Fat Free CRM v0.19.0 Release Notes

Release Date: 2021-04-04
  • Important changes

    Fixed XSS flaw in tags_helper

    Credit Antonin Steinhauser (asteinhauser) for discovery and responsible disclosure.

    Devise replaces Authlogic for user authentication

    Ticket #742 replaces Authlogic with the latest Devise (4.3.0), which has wider adoption. This change requires a database migration on the User model. Please note:

    • Most User fields are renamed and can hence be rolled back. Existing Authlogic passwords will continue to work.
    • Users will be forcibly logged out. Existing user sessions will not be kept, and the fields persistence_token, single_access_token and perishable_token will be dropped from the database.
    • Though the migration is generally safe, we recommend making a backup of your database before migrating.

    Existing OAuth broken

    The Devise change will break any OAuth login plugins which depend on Authlogic. You can configure OAuth for Devise using the guides here.

    Login and user-related routes changed

    The login URL routes have been changed to use the defaults of Devise.

    User mailers changed

    Mailers related to user password reset, etc. are changed to use the defaults of Devise.

    PaperClip version updated from 5.2.1 to 6.0.0

    PaperClip now only depends on aws-sdk-s3 instead of aws-sdk. For more info see https://github.com/thoughtbot/paperclip/pull/2481. Replace the Cocaine gem with Terrapin (https://github.com/thoughtbot/terrapin/). Apart from the namespace change, this is a drop-in replacement.

    Rails 5.2

    The underlying framework is now Rails 5.2.*

    Ruby 2.4 deprecated

    Ruby 2.4 has reached end of life and is no longer actively tested against.

    Other changes

    • #794 Fix defect with unpermitted params in advanced search
    • 2bc6184779a26070496e6f4caefa0cc9ba555d7b Remove broken support for delete links on arrays.
    • #851 upgrade paper_trail
    • Security fixes CVE-2019-16109, CVE-2019-16676, CVE-2019-5477, CVE-2019-16892
    • Dependency updates