Warning! Before you upgrade, if you use the raw PHP-style URL scheme...
If you upgrade to this release and are using the raw PHP-style URL scheme (default), the single public zone option will be forced on for your site to work around a bug which could lock members out of your site.
Please see tracker issue #6166 for more information.
If you want to avoid this (because you need the 'site' zone to be separate), change your URL scheme to an option other than raw URLs before upgrading. The "Use /pg/ to identify CMS pages" setting will work best, with no further configuration necessary on your part. Make sure your web server supports URL rewrites and that you have an .htaccess file present (copy recommended.htaccess if not).
Other important upgrade information
- Composr now requires the PHP gettext extension so location-based functionality works.
- Telemetry has changed. Review and change your settings under Admin Zone > Setup > Configuration > Privacy / legal compliance options after upgrading.
- Parental consent ("COPPA") settings have changed. See Admin Zone > Setup > Edit parental control settings (and the indicated tutorial) after upgrading. You and your members may be prompted to enter your Date of Birth, Time zone, and Region after upgrade (due to the default configuration).
- The multi_lang_content option in _config.php is now ignored; the value is migrated into the database and will be read from there from then on. This was never meant to be hand-edited by the webmaster. Instead, to enable or disable content translations, use data_custom/execute_temp.php to run require_code('database_multi_lang_conv'); enable_content_translation(); to enable, or require_code('database_multi_lang_conv'); disable_content_translation(); to disable. Back up your database and close your site before you do either! Also make sure PHP and your web server / upstream proxies have a large execution time limit.
- These non-bundled addons have been removed / archived: performance_compile (obsolete), simplified_emails (obsolete), confluence (self-hosted instance not supported), SugarCRM (community edition deprecated), Bantr (very niche), world_regions (obsolete), and locations_catalogues (broken, but hopefully will be fixed / brought back later). See tracker issue 0005687, "Addons to archive / remove from the codebase (ongoing)".
- These new bundled addons will be installed upon upgrade automatically: core_locations (geolocation code refactored to this addon, and PHP ISO Codes library added)
The following tracker issues have been resolved since version 11.beta6…
- Move publication date/time feature to unvalidated addon [validation]
- main_contact_catalogues and main_catalogues_form: Upload fields not POSTing [catalogues]
- Periodic content: delete action causes critical error [content_reviews]
- Add "other staff on this page" for the add warning screen [cns_warnings]
- resource-fs uses too much PHP memory when loading the contents of a var directory (e.g. downloads) [core]
- If the password ratchet is changed, update member passwords when they next log in [core_cns]
- [beta6] Home Home Home [core_comcode_pages]
- Catalogue field sort order confusion [catalogues]
- Accessing admin-lookup view from admin-lookup results causes PAGE_LINK language string missing (even if all langs required) [actionlog]
- calendar_matches: Incorrect time zone conversions [calendar]
The following changes were made via git since version 11.beta6…
- Broken make upgrader block
- Revert forward to beta4
- Prioritise installed addon info over TAR when checking for updates; bug fix
- Prevent publishing addons to the wrong target category
- Update build
- VERSION_BRANCH_NAME symbol; change branch for this version; update make release next steps screen
- Fix errorservice telemetry; should be pure Comcode
- Update errorservice
- Clarify use of errorservice.csv on mass auto-resolve
- mindless...
- Add two new common errors to errorservice
- Simple admin zone menu changes
- LDAP and lurk should queue member deletion rather than executing immediately
- Incorrect handling of SERIAL fields
- Add a small timeout increase when compiling a source file
- Fix addon registry comment
- These caused duplicate confirm modals
- Fix helper panel content
- ...
- Use a special cms_homesite chat room for the site chat
- Fix up chat to allow iframe ancestors (but require a token for security) (WIP)
- Better error handling
- Fix Filtercode bugs in preparation for using Filtercode as filtering mechanism on screens
- Delegate install statistics service checking to a Cron; add Remove me capability
- Filtercode-based filtering boxes; usergroup input field; other bug fixes
- New Tutorial: Free and Open Source Software
- Move report_issue to the site zone
- Refactor telemetry system to be more secure and GDPR compliant (WIP; not tested)
- ...
- Fix bugs in telemetry
- Config bug causing postsave handlers to not fire
- Use local install if running dev mode for telemetry
- Remove site keys
- Revert using local install; often local PHP runs single-threaded so these trigger memory errors (we're just going to have to test live)
- New codebook standard: Not allowed to use opening PHP tag directly in strings
- Follow-up in docs
- Infinite loop in config (also add infinite loop checks)
- Ack...
- Telemetry bug fixes
- Tweaks and minor bug fixes
- Fix lingering telemetry bugs; fix achievements bugs and activate cache on it
- Sort supported branches by release date descending
- Cache and carry: add ability to prevent post_params from breaking the cache
- Telemetry explanation
- Do not log conversion errors to error log if no API key set (populates very quickly)
- catalogue blocks should allow storing uploads
- Support custom text for member achievement qualification
- Achievements for addons
- Also support custom text requirement on group qualification
- Missing dependency
- Unused variable
- Inconsistencies with image thumb filenames (not sure if this will fix it)
- Directories iterator for counting files in a directory
- Hide footer page-link from those without adminzone access
- Add support for disabling automatic validation of new Comcode pages loaded from disk
- Add CAPTCHA to newsletter signup block
- Make infinite loops a critical error; add infinite loop check on hack attack
- Allow using our own logic for infinite loops
- Implement Pace.js for displaying page loading progress
- When adding new Comcode pages via txt files, also generate monikers, SEO
- File integrity scan bug: passing array to haystack (was passing hook info instead of hook files)
- cms_get_headers might return false
- Upgrade code might not run for earlier v11 sites; fix this
- Update config text
- ...
- Optimise downloads and Cyberduck use
- Add missing is_readable checks in Resource-fs file listings
- Resource-fs: fix issues with Comcode pages
- Generating invalid Comcode page IDs on welcome zone
- Archive performance_compile NB addon
- Prevent same-second edge case in stats
- Optimise cns_members stats to use m_total_sessions instead of making a query for every member
- Optimise content stats
- Run statistics every hour instead of day to hopefully spread out resource use on the very-intensive views hook
- Oops, tickets stats was not considering times
- Oops, that's a lot of bars if you have a lot of members
- Various fixes to the stats Cron hook
- More missing time checks in stats
- Add a couple other potential errors (though it is dev mode, they could get relayed so we want to ignore them)
- Fix modularisation
- Let's drop nu_search tables if they exist (since they are flushable) on upgrade to v11
- Remove lots of database_specific upgrade code which now exists in official upgrade code
- Whoops, both of those are v11 fields
- Misc upgrader fixes
- Misspelling
- Fix removed page
- Remove implicit_usergroup_sync value in favor of using the scheduler's native enable / disable system for hooks
- Remove / and $ from password generation
- Update contact page with spam attack reporting
- hack attacks should not consider risk score when silent to staff log is true
- Never assume log_hack_attack_and_exit will exit (silence from user in advanced banning prevents that)
- Fix mail templates and test
- Deprecate simplified_emails; they do not work well with CAN-SPAM requirements
- WEBP should be WebP; add a test for this
- Tutorial revisions (WIP)
- Replace phpDocumentor with our own API generator (composr.app will not be able to run phpDocumentor) (WIP)
- Fix telemetry automated test
- Add admin_compile_api to menu
- Wrong column name
- Linux does not sort directories like Windows does
- Try supporting custom progress on the member qualification
- Privacy: E-mail addresses are not necessarily unique and so should not usually be considered for ownership
- Tutorials revisions (WIP)
- Refactor authorisation of endpoints into hooks
- Make get_session_id more secure; keep_session and cookies should be validated against ID, expiration, and IP address
- Prioritise cookie sessions
- Prioritise header and cookie authorisation
- Add no_compiled_files as a site option to disable using _compiled on slow disks
- Enforce 80-char limit on comma-list field names for indexes due to i_fields type ID_TEXT
- Replace db_*.sh with PHP versions that use Composr API for more consistency
- Let's not accept 'outside the scope of this tutorial' anymore as it is not concise for users (will fix later)
- Store API docs in database for full-text searching; delegate API compile to a task
- Remove api directory
- Don't throw mail / newsletters as last in queue every time
- Tutorial edits (WIP)
- Small tweaks
- Mentorr; we don't want new staff members getting assigned to themselves
- Down homesite could result in site errors due to null response being passed to json_decode
- new member creation could be slow
- Additional guards needed for homesite connections
- Another missing guard
- Support displaying multiple members in conflict detection; also look back 60 seconds instead of 20
- Warnings conflict warning box: put in paragraph so we have padding
- Let's specifically state a conflict may occur; simply stating working on this is not an actionable warning
- Conflict resolution: support particularly sensitive operations via 'false' for $id
- Merge admin_cns_merge_members into admin_cns_members; no good reason this should be separate, and is necessary for proper conflict resolution
- Small changes to SENSITIVE_RESOURCE_HACK
- Add conflict resolution to places it was missing and could be handy
- Add previews to classes in API docs
- Additional tutorial revisions
- Archive/remove non-bundled addon confluence
- Remove/archive NB addon sugarcrm
- We should default to https in multi_domain_login
- Tweaks
- Archive/remove NB addon bantr
- Outdated Jestr description
- Tweaks on the telemetry status page
- Telemetry: Implement a challenge to prevent false registrations of sites
- Telemetry tutorial
- type error; could be null
- Wrong column
- A false cron_installed (after 5 hours) will prevent the blocked by upgrade message from showing for scheduler
- Let's get a little chaotic with Honey Pot technique
- Missing SMART_LINK_STRIP calls on signatures
- Increase minimum max allowed packet requirement to 16MB
- Tutorial revisions
- Link error
- Relay scheduler errors to Telemetry service, log to the error log, and keep erroring hooks locked
- Update Windows scheduler steps to Windows 11
- Add more context for scheduler hook locking
- Should not fatal exit when arguments are corrupt
- This file is incomplete
- key could be a number; we must strval it
- Task queue optimisations
- Add action logs to investigate user page based on what we know
- Pagination triggers a flood of INVESTIGATE_USER logs
- Fix specsettings_documented as it was not entirely scanning symbol hooks
- Add symbols *_EPOCH_INTERVAL_INDEX
- Un-evaluated Tempcode contains unique IDs which caused Privacy Policy hash / date to always change
- prefer header could have more than one keyword
- _helper_promote_text_field_to_comcode needs to tolerate multi_lang_content
- Fix broken file integrity scan
- Add review_rules as unhelpful redirect
- Add some missing browsers to browser detect
- Update addon descriptions
- Realtime rain improvements: better (documented) colours, attitude meaning, add escrow and failed login drops
- Add init method on realtime_rain hooks to pre-load CSS (e.g. non-bundled addons) since we cannot do that in AJAX
- Type error: member_based could be undefined
- Disable broken realtime_rain hooks for now
- Realtime rain for achievements
- Remove unnecessary TODO in admin_leader_board
- Various realtime_rain changes + cns_warnings bubble
- Misc Buildr fixes
- Move default diseases into predefined content (disastr)
- Use database for random Wiki page as it is much more optimal
- Fixed enable_content_translation
- Add infinite loop iteration reset API
- Misc fixes and tweaks
- Fix disable_content_translation
- Missing require
- Should not set dimensions on logo image as it must be dynamic
- Show error message if telemetry fails to register
- Add a little security to site validation in telemetry registration
- release build does not need upgrade code
- Begin refactoring how we handle locations / geolocation (mainly for parental controls) (WIP)
- Hero slider should have a sort parameter
- Add descriptions to each low-level log
- Missing file from previous commit
- Typo
- Add a theoretical test for require_code; in reality it would produce many false-positives but worthy of a thought for the future
- Rename site config use_persistent to use_persistent_database to avoid confusion with use_persistent_cache
- Small pedantic tweaks
- Quick language fixes in config editor
- ...
- Utilise new regions library for regions field (WIP)
- Compatibility fixes
- Region multi field (crude)
- Region and parental consent work
- Optimise parental controls and achievements XML to utilise cache
- ...
- We need global3 sooner now
- Do the same for achievements
- Add lockout parental control
- Clarification on field visibility
- Remove unused properties
- Modularisation
- Disable broken authorization for now
- Automated testing; remove NB addons; fix telemetry to use JSON; move multi_lang_content to value
- Additional fixes from testing
- Force bcrypt when using md5 or plain, for security
- Missing types in docs
- Prevent parental controls site lock-out on invalid XML
- Fix broken get_value (which in turn also fixes file integrity scan)
- Should be checking on string, not null
Special thanks to these members for resolving the issues above:
Special thanks to these members for reporting the issues above:
Special thanks to these individuals who contributed code to the git repository for this release:
- Lovinity
Comments
Find check_for_infinite_loop('get_option', [$name, false], 2); . Change to check_for_infinite_loop('get_option', [$name, false], 10); . This will cause infinite loop checking to be more lenient. Maybe bump the number higher if the error continues (not too high; if it is still looping after, say, 25, then it is an actual bug).