Skip to content

Commit 8bf050c

Browse files
chore: sync CHANGELOG.md + VERSION (v3.8.0) from FileRise
1 parent 862cc61 commit 8bf050c

2 files changed

Lines changed: 52 additions & 1 deletion

File tree

CHANGELOG.md

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,56 @@
11
# Changelog
22

3+
## Changes 03/12/2026 (v3.8.0)
4+
5+
`release(v3.8.0): share-link admin guards and centralized safe-upload policy`
6+
7+
**Commit message**
8+
9+
```text
10+
release(v3.8.0): share-link admin guards and centralized safe-upload policy
11+
12+
- shares(security): require authenticated admin + CSRF for file share link listing and deletion
13+
- uploads(policy): add centralized safe-upload policy with strict default and code-friendly admin override
14+
- webdav(policy): enforce the shared write-name policy for WebDAV file and folder creation paths
15+
- admin(ui): expose safe upload policy in Admin Panel and persist the normalized config value
16+
- admin(fix): guard partial config updates that omit oidc payloads
17+
```
18+
19+
**Added**
20+
21+
- **Centralized safe-upload policy**
22+
- Added `src/FileRise/Support/UploadNamePolicy.php` to centralize write-path filename policy decisions.
23+
- Added admin-configurable policy modes:
24+
- `strict` (default)
25+
- `code_friendly`
26+
27+
**Changed**
28+
29+
- **File share admin endpoints**
30+
- `getShareLinks.php` now requires an authenticated admin session.
31+
- `deleteShareLink.php` now requires an authenticated admin session and a valid CSRF token.
32+
- Updated the generated OpenAPI spec to reflect the authenticated share-link route behavior.
33+
- **Write-path filename enforcement**
34+
- Normal uploads, file create/save flows, selected folder write paths, and WebDAV now use the shared write-name policy instead of relying only on the generic filename regex.
35+
- Added an Admin Panel control under upload settings so operators can switch between `strict` and `code_friendly` behavior.
36+
37+
**Fixed**
38+
39+
- **Partial admin config saves**
40+
- Fixed admin config updates failing when the submitted payload omits the `oidc` object during narrower settings changes.
41+
- **WebDAV folder-name validation**
42+
- WebDAV folder creation now rejects invalid path-like names such as empty names, `.` / `..`, and names containing path separators.
43+
44+
**Security**
45+
46+
- **Safe-upload defaults**
47+
- New write operations default to `strict` mode.
48+
- `.htaccess`, `.user.ini`, and `web.config` remain blocked in all policy modes.
49+
- **Share-link guard consistency**
50+
- File share-link listing and deletion now use the same authenticated admin expectations as the rest of the admin share management surface.
51+
52+
---
53+
354
## Changes 03/08/2026 (v3.7.0)
455

556
**Demo videos**

VERSION

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
v3.7.0
1+
v3.8.0

0 commit comments

Comments
 (0)