-rw-r--r--ChangeLog30
-rw-r--r--app/constants.php2
-rw-r--r--config.default.php4
3 files changed, 34 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 2f93f68c..63ca34f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,33 @@
+Version 1.2.8 (February 2, 2019)
+--------------------------------
+
+Breaking Changes:
+
+* Authorize only API tokens when 2FA is enabled (no user password)
+* Disable by default plugin installer for security reasons:
+ - There is no code review or any approval process to submit a plugin.
+ - This is up to the Kanboard instance owner to validate if a plugin is legit.
+
+Fixes and Improvements:
+
+* Limit avatar image size
+* Avoid CSRF in users CSV import
+* Avoid XSS in pagination sorting
+* Do not show projects dropdown when prompting the 2FA code
+* Always returns a 404 instead of 403 to avoid people discovering users
+* Check if user role has changed while the session is open
+* Add missing CSRF check in TwoFactorController::deactivate()
+* Hide edit button when user cannot edit task
+* Fix permission check before "Assign to me"
+* Fix permission check before showing project options
+* Fix assignable users on a group with a custom role
+* Fix import of automatic actions when parameters are "unassigned" or "no category"
+* Update license year
+* Update Docker image to Alpine 3.9
+* Update translations
+* Fix PHP error in task views (tag colors)
+* Limit assignee drop-down selector scope
+
Version 1.2.7 (December 19, 2018)
---------------------------------
diff --git a/app/constants.php b/app/constants.php
index 21f911f7..e7d8c41c 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -21,7 +21,7 @@ defined('CACHE_DIR') or define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache'
// Plugins settings
defined('PLUGINS_DIR') or define('PLUGINS_DIR', ROOT_DIR.DIRECTORY_SEPARATOR.'plugins');
defined('PLUGIN_API_URL') or define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
-defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', false); // Disabled by default for security reason
+defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', false); // Disabled by default for security reasons
// Enable/disable debug
defined('DEBUG') or define('DEBUG', strtolower(getenv('DEBUG')) === 'true');
diff --git a/config.default.php b/config.default.php
index d845b277..ad260cf1 100644
--- a/config.default.php
+++ b/config.default.php
@@ -24,7 +24,9 @@ define('PLUGINS_DIR', __DIR__.DIRECTORY_SEPARATOR.'plugins');
// Plugins directory URL
define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
-// Enable/Disable plugin installer (Disabled by default for security reason)
+// Enable/Disable plugin installer (Disabled by default for security reasons)
+// There is no code review or any approval process to submit a plugin.
+// This is up to the Kanboard instance owner to validate if a plugin is legit.
define('PLUGIN_INSTALLER', false);
// Available cache drivers are "file" and "memory"
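Review bot: The comment added above `define('PLUGIN_INSTALLER', false);` explains why the installer is off, but not what an operator accepts by turning it on. Plugins are PHP code placed under `PLUGINS_DIR`, so they presumably run with the same privileges as Kanboard itself; a line such as `// Plugins run inside Kanboard with its privileges: review the source of a plugin before enabling this.` would make the trade-off explicit. The wording "This is up to" would read better as `// It is up to the Kanboard instance owner to verify that a plugin is trustworthy.` The trailing comment on `PLUGIN_INSTALLER` in app/constants.php still carries only the short rationale, so a pointer to this fuller explanation would keep the two files consistent.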