v1.0.474 Released on August 26, 2021


Security improvements backported from v1.1:

API Changes

  • The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values, with dot segments processed out.
  • Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation.
  • Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
  • Changed model.user.beforeImpersonate to a halting event. Third-party plugins can now override the default return value of canBeImpersonated() by returning a boolean flag indicating whether the user can be impersonated, implementing more or less strict impersonation protection policies as desired on a per-project basis.

Bug Fixes

  • Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

  • URLs generated by Url::to() and url() now return properly URL-encoded values
  • Fixed issue where post() could return values when the request was not a valid POST request
  • Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well. Previously, the impersonated user would have been recorded as the impersonator in those cases.
  • Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
  • CMS Theme logs now reflect the real user behind a request, taking into account user impersonation.
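
The impersonation rules listed above (real-user tracking across nested impersonation, permission filtering, and a halting policy hook) can be modelled in a few lines of PHP 8. This is an added example, not Winter CMS source code: AuthSession, addPolicy() and the permission names are hypothetical, and only getRealUser() borrows its name from these notes.

```php
<?php
// Constructed model of the impersonation rules in these notes; NOT Winter CMS source code.
// AuthSession, addPolicy() and the permission names are hypothetical.
final class User
{
    public function __construct(public string $login, public array $permissions) {}
}

final class AuthSession
{
    private ?User $impersonator = null; // the real user; set by the first impersonation
    private array $policies = [];       // halting listeners: bool decides, null abstains
    public array $audit = [];
    public function __construct(private User $user) {}
    public function addPolicy(callable $policy): void { $this->policies[] = $policy; }
    public function getRealUser(): User { return $this->impersonator ?? $this->user; }

    public function impersonate(User $target): bool
    {
        $real = $this->getRealUser(); // never the currently impersonated account
        foreach ($this->policies as $policy) {
            $verdict = $policy($target, $real);
            if ($verdict === false) { return false; } // a listener vetoed the switch
            if ($verdict === true) { break; }         // halting: first answer wins
        }
        $this->impersonator = $real;
        $this->user = $target;
        $this->audit[] = "{$real->login} -> {$target->login}";
        return true;
    }

    public function hasAccess(string $permission): bool
    {
        $granted = $this->user->permissions;
        if ($this->impersonator !== null) { // impersonated access is the intersection
            $granted = array_intersect($granted, $this->impersonator->permissions);
        }
        return in_array($permission, $granted, true);
    }
}

// Constructed sample accounts: support staff switch to editor, then on to author.
$session = new AuthSession(new User('support', ['pages.edit', 'users.impersonate']));
$session->addPolicy(fn (User $t, User $real) => $t->login === 'owner' ? false : null);
$session->impersonate(new User('editor', ['pages.edit', 'themes.edit']));
$session->impersonate(new User('author', ['pages.edit', 'themes.edit']));
var_dump($session->impersonate(new User('owner', ['pages.edit', 'updates.install'])));
var_dump($session->hasAccess('pages.edit'), $session->hasAccess('themes.edit'));
print_r($session->audit); // both entries name "support" as the impersonator
```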
