule:list` command fails due to missing timezone configuration. ### Deprecated - Unused `evented` utility (https://github.com/flarum/framework/pull/3125). ## [1.1.1](https://github.com/flarum/framework/compare/v1.1.0...v1.1.1) ### Fixed - Performance issue with very large communities. ## [1.1.0](https://github.com/flarum/framework/compare/v1.0.4...v1.1.0) ### Added - Info command now displays MySQL version, queue driver, mail driver (https://github.com/flarum/framework/pull/2991) - Use organization Prettier config (https://github.com/flarum/framework/pull/2967) - Support for global typings in extensions (https://github.com/flarum/framework/pull/2992) - Typings for class component state attribute (https://github.com/flarum/framework/pull/2995) - Custom colorising with CSS custom properties (https://github.com/flarum/framework/pull/3001) - Theme Extender to allow overriding LESS files (https://github.com/flarum/framework/pull/3008) - Update lastSeenAt when authenticating via API (https://github.com/flarum/framework/pull/3058) - NoJs Admin View (https://github.com/flarum/framework/pull/3059) - Preload FontAwesome, JS and CSS, and add `preload` extender (https://github.com/flarum/framework/pull/3057) ### Changed - Move Day.js plugin types import to global typings (https://github.com/flarum/framework/pull/2954) - Avoid resolving excluded middleware on each middleware items - Allow extra attrs provided to `