Apostrophe 3.62.0 Advanced Permission improvement, link attributes, and fixes

[BoDonkey]

Bonjour, Builders of the Web!

Happy belated New Year! As we kick off our first release of the Gregorian calendar new year, we're thrilled to bring you a major update to our Pro Advanced Permission extension. This isn't just any update; we've overhauled permissions to make them more granular, giving you unprecedented control. Now, you can tailor permissions not only at the piece-type, page, and per-document levels but also at the individual schema field level. Now, you have the flexibility to assign create permissions, allowing users to only create and edit their own documents of a specified type. Conversely, modify permissions enable users to edit all documents of a specific type, but not create new ones. You can also define permissions for creating child pages under a specific parent, adding a layer of precision. For those who love customization, we've introduced a top-level permissions object for crafting your own permission types, along with field-level permissions using the editPermission attribute. Fancy creating custom permissions? We've got you covered!

This version changes the paradigm from just assigning high-level roles to assigning individual permissions, so we know some customers who already use @apostrophecms-pro/advanced-permission might want to take their time upgrading. For that reason, you’ll need to edit your package.json file and change your dependency for this module from ^1.x.y to ^2.0.0 when you’re ready to upgrade. Just typing npm update alone will not upgrade to the new version in an existing project. Check out the extension README file for all the details. We're super excited about these changes and can't wait for you to try them out!

In our rich text editor, rich text hyperlinks now support custom HTML attributes. This came from a specific community request to be able to add additional accessibility attributes, like aria-label. Watch the documentation for more info soon. Speaking of community, this release also contains code contributions from two of our open-source community members to the @apostrophecms/random-words and @apostrophecms/absolution repositories. Thanks to Gauav Kumar and Orr Shalev!

While it was not part of this release cycle, some of you might have missed the exciting release of our new Astro integration extension. Released at the end of last year, the @apostrophecms/apostrophe-astro extension allows you to easily use an ApostropheCMS project as a backend for the Astro web framework. The really exciting thing here is that you still get to enjoy the same content management UI experience, including in-context editing, that you are used to in your ApostropheCMS projects! We have an accompanying Apostrophe starter-kit that you can install with the CLI using the --starter=astro flag and an Astro project ready to spin up. So, if you are ready to chuck your Nunjucks (templates), give it a try today!

The @apostrophecms/import-export extension was updated to add compatibility with the new Advanced Permission extension. Also, as previously announced, we published a hotfix to patch a security issue where a cleverly designed HTTP request could potentially delete files and folders. No user account was required to exploit this issue. All users of this optional extension, which not all projects contain, should immediately run npm update @apostrophecms/import-export and deploy to ensure the latest version of the extension is installed. The module has been carefully audited for similar issues, and best practices have been put in place to prevent any similar issues in the future.

Going forward into the next cycle, we will make some follow-up improvements to the Advanced Permission extension. We will also be working on implementing a new automatic translation extension to make getting your content into all your locales easier. Finally, we are starting development on the ability to easily compare changes in document versions as an upgrade to the @apostrophecms-pro/document-versions extension.

Several of our optional extensions have been updated to ensure mutual compatibility. So whether you use the Advanced Permission extension or not, make sure you npm update your entire project when upgrading to this latest release of Apostrophe.

Apostrophe 3.62.0

Adds

• Adds support for type query parameter for page autocomplete. This allows to filter the results by page type. Example: /api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type.
• Add testing for the float schema field query builder.
• Add testing for the integer schema field query builder.
• Add support for link HTML attributes in the rich text widget via configurable fields linkFields, extendable on a project level (same as it's done for fields). Add an htmlAttribute property to the standard fields that map directly to an HTML attribute, except href (see special case below), and set it accordingly, even if it is the same as the field name. Setting htmlAttribute: 'href' is not allowed and will throw a schema validation exception (on application boot).
• Adds support in can and criteria methods for create and delete.
• Changes support for image upload from canEdit to canCreate.
• The media manager is compatible with per-doc permissions granted via the @apostrophecms-pro/advanced-permission module.

Fixes

• Fix the launder and finalize methods of the float schema field query builder.
• Fix the launder and finalize methods of the integer schema field query builder.
• A user who has permission to publish a particular page should always be allowed to insert it into the
  published version of the site even if they could not otherwise insert a child of the published
  parent.

Apostrophe 3.x modules

@apostrophecms/import-export 1.2.1

This A3 module enables import and export of pages and pieces, with or without related documents such as files, images and other related types.

Security

• Fixed a security issue that allowed a correctly crafted
  HTTP request to delete arbitrary files and folders, subject to the permissions with which the Node.js
  process was run. No user account was required to exploit this issue. All users of this module should immediately run npm update @apostrophecms/import-export and deploy the latest version of this module. The module has been carefully audited for similar issues and best practices have been put in place to prevent any similar issue in future.

Changes

• Prefix routes and events to avoid conflicts with the old @apostrophecms/piece-type-importer and @apostrophecms/piece-type-exporter modules.

@apostrophecms/piece-type-importer 1.1.2

This module adds an optional import feature to all piece type modules in an Apostrophe project. This feature enables importing pieces from CSV files where it is configured.

Changes

• Change label to "Import from CSV" to avoid confusion with the new @apostrophecms/import-export module.

@apostrophecms/piece-type-exporter v1.0.1

This module adds an optional export feature to all piece type modules in an Apostrophe project. This feature enables exporting published pieces of piece types where it is configured. Requires Apostrophe 3.

Changes

• Change label to "Export as CSV" to avoid confusion with the new @apostrophecms/import-export module.

@apostrophecms/cache-redis v1.1.0

This module enhances the core caching module, @apostrophecms/cache, to use Redis rather than MongoDB. This module does not set up the actual Redis store, but instead allows Apostrophe to access an existing Redis store through the standard Apostrophe caching API and an internal Redis client.

Fixes

• Adds a deletion method to override core and allow deletion of login attempt cache

@apostrophecms/apostrophe-astro v1.0.4

This module integrates ApostropheCMS into your Astro application.

Changes

• Documentation fixes only.

Enterprise modules

@apostrophecms-pro/advanced-permission 2.0.0

This module provides more granular control over content permission. It allows the creation of custom groups with proscribed abilities and the ability to assign users to as few or as many groups as desired. Users and groups can also be assigned per-document and per-locale permissions allowing for fine control of who can edit and publish any document. Contact us or visit our new pricing page to learn more.

This release marks a major version change and includes breaking changes. To upgrade an existing installation of this module to version 2.0.0, edit the package.json file and update the version number to ^2.0.0. The README.md file has been updated to document the new functionality. Additionally, an automatic migration is included for permissions set in previous versions of the advanced permission module.

Changes

• Replaced roles with more granular permissions for groups and per-document permission settings.
• Introduced Create permission, allowing users to create documents of a specified type and edit only those they have created.
• Introduced Modify permission, enabling users to edit all documents of a specified type without the ability to create new ones.
• Users can be given permission to create child pages of a specific page, without the ability to create pages elsewhere in the tree.
• Added a new top-level permissions object for creating custom permission types.
• Enabled granular permissions per schema field using the editPermission attribute.

@apostrophecms-pro/multisite 3.13.0

This module lets you have many ApostropheCMS websites running on a single codebase in a single Node.js process. Each has its own database, users, media uploads, etc. Sites can be created and managed via a dashboard site. Contact us or visit our new pricing page to learn more.

Changes

• Simply mutualize the requireUniqueShortName code from beforeInsert and beforeUpdate handlers into beforeSave.

Adds

• Add pattern attribute to the shortName field of the site piece schema in order to force it being URL friendly.
• Disable browser autocomplete for site fields.
• Add handler to throw an error when trying to save a site that has a Production Hostname already in use by another site.

@apostrophecms-pro/doc-template-library 1.1.3

This module solves the "blank page problem" for developers and product managers, and makes it faster for editors to create content. doc-template-library allows for the configuration of default widgets and pre-populated content on piece or page templates, and to re-use existing layouts. Contact us or visit our new pricing page to learn more.

Fixes

• Correct an incompatibility between plugin-standard versions that broke npm test. No actual bugs.

@apostrophecms-pro/document-versions 1.1.4

This module automatically creates versions for your published documents (pages and pieces) and allows manual restore to any previously saved document version. Contact us or visit our new pricing page to learn more.

Fixes

• Correct an incompatibility between plugin-standard versions that broke npm test. No actual bugs.
• Compatible with latest Apostrophe, latest 1.x and 2.x advanced permission module, and the new create permission.

Utilities

@apostrophecms/random-words 2.0.1

This module generates random words for use as sample text. We use it to generate random blog posts when testing Apostrophe.

Fixed

• Fixed return type of generate so that it is consistent with the possibility of returning either string or string[]

@apostrophecms/cli 3.3.0

The Apostrophe CLI is a cross-platform starting point for creating and configuring ApostropheCMS projects, providing a simple boilerplate generator and wrapping other useful functions into an easy to use command line tool.

Adds

• Adds the --mongodb-uri flag to pass a MongoDB server connection string allowing for initial user addition during project creation when a host server is being used.

@apostrophecms/absolution 1.1.0

absolution accepts HTML and a base URL, and returns HTML with absolute URLs. Great for generating valid RSS feeds.

Fixed

• Added a fix for srcset in img tag. Thanks to Gauav Kumar for this contribution!