silverstripe-framework/docs/en/04_Changelogs/4.9.0.md
2021-09-09 23:00:37 +12:00

7.8 KiB

4.9.0 (Unreleased)

Overview

Security audit and regression test

This release has gone through a regression test suite to identify any possible instability between modules.

The release has also been audited by an independant security firm to identify possible security regressions.

Review the security audit report.

For development teams of Common Web Platform projects

This release marks the first release for Common Web Platform projects to eject out of managing projects in the CWP 2.x version line and to begin following the standard CMS 4.x version line, by adopting the CMS Recipe.

More information and guidance on how to manage your project composer.json file will be published as part of the CMS 4.9.0 stable release and supporting documentation.

Features and enhancements

Image lazy loading

Most modern browsers support the ability to "lazy load" images. When an image is configured to be lazy loaded, browsers only request the image once it's about to be visible to the users. This reduces the initial rendering time for pages.

From v4.9, Silverstripe CMS lazy loads most images by default. You have the options to opt-out of this behaviour globally or on specific image instances.

This feature was implemented in partnership with Google.

Read Browser-level image lazy-loading for the web on web.dev more information.

How developers can interact with image lazy loading

Most images get the loading="lazy" attribute added to them. This includes:

  • images added via the HTML Editor's insert media button
  • image DataObjects added to templates.

To disable lazy loading for an individual image in a template, use $MyImage.LazyLoad(false).

Image HTML tags (<img>) added in templates are not lazy loaded by default. Developers can manually lazy load these images by adding a loading="lazy" attribute.

Read the Image Lazy Loading Silverstripe CMS developer documentation for more details and code examples.

Opting out of image lazy loading globally

There's some scenarios where you might not want to use the native Silverstripe CMS lazy loading. For example, you might already have a custom lazy loading implementation.

To opt out of lazy loading globally, use the following yml config:

SilverStripe\Assets\Image:
  lazy_loading_enabled: false

How content authors can interact with image lazy loading

Content authors can disable lazy loading on images added via the HTML editor field in the Insert media dialog by setting the Loading field to Eager.

Consult the Insert images article in the Silverstripe CMS user help for detailed instructions.

Manage your CMS sessions across devices

The session manager module is a new security focused feature which allows a CMS user to view and manage their active sessions in the CMS within the "My profile" section of the CMS (/admin/myprofile). They can see the device details behind each session and have the ability to revoke these sessions. This new module has been added to silverstripe/recipe-cms which is the recommended method of managing Silverstripe CMS dependencies in a project.

Projects that have silverstripe/recipe-cms as a requirement in their composer.json will automatically get silverstripe/session-manager when you run composer update. If your project does not use silverstripe/recipe-cms, it's recommended that you require silverstripe/session-manager in your composer file as a security enhancement. The session manager module requires no configuration and works out-of-the-box.

If your site has the symbiote/silverstripe-queuedjobs module installed, then a job will automatically be created that will periodically remove old database records created by the session manager module.

CMS users can review the Session Manager user help for more information on managing their sessions.

FuntionalTest's should not use Security::setCurrentUser($member) when mocking an HTTP request

When writing an automated test using FuntionalTest the methods $this->get() and $this->post() are available to mock HTTP requests. Previously, developers could use the method Security::setCurrentUser($member) to define which member those mocked requests would run against.

Because Security::setCurrentUser() is stateless, its effect only last for the current request. When mocking an HTTP request, session-manager logs out the mocked user if it was defined with Security::setCurrentUser().

Functional tests should use $this->logInAs($member) and $this->logOut() when mocking HTTP requests. It is still appropriate to use Security::setCurrentUser() when testing stateless logic. e.g.: Testing that a DataObject's canView() method returns the correct value for the current user.

Review the Functional Testing developer documentation for more details on logInAs() and logOut().

Default mail transport upgraded to sendmail

Silverstripe CMS provides an API over the top of the SwiftMailer PHP library which comes with an extensive list of "transports" for sending mail via different services.

Prior to 4.9.0, Silverstripe CMS 4 defaulted to using the built-in PHP mail() command via a deprecated class Swift_MailTransport. However, using this layer is less secure and is strongly discouraged.

Installations of Silverstripe CMS setup using silverstripe/installer 4.9.0 or greater default to using the more secure class Swift_SendmailTransport which uses a sendmail binary.

It's highly recommended that existing Silverstripe CMS installation still using Swift_MailTransport upgrade to using Swift_SendmailTransport or another available transport, such as Swift_SmtpTransport. Details on how to use these classes are available in the email section of the developer docs.

Support for silverstripe/graphql v4

The Silverstripe CMS 4.8.0 release added support for the experimental silverstripe/graphql v4 module. We made it easier for early adopters to run silverstripe/graphql v4 in this release:

  • Upgrade to the Silverstripe CMS 4.9.0 release.
  • Confirm your project composer.json file has a "minimum-stability": "dev" key.
  • Explicitely require silverstripe/graphql v4 by running composer require silverstripe/graphql:^4

You don't need to inline any recipes anymore.

Other new features

Bugfixes

This release includes a number of bug fixes to improve a broad range of areas. Check the change logs for full details of these fixes split by module. Thank you to the community members that helped contribute these fixes as part of the release!