All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Resolved the majority of Dependabot alerts by updating build/test dependencies (
npm audit fix,@wordpress/scripts31 → 32,@wordpress/components→ 36). Remaining alerts are dev-only transitive dependencies pinned by@wordpress/scripts.
- Added grouped
.github/dependabot.ymlconfig (npm/composer/github-actions) to consolidate future dependency update PRs.
- Renamed "Review" menu to "VMF Review" for consistency.
- Moved VMF Review menu to bottom of Media submenu (position 902).
- Refactored Plugin class to extend
VirtualMediaFolders\Addon\AbstractPluginbase class - Refactored SettingsTab to extend
AbstractSettingsTab, removed inline enqueue and WP 7 compat logic - Removed duplicated singleton boilerplate and manual textdomain loading
- WP 7.0+ design-token style overrides for settings and review pages
- Updated npm and Composer dependencies.
- Tested up to WordPress 7.0
- Uncommented
build/in.gitignore(build artifacts should be generated in CI, not committed)
- Replaced inline plugin updater with shared
class-github-updater.php
- Removed redundant
require_oncecalls in Plugin.php (handled by Composer autoloading)
uninstall.phpfor clean plugin removal
- Renamed generic
vmfa-settingsscript handle tovmfa-editorial-workflow-settings - Prevents script/style handle collisions with other add-ons
- Improved cross-plugin compatibility by using unique asset handles
- Force folder sidebar view for non-admin users in Media Library
- Non-admins can no longer toggle to list/grid view without folders
- New
MediaLibraryEnforcercomponent with separate JS/CSS assets
- Refactored to use external asset files instead of inline scripts/styles
- Replaced "Remove From" permission with "Delete Folder" permission
- Delete permission controls who can delete folders (system folders always protected)
- Moving between folders now only requires "Move To" on destination
- Removing media to Uncategorized no longer requires special permission
- Permission enforcement now blocks drag-drop moves in Media Library for users without permission
- Added AJAX interception for
vmfo_move_to_folderandvmfo_bulk_move_to_folderactions
- Permission enforcement now blocks drag-drop moves in Media Library for users without permission
- Added AJAX interception for
vmfo_move_to_folderandvmfo_bulk_move_to_folderactions
- GitHub Plugin Updater for automatic updates from GitHub releases
- GitHub Actions workflows for building release zip files
- Moved development documentation to docs/development.md
- Reorganized README.md structure
- Improved color contrast for WCAG AA accessibility compliance
- Simplified workflow settings help text for clarity
- Review page badge now properly vertically aligned with title
- Unused VMFA Rules Engine integration code and documentation
- JavaScript test suite with Vitest for React components and utilities
- Test coverage for
buildFolderOptions,InboxCard, andPermissionMatrix
- Updated
vitestto v4.0.18 - Added
vite,@vitejs/plugin-react,@testing-library/react,@testing-library/jest-dom, andjsdomdev dependencies - Improved color contrast for WCAG AA accessibility compliance (green stats now use
#008a20) - Darkened description text color for better readability on light backgrounds
- Simplified workflow settings help text for clarity
- Review page badge now properly vertically aligned with title
- Unused VMFA Rules Engine integration code and documentation
- Internationalization (i18n) support with Norwegian Bokmål translation
- NPM scripts for translation workflow (
npm run i18n) wp_set_script_translations()for JavaScript translations
- Unified Review page toolbar with single destination dropdown and Apply button
- Hierarchical folder display in all dropdowns (matching sidebar structure)
- Shared
buildFolderOptionsutility for DRY folder dropdown rendering
- Simplified Review page UX: "Approve" is now first option in destination dropdown
- Folder dropdowns now show hierarchy with "— " prefix for nested folders
- "Allow Editors to review media" toggle now properly saves and loads
- Boolean options stored as '1'/'0' strings for consistent database handling
- Configurable approved folder destination in workflow settings
- Support for all roles with
upload_filescapability (custom roles automatically included) - Auto-dismiss success notices with fade-out animation after 3 seconds
- Race condition prevention on Review page (prevents double-clicks and concurrent operations)
- Workflow is now always enabled when plugin is active (removed enable/disable toggle)
- Settings icon updated to Gutenberg settings icon
- Administrator role excluded from settings (always has full access)
- Editor has full access by default; Author and custom roles have no access by default
- "Revoke All Permissions" now works correctly for Editor role
- Saving settings no longer toggles all permissions ON unexpectedly
- Permission system properly handles empty arrays vs deleted entries
-
Role-based folder visibility and permissions
- View, move, upload, and remove actions per folder per role
- Permission matrix UI in settings
- Administrators bypass all permission checks
-
Inbox workflow
- Role-to-folder inbox mapping
- Automatic routing of uploads to inbox folders
vmfa_inbox_assignedaction hook for extensibility
-
Review workflow
- System folders:
/Workflow/Needs Reviewand/Workflow/Approved - Protected folders (cannot be renamed or deleted)
- Dedicated Review admin screen under Media menu
- Bulk approve and assign actions
- Notification badge with pending item count
- System folders:
-
Access enforcement across all surfaces
- REST API filtering and permission checks
- AJAX media query filtering
- Admin folder list filtering
- Server-side enforcement (fail-safe)
-
Settings UI
- Tab integration with VMF settings
- Permission matrix component
- Inbox mapping component
- Workflow toggle
-
REST API endpoints
- GET/POST
/vmfa-editorial/v1/settings - GET/POST
/vmfa-editorial/v1/permissions - GET/POST
/vmfa-editorial/v1/inbox - GET/POST
/vmfa-editorial/v1/workflow
- GET/POST
-
Testing infrastructure
- PHPUnit with Brain Monkey
- AccessChecker, InboxService, WorkflowState test suites
- Vite build configuration
- All REST endpoints require
manage_optionscapability - All AJAX actions verify nonces and capabilities
- Server-side enforcement prevents bypass of UI restrictions