|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## Changes 03/12/2026 (v3.8.0) |
| 4 | + |
| 5 | +`release(v3.8.0): share-link admin guards and centralized safe-upload policy` |
| 6 | + |
| 7 | +**Commit message** |
| 8 | + |
| 9 | +```text |
| 10 | +release(v3.8.0): share-link admin guards and centralized safe-upload policy |
| 11 | +
|
| 12 | +- shares(security): require authenticated admin + CSRF for file share link listing and deletion |
| 13 | +- uploads(policy): add centralized safe-upload policy with strict default and code-friendly admin override |
| 14 | +- webdav(policy): enforce the shared write-name policy for WebDAV file and folder creation paths |
| 15 | +- admin(ui): expose safe upload policy in Admin Panel and persist the normalized config value |
| 16 | +- admin(fix): guard partial config updates that omit oidc payloads |
| 17 | +``` |
| 18 | + |
| 19 | +**Added** |
| 20 | + |
| 21 | +- **Centralized safe-upload policy** |
| 22 | + - Added `src/FileRise/Support/UploadNamePolicy.php` to centralize write-path filename policy decisions. |
| 23 | + - Added admin-configurable policy modes: |
| 24 | + - `strict` (default) |
| 25 | + - `code_friendly` |
| 26 | + |
| 27 | +**Changed** |
| 28 | + |
| 29 | +- **File share admin endpoints** |
| 30 | + - `getShareLinks.php` now requires an authenticated admin session. |
| 31 | + - `deleteShareLink.php` now requires an authenticated admin session and a valid CSRF token. |
| 32 | + - Updated the generated OpenAPI spec to reflect the authenticated share-link route behavior. |
| 33 | +- **Write-path filename enforcement** |
| 34 | + - Normal uploads, file create/save flows, selected folder write paths, and WebDAV now use the shared write-name policy instead of relying only on the generic filename regex. |
| 35 | + - Added an Admin Panel control under upload settings so operators can switch between `strict` and `code_friendly` behavior. |
| 36 | + |
| 37 | +**Fixed** |
| 38 | + |
| 39 | +- **Partial admin config saves** |
| 40 | + - Fixed admin config updates failing when the submitted payload omits the `oidc` object during narrower settings changes. |
| 41 | +- **WebDAV folder-name validation** |
| 42 | + - WebDAV folder creation now rejects invalid path-like names such as empty names, `.` / `..`, and names containing path separators. |
| 43 | + |
| 44 | +**Security** |
| 45 | + |
| 46 | +- **Safe-upload defaults** |
| 47 | + - New write operations default to `strict` mode. |
| 48 | + - `.htaccess`, `.user.ini`, and `web.config` remain blocked in all policy modes. |
| 49 | +- **Share-link guard consistency** |
| 50 | + - File share-link listing and deletion now use the same authenticated admin expectations as the rest of the admin share management surface. |
| 51 | + |
| 52 | +--- |
| 53 | + |
3 | 54 | ## Changes 03/08/2026 (v3.7.0) |
4 | 55 |
|
5 | 56 | **Demo videos** |
|
0 commit comments