Winter v1.0.474

Released on August 26, 2021
Review another release

v1.2 (Laravel 9)
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0

v1.1 (Laravel 6)
v1.1.10
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0

v1.0 (Laravel 5.5)
v1.0.475
v1.0.474
v1.0.473
v1.0.472
v1.0.471
v1.0.470
v1.0.469
v1.0.468
v1.0.467
v1.0.466
v1.0.465
v1.0.464
v1.0.463
v1.0.462
v1.0.461
v1.0.460
v1.0.459
v1.0.458
v1.0.457
v1.0.456
v1.0.455
v1.0.454
v1.0.453
v1.0.452
v1.0.451
v1.0.450
v1.0.449
v1.0.448
v1.0.447
v1.0.446
v1.0.445
v1.0.444
v1.0.443
v1.0.442
v1.0.441
v1.0.440
v1.0.439
v1.0.438
v1.0.437
View on GitHub CMS Changes Framework Changes

Security improvements backported from v1.1:

API Changes

  • The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
  • Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
  • Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
  • Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not

Bug Fixes

  • Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

  • URLs generated by Url::to() and url() now return properly URL-encoded values
  • Fixed issue where post() could return values when the request was not a valid POST request
  • Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
  • Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
  • CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.

Keep informed

Sign up to our newsletter and receive updates on Winter releases, new features in the works, plugin and theme promotions and much more!