WebHare 4.31 released

[Arnold Hendriks]

Incompatibilities and deprecations

• Various WRDAuth deprecations and removals to make room for 2FA support, contact us if you need any of these APIs:
  • Removes the following APIs from wrdauth: ProcessPasswordReset, ProcessPasswordResetPost, CreateEmailVerificationLink, HandleEmailVerificationPage, HandleEmailVerificationData, UpdateUserAccountFields, UpdateUserPassword, GetWRDAuthConfig, PrepareMail
  • Removes wrdauth from the wrdauth plugin. It will be temporary available as __GetWRDAuth() but our intention is to completely remove the object 'behind' wrdauth and merge it into the plugin, so don't rely on this one staying around or receiving a warning when it finally goes away.
  • Support for wrdauth plugins overriding VerifyPassword has been removed
  • passwordpolicy and passwordcheck can no longer be overridden by wrdauth plugins
  • Password fields no longer support onpolicycheck and policy/policytid
  • onpolicycheck and policy(tid) are no longer supported by Tollium <password> fields. Policy should be specified using validationchecks
• The usermgmt app and the Tollium backend expect the WRD schemas used for authentication to use <authenticationsettings> instead of <password>. The standard system:usermgmt schema will be upgraded automatically but if you changed how backend authentication works, you need to do this yourself
• JS import dompack/browserfix/url is obsolete, the WebHare polyfill already fixes this. You can just remove this import everywhere (at least back to 4.28)
• We are strongly considering deprecating deriving from WebtoolFormBase and to have the RPCs always use the 'fast' path, avoiding the webdesign too. We need to know about use cases which cannot switch to the faster webtool formhooks.
• The module dompack has been merged into WebHare
• The split datetimefields used non-BEM-ified classes for year/month/day/hour/minute/second classes. This has now been fixed.
• Emails no longer receive a X-WebHare-Origin header as this is a potential information leak. The origin is now shown with the mail headers in the dashboard.
• %IsRPCTrafficLogged is now implicitly checked by %LogRPCForWebbrowser, %LogRPCTraffic and %LogCurrentRequestToRPCLog. %IsRPCTrafficLogged will be deprecated as a public API
• system/js/compat/cookie.es has been removed as there seem to be no more users. Use dompack/extra/cookie.es if you still used it.
• Emails composed using PrepareMailWitty can no longer directly embed any WebHare resource - their extension must be one of .png, .jpg, .gif, .svg or .css and they must be either a mod:: or a site:: source
• If you're using old video widgets (EmbeddedObjectBase) make sure you listen to the wh-video--aspect_16_9 and wh-video--aspect_4_3 classes wherever you are now listening to aspect_16_9 and aspect_4_3 classes, as those latter non-BEM-prefixed classes will be dropped.
• PrepareMailWitty would invoke RewriteDomStyles twice (and still once even if restructuring was disabled). This is now fixed.
• This release drops support for old style 'structure definition' (<richstructure>) files for RTD and support for <richdocumenteditor> in site profiles
• Addon modules can no longer use modules from the central node_modules to prevent an accidental undeclared dependency

Things that are nice to know

• <filetype kind="rawfile"> didn't actually imply 'requirescontent' - documentation updated
• The label on the send button in the standard maildialog can be overridden by passing sendbuttontitle to %RunSendEmailDialog
• A new type of schedulde task "Replace with..." allows you to replace the contents of an existing file at a specific time.
• Webtool form hooks can add 'hidden' fields which will be present in the final form results.
• Adds %GetYearlyHoliday to calculate when well known holidays are celebrated
• All <text>s components in Tollium should have a selectable value now, even when not explicitly set as selectable
• Moduledefinitions now support <customsource> in <catalog> nodes to define module content sources
• Adds 'Download original' button to image properties in the RTD
• dompack/extra/storage.es offers convenience wrappers for localStorage and sessionStorage, adding a fallback storage in case storage itself throws (eg due to privacy settings). It also isolates storage if <html data-wh-isolate-storage> is set - this is used so eg. widget previews don't disturb each other or CI tests.
• Tollium <richdocument> supports a usercss property which contains additional CSS to include after the RTD css files
• PrepareMailWitty now supports linking to images using %GetModuleResourceURL and will automatically embed them
• siteprofile <to> rules can use 'withintype' to match the type of any parent or ancestor folder (within the same site)
• <screen>, <fragment> and <tabsextension> can now use objectname= to specify an explicit relative reference to their implementation, ie you don't have to set "library=" and match the object's name exactly. Keep in mind that <tabsextension> will still require an implementation="lib" attribute.
• OpenRTDType has been added as a public API to RestructureDocument.
• ExtractExcerpt and ExtractRTDExcerpt have been added to PublishableRichDocument and WebDesign respectively to quickly grab contents of a RTD without having to use RichDocumentFilter
• WRD fields can be marked as unsafetocopy which will prevent them from being exported, synced or duplicated. This can be used to prevent api keys/secrets from being cloned and having multiple servers talking to eg. the same upstream service.
• WRD schema metadata files can now use <migration> nodes to run preconversions before the schema is applied.

Things you should do

• Switch WRD schemas from <password> to <authenticationsettings>, especially if they are used for the backend. You don't need to run an explicit conversion, just change the schema definition. However, this has the following effects:
  • we no longer support `` and * as different password hashes, where the first meant "this user may not login" and the second meant "this user does not have a password set, but may login.". Any loginblock must be implemented explicitly by overriding IsLoginDenied