Version 11 beta8 has now been released. This version is a beta release of the next major version of Composr. Upgrading to this release is advised for v11 sites due to numerous bug fixes; support for new composr.app security on its downloads.

    To upgrade follow the steps in your website's http://mybaseurl/upgrader.php script. You will need to copy the URL of the attached file (created via the form below) when running the step to transfer new / updated files.
    
    A database upgrade is required for this release. Be sure to run step 6 ("Do a database upgrade") in the upgrader after step 4 and, if applicable, step 5.

    
    Check out the release video at

The following tracker issues have been resolved since version 11.beta7…

• It appears auto-banning in log_hack_attack_and_exit is not working for anyone [core]
• [beta6] Newsletter bugs [newsletter]
• XML reader and writer handlers in PHP 8.4 must have callable strings [core]
• Cannot pass null to $type which requires string (mail bounce) [core]
• Member profile references warnings page without checking if cns_warnings is installed [core]
• Apache syntax not being used for two-factor maintenance script protection [core_cns]
• Database error with credit card scrubbing [ecommerce]
• cms_importer must de-dup members by e-mail [core_cns]
• Stats processing uses too much memory [stats]
• Upgrader does not extract new images for default theme [core_upgrader]
• Max members before busy site incorrectly counting guests [core]
• Step4 of the setupwizard fails. [core_addon_management]
• Forgot password would re-send an expired code if it existed [core_cns]
• Topic polls appear closed when a date is specified even if in the future [core_cns]
• Missing theme image error when it exists in the default theme [core]
• A blank regions entry would get saved in the database [core]
• Unable to log out when rules, password change, or parental controls enforced [core]
• Cleanup tools e-mail bounces doing nothing [core_cleanup_tools]
• GDPR: Composr must get consent before creating any cookies [core_privacy]
• Disabled tick boxes will not POST their value [core_cns]
• Undefined array offset on quiz scoring results [quizzes]
• Add WEBP to valid images [core]
• Deprecated: preg_match() at install.php [health_check]
• google-analytics.com not on list of trusted CSP sites [core]
• Changing any public config options should trigger template cache flush [core]

The following changes were made via git since version 11.beta7…

• Type error on shell_exec for change log
• Improve make release: add field for video URL; use POST parameters instead of shoving everything in GET
• Create software release category and permissions if it is missing
• Remove unnecessary hybridauth hook
• Refactor release cycle (WIP)
• Incorrect array keys
• More incorrect keys
• Ditch using descriptions and additional_details since we are now using off-mode
• Fix imperfect get_version_pretty__from_dotted which sometimes did not remove trailing zeroes
• Missing require_code(?)
• Fix a few errors in the refactored release code
• Be more tolerant of get_option infinite loop check
• Replace ob_flush with ignore user abort and fastcgi finish request
• Add "cannot access the file from the given URL" to the errorservice
• Fix cache issues
• gettext now required
• Downloads should not include a keep_session (anti-leech uses a hashed for_session which is more secure)
• Missing for_session filtering
• Generate download links directly from the download API for software releases (so we can support anti-leech)
• Remove obsolete download_composr
• Make dload script more secure (and fix bugs)
• Additional 6128
• Remove deprecated E_STRICT
• Fix Mantis types
• mysqli_ping deprecated in PHP 8.4; a simple SELECT 1 will trigger a re-connection
• Bundle non-bundled addon imap into core_imap (PHP 8.4 deprecates its own IMAP extension)
• Small fixes
• Add 1-hour cache to Stop Forum Spam queries
• Run spam check when subscribing to newsletters
• No cache on newsletter block since we have CAPTCHA now
• Need to use Apache syntax for adjust_htaccess
• Woah, someone could bypass CAPTCHA with an invalid e-mail
• ??? Trying to figure out why auto-bans are not happening
• Missing IP ban params
• Improve infinite loop checks
• Should auto-populate regions when using geolocation
• Query could return null
• ...
• Prepare to remove cms_homesite_tracker
• #4 - Archive cms_homesite_support_credits
• #4 - Archive cms_homesite_tracker
• Add region multi field
• Cache is problematic when catalogue fields change or member submits entry on a one-allowed-only basis
• #5 - Attempt at issues webhook endpoint (untested)
• #4 - Points aggregate
• #4 - Add GitLab issues to achievements
• #4 - GitLab Comments Integration (untested)
• Let's use escrows instead for GitLab issues (WIP, untested)
• ...
• Refactor cns_warnings code out of core_cns into cns_warnings
• Re-organise software publish steps
• Forgot the privileges
• Refactor cns_multi_moderations
• Attempt to fix small addon_installed bug
• EU Digital Services Act: Require evidence and reasoning when adding a warning
• Revert "#4 - Archive cms_homesite_tracker"
• Multi moderation errors
• Set default mantis issue priority to 30 for not sponsored
• Send tracker issue notifications as system
• Re-add tracker to achievements
• Logic error; should be true by default
• Missed that one...
• Tweaks in Mantis plugin
• Do not perform IP validation in get session ID on the server IP
• I don't have the effing time to get this working
• Oops, don't double up on points if the reporter on an issue is also the resolver
• Remove legacy web service API now that we are using composr.app
• Modularisation
• Use array_merge to assign defaults to module info properties
• Fail if min_cms_version not defined
• Link in admin_lookup should be param, not ID
• Add mantis import (just for re-mapping member IDs)
• Cannot check null on a key that might not exist
• Must save bytes as we are using a text key
• Fixes to module defaults
• Intentionally break antispam implicit usergroups so compo.sr migration works
• Delete and re-create credit card field to avoid database truncation error; losing this data is not critical as members can type it back in
• Mismatch max values
• Do not use object factory as we need to support overrides
• Something seems off; disable fail_ok and use usernames for mapping instead
• That's what I thought...
• Revert back to ID remap now that we knew the issue
• bug_monitor_table is indexed on user
• Nope, still not effing working...
• Looks like we have to do the import method after all or we run into issues with IDs
• ...
• Need to actually continue out of insert completely
• FFS
• typo
• Fix missing lang entry for stats import
• Use new ID of -1 to flag an attempted import as error
• Make alternative_id handling more robust
• ...
• FFS
• Bug fixes; remove config as a dependency for permissions and feedback imports
• Add importer ID remap correction in member dedup
• Additional exclusions
• Missing points imports
• Need infinite loop protection for infinite loop protection
• Something is wrong with rebrand_name; no idea what it is but it's triggering a loop somewhere
• Disable infinite loop checking on get_value for now since we have no idea what is causing it
• Looks like we have a loop of getting values via queries?
• Ugh...
• Wrong column name
• Fix feedback import to skip over entries without a mapped content
• Wrong parameter
• Filter banned members from the directory for those who do not have the privilege
• effective_value could be undefined for corrupt merges
• Fix attempts in import dealing with tree categories
• Additional fixes to download categories
• Not sure if that was intentional to use an underscore variable
• Improve failed mail handling; enable mail queue by default so mail retry capabilities are active
• Add pruning of orphaned download galleries to cleanup tools
• Add profiling to events stats processing as there is a memory leak somewhere
• Disable logging of endpoint hits; uses too much memory
• Disable content hook as it is currently bugged
• Whoops, issue with file permissions buttons not showing on upgrader
• Missing false guard in cms_parse_url_safe
• Deprecated cannot pass null to explode
• Attempt fixes for session validation in endpoints (unfortunately we cannot do IP validation; so make session IDs longer)
• Forgot to activate authorization
• Whoops, parameters defined backwards
• Bounce support: add Plesk; also add e-mails to global unsubscribe list
• Try fixing up connection issues to Stop Forum Spam
• Be a bit more tolerant of invalid content types in privacy hooks for serialise
• the same file might be referenced multiple times; cannot add multiple times to TAR
• Wrong variable keys in SERIAL processing
• Bypass files 32 MB or larger
• Let us not force parental controls by default as it is bad UX coming from the installer
• Modularisation and GUIDs
• Add ability to auto-load omni-upgrader generated from release tools
• Upgrader: add guard to prevent errors if country field does not exist
• Disable cache in the upgrader; it may try a cache access before admin_version is upgraded throwing an error
• Sometimes permissions are not loaded yet for parental controls
• referer column must be upgraded for all <v11 installs in stats
• Move zone upgrading and entry point updating to admin_version due to dependency on sitemap upgrade; bug fixes with entry point upgrades
• Bug fixes for changing default zone pages
• Adjust set_value infinite loop checks
• Trigger htaccess update when changing url_scheme
• Fix tracker issue page
• Fixes to tracker block
• Add secondary sorting by date
• Fix _critical_error.html: Don't save for banned messages / busy / etc, use {} replacements instead of URL redirect / GET parameters
• Simplify critical error messages
• Further simplify; it should speak to a user, not a staff member
• Add redundancy if a compiled file was deleted but not yet re-created
• Add antispam to exceptions for critical error log files
• Add more logging for Commandr
• A couple of Mantis pages need to redirect to Composr login
• Fix Mantis permissions
• Fix contact us
• New Australia law will ban social media for children under 16
• Update parental controls with latest laws
• Add no_join attribute on lockout parental control to outright prevent joining
• Deprecate now-defunct Skype
• Test successful
• Add checks for blacklist and whitelist use
• Several changes and fixes to coding standards wording
• Fix DATE symbol used with incorrect parameter order
• Fix selection problems with useServerId
• Be more strict about what hack attacks we classify as "repeat" and thus excused
• Add more secure CAPTCHA logic used when noise is enabled
• Disable PHP imagecolorallocate in favour of cms_imagecolorallocate to handle false conditions with imagecolorallocate
• Trip AI speech-to-text by adding NATO phrases to audio CAPTCHA
• audio CAPTCHA cleanup
• More robust method for testing password strengths
• Optimise CAPTCHA audio; tweak Y offset
• A few small fixes to homesite releases
• Be more space efficient with personal upgraders on homesite
• Add ability to get a hashed session from the homesite (in case anti-leech is active)
• Cannot use usleep for values over 1 second
• Whoops; forgot to remove debug lines
• Fix missing files property in addon inf file
• Type error; load_version_download_rows had the possibility of returning null when it should never
• Add support for when homesite is using anti-leech
• iplists now uses HTTPS
• Typo
• Update IPs and CAs
• Fixes with personal upgrader
• update tutorial on CAPTCHAs; too much Y distribution
• Try allowing logging in to Hybridauth if account already exists on site
• We should sync Hybridauth by e-mail address if only allowing one account per e-mail
• Use cns_edit_member API for Hybridauth (so we can properly trigger sensitive change alerts etc)
• Hybridauth is not httpauth
• Try adding the ability to log out of third-party providers when the compat scheme changes
• That didn't work...
• Sometimes we can compare password "hashes" to see if a password actually changed
• Oops; we accidentally doubled up on the conflict messages
• GDPR; forcefully send sensitive profile change alerts no matter who changed them (and don't allow opt-out by staff)
• Add 'common errors' page to homesite
• Standardise config backups by using exports/file_backups everywhere
• That's a security issue! Unsalted hashes of IP addresses could expose IP addresses
• Do not use MD5 in most circumstances (untested)
• We have some weird condition where tempcode might not be loaded yet before the field renders
• Tidy up a few things with encoding
• Use chat API for guest names
• Undetected type error bug
• Actually we should set staff address before filtering
• Force re-prompting of cookie consent (as default is DISMISS) by renaming cookie
• If cookies rejected, eat existing cookie
• Disable aggressive ZBMF_CACHE when using the filesystem
• Separate profiler logs
• Optimise tutorials module / calculations
• Heavily optimise filesystem cache to save only on shutdown
• Small persistent cache filesystem bug
• Whoops, cms_eatcookie should be in global3, not users_active_actions, which is where cms_setcookie is
• Try a more aggressive eat cookie approach
• Revert; that causes header too large on Nginx
• Let's try a recursive expiration
• Ack, that could be an infinite loop
• Use cms_setcookie instead of cms_eatcookie
• ...
• Oops, we should be using has_cookies(), not checking directly for the cookie
• Should be bailing if bot, not if non-bot
• Stack overflow
• Various testing platform fixes
• Bump tested MariaDB support to 10.11
• Other fixes
• Fix URLs in docs; use HTTPS
• TODO additions for JS linter
• line count tool needs a time limit extension
• Build updates
• Hackers were targeting catalogue_name so let us make it filter naughty
• Use select boxes instead of tick boxes for file integrity (since we cannot use ModSecurity workaround)
• Ignore _compiled access controllers
• Fix issue with core addons not being renamed as necessary from old name; don't auto-install new addons
• Bug: upgrader was not updating import addon TARs for addons not wanted/installed when it should have been
• Make core_imap remove old non-bundled IMAP directory
• Bug: tar_get_directory was stripping path separators on long file names
• Try fixing XML directories
• Make core_imap also remove old imap hook
• Force tasks to run immediately if in the upgrader (in case we didn't upgrade the v10 addon yet and an error occurs)
• Do not calculate users online if in upgrader or installer; unnecessary and may cause errors.
• tar.php needs immediate upgrade for 11 beta8 so the upgrader works properly
• Update md docs
• Typo...
• Update README
• Add GitHub as a repos
• Temporal needs a PHP < 8 polyfill
• substr may return false in PHP < 8
• Substr may return false in PHP < 8
• Be less aggressive with find_theme_image errors
• infinite loop check should not critically error on next call after infinite loop; it should critically error on next actual infinite loop
• Need to clear infinite loop counting on attach_message when appropriate
• Optimise attach_message tracking
• Too many attached messages for missing images
• Enforce PHP 8.2 on openspout; fall back to Composr default otherwise
• Enforce webdav PHP version 8
• Exploit regression testing
• Error with attach_message
• Cannot use eval for deferred blocks; this doesn't exactly work either but it's our best temporary fix for now
• Quiz scoring bug
• get_handler_flags was too vague of a function name
• Whoops, this didn't get committed
• Bug: addons2 was scanning for author "Core Team" when it should be "Core Development Team"
• Some adjustments
• Time limit extension in Cron is too aggressive
• Ignore Fleet settings
• Edits from 6242 in stub
• Problems authorizing CMS users in Mantis tracker
• Lots of type errors when handling sponsorships
• Add our position on AI use in coding Composr
• Type bugs in catalogues2
• Attempt bug fix with achievements on qualification groups with no active qualifications
• Empty cache DB table when erasing persistent cache
• Do not clear block cache on every immediate long task; this should be done in the task hook when appropriate
• Add explanation of understanding / context
• Cache fixes (fix _get_cache_entries not correctly matching DB rows; flush DB cache when erasing persistent cache)
• Small fixes
• photo_verification non-bundled addon
• Deprecation errors when commands fail in performance_server
• Attempt common agent to bypass Cloudflare in Mantis
• Update common errors to use hide boxes
• Use Cron for issue sponsorships instead of buggy endpoint calls to Composr
• Ensure new auto-resolved issues automatically handle points
• Australia is starting to ban social media accounts of those under 16, so update default parental controls
• Fix GUIDs etc
• Try working around Cloudflare nonsense
• Enhance persistent_cache test; fix caches
• test fixes
• Add/fix nonce to dynamic scripts
• Fix cache identifier column type
• Small updates
• forum_driver might be null when trying to enforce JavaScript
• Whoops
• load_comcode_page is not erroring on missing page when it should
• Add missing pages for photo_verification addon
• Make session IDs longer; 16 characters still too short for security
• Checking availability of telemetry cannot be cached as it breaks the test
• missing remap
• Add password censor exception for things that look like they may just be a plural word
• Change comment
• photo verification edits
• Uninitialised variable in get_release_tree
• Missing require_code
• modularisation
• ...no idea how that got lost...
• Update certificate bundles
• Validation addon privileges should be part of addon, not core; always check addon installed first
• Try fixing critical errors out of the installer (might not work)
• Bail enforcement if installer exists
• Additional enforcement fixes
• New Build
• Updated NB addons
• More effective decache when saving comcode pages
• Fix sync_htaccess_with_zones
• Build update
• NB addon update
• Partial fix for updated addons using ID and not GUID

Special thanks to these members for resolving the issues above:

• PDStig

Special thanks to these members for reporting the issues above:

• PDStig
• Adam Edington
• Master Rat
• sholzy
• SoccerDad
• Terry

Special thanks to these individuals who contributed code to the git repository for this release:

• Lovinity (Patrick Schmalstig)