Free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

UX/UI Improvements

• Added support for streaming file uploads directly to S3 storage disks via the stream_uploads option on the disk configuration. Requires the Winter.DriverAWS plugin.
• Added support for the data-request-parent attribute to the AJAX framework, allowing AJAX requests to include the data from the elements that spawned them which allows for highly complex workflows where popups spawn popups and then those popups need to call their own AJAX handlers but the page previously didn't know to initialize them without their parent data being present. This fixes support of the RecordFinder inside of popups like the RelationController's update & pivot forms as well as the FileUpload's description form popup inside of other popups.
• Switched the winter:up / migrate commands to use the new Laravel CLI components for improved output formatting.
• Added support for type: range Form fields.
• Added support for the conditions property on List Columns with a relationship defined via the relation property.
• Added support for changing an image's extension / file type when using the ImageResizer to resize the image.
• Added support for ignoring specific Mix packages to avoid including third-party Mix packages in your application's package.json unnecessarily.
• Clicking the label of a switch field will now toggle the switch.
• Increased the width of the crop dimension inputs when cropping or resizing an image in the Media widget.
• Standard HTML flash messages that are converted to JavaScript flash messages through Snowboard are now removed once converted, to prevent the original message from remaining even after the flash message is dismissed.
• The autogenerated password for the default administrator account is now displayed in the winter:install command output and can be changed through the wizard.
• Documented app.tempPath configuration option.
• Added winter:password as an alias for winter:passwd.
• Minor CSS improvements.

API Changes

• Removed the default maxlength of 255 from type: text Form fields.
• The twig.environment.cms Twig environment is no longer provided as a singleton, instead being generated on each request to App::make(). This helps to avoid conflicts when calling the CMS controller multiple times in the same request.
• Deprecated the Winter\Storm\Database\Behaviors\Purgeable behavior as the Purgeable trait is now included by default on all Winter models.
• Added the backend.formwidgets.fileupload.onUpload event to allow for custom handling of file uploads in the FileUpload FormWidget.
• Added the backend.widgets.uploadable.onUpload event to allow for custom handling of file uploads in the widgets that implement the Backend\Traits\UploadableWidget trait.
• Added the formwidgets.fileupload.initUploader Snowboard global JS event to allow for interacting with the FileUpload's JS uploader instance.
• Added the formwidgets.richeditor.init Snowboard global JS event to allow for interacting with the RichEditor's JS editor instance.
• Added the widgets.mediamanager.initUploader Snowboard global JS event to allow for interacting with the MediaManager's JS uploader instance.
• Switched visibility of getRelationModel() from protected to public on the Backend\Traits\FormModelWidget trait.
• Switched visibility of getOptionsFromModel() from protected to public on the Backend\Widgets\Form widget.
• Added the following methods to the Backend\Traits\UploadableWidget trait to make it easier to customize upload behaviour:
  • uploadableGetDisk()
  • uploadableGetUploadPath()
  • uploadableGetUploadUrl()
• Added the following model relation events:
  • model.relation.beforeAdd($relationName, $relatedModel)
  • model.relation.afterAdd($relationName, $relatedModel)
  • model.relation.beforeRemove($relationName, $relatedModel)
  • model.relation.afterRemove($relationName, $relatedModel)
  • model.relation.beforeAssociate($relationName, $relatedModel)
  • model.relation.afterAssociate($relationName, $relatedModel)
  • model.relation.beforeDisassociate($relationName)
  • model.relation.afterDisassociate($relationName)
• A new mix:run Artisan command has been added to allow scripts defined in the package.json file of a Mix package to be run easily through the CLI. You can find the documentation here.
• The AJAX framework and Snowboard framework now both enforce either a class name dot (.) or an ID hash (#) to be prefixed to any partials that are to be updated in an AJAX response. This includes any mapped selectors.
• Snowboard JavaScript AJAX requests now accept two or three parameters, similar to the old framework. When using two parameters, the user only needs to specify the handler and options - it is assumed in this case that the AJAX requests is detached and not tied to an element.
• Added Winter\Storm\Database\Traits\HasSortableRelations trait to make it easier to sort related records on a model.
• Added support for ** as a wildcard when setting the application's trusted proxies. This was originally supported in fideloper/trustedProxy but was removed without explanation in Laravel 5.6. * will trust the currently requesting IP address, ** will trust all proxies in a chain of proxies (often required if you are behind something like CloudFront and another proxy). This was required for retrieving the correct Client IP address when using Laravel Vapor.
• Properties added to Model instances via addDynamicProperty() are now automatically added as purgeable attributes to prevent them from being saved to the database.
• Added the Arr::moveKeyToIndex($array, $targetKey, $index) helper method to make it easier to move a specific array element to the specified index.
• Added the Str::unique($str, $items, $separator, $step) helper method that ensures the provided string will be unique when compared to the provided array by adjusting the string with the separator & step as necessary. Useful for filename deplication or other deduplication of unique references.
• Added the Str::join($items, $glue, $lastGlue, $dyadicGlue) helper method to join an array of items with a glue string, optionally using a different glue string for the last item and for the dyadic item case (only two items). By default this applies the "Oxford / Serial Comma" gramatical construct when listing items.
• Added the fromStorage() helper method to the Winter\Storm\Database\Attach\File model class in order to create a new file record from a file path that already exists on the file model's storage disk.
• Added new Winter\Storm\Console\Traits\HandlesCleanup trait to the base Winter Command class that makes it easier to implement cross-platform cleanup logic on your CLI commands when process termination signals are received.
• Added support for root level paths in the Halcyon DbDatasource, required for Child Theme support.
• Added support for exit codes in mix:compile. Also added support for the --silent, --stop-on-error, and --manifest flags.

Bug Fixes

• The winter:test command now automatically uses the correct bootstrap file for unit testing, irrespective of the bootstrap configuration in any plugin or module's phpunit.xml file, to assist users migrating their unit tests to Winter 1.2.
• Fixed issue where plugins weren't being correctly sorted by their dependencies when depending on a plugin that registers itself as a replacement which could cause migrations to run in the incorrect order.
• Fixed typo in the MediaManager widget that was preventing SVGs from displaying their previews in the sidebar.
• Fixed issue when attempting to generate a TailwindCSS theme scaffold on a case sensitive file system.
• Fixed mismatching method signature on AutoDatasource->lastModified() that could cause issues when using DatabaseTemplates in v1.2.
• Fixed issue where MorphedByMany relationships would use the wrong class name when building queries.
• Removed an override to the Input::all() facade method, which prevented files from being included in the result, breaking previous behaviour.
• Removed an extra 0 that was left over in numberrange filter partials.
• Fixed an issue where only the last component would be saved in a CMS template due to the framework not correctly processing arrayed POST data.
• Fixed an issue with the winter:fresh command where the demo plugin was not removed and an error message was shown.
• The Array Source trait will no longer attempt to save a temporary SQLite DB if storage is disabled via setting $cacheArray to false.
• Fixed an issue where custom AJAX error responses were being mangled by the Snowboard Request class, before sending off to the error handlers. If an error does not appear to be a PHP exception with an exception class and message, it will now pass through the response untouched (but still be considered an error response).
• Fixed an issue where the File model's fromUrl() method would not correctly determine the file's mimeType if the file was delivered with a Content-Type header that was incorrectly capitalized.
• Fixed an issue where migrations using anonymous classes could not be run more than once in a single process.
• Fixed support for the Laravel ClassName@method syntax for event listeners.
• Fixed issue where custom pivot models were not being used when using the attach method on a BelongsToMany relationship.
• Fixed support for queueing emails (was broken by a change in Laravel 7 that was missed in the Winter v1.2 upgrade).
• Fixed support for hidden files in Zip folders on systems without support for GLOB_BRACE (Solaris, Alpine Linux, etc).
• Fixed issue that occurred when attempting to dynamically add HasOneThrough|HasManyThrough relations to models.
• Improved support for Winter < v1.2 mail configurations.
• Fixed breaking change in Laravel 9.36 with the Winter\Storm\Console\Command's alert() method.
• Fixed issue with identifying currently installed versions of plugins when the versions reported by the filesystem do not match exactly (i.e. with or without the "v" prefix) the versions reported by the database.
• Fixed issue where Snowboard assets loaded via the {% snowboard %} Twig tag were not taking into account the configured app.asset_url of the application.
• Fixed issue where the Status backend Dashboard Widget would break on clean installs.
• Improved the reliability of the System's first boot date by storing it as a system parameter instead of relying on the oldest present plugin.
• Fixed an issue where migrations were not ran if a notes output instance is not available to the migrator.
• Fixed an issue where attempting to crop images with unsafe characters in their path would fail.
• Fixed support for Winter Mix commands on Windows.
• Fixed an issue where attempting to crop / resize images that were bigger than the viewport window would fail when using the TailwindUI backend skin.
• Fixed issue when attempting to preview a CSV column with the ImportExportController behavior.
• Fixed issue where the codeeditor and richeditor fields were not properly triggering change events when their contents were changed.
• Fixed issue where custom error messages sent via AJAX and processed by Snowboard would not be properly handled.
• Fixed issue where the jobs / failed_jobs table structure did not match that of Laravel 9.

Security Improvements

• Prototype hardening has been implemented on the Snowboard framework to prevent prototype pollution. You may read the security advisory for more information.
• Fixed issue where the AuthManager's persistence cookie was not respecting the configuration values set in config/session.php.
• Added a new Svg helper class to make it easier to work with SVG files. Currently one method (extract()) is availabel which sanitizes and optionally minifies the provided SVG file making it safer to deal with.
• Added migrate to the list of commands that require plugins to have the $elevated property set in order to run when the command is being run.

Translation Improvements

• Fixed a misnamed language string for the custom editor HTML styles input.
• Improved German translation.
• Improved Vietanamese translation.
• Improved Ukrainian translation.
• Improved Russian translation.

Performance Improvements

• Slightly optimised searching for used slugs with models using the Sluggable trait by runnning an "exists" query as opposed to a "count" query.

Community Improvements

• The Winter CMS module sub-split is now automated, ensuring that the module repositories are now automatically updated with the latest changes as soon as they are committed to the main repository.
• The base System\Tests\Bootstrap\PluginTestCase class has been signficantly refactored to improve testing in plugins. While it is mostly backwards-compatible, the method runPluginRefreshCommand is now deprecated and will be removed in the Winter CMS 1.3 branch. Please use the instantiatePlugin method instead if you have overridden the core plugin test case methods.

Dependencies

• Moved the Laravel configuration file writing functionality out of the Winter\Storm library and into it's own standalone Winter\LaravelConfigWriter library. This was done in order to reuse it in the web installer, but also means that any Laravel application can take advantage of this package.
• Made the Composer merge plugin less greedy by default, previously it would merge in all plugin composer.json files that existed in your project, now it will only merge in specific plugin paths defined in your project's composer.json. Copy the changes from GitHub in order to apply it to your projects.

New Contributors

• @cstorus made their first contribution in https://github.com/wintercms/winter/pull/616
• @simonmannsfeld made their first contribution in https://github.com/wintercms/winter/pull/623
• @quangtrongonline made their first contribution in https://github.com/wintercms/winter/pull/636
• @nathanlesage made their first contribution in https://github.com/wintercms/winter/pull/665
• @vllvll made their first contribution in https://github.com/wintercms/winter/pull/669
• @robertalexa made their first contribution in https://github.com/wintercms/winter/pull/668
• @iamyigitkoc made their first contribution in https://github.com/wintercms/winter/pull/624
• @hecc127 made their first contribution in https://github.com/wintercms/winter/pull/682
• @prsuhas made their first contribution in https://github.com/wintercms/winter/pull/723

Full Changelog: https://github.com/wintercms/winter/compare/v1.2.0...v1.2.1

Security Improvements

• Prototype hardening has been implemented on the Snowboard framework to prevent prototype pollution. You may read the security advisory for more information.

Community Improvements

• The image resizer tests have been re-done in order to more accurately test image resizing in Winter. The tests themselves will generate artifacts that can be reviewed as a ZIP file if the tests fail.

See the Upgrade Guide for a quick highlight of any potentially required changes in your code in order to be compatible with Winter CMS v1.2+. Although the upgrade should be relatively painless it is still worth taking a quick look to verify that you are not affected by any of the relatively few breaking changes.

Due to the significant number of changes in 1.2, they are grouped by section rather than category for this release note.

• Dependencies
• Community Improvements
• CLI & Console Commands
• Project Configuration & Helper Files
• Testing
• Plugin Manager
• Backend UI & UX
• Media Manager & Image Resizing
• Themes
• Twig
• Events
• Database
• Filesystem
• Modules
• Internals

Dependencies

• Minimum version of PHP bumped from PHP 7.2.9 to PHP 8.0.2
• Laravel upgraded from 6.x LTS to 9.x
• Twig upgraded from 2.x to 3.x
• Minimum version of Laravel Tinker bumped to 2.7
• Minimum version of PHPUnit bumped to 9.5.8
• Minimum version of Mockery bumped to 1.4.4
• Symfony ugpraded from 4.x to 6.x
• Symfony/Yaml upgraded from 3.4 to 6.0
• Assetic upgraded from the modified embedded version of 1.4.0 to 3.0 as an external dependency.

Community Improvements

Over the past year as we have been working on the Laravel 9 upgrade we have released a number of plugins, themes, and development tools designed to further enhance the Winter CMS developer experience.

• First Party Plugins
• First Party Themes
• VS Code Extension

First Party Plugins:

The following first party plugins were released / revamped:

• Winter.TailwindUI - TailwindUI-based skin for the backend.
• Winter.Search - Enables full-text search capabilities in Winter.
• Winter.Redirect - Manage redirects.
• Winter.Docs - Manages & displays documentation from various sources within your Winter projects.
• Winter.Matomo - Integrates the open source Matomo Analytics platform into Winter.
• Winter.DriverAWS - Driver plugin that adds support for AWS to Winter.
• Winter.DriverMailgun - Driver plugin that adds support for Mailgun to Winter.
• Winter.DriverMandrill - Driver plugin that adds support for Mandrill to Winter.
• Winter.DriverPostmark - Driver plugin that adds support for Postmark to Winter.
• Winter.DriverSendGrid - Driver plugin that adds support for SendGrid to Winter.
• Winter.DriverSparkPost - Driver plugin that adds support for SparkPost to Winter.

First Party Themes:

The following first party themes were released:

• Nabu - Theme designed for documentation sites using the powerfull Winter.Docs & Winter.Search plugins.
• Workshop - TailwindCSS-built theme for testing first party plugins.

VSCode Extension:

The official Winter CMS VSCode extension was released which provides code completion and syntax highlighting for Winter CMS projects.

CLI & Console Commands

A number of improvements have been made to the console commands available out of the box with Winter as well as the developer experience for working with the CLI in general. In addition to these improvements, the Console documentation has been updated and enhanced, click here to read the docs.

• Autocompletion
• Improved Support for Laravel-provided commands
• New Winter\Storm\Console\Command base class and helpers
• Scaffolding Improvements
• Bug Fixes

Autocompletion

• Added support for autocompletion for all Winter provided CLI commands.
• Added complete() function to the create:command Command scaffolding for providing autocompletion in console commands. (run artisan completion --help to setup autocompletion in your terminal)
• Added autocompletion support to the following commands:
  • plugin:disable $name
  • plugin:enable $name
  • plugin:refresh $name
  • plugin:rollback $name $rollbackVersion
  • winter:passwd $username (last 20 updated backend users)

Improved Support for Laravel provided commands

• Added migrate as an alias to winter:up to simplify transitioning to Winter from Laravel
• Laravel's migration commands have been removed / aliased to the relevant Winter commands as they did not function with Winter and never have.
• Version number reported by artisan --version will now include Winter CMS.
• route:list and route:cache now support module routes out of the box.
• Fixed issue where the key:generate command wouldn't set the APP_KEY value in the .env file if the .env file didn't exist yet.

New Winter\Storm\Console\Command base class and helpers

• Added Winter\Storm\Console\Command base class that adds helpers for making it easier for commands to implement suggested values for autocompletion.
• Added alert() helper to the Winter Command base class that improves on the Laravel default by adding support for wrapping long alert messages to multiple lines.
• Added Winter\Storm\Console\Traits\ConfirmsWithInput trait provides the confirmWithInput($message, $requiredInput) method to require the user to input the required input string in order before proceeding with running the command.
• Added Winter\Storm\Console\Traits\ProcessesQuery trait that provides a processQuery($query, $callback, $chunkSize, $limit) method that simplifies the process of processing large numbers of records in console commands by handling creating and updating a progress bar, chunking the provided query by the provided chunk size and limit parameters, running the callback for each record, and gracefully handling any exceptions thrown during the processing of records.

Scaffolding Improvements

• Added create:job Author.Plugin JobName scaffolding console command to create an initial Job class
• Added new scaffold argument to create:theme command, defaults to less; also supports tailwind.
• Moved all scaffolding commands out of Winter\Storm and into their relevant Modules (Backend, CMS, & System).
• Added $nameFrom property and getNameInput() method to the Winter\Storm\Scaffold\GeneratorCommand to enable checking for reserved names when generating code via scaffolding commands. Also made some method signature type hint changes to the class, be sure to review and apply them accordingly in any custom uses of that base class.
• Removed getPluginIdentifier() method from the Winter\Storm\Scaffold\GeneratorCommand class and added a new base class for scaffolding resources that are specific to plugins: System\Console\BaseScaffoldCommand.
• Added support for autocompletion of the plugin argument for scaffolders that extend System\Console\BaseScaffoldCommand.
• Added System\Console\Traits\HasPluginInput trait that provides helpers for when a console command interacts with plugin names as input arguments.
• Added support for generating localization messages by calling a getLangKeys() method defined on the scaffolding command during the execution process. This method can use the $this->vars property and $this->laravel->getLocale() method to return an associative array of message keys without the author prefix and their values for the current locale.
• Added several helpers in the scaffolding template files:
  • plugin_id -> lowercase version of a plugin's identifier
  • plugin_code -> Studly case version of the plugin's identifier
  • plugin_url -> author/plugin, used in Backend::url() calls
  • plugin_folder -> author/plugin, used when generating paths to files with the $ plugins directory path symbol or the ~ application path symbol.
  • plugin_namespace -> Studly case version of the plugin's identifier in namespace form (i.e. Author\Plugin)

Bug Fixes

• Added ability for the mix:watch command to clean up after itself when terminated with SIGTERM.
• winter:version will now only normalize file contents before hashing if the file is a valid text-based file which improves the reliability of change detection on Windows.
• Fixed issue where running winter:version --changes would always display "We have detected the following modifications:" even when no modifications were detected.
• winter:passwd now returns the status codes instead of using exit($code)
• Fixed issue where if the underlying data behind a datasource changes through manual intervention (either in the database or the filesystem) before running theme:sync it wasn't being detected by the theme:sync command.
• The ThemeInstall, ThemeRemove, ThemeList, ThemeUse, & ThemeSync console commands have been moved from the System module to the CMS module.

Project Configuration & Helper Files

• An application key is no longer provided by default, if your Winter instance is missing one just run artisan key:generate and one will be generated and set for you.
• The .env file is now a first class citizen in Winter and configuration files refer to it by default. You can continue to run winter:env to generate a file pulling from your configuration to provide the default values.
• Changed recommended language mode for component partial files to wintercms-twig instead of twig in .vscode/extensions.json
• server.php is no longer needed in order for artisan serve to function; it can be removed.
• Removed varcharmax as a configuration option for mysql database connections.
• Added app.tempPath configuration option to set the application's temporary path.

Testing

• The default configuration for the testing environment now includes an override to store files generated / modified throughout the test suite in a folder under system/tests/storage instead of polluting your regular local storage folder with files from tests that failed to clean up after themselves well enough.
• PHPUnit arguments can now be passed to the winter:test command by first separating the arguments meant for Winter and the PHPUnit arguments / options with a --. Example: winter:test --module=system -- --filter=ImageResizerTest
• Unit tests have been moved from the project's tests/ folder into individual tests/ folders under each core module. Modules can now be tested individually by running winter:test with the -m or --module options (ex. winter:test -m cms -m system -m backend)
• The base TestCase & PluginTestCase classes are now namespaced under the System module, extend System\Tests\Bootstrap\TestCase & System\Tests\Bootstrap\PluginTestCase instead.

Plugin Manager

• The PluginManager logic now runs off of a "flag" system internally allowing for greater insight into why a particular plugin is disabled and greater control over programmatically disabling / enabling plugins at runtime via the new PluginManager::DISABLED_REQUEST flag. The following changes were made the System\Classes\PluginManager's public API:
  • Removed the following methods:
    • bindContainerObjects(): No replacement.
    • clearDisabledCache(): Use clearFlagCache() instead if required.
    • registerReplacedPlugins(): Now handled as a part of loadPluginFlags().
  • Added the following methods:
    • loadPluginFlags(): Loads the plugin flags (disabled & replacement states) from the cache regenerating them if required.
    • clearFlagCache(): Resets the plugin flag cache
    • getPluginFlags(PluginBase|string $plugin): array: Retrieves any flags that are currently set for the provided plugin.
    • freezePlugin(PluginBase|string $plugin): Flags the provided plugin as "frozen" (updates cannot be downloaded / installed).
    • unfreezePlugin(PluginBase|string $plugin): "Unfreezes" the provided plugin, allowing for updates to be performed.
• Added checkDependencies() method to the PluginBase class to handle checking if the plugin's dependencies are present.
• Improved PluginManager performance & reliability by using the Cache system instead of a local JSON file for managing plugin flags.
• Improved performance of projects using plugins with plugin.yaml files by caching the parsed results of said files.
• Changed System\Classes\VersionManager->getDatabaseHistory($pluginCode) from protected to public.
• Fixed issue where plugins using v in their version identifiers would sometimes have issues when migrating between versions.

Backend UI & UX

• Icon library updated from Font Awesome version 4 to 6, bringing over 1,300 new icons.
• Added improved UX for invalid date values being provided to the datepicker FormWidget.
• Backend template files (layouts, views, & partials) now use the .php extension which reduces confusion about what templating language is used for backend template files. .htm files are still supported, but not recommended.
• Fixed support for morphOne/hasOne relations in FormModelSaver
• Fixed issue where paths returned by the UploadableWidget could have two leading directory separators.
• Improved German translation.
• Improved Russian translation.

Media Manager & Image Resizing

• Made it easier to track down issues with the ImageResizer class by only removing the resizer configuration from the Cache after the resizer has been successfully instantiated.
• Added ImageResizer::getDefaultDisk() method to get the default Storage disk used by the ImageResizer
• Added (ImageResizer)->getDisk() method to get the disk for the currently active image
• Made getMediaPath($path) and getStorageDisk() on System\Classes\MediaLibrary public (previously protected)
• Made the getStorageDisk() and getMediaPath() methods on System\Classes\MediaLibrary public instead of protected.
• Improved MediaManager performance by using the ImageResizer's lazy resized images for thumbnails.
• Improved MediaManager & ImageResizer support for read-only environments (i.e. Laravel Vapor)
• Resized images are now cached by the modified time of their source image allowing replacements of the source image to trigger the resizing to regenerate based on the new source image.

Themes

• Added support for generating a TailwindCSS based theme via artisan create:theme mytheme tailwind
• Added @snowboard.base, @snowboard.request, @snowboard.attr, @snowboard.extras, & @snowboard.extras.css AssetCombiner aliases.
• Fixed issue where the Cms\Classes\Page isActive property wasn't being set if the URL was set to / and the currently requested URL was the home page.
• Added support for multiple: bool property on type: fileupload fields in the Theme Customization section to choose between an attachOne and attachMany relationship.

Twig

• The following Twig environments are now registered by the application and can be resolved by calling App::make($environmentName);:
  • twig.environment The default System TwigEnvironment, is used by the Twig::parse() parser
  • twig.environment.mailer The Mailer TwigEnvironment, used by the MailManager class when rendering emails
  • twig.environment.cms The CMS TwigEnvironment, used by the CMS when rendering CMS templates
• Added the System\Classes\MarkupManager::makeBaseTwigEnvironment(TwigLoader $loader, array $options) static helper method that returns the basic TwigEnvironment that should be used by any custom Twig implementation in Winter CMS (i.e. applies the default security policy and SystemTwigExtension).
• Removed the transaction(), beginTransaction(), and endTransaction() methods from System\Classes\MarkupManager since "markup transactions" was a hacky workaround originally implemented due to global polution of the single Twig environment. This is no longer required with the use of multiple, separate twig environments.
• Added support for the {% spaceless %} and {% filter %} Twig tokens to the core as Twig v3 removed them; it is recommended to avoid using them however.
• The signature for $twig->loadTemplate() has been changed, use $twig->load() instead.
• Replaced usage of {% filter %} in the demo theme with {% apply %} instead.
• Fixed issue where the default CMS twig environment was unable to be extended or reused, resolve twig.environment.cms before it's used by the CMS in order to use or modify it.
• Fixed issue where calling Twig::parse() before doing anything that rendered Mail content (i.e. sending an email) would cause the Mail twig rendering to stop working.
• Fixed inconsistency where CmsCompoundObject instances were not using the default CMS twig environment.
• Removed requirement for a Cms\Classes\Controller instance on the Cms\Twig\DebugExtension making it easier to reuse elsewhere.

Events

• Added two new events (system.beforeRoute and system.route) that fire before and after the system route registration respectively and moved the registration of the Backend and CMS module routes to be after the system route registration. The CMS module's routes should now always be the last routes registered regardless of what happens.
• The backend.layout.extendHead event now passes auth or default as the value for layout instead of auth.htm or default.htm.
• Fixed issue where attempting to interact with a Model instance before the DatabaseServerProvider boot() method was called would prevent any "nice" model events from actually working.
• Removed translator.beforeResolve event, use Lang::set($key, $value, $locale) instead.

Database

• Added support for anonymous migrations and made them the default when creating new migrations with artisan create:model.
• Added add{$RelationType}Relation($name, $config) methods to the HasRelationships trait that make it easier to dynamically add new relationships to existing model classes.
• The pivot model for a morphTo relation now uses the Winter\Storm\Database\MorphPivot class, similar to Laravel's own MorphPivot class. If you wish to use a custom pivot model for a morphTo relation, the pivot model must extend this class.
• Added Winter\Storm\Database\Traits\ArraySource trait that allows a model to be created, queried and managed from arbitrary data as opposed to a database table.

Filesystem

• Removed the getAdapter() method from Storage disk instances
• Added getPathPrefix() and setPathPrefix() methods to Storage disk instances

Modules

• Module route registration should no longer require being wrapped in App::before() to support plugin's overriding them
• The base ModuleServiceProvider no longer needs a call to parent::register($module) in the register() method as route registration is now handled in the boot() method.

Internals

• Winter\Storm\Support\Facades\Str facade has been removed, use Winter\Storm\Support\Str directly instead.
• Symfony\Component\Debug\Exception\FatalErrorException has been removed, use Symfony\Component\ErrorHandler\Error\FatalError instead.
• Facades must return string keys rather than objects (See https://github.com/laravel/framework/pull/38017)
• Changed how YAML processors (added in v1.1.3) work; preprocessors are now only engaged if parsing the provided contents throws an exception.
• The SchemaBuilder is now bound to db.schema instead of only resolved directly through the Schema facade.
• Added Winter\Storm\Parse\EnvFile parsing class for handling modifying the contents of environment (.env) files through PHP.
• Added Winter\Storm\Parse\PHP\ArrayFile parsing class for handling modifying the contents of Array Files (PHP config & localization files that return a single array and are used for storing data). The Winter\Storm\Config\ConfigWriter class has been rewritten to use the ArrayFile parser internally.
• The load order of deferred Service Providers has been changed slightly, now the application will be made aware of the existence of deferred providers before it begins to register the eager loaded providers to allow for use of the deferred providers within the registration of the eager loaded providers. Actually doing so is still not recommended, but it was required for core internals of the PluginManager to perform better. See https://github.com/laravel/framework/pull/38724 & https://github.com/wintercms/storm/pull/86 for more details.

New Contributors

• @meesiris made their first contribution in https://github.com/wintercms/winter/pull/34
• @dhawton made their first contribution in https://github.com/wintercms/winter/pull/38
• @rubenvanerk made their first contribution in https://github.com/wintercms/winter/pull/43
• @RomainMazB made their first contribution in https://github.com/wintercms/winter/pull/54
• @najbo made their first contribution in https://github.com/wintercms/winter/pull/56
• @josephcrowell made their first contribution in https://github.com/wintercms/winter/pull/74
• @arvislacis made their first contribution in https://github.com/wintercms/winter/pull/128
• @josieit made their first contribution in https://github.com/wintercms/winter/pull/134
• @helmutkaufmann made their first contribution in https://github.com/wintercms/winter/pull/135
• @WebVPF made their first contribution in https://github.com/wintercms/winter/pull/140
• @luciandex made their first contribution in https://github.com/wintercms/winter/pull/185
• @RickAcb made their first contribution in https://github.com/wintercms/winter/pull/222
• @datune made their first contribution in https://github.com/wintercms/winter/pull/245
• @rezalaal made their first contribution in https://github.com/wintercms/winter/pull/293
• @msimkunas made their first contribution in https://github.com/wintercms/winter/pull/337
• @ericp-mrel made their first contribution in https://github.com/wintercms/winter/pull/361
• @matteotrubini made their first contribution in https://github.com/wintercms/winter/pull/370
• @damsfx made their first contribution in https://github.com/wintercms/winter/pull/365
• @gergo85 made their first contribution in https://github.com/wintercms/winter/pull/374
• @AIC-BV made their first contribution in https://github.com/wintercms/winter/pull/377
• @ArchimedeSolutions made their first contribution in https://github.com/wintercms/winter/pull/394
• @evan70 made their first contribution in https://github.com/wintercms/winter/pull/403
• @sheck87 made their first contribution in https://github.com/wintercms/winter/pull/420
• @tukuyo made their first contribution in https://github.com/wintercms/winter/pull/435
• @der-On made their first contribution in https://github.com/wintercms/winter/pull/457
• @Flynsarmy made their first contribution in https://github.com/wintercms/winter/pull/491
• @marcomessa made their first contribution in https://github.com/wintercms/winter/pull/485
• @davidlueder made their first contribution in https://github.com/wintercms/winter/pull/563
• @multiwebinc made their first contribution in https://github.com/wintercms/winter/pull/603

UX/UI Improvements

• The base Snowboard framework has been included in the Backend by default, allowing people to use Snowboard requests and included functionality in their plugin's backend pages if they wish. Please see https://github.com/wintercms/winter/pull/548 for more information on what is included.
• Dates displayed on the Theme Logs & Event Logs pages in the backend now display in the current user's preferred locale & timezone.

API Changes

• Dependency checking and management for Snowboard plugins has been improved. Singletons that have a ready callback will not be fired until dependencies are loaded.
• Added a flash.create and flash.remove global event in Snowboard to listen when a flash message is created and removed, respectively.
• Added URL handling and base URL detection in Snowboard via the Snowboard.url() plugin.
• Added sortable property to the Repeater FormWidget, defaults to true.
• Added a mix:update command to allow updating of Node dependencies for Mix assets.
• Added support for type: nestedform fields to the ThemeData theme customization forms.
• Added helper methods for Snowboard event listening - the on method registers a simple listener for a Snowboard event, the off de-registers the listener. The ready method is a shortcut method that registers a listener for when the DOM is ready, synonymous with $(document).ready() in jQuery.
• Added an Asset Loader component for Snowboard, which is now included in the extras and allows simple loading of script, style and image assets on the fly.
• Added a Data Configuration component for Snowboard, which is now included in the extras and allows widgets to retrieve configuration from an element's data attributes, similar to the current widgets within Winter CMS.
• Added the public flag trimStringAttributes to Winter\Storm\Database\Model to make it possible to disable the default behaviour of automatically trimming string attribute values on model instances.

Bug Fixes

• Improved support for read-only filesystems by using the Storage facade to handle the disabled plugins cache file instead of directly interacting with the local disk and checking if the local filesystem is writable before attempting to create the temporary directory required by the UpdateManager.
• Fixed the System Status dashboard widget on read-only filesystems.
• Fixed issue where calling Snowboard.request() with the element parameter set to false or null would fail.
• Fixed issue where changes made to $this->vars in a Partial's PHP code section wouldn't be available in the Twig section.
• Fixed issue where a Snowboard plugin that had been removed could not be re-added.
• Backported a fix from the 1.2 branch which resolves timeout issues with the mix:install command.
• Fixed issue where using the useRelationCount option with a relation in a List widget would not retrieve the count if the relation name was not snake-cased.
• Fixed an issue where passing configuration that had been generated by $this->makeConfig() to a ReportContainer would cause it to fail to initialize.
• Fixed missing variable in error message with mix:watch command if packages are missing from the overall workspace.
• Fixed issue where Snowboard requests in the Backend did not include the CSRF token.
• Fixed issue where using a time limit with data-track-input in Snowboard for input debouncing was being overwritten on entering a value due to misnamed variable.
• Fixed issue where any value returned by a success or error callback in Snowboard would prevent further execution (including no value); instead of just preventing execution on receiving a value of false.
• Fixed issue where string values (query selectors) were not able to be provided as the data-request-form attribute to Snowboard as it was requiring an instance of an element.
• Fixed issue where passing an already URL-encoded string to the UrlGenerator could cause its query parameter keys to become double encoded, disrupting the original data structure.

Security Improvements

• Improved reliability of the CMS Safe Mode feature. See https://github.com/wintercms/winter/security/advisories/GHSA-q37h-jhf3-85cj for more information
• Improved reliability of Winter\Storm\Database\Attach\File->fromData(). See https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp for more information.

Translation Improvements

• Improved German translation
• Improved Spanish translation
• Improved Farsi translation

Community Improvements

• Fixed file language hinting for backend controller views for VS Code

Dependencies

• The Winter core modules now report via composer that they replace the associated version of the October core modules to improve compatibility with the October ecosystem.

New Contributors

• @der-On made their first contribution in https://github.com/wintercms/winter/pull/457
• @marcomessa made their first contribution in https://github.com/wintercms/winter/pull/485
• @davidlueder made their first contribution in https://github.com/wintercms/winter/pull/563
• @multiwebinc made their first contribution in https://github.com/wintercms/winter/pull/603

Security improvements backported from v1.1:

Security Improvements

• Improved reliability of the CMS Safe Mode feature. See https://github.com/wintercms/winter/security/advisories/GHSA-q37h-jhf3-85cj for more information.
• Improved reliability of Winter\Storm\Database\Attach\File->fromData(). See https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp for more information.

Dependencies

• The Winter core modules now report via composer that they replace the associated version of the October core modules to improve compatibility with the October ecosystem.

UX/UI Improvements

• All default backend controller behaviors (i.e. FormController, ListController, RelationController, etc) no longer require a configuration property (i.e. $formConfig, $listConfig, $relationConfig, etc) defined on the implementing controller if the default config file is being used (i.e. config_form.yaml, config_list.yaml, config_relation.yaml, etc).
• The winter:down command now requires a user to explicitly confirm the action by typing DELETE in their CLI.
• The plugin:remove command now requires a user to explicitly confirm the action by typing the plugin code in their CLI.
• Added Created At & Updated At columns to the Backend User & User Roles lists, marked invisible by default.
• Updated the syntax highlighting language used by the backend custom CSS brand setting to acurately reflect the actual language in use (LESS, not CSS).
• The Markdown editor will now add a https:// template when adding a link or image, to encourage use of secure links.
• Removed the timeout when running winter:test.
• Fixed styling issue with color pickers on the Mail Brand Settings page in the backend.
• Files in the CMS Theme Editor AssetList component will now be sorted alphabetically.
• Added ability to manage the list of users associated with a given role from that role's update page.
• Added "slug" input preset to the Administrator Role's code field.

API Changes

• Permissions registered without the roles property defined will now only be inherited by the developer system role, not all system roles.
• Added Snowboard.js, a new JS framework intended to replace the existing AJAX Framework that is more modular and no longer depends on jQuery.
• Added support for Laravel Mix via the following commands: mix:install, mix:compile, mix:watch, & mix:list.
• Added autodetection of Laravel Mix package configuration files when winter.mix.js is present in a plugin, theme, or module.
• Added System\Classes\MixAssets for managing Laravel Mix packages provided by plugins, themes, & modules. See registerMixAssets() now available as a registration method for Plugin.php, MixAssets::registerCallback() for Modules, and the mix property on theme.yaml definitions
• Classes implementing the System\Traits\PropertyContainer trait to provide dynamic property options for Inspector fields no longer need to have zero (or one optional) parameters in their constructor in order to work correctly. Note that if your constructor requires a value in any property and does not define a default, this will still fail, so ideally you should still use a class specifically set up for handling Inspector properties.
• Added | md_line Twig filter to make use of the Markdown::parseLine() method in Twig templates.
• Replaced Winter\Storm\Auth\AuthException with Winter\Storm\Auth\AuthenticationException, added Winter\Storm\Auth\AuthorizationException.
• The plugin:remove command now provides a --no-rollback option which disables the rolling back of database migrations for a plugin when it is being removed, allowing the plugin data to be retained.
• Added support for the app.asset_url & ASSET_URL configuration options for use with the Url::asset() & asset() helpers.
• Added | asset Twig Filter
• Made app(), media(), asset(), resize(), imageWidth(), imageHeight() available as Twig Functions

Bug Fixes

• Integers can now be used as values for options provided to the Inspector set field.
• Fixed issue with list of available encodings for importing where ISO 8859-9 was incorrectly referenced as ISO 8859-0.
• Fixed issue that could occur when running console commands on a project that had replaced plugins and their replacing plugins present at the same time.
• Fixed incorrect exception message when attempting to impersonate a user without authorization.
• Fixed color picker widget not allowing empty values.
• Fixed color picker widget showing misleading mouse cursors in read-only mode.
• Fixed color picker widget not triggering dependent fields on change.
• Fixed issue where attempting to render a theme without a database present would fail because the AssetMaker trait was attempting to get the system build information from the database even though the DB wasn't present.
• Fixed PHP 8 compatibility issue where a component with no controller throws an error when checking the existence of a method on the non-existent controller.
• Fixed bug introduced in v1.1.5 where an infinite loop would occur when attempting to impersonate a backend user while logged in as a user without the is_superuser flag.
• Modules will now be seeded before plugin migrations are run to support plugin migrations that interact with module seeded data.
• Fixed issue where setting the readOnly property to true on datepicker FormWidgets would leave the field greyed out but still editable.

Security Improvements

• Improved the Twig SecurityPolicy to block more potentially dangerous entry points from being abused by accounts with access to Twig but not PHP.
• Themes can no longer be imported while cms.enableSafeMode is active.
• Added a warning message to the system status dashboard widget when the default admin user is detected on the system.
• Limited inheritance of "orphaned" (permissions without default roles assigned) to just the "Developer" role instead of all system roles.
• Fixed issue where users without the backend.access_dashboard could still access the dashboard if they did not have access to any other main menu items in the backend.
• Removed the is_safe="html" flag from the System Twig filters (| app, | media, | resize, | imageWidth, & | imageHeight) as none of them should ever return values that should be injected into templates without escaping the results.

Translation Improvements

• Improved Latvian translation.
• Improved Ukrainian translation.
• Improved French translation.
• Improved Italian translation.
• Improved Slovak translation.
• Improved Russian translation.
• Improved Persian translation.
• Improved Japanese translation.

Community Improvements

• Winter.Notes, a new first party plugin for adding notes to any record type in Winter was released. It provides a custom notes FormWidget that presents a note management experience similar to the Mac OS Notes App.
• All code examples in the official documentation now has proper language highlighting depending on the language of each example.
• The console commands documentation has been signficantly refactored with an introductory page with a list of all commands now available. Commands are now grouped by their logical function.
• Added a default .vscode/settings.json to the project to help VS Code correctly identify the language (PHP, Twig, or WinterCMS Template) used for .htm files based on where in the project they are located.
• Added a default .vscode/extensions.json to the project to provide recommendations on extensions for VS Code that work well with Winter

Dependencies

• Laravel 6.x LTS does not support PHP 8.1 so Winter has limited the supported PHP versions to PHP 7.2.9 -> PHP 8.0.*. PHP 8.1 support will come with Winter 1.2 using Laravel 9.x LTS in February/March 2022.

UX/UI Improvements

• The color picker widget has been redesigned with a fresh look and additional features. See https://github.com/wintercms/winter/pull/324 for more information.
• You can now define one or more IP addresses that may view the site during maintenance mode via the Maintenance mode Settings screen.
• Console scaffolding commands (i.e. create:controller, create:plugin, etc) will now list the files that were created during the scaffolding process for clarity.

API Changes

• Added $data as the fourth argument to the mailer.prepareSend and mailer.send events.
• Added create:settings {plugin} {settings=Settings} scaffolding command to generate a Settings model for the provided plugin.
• Added winter:test {?--p|plugin=} {?--c|configuration=} {?--o|core} --ANY-PHP-UNIT-FLAGS-HERE command to easily run the core and plugin's PHPUnit testing suites.

Bug Fixes

• Fixed issue introduced in v1.0.466 where copying the default RelationController markup to use in a controller-level override of RelationController partials would result in an "undefined index" exception.
• Client language files for child locales (i.e. en-ca) will now include fallback strings from their parent locales.
• Fixed an issue with the Markdown Editor in Chrome clipping the editor content if the viewport height is restricted while the widget has "stretch" enabled.
• Fixed Backed\Helper\Backend::makeCarbon() to correctly default to the backend timezone set in cms.backendTimezone
• Large numbers of options (250+) are now better handled with the group filter
• Added support for base64 encoded data:image URIs in image type columns.

Translation Improvements

• Improved Persian translation.
• Improved Latvian translation.
• Improved Russian translation.
• Improved German translation.

Community Improvements

• Winter CMS can now be accessed via the Gitpod service, providing near-instant, fully working copies of Winter CMS for testing and development. Please see https://github.com/wintercms/winter/pull/295 for more information.
• The Architecture Concepts section has been added to the documentation and provide an higher level overview of Winter CMS and some of the advanced time-saving features available within the project.
• The Maintainer Guide has been added to the documentation.

Security improvements backported from v1.1:

API Changes

• The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
• Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
• Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
• Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not

Bug Fixes

• Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

• URLs generated by Url::to() and url() now return properly URL-encoded values
• Fixed issue where post() could return values when the request was not a valid POST request
• Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
• Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
• CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.

Bug Fixes

• Fixed a CSS issue from v1.1.5 where pages that were less that 100% of the viewport's height would only display a sliver of vertical content.

UX/UI Improvements

• Added a notice to the top of every page in the backend when using the user impersonation functionality.

API Changes

• Added getRealUser() to Winter\Storm\Auth\Manager to get the real user for the current request, taking into account user impersonation
• Added canBeImpersonated($impersonator = false) to Winter\Storm\Auth\Models\User and models extending it (i.e. Backend\Models\User); used to determine if the provided impersonator can impersonate the selected user.
• Changed model.user.beforeImpersonate to a halting event so that third party plugins are able to override the default return values from canBeImpersonated() to implement more or less strict impersonation protection policies as desired on a per project basis by returning a boolean flag indicating if the user can be impersonated or not

Bug Fixes

• Fixed critical issue introduced in 1.1.4 where post() didn't return the default value when the request was not a POST request. This caused issues with forms relying on session keys (i.e. file upload fields etc.) as well as the form context property.

Security Improvements

• Triggering user impersonation while already impersonating a user will now record the original impersonator as the impersonator for the second impersonation action as well, previously the impersonated user would have been recorded as the impersonator in those cases.
• Impersonated users will now have their access filtered to only include permissions that the impersonator would have also had access to.
• CMS Theme logs now reflect the real user behind a request; taking into account user impersonation.

UX/UI Improvements

• Fixed visual issue with checkboxes in inspector popups where they would take up space but not be visible.
• The order of columns in the Lists widget will be reset when pressing the "Reset to Default" button in the List config popup.
• The password restore and reset pages in the Auth controller now provide a body class (restore and reset, respectively) for targeting CSS.

API Changes

• The URL generator (URL::to() and url()) will now always return a slash after the hostname and properly URL-encode values with the dot segments processed out.
• SystemExceptions are now thrown for code paths resulting in not found exceptions (AJAX handlers, partials, content, components, etc) to make it easier to identify and resolve issues before end users are affected.
• Added the getNamespaceAliases($namespace) & getReverseAlias($class) methods to the ClassLoader class.
• Added Winter\Storm\Support\Testing\MocksClassLoader trait for mocking the ClassLoader in unit tests.
• The Http helper in the Storm library now stores and makes available all response headers in the $headers property even if the toFile() method is used - previously, headers would be discarded to prevent them being added to the file content.
• Custom Twig filters & functions registered in plugins via registerMarkupTags() can now specify the options to be used when registering the filters / functions with Twig.
• Added support for Trusted Proxies in Winter CMS, allowing sites behind proxies to still be served under HTTPS even if the HTTPS connection terminates at the proxy. Previously, the Backend of Winter CMS would redirect the user to the real underlying web address, which may not exist if it is proxied.
• Added support for providing a default image to be used for type: image backend list columns.
• Added the following global helper functions:
  • array_accessible(): Arr::accessible()
  • array_has_any(): Arr::hasAny()
  • is_associative(): Arr::isAssoc()
  • array_shuffle(): Arr::shuffle()
  • str_ordinal(): Str::ordinal()
  • str_after_last(): Str::afterLast()
  • str_ascii(): Str::ascii()
  • str_before_last(): Str::beforeLast()
  • str_contains_all(): Str::containsAll()
  • str_is_uuid(): Str::isUuid()
  • str_limit_words(): Str::words()
  • str_plural_studly(): Str::pluralStudly()

Bug Fixes

• Fixed issue where warnings about removing replaced plugins were still shown even when the plugins had already been removed.
• Fixed support for multiple where clauses on the unique model attribute validation rule.
• Fixed support for uppercase file extensions when using the ImageResizer (i.e. .JPG, etc)
• Fixed a few issues with the unique validation rule (couldn't specify multiple where conditions, minor inconsitencies in how it was being parsed, etc) and added unit tests to cover all valid variations fo the rule
• Fixed issue where calling url() or temporaryUrl() on a filesystem driver that didn't support those methods would throw a Class not found exception instead the appropriate RuntimeException.
• Backported a fix from Laravel 7 to allow pagination for queries with having clauses.
• Fixed issue with NavigationManager items that had invalid order values causing the backend to crash.
• Fixed issue where requests to non-existant Asset Combiner routes would return a 500 error code instead of 404.
• Fixed issue where the replacing plugin would be disabled on the first request after an aliased plugin was disabled.
• Fixed issue where namespace aliases registered via the ClassLoader (usually through the plugin replacement functionality) would not be evaluated by the Extendable trait (i.e. behaviors were not resolving correctly).
• Fixed issue where 0 couldn't be used as the min or max value for number field types.
• Fixed an issue with SSL connection failures and the winter:version command on Mac OS by using the Http helper as opposed to the file_get_contents() method.
• Fixed issue where the user impersonation system would sometimes fail to restore the original user correctly.

Security Improvements

• URLs generated by Url::to() and url() now return properly URL-encoded values
• Fixed issue where post() could return values when the request was not a valid POST request

Translation Improvements

• Improved French translation.
• Improved Latvian translation.
• Improved Italian translation.
• Improved Romanian translation.
• Improved Russian translation.
• Improved German translation.

Performance Improvements

• Improved speeds with path resolution for Halcyon File datasources sharing the same base directory.

Community Improvements

• Dropped old "build" files in the Storm library that were previously used for subsplitting the modules in the main Winter CMS repository for Composer. This has been replaced by a command in the Winter CMS CLI utility.
• Changed the default database host config option to be 127.0.0.1 instead of localhost. localhost may be slightly faster in some environments, but 127.0.0.1 is more reliable in all environments and the default can always be changed for specific projects that require it.
• Added automatic regeneration of the docs on wintercms.com/docs whenever a commit is made to the docs repository meaning that the public docs will finally be always up to date with the underlying git repository that powers them! Huge thanks to Marc Jauvin for finally taking care of a long standing annoyance with the project documentation.
• Updated the default config files to more closely match Laravel 6's default configurations.
• Improved issue templates on the main Winter CMS repository

UX/UI Improvements

• Added support for choosing the default backend locale and timezone in php artisan winter:install.
• Controller scaffolding now uses the default backend localization keys for the default titles in the FormBehavior config instead of hardcoded English strings
• The unique validation rule can now be used without any additional information, previously it required the table name to be specified in the form of unique:table_name. This also means that unique validation rules will respect the current model's $table property.

API Changes

• Added support for modifying the RichEditor's allowed attributes list through the EditorSettings in the backend
• Added support for saving deferred bindings with pivot data.
• Added Backend::makeCarbon($dateTime) helper for setting the backend timezone on date values.
• Added support for Dependency Injection in console commands.
• Added support for php artisan winter:util purge orphans command that removes any system_files records that do not have matching files stored on the filesystem.
• Added support for registerValidationRules in the Plugin.php plugin registration file to register custom validation rules.
• Added support for specifying min, max, and step values on the number and numberrange List Filter scope types.
• Added support for pre and post processing of YAML being parsed which should pave the way for supporting YAML v4
• Added support for array views to the MailFake class
• Added support for HTTP HEAD requests from the Http utility.
• Added boolean $ok indicator to the Http utility to indicate if the last response was successful (ie. an HTTP 2xx response code was returned)
• Added support for automatic cache busting for the assets loaded by the {% framework %} Twig tag based on the current version stored in the database. Use artisan winter:version to set the correct version for your project.
• Added support for translator namespace aliases by adding Lang::registerNamespaceAlias('real.namespace', 'aliased.namespace').
• Added Config::registerNamespaceAlias($original, $alias); to allow aliasing a config namespaces to another config namespace, i.e. Config::registerNamespaceAlias('winter.debugbar', 'debugbar'); would return the config items from winter.debugbar when accessing the debugbar config. This is useful for forked packages or when integrating Laravel packages into Winter.
• Added Config::registerPackageFallback($original, $fallback) to allow the config items to be loaded from the global $fallback config when present if the $original global config isn't present. Useful when forking plugins to ensure existing installations with customized configs at the global level continue to work.
• Added support for lazy loading class aliases only when needed through the new Winter\Storm\Support\ClassLoader->addAliases(['Real\Class' => 'Alias\For\Class']) method.
• Added support for aliasing entire namespaces in the class loader via the new Winter\Storm\Support\ClassLoader->addNamespaceAliases(['Real\Namespace' => 'Aliased\Namespace']) method.
• Added support for getting the original class name of an aliased class when registered through the ClassLoader via the Winter\Storm\Support\ClassLoader->getAlias($aliasedClass) method
• Added support for plugins specifying that they "replace" other plugins via the replaces key in the pluginDetails() method. See wintercms/winter#41 & wintercms/docs#11 for more details. Methods added to PluginBase: getReplaces($includeConstraints = false), canReplacePlugin($plugin, $version), getPluginIdentifier(), getPluginPath(), and getPluginVersion().

Bug Fixes

• Fixed issue with Schedule->withoutOverlapping() by bringing the Halcyon MemoryRepository more inline with the parent class.
• Fixed an error thrown when using the "package:discover" command when app.loadDiscoveredPackages set to false, as the manifest was reset to null as opposed to an empty array.
• Fixed issue where tooltips set on the first column of the Lists widget were not working.
• Fixed issue where components that used dependency injection in their constructors would break in the backend.
• The RecordFinder FormWidget will now automatically determine what to use for the key column if the model used is not using the default of id. This used to be controlled by the undocumented keyFrom option on the recordfinder, but is now handled behind the scenes automatically.
• Reverted "Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed"" introduced in 1.1.2 since it was causing issues when strict typing was enabled.
• Fixed an issue where PluginManager->getRegistrationMethodValues() would attempt to call protected methods on PHP 7.4.
• Improved Media Library path validation logic by allowing // but not allowing :// to account for poorly constructed paths that are still technically valid.
• Fixed issue where sending emails using the Laravel Notification system could cause an exception in the System module when it attempted to extend a view instance while it was expecting a view string reference.
• Fixed issue where a TagList field that is disabled or readOnly would fail to correctly render if the value was an array.
• Added branching support for winter:version, different version branches (1.0, 1.1, etc) can now be correctly identified.
• Improved handling of dates by the Filter widget, specifically when ignoreTimezone is set on only one of a few date inputs in a given filter, and when using the daterange filter type with certain date values.
• Changed the default value of database.connections.sqlite.database to base_path('storage/database.sqlite') to better support applications using a mirrored public directory.
• Fixed issue where redirects to slow loading pages via AJAX could stop the loading indicator (and thus enable the triggering element) before the redirect actually completed, potentially leading to users triggering multiple requests unintentionally. As a side-effect due to how browsers process file downloads triggered by AJAX, this broke the loading indicator for AJAX redirects that cause the browser to download files instead of leaving the page; see the test plugin for how you can manually fix that functionality within your projects.
• Fixed long standing issue with the pagelinks plugin in the richeditor where inserting a link from the pagelinks popup would insert it at the start of the content instead of where the selected text was, and fixed another issue that would cause any preset text to be overwritten when selecting a link to use from the pagelinks popup.
• Fixed issue where exceptions / errors that were thrown before the Event facade was available would always be reported as "Class Event does not exist" instead of the actual problem.
• Fixed support for CSS variables within the asset compiler / combiner, this is a step closer towards native Tailwind support within Winter CMS.
• Fixed issue where resizing certain .gif images would result in imagecolorsforindex(): Argument #2 ($color) is out of range.
• Fixed issue where resizing .gif images with no transparent colour set would result in the white colour being replaced with the default transparent colour.
• Fixed issue where passing null as the image source to the | resize filter resulted in an exception being thrown instead of more gracefully silently ignoring the input and returning an emptry string.
• Fixed issue where init.php wouldn't be loaded by the plugin boot process when running unit tests.
• Fixed long standing issue where disabled plugins wouldn't be uninstalled by the winter:down command
• Fixed issue where routes registered via plugin's routes.php file would not have names registered via Route::name() actually registered with the internal route name mapping meaning that route($name) would not be able to resolve to those routes.

Security Improvements

• Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
• Tightened up the permission checking logic by requiring strict type matches.
• Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.

Translation Improvements

• Improved French translation.
• Improved Russian translation.
• Improved Dutch translation.
• Moved Media Manager rename and move action language keys to the backend module instead of the CMS module.

Community Improvements

• Documented the Lists widget's perPageOptions configuration property

Dependencies

• Refactored the Winter\Storm\Events\Dispatcher class to extend and override the base Laravel Event Dispatcher rather than just duplicating and implementing the contract for greater compatibility with Laravel.
• Switched away from the abandoned fzaninotto/faker package to the maintained fakerphp/faker package.

Security Improvements

• Improved password reset flow by no longer throwing an error message if the provided email address doesn't exist in the system.
• Tightened up the permission checking logic by requiring strict type matches.
• Removed xml from the list of default allowed extensions to upload, can be added back through the configuration if required.

NOTE: As of v1.1.2, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX/UI Improvements

• Fixed issue where the browser's number increment/decrement control would cover up the placeholder text in type: number inputs when hovered over or focused on.
• Added ability to select the default backend locale when running the winter:install command
• Added ability for CMS editor to auto detect which editor should be used based on file type, bringing the editor in line with the documented feature.
• Added the List Behavior's new perPageOptions config property to the default stub for scaffolding new controllers.
• Fix support for browser-based validation of checkboxes and radio options

API Changes

• Added support for the {colorpicker} field in the Dynamic Syntax parser.
• The availableColors attribute can now be specified for colorpicker type variables in the Dynamic Syntax parser.
• Added new getRelationTypeDefinitions and getRelationTypeDefinition methods to models to query relationship definitions through methods as opposed to interacting with the relation properties directly.
• The "Customize" button is now disabled for all themes that are not the currently active theme.
• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.
• Added support for using the sort_order_column property on a model implementing the Winter\Storm\Database\Behaviors\Sortable behavior to define the name of the sort order column as constants cannot be defined on classes dynamically.
• Added ability to control the auto-detaching behavior of BelongsToMany relationships by setting detach (default true) on the relationship definition.

Bug Fixes

• Fixed a duplicate AJAX call being fired when using the "Apply" or "Clear" buttons in a group filter.
• Fixed an exception thrown on viewing or logging into the Backend when attempting to load the backend localization files of a missing theme.
• Fixed issue where /0 would return the result from /.
• Fixed issue where plugins with external dependencies referenced in their migration files would fail to install correctly via the plugin:install CLI command while installing normally in a web environment.
• The listAllDirectories() method in the MediaLibrary helper now correctly excludes paths and directories that are specified in the storage ignore rules configuration.
• Fixed issue where field options specified using a static method in the form of options: "\Path\To\Class::staticMethod" were not receiving the Form widget instance or the Field widget instance as per the documentation.
• Fixed issue introduced in Laravel 5.7 where eager loading File relationships on PostgreSQL would fail with the message "Varchar <> Integer comparison is not allowed".
• Fixed issue where having safeMode enabled when editing a CMS CompoundObject with different line endings from the user's browser (i.e. \r vs \r\n) would cause the safe mode protection to unnecessarily trigger (preventing any changes to non-protected properties from being saved) because the user's browser would modify the original line endings.
• Fixed an issue with integers being used as keys for the options in the checkbox list.
• Fixed an issue with syncing belongToMany relationships introduced in v1.1.1.
• Fixed an issue where the user-provided password for the default admin account during winter:install was not being respected and was instead always being set to a random string of characters as if no password had been provided.
• Fixed an issue where the ImageResizer was always provided absolute URLs instead of respecting the value of cms.linkPolicy.
• Reverted previous fixes to the BelongsToMany relationship related to conditions and scopes being defined during detach() as they were causing more problems than they solved.
• Added a default value of SQLite to the database options question of the winter:install command so that --no-interaction will work.
• Fixed a breaking change in how empty route parameters with default values are handled that was introduced in v1.0.466
• Fixed an issue where fields that use dependsOn to depend on another field that is itself dependent on other fields wouldn't be triggered when the first field was updated through the dependsOn functionality.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.

Translation Improvements

• Improved Slovakian translation.
• Improved Hungarian translation.
• Improved Brazilian Portuguese translation.
• Improved Dutch translation.
• Improved French translation.

Community Improvements

• Added a new EventFake class to provide mocking and testing services for events in unit tests.
• Fixed the order of parameters in the docblock for the mailer.beforeAddContent event.

Dependencies

• Updated Pikaday to 1.8.2
• Updated wikimedia/less.php to ~3.0
• PHP 8 is now supported
• Switched back to the source repository for the wikimedia/composer-merge-plugin as Composer 2.0 support has fully arrived. Update your composer.json files to require "wikimedia/composer-merge-plugin": "~2.0.1"

NOTE: As of v1.0.472, the core maintainer team has left October CMS and forked the project into Winter CMS.

UX / UI Improvements

• Fix support for browser-based validation of checkboxes and radio options

API Changes:

• Added registerOwnerAlias($owner, $alias) to the NavigationManager to add aliases for given owners of registered menu items.
• Added registerPermissionOwnerAlias($owner, $alias) to the AuthManager to add aliases for given owners of registered permissions.
• Added registerOwnerAlias($owner, $alias) to the SettingsManager to add aliases for given owners of registered setting items.

Security Improvements

• Tightened up the Twig SecurityPolicy. Calling insert(), update(), delete() methods on all PHP objects are now blocked from within Twig, data modifications should not be done at the view layer. If absolutely necessary, consider firing a view event instead. Backported from v1.1.2.
• Added a new config value (app.trustedHosts) to protect against host header poisoning. The following values can be used: true will allow only the naked and www versions of app.url as trusted hosts, the default of false will disable the feature (except on the backend password reset flow), and finally an array of trusted host patterns.
• Session identifiers are now invalidated on logging out instead of just flushed.

UX/UI Improvements

• Adjusted winter:fresh to remove the demo plugin even when the demo theme has already been removed.
• Allowed for the "fancy" breadcrumb widget to be styled based on custom branding colors specified in the "Customize back-end" settings.
• System will now throw an exception with a helpful error message if image resizing fails because an unsupported cache driver is being used (i.e. array).
• Switched the order of the "Install plugins" & "Install themes" buttons to match the order of the tabs on the actual install page
• Plugins that are already present in the local system and also exist in the marketplace will no longer be re-downloaded when a Project ID is attached.
• The plugin management page will now reload after making changes that would affect which plugins are currently active.
• Custom messages can now be provided for bulk deletions in Lists, defined by the deleteMessage property for successful deletions, and noRecordsDeletedMessage property for when no deletions occurred due to missing selections or an altered list query not returning any applicable records.

API Changes

• The initial seeding process for empty databases no longer uses a default password; instead a secure random password is generated and reported in the console. If you need to change the admin account password run php artisan winter:passwd admin NewPasswordHere
• The winter:env command is now privileged and will run even if plugins are failing to boot.
• A new syntax for specifying the available options for field types that use the options property is now available: \Path\To\Class::staticMethodName will use the array returned by calling the static method \Path\To\Class::staticMethodName() as the options
• The noRecordsMessage configuration value to specify a message when a list is empty can now be specified for list-type widgets in the Relation controller.
• CMS pages that are hidden (only accessible to logged in backend users) will now be automatically removed from RainLab.Pages menus.
• session.same_site now defaults to Lax instead of null and any invalid configurations will be automatically corrected to the default value of Lax. See #5293 for a detailed breakdown.
• Added new removeSideMenuItems() helper method to NavigationManager, which can quickly remove one or more side menu items for a specific owner and menu.
• The app locale at the time of a message's entry onto the queue is now stored with the message on the queue as _current_locale.
• Added support for $query->selectConcat(array $parts, string $as) to concatenate an array of parts into a single column/attribute $as.
• Added support for the upsert($values, $uniqueBy, $updateColumns) QueryBuilder method added in Laravel 8.x which allows for bulk updates or inserts at the database level.
• Added separate backend.manage_own_editor permission to allow users to manage their own personal editor preferences without being able to modify the global ones.
• Added new media_path() helper function to return the fully qualified path to the media directory.
• Added new Storage::identify($disk) method to identify the name of the disk configuration used to instantiate the given disk instance.
• Template blocks in Backend templates are now correctly terminating the output buffering used. Block processing uses layers of output buffering to determine applicable block content, however, a particular scenario occurred where subsequent blocks were not rendered due to content in between two blocks cancelling another layer, causing issues with further blocks. The block functionality will now capture the content in between blocks and hold it until the final content is generated, keeping the correct layer intact so that subsequent blocks are kept in the right location. See https://github.com/wintercms/library/pull/517 for more information.
• Added new Winter\Rain\Database\Behaviors\Sortable behavior that mirrors the functionality of the Winter\Rain\Database\Traits\Sortable trait except with the ability to dynamically attach it to models at runtime allowing for third-party plugins to be extended with the functionality.
• Themes can now register localization keys to be used only on the backend using a similar file structure to plugins & modules. Ex: themes/mytheme/lang/en/lang.php contains 'ga_api_key' => 'Google Analytics API Key', referenced by themes.mytheme::lang.ga_api_key.
• Quick actions can now be defined in the top-right of the Backend. Quick actions act as shortcuts to common actions, such as previewing the website. See https://github.com/wintercms/winter/pull/5344 for more information.

Bug Fixes

• Fixed issue where displaying protected file thumbnails with a width or height set to nothing would fail.
• Fixed issue where URLs to resized images were not being properly URL encoded
• Fixed an issue introduced in Build 1.1.0 where plain Twig templates couldn't be loaded through the {% include 'path' %} or {{ source(path) }} Twig functions.
• Fixed issue introduced in build 1.0.458 where non-grouped repeaters with minimum items specified via the minItems option did not pre-fill the repeater with the minimum items.
• Fixed issue where the ImageResizer would attempt to process image types that it couldn't handle instead of just passing them through untouched.
• Fixed issue where resized images were not correctly identified as already having been resized when atomic (blue/green) deployment strategies are used in conjunction with files being stored on the local filesystem in a shared symlinked storage folder.
• Fixed issue where the media manager would not display a folder that a contained a filename with characters that are considered invalid by the MediaLibrary class (i.e. '+', various unicode characters).
• Fixed issue where resized images with spaces in their filenames would not pass the resizer validation checks because the target URL would be decoded three times instead of the intended two.
• If a model's dateFormat includes microseconds (.u) or milliseconds (.v) but a given value provided to an attribute that is cast as a date does not include that information, then the date casting logic will now automatically add the appropriate number of zeros to the end of the provided date value for it to be accepted when parsing the provided value according to the defined dateFormat for the model. This fixes an issue with databases that have .u or .v in date columns that are managed by the datepicker in the backend which doesn't support sending micro or milliseconds.
• Fixed a long-standing issue where returning a redirect to a file in response to an AJAX request in order to get the browser to download the file wouldn't stop displaying the AJAX loading indicator.
• Fixed the uploads_path() helper.
• Fixed support for AWS S3 as a source for the ImageResizer.
• Fixed issue where backend administrators list could not be filtered by "Is superuser?" filter on SQL Server due to that database engine not supporting literal boolean values.
• Fixed adjacent block placeholders not working in Backend templates - the initial block is rendered, but the subsequent block is ignored. See API change above regarding block termination for more information.
• Fixed issue where an exception is thrown when scanning template content for mail templates and layouts that have been orphaned by a disabled or removed plugin. This prevented plugins such as the Translate plugin from scanning messages correctly.
• Fixed issue where models with guarded properties were failing to allow attributes that don't have a corresponding column to be processed in events (for example, the "data" attribute in the File model).
• Fixed issue with the included http_build_url() polyfill where the current and replacement URLs couldn't be passed as strings.
• Fixed issue where having multiple belongsToMany relationships defined and differentiated by the conditions property would cause one of the relationships to be wiped out on saves of a separate relationship. See wintercms/winter#4952 for more information.
• Fixed issue where paths provided to the theme:sync command were too loosely matched, which could lead to files that weren't intended to be synced being synced anyways.

Security Improvements

• The admin account password is now securely randomly generated during the initial seeding process for empty databases and is reported in the console. If you need to change the admin account password run php artisan winter:passwd admin NewPasswordHere
• Tightened up the default permissions granted to the "Publisher" system role out of the box
• Improved handling of custom editor styles to prevent HTML injection
• Locked down the Twig sandbox even more to prevent allowing users with access to Twig templates from defining and running PHP code

Translation Improvements

• Improved Taiwanese translation
• Improved French translation
• Improved Slovenian translation
• Improved Russian translation
• Improved Italian translation
• Improved Dutch translation
• Improved German translation

Dependencies

• The Composer merge plugin was temporarily cloned to the WinterRain GitHub organization to resolve an issue with Composer 2.0 support.

Community Improvements

• Fixed a bug with the marketplace build server that required a bump in the version number.

API Changes

• The Winter\Storm\Database\Attach\File model now uses "fillable" attributes as opposed to "guarded" attributes to control mass assignment. If you extend the File (or the main System\Models\File) model to provide additional fields, you must now copy the "fillable" attributes to your extension and add any additional fields to this definition (backported from 1.1.0)

Bug Fixes

• Temporarily fixed an issue with existing code-bases that abuse the Twig engine by loading template files in unsupported ways (.js / .svg files rendered as partials through {% partial %}, {% include %}, or $this->renderPartial()). NOTE: This hotfix will not be available in Build 1.1.x so existing code still needs to be fixed to not use those unsupported file types.
• Fixed an issue introduced in Build 1.0.469 where plain Twig templates couldn't be loaded through the {% include 'path' %} or {{ source(path) }} Twig functions
• Fixed issue introduced in a security update to Laravel 5.5 where models with guarded properties were failing to allow attributes that don't have a corresponding column to be processed in events (for example, the "data" attribute in the File model). (backported from 1.1.1)

Security Improvements

• Tightened up the default permissions granted to the "Publisher" system role out of the box (backported from 1.1.1).
• Locked down the Twig sandbox even more to prevent allowing users with access to Twig templates from defining and running PHP code (backported from 1.1.1).

NOTE: This build contains a number of changes made as a part of the upgrade from Laravel 5.5 LTS to 6.x LTS, it is highly recommended that you review the upgrade guide to ensure you aren't affected.

UX/UI Improvements

• Added new "sensitive" field widget that provides a revealable password field for forms.
• Finished implementing the php artisan winter:util purge uploads console command that purges invalid files (Files that don't have a matching entry in system_files) and empty directories from the uploads directory. This only works on uploads stored on the local disk for now.
• Added built in support for easy and fast resizing of images with three new Twig filters (| resize(width, height, options), | imageWidth, | imageHeight) and a new backend List column type (image). See https://github.com/wintercms/winter/pull/5231 for more information.
• The SMTP port field in the Mail Settings page will be pre-filled with the default port depending on the encryption type selected, if it is using a standard port. Custom ports will not be overwritten.
• Added a link to the backend in the demo theme header menu to make it easier for new users to find the backend.

API Changes

• Added new development configuration option develop.allowDeepSymlinks which allows for symlinks at any subdirectory level when generating a public URL from a local path.
• The System\Controllers\Settings controller now provides a formGetWidget method to retrieve the form widget used for Settings forms.
• The default password validation rules for Backend\Models\User and Winter\Storm\Auth\Models\User have been loosened by no longer having a max length since passwords are stored in the database as hashed values and the length of the input has no effect on the length of the output.
• winter:env will now use QUEUE_CONNECTION instead of QUEUE_DRIVER to refer to the queue connection when generating a .env file from the config files.
• The individual composer.json files for each of the Winter Rain library components have been removed as using individual components of the Winter Rain library is no longer supported.
• Support has been added for hasOneThrough relationships.
• Support has been added for the eloquent.retrieved Model event that Laravel added in 5.5.2.
• The app:name Artisan command was removed as Laravel removed it in L6 and Winter never really had a need for it.
• Added new public static method Model::flushDuplicateCache() to flush a given model's duplicate query cache during a request lifecycle.
• Added polyfill for the http_build_url() core PHP function.
• Added new php artisan create:theme $code scaffolding command.
• Added new Arr::undot() and array_undot helper methods / functions (transforms a flat, dot-notated array into a normal nested array)
• Added new config_path() helper function.
• Added new resolve_path() helper function that closely emulates the PHP realpath() function, but supports resolving paths for missing files and subdirectories. This is provided by the Winter\Rain\Filesystem\PathResolver helper class, which can resolve canonical paths and determine if given paths are within given directories.
• The Winter\Storm\Database\Attach\File model now uses "fillable" attributes as opposed to "guarded" attributes to control mass assignment. If you extend the File (or the main System\Models\File) model to provide additional fields, you must now copy the "fillable" attributes to your extension and add any additional fields to this definition.
• The Winter\Storm\Database\Attach\File model will now log exceptions when getThumb() fails in addition to generating the broken image file as the thumbnail as per existing behaviour.
• The Winter\Storm\Html\HtmlBuilder::limit() method now considers whitespaces and line breaks to be one character, regardless of the line break type or number of spaces. This ensures a consistent result across both Windows and Linux.
• Added File::isLocalDisk($filesystemAdapterDisk) method to check if the provided disk is using the Local Flysystem adapter. Winter\Rain\Database\Attach\File has switched it's internal method isLocalStorage() to using it, so if you are overriding that method you may be able to remove your overridden method implementation so long as your getDisk() method is returning the correct disk for your custom FileModel.
• Removed data-browser-validate from the default controller scaffolding files as HTML5 form validation does not play nice with anything beyond the most basic forms. Also removed from the System Settings backend forms.
• Plugin view & configuration files are now registered on protected routes even if the plugin doesn't have elevated permissions to run on those routes in order to support views and configuration being used in database migrations.
• Added getAllPlugins() method to the System\Classes\PluginManager class to retrieve all plugins detected on the system instead of just the enabled ones.
• Bound Illuminate\Foundation\Application to Winter\Storm\Foundation\Application in the application container to better support Laravel packages that typehint the Application class directly rather than the contract.
• Improved handling of Rule objects when used in validation - the message() method is now used to return a fallback message (optionally translated), and there is no need to specify a validate() method anymore.
• The winter:util set build command has been replaced with the winter:version command, which now does a more accurate build version check by comparing the Winter CMS installation files with a manifest kept on GitHub, and no longer queries the Winter CMS servers simply for the latest stable or edge build.
• Added a unique ID to the Filter widget container to support being targeted through the AJAX framework.

Bug Fixes

• Improved stability of the FieldParser when parsing fields without the type property specified.
• Fixed issue where the QueryBuilder->remember() method did not properly support being passed DateTime instances for cache expiry.
• Fixed an issue introduced in Build 1.0.466 where asset files were unable to be created through the CMS section.
• Fixed issue where removing the currently sorted by column from the list's visible columns would cause an error.
• Fixed issue where not having the GD extension loaded would cause the process to exit with an error message instead of throwing an Exception.
• Fixed issue where non-compound use statements that were aliasing imported classes in CMS code sections (i.e. use Session as WinterSession) were no longer being included in the parsed PHP because of a bug fix in Build 1.0.468.
• Fixed issue introduced in Build 1.0.466 where BelongsTo relationships were unable to be updated using the RelationController behavior.
• Fixed issue where not specifying a thumbnailWidth (even when providing a thumbnailHeight) for the FileUpload FormWidget would cause it to default to 100x100.
• Fixed issue where unlinking a HasOne or BelongsTo relationship with the RelationController would not fully clear it from the view widget being displayed.
• Fixed issue where creating or adding a new record to a HasOne or BelongsTo relationship with the RelationController would not fully remove any existing relationship.
• Fixed issue introduced in Build 1.0.461 where all SystemExceptions would be logged twice to the EventLog.
• Fixed an exception that would be thrown when editing Mail Templates if any partials recorded in the database were no longer provided by the plugin due to it being removed or disabled.
• Fixed issue where a JS exception would be thrown if attempting to load a page with tabs where the hash part of the URL contained a /.

Translation Improvements

• Improved Spanish translation.
• Improved Russian translation.

Community Improvements

• Added the Laravel framework dependency to each of the core modules to improve stability of existing composer installations
• The ftp and sftp storage drivers are now included with the core.
• The postmark mail driver is now included with the core.
• The Winter CMS and Storm Library are now tested against both Linux and Windows, PHP versions 7.2 to 7.4, to ensure that functionality works correctly across both supported operating systems.

Dependencies

• The Laravel framework has been added as a dependency to the core modules and library to improve the stability of existing Composer installations.
• The Assetic library is no longer an external dependency as the key functionality has been absorbed by the Winter Rain library.
• The Jenssegers/Date library is no longer an external dependency as the key functionality was included in Carbon 2.0 and Argon took over whatever small pieces were left behind.
• The unmaintained leefo/scssphp dependency has been replaced with scssphp/scssphp
• The unmaintained lessc.inc.php included dependency has been replaced with wikimedia/less.php

API Changes

• .svg has been removed from the default list of allowed extensions for uploading for security reasons, will be re-added in Build 1.1.1 alongside sanitization to protect against XSS attacks. Use storage.media.defaultExtensions to override the default list of allowed extensions in order to re-add support for it at your own risk.
• $fileName was removed as a parameter for the Winter\Storm\Halcyon\Builder->delete() method as it wasn't actually being used internally and had no effect.
• Partials included via $this->renderPartial(), {% partial 'path/to/partial' %}, and {% include 'path/to/partial %} now properly block all extensions other than .htm by default.
• Attempting to load & render partials from outside of the theme using the CMS Twig engine will no longer work (note, this was never officially supported, it was a bug that it ever worked in the first place). If you are trying to render Twig from outside the theme you should always use the System Twig engine instead of the CMS one by calling \Twig::parse($templateContents, $templateVars);)

Bug Fixes

• Fixed issue where cookies that were generated at some point between pre-Laravel 5.5.* cookie security fix and the latest cookie security fixes in Build 1.0.468 could fail to be processed correctly.
• Fixed an issue where some SystemExceptions include unfiltered user input in the response to the browser, which would cause security researchers to think that they've found a XSS vulnerability which would then take resources to explain how it wasn't exploitable by just stripping any potential XSS from SystemException messages.

Security Improvements

• Fixed issue where the FileDatasource could be abused to load files outside of the intended location.
• Fixed issue where the Twig sandbox could be escaped allowing users with access to Twig templates to define and run PHP code.

Community Improvements

• Winter has moved to a slightly different versioning scheme, major changes such as Laravel framework upgrades will now be indicated by the "minor" version number, and the build / patch number will reset on every increment of the minor version number. Winter builds from initial conception to Laravel 5.5 EOL will be the v1.0.319 to v1.0.469 range, and the Laravel 6 upgrade will be v1.1.0. EOL branches will not be supported with bug fixes or feature additions, but will continue to have security issues IN winter CODE ONLY (i.e. security fixes for dependencies will not be included) fixed as they are reported to the core team through our Security Policy.

UX/UI Improvements

• Added new Paragraph Formats option to the Editor Settings page, which allows you to control the available tags in the Paragraph Formats button.

API Changes

• The Encryptable trait now encrypts "empty" values correctly, such as the number zero and an empty string. The only value that is left unencrypted is a null value.
• Fixed docblocks in the Winter\Storm\Network\Http class that referred to the $options property as an array instead of the callable that is actually used

Bug Fixes

• Unit tests involving authentication are now namespaced to backend.auth, to prevent conflicts with other authentication libraries.
• Fixed "use statement with non-compound names has no effect" when attempting to import classes already in the root namespace (like facades) in the CMS PHP code section.
• Fixed a bug where the text entry of a taglist field would remain after the tag has been created.
• Resolved an issue where PHP max_input_vars limits would prevent "group" filters from working if they contained more options than max_input_vars would allow.
• Fixed support for ignoreTimezone in date and daterange filter scope types.
• Fixed issue with Arabic translation in the backend where Indic numerals were being used instead of Arabic numerals for the datepicker FormWidget which was confusing the serverside processing of date values.
• Fixed issue where an incorrect <textarea> tag definition broke the popup editor for stringList and text type fields in the Inspector.

Security Improvements

• Improved validation of encrypted cookies by locking cookie values to the cookie they were created for. See the security advisory for more information.

Translation Improvements

• Improved French translation.

Community Improvements

• Added note in config/cms.php for handling URL generation for uploaded files when using Winter in a subfolder installation.

UX/UI Improvements

• Added docblocks to the controller scaffolding.
• Added support for decompiling nested compiled asset files when cms.decompileBackendAssets is enabled.
• Improved error handling for failed fileuploads

Bug Fixes

• Fixed bug introduced in 466 where :number stopped working in transChoice translation strings.
• Fixed bug introduced in 466 where it was impossible to upload images to the Media Library while on a page that included the AssetList widget.
• Fixed bug introduced in 466 where plugin dependencies wouldn't be loaded all of the time.
• Fixed bug where belongsToMany relationships with pivot data could not be added to through the RelationController if a custom order property was set on the relationship definition.
• Fixed empty tags being stripped in RichEditor (Froala) widget.
• Fixed bug where a field with @context in the name would completely break forms if it also utilized the dependsOn API other fields.
• Fixed bug introduced in 466 where backend throttle records were no longer recording the IP address correctly of authentication attempts.
• Fixed visual glitch on Inspector autocomplete dropdown fields
• Fixed an issue where using File()->fromUrl() on very long URLs would result in a filename that was too long for the database.
• Fixed issue where application bootstrappers could hard crash the application by throwing an exception that wouldn't be able to passed on to the user for them to resolve.
• Improve error handling for invalid counter properties on backend menu items.
• Fixed issue where the onSave() AJAX handlers of the FormController behavior weren't getting being affected by context-specific configuration values.
• Fixed issue where refreshing the entire form through JS would cause an issue because the toggleEmptyTabs delayed function would be run after the original form element it was targeting was replaced in the DOM
• Improved error message when attempting to fork an unforkable component (component without a default.htm partial)

Security Improvements

• Fixed security issue where content pasted into the Froala richeditor wasn't properly sanitized exposing users to self-XSS attacks from malicious websites when copying & pasting content into the editor.

Community Improvements

• Documented the Select field widget's dynamic option creation (tagging) feature.

Translation Improvements

• Improved the Polish translation.

UX/UI Improvements

• Improved the disabled styling of the markdown, richeditor, mediafinder, & colorpicker FormWidgets.
• Fixed long standing issue where on initial page load the backend nav bar would be an incorrect width until the JS loaded to correct it by switching to a flex layout for the backend nav bar.
• Improved UX when an AJAX request is made while the application is in hard maintenance mode (php artisan down).
• Added three preset buttons (Default, Full, & Minimal) to the backend richeditor toolbar settings to simplify the experience of selecting a custom richeditor toolbar.
• Form tabs in the backend are now tracked in the URL bar by default making linking to specific tabs easier and retaining the place of the currently active tab across page reloads. Disable this behaviour by setting linkable: false on the form tab configuration.
• Added button on backend user record pages that allows admins to unsuspend a user account that has been locked out due to failed login throttling.
• Added new plugin:rollback Author.Plugin 1.2.3 command to rollback a specified plugin all the way to before it was installed or to the provided version.
• Added new create:reportwidget Author.Plugin ReportWidgetName command to scaffold ReportWidget creation.
• Added button on the Updates page in the backend to take users directly to the Install Themes page.
• Update management page & dashboard status widget now list plugins that are missing their dependencies and what dependencies are missing specifically.

API Changes

• Menu items controlled by NavigationManager are now objects, and $manager->getMainMenuItem($owner, $code) has been added to make it easier to manipulate existing menu items without having to deregister and reregister menu items to apply changes.
• The postbackHandler property for DataTable form widgets now defaults to null - the widget will interpret a null value as to detect the save handler for the form that contains the widget (this is usually onSave, the old default value, but it will now detect other handlers such as those used by the relation controller).
• The getParameter method in Cms\Classes\Router is now correctly type-hinted.
• External parameters may now use dot notation to get a deeper-nested value when used for component parameters in a CMS object.
• Added auth.throttle.* configuration options to configure the login throttling for the backend.
• Added formGetRedirectUrl($context, $model) method to the FormController behavior, overrideable by the implementing controller. Used to get the redirect URL for a given context & model if a redirect is requested.
• If uploaded files are missing an extension Winter will now try to automatically determine one based on the MIME type of the file.
• Added support for the attributes property on the colorpicker, codeeditor, markdown, richeditor, mediafinder, & fileupload FormWidgets.
• Added support for the placeholder attribute on the password field type.
• Added support for defining custom values for the title and toolbarButtons labels of the RelationController behavior.
• Added support for a badge property on main & side menu items in the backend to display string values as the menu item badge instead of the only numeric values already supported by the counter property.
• Added a unique HTML id attribute to the Filter widget popups for targeting individual filter scopes in CSS.
• Added usingSource($source, $closure) method to the Cms\Classes\AutoDatasource to force the AutoDatasource to only use the specified source for that closure.
• Media items now only return an absolute URL if either cms.linkPolicy is set to force or the path property of the media storage disk starts with an absolute URL. This limits the breaking change from Build 1.0.444 to only installations using a force link policy.
• Implemented the new Backend\Traits\UploadableWidget trait intended for Widgets that need to handle uploading files to the Media Library.
• Added support for "soft" or "optional" components, a way for themes to include components only if they're present without breaking the theme if the relevant plugin is not installed and / or enabled. To make a component "soft" or "optional", prefix its name with @. Example: [@staticPage]
• Added support for ignoreTimezone to date and daterange filter scope types.
• Changed optional .htaccess line forcing HTTPS to default to returning a 301 response instead of 302.
• Added ability to translate List column default values
• Added ability to specify the filename of files uploaded directly via the AJAX framework and Blob objects.
• Added new data-browser-validate option to trigger browser-based client side validation on AJAX requests within <form> elements.
• Plugins & themes included as git submodules are now properly detected as valid git sources in the winter:util git pull command.
• PluginManager->findMissingDependencies() now returns an array of arrays of missing plugin codes keyed by the plugin code that requires the missing plugins.
• Added support for the trigger field property in the FieldParser.
• Finished the implementation of the (array) $cssClasses property on the Filter widget.
• Inspector dropdown properties now refresh dependent fields if the values are loaded remotely through the API (ie. through a getOptions method).
• Inspector dropdown properties now support the emptyOption option as a synonym for placeholder, to show a value if no dropdown option is selected.

Bug Fixes

• Fixed an issue where data in a DataTable widget inside a relation model popup form would not be saved on submit.
• Record Finder widgets will now correctly save and load a record when using a column other than ID in the keyFrom configuration value, when the widget is not in relation mode.
• Fixed issue where custom validation rule strings starting with unique would not register correctly.
• Fixed propertyExists() method to correctly detect properties added through addDynamicProperty().
• Fixed options support for checkboxlist and balloon-selector field types in the Syntax Parser
• Fixed issues with properly quoting values when running winter:env
• Fixed issue where Excel wouldn't properly detect the encoding of CSV files exported using the useList option
• Asset files uploaded in the CMS will now take their default permissions from the value set in the configuration.
• Repeaters will now trigger change.oc.formwidget when adding or removing items.
• Fixed issue where the richeditor toolbar popups were z-index clashing with other form elements.
• Fixed issue where mail layouts that didn't exist in the database but did exist in the filesystem weren't being loaded correctly.
• Fixed issue where some browsers would incorrectly check off list checkboxes after a page reload through the autocomplete functionality which would cause visual & behavioural inconsistencies.
• Fixed support for importing CSV files with encodings not supported by mb_convert_encoding() by using iconv() as a fallback.
• Fixed issue where translations for related models managed by the RelationController behavior would not save when creating the related model, or updating a pivot model.
• Fixed issue where model scopes applied by the relation FormWidget didn't support joins being used.
• Fixed issue where php artisan theme:sync --target=database wouldn't properly sync to the specified target.
• Improved the flexibility of the PluginManager in accepting plugin identifiers that are not perfectly matched to the desired plugin's casing (i.e. Rainlab.Blog would be considered an invalid plugin identifier prior to this change, it is now correctly identified as belonging to RainLab.Blog).
• Fixed issue where pivot records being created or updated through the RelationController would not trigger the form field change events.
• Update manager now respects the values of cms.pluginsPathLocal and cms.themesPathLocal when installing new plugins & themes.
• Improved support for opcache when opcache.restrict_api is in effect.
• Fixed issue where Lang::choice method would not use the plural form for a locale with a sublocale (ie. "English (United Kingdom)" / en-uk).
• Fixed issue where theme:install Artisan command would throw an exception if the database templates feature was enabled.
• Fixed issue where using the search query input in a filter for a relation list modal would throw a "not bound to controller" exception, due to the request not being tied to the relation list modal.
• Fixed weird outline styling around :focused elements introduced in Build 1.0.465
• Fixed bug that prevented the Purgeable database model behavior from being used with the SimpleTree & NestedTree traits.
• Fixed error that would occur when using the Revisionable model trait with a date value that was null.
• Fixed long standing problem where if a user attempts to use the list search feature on a list that has improperly configured (i.e. searchable: true set on a column that doesn't support DB searching) then that list would remain broken for the rest of the session's lifetime.
• Fixed issue where model slugs weren't generated before model validation ran, meaning that autogenerated slugs would not be considered present when attempting to validate a slug attribute as required.
• Fixed issue where creating records with the TagList would require the nameFrom attribute to be marked as fillable for mass assignment.
• Fixed issue where having a filter config with no scopes defined would cause issues with the ListController behavior.
• Fixed typos referencing the Halcyon library
• Fixed IE11 support for deregistering service workers in the backend
• Fixed issue where if a template was manually removed from cms_theme_templates when using databaseTemplates would cause an exception to be thrown.
• Redid Winter's Translation service to extend Laravel's to improve compatibility with Laravel packages
• Fixed issue where the unique validation rule wouldn't work on models with a custom DB connection.
• Fixed issue where calling createMany() on a BelongsToMany relationship would cause the relationships to be created as deferred bindings with a session key of 0 even when the parent model exists.
• Fixed an issue where some ApplicationExceptions include unfiltered user input in the response to the browser, which would cause security researchers to think that they've found a XSS vulnerability which would then take resources to explain how it wasn't exploitable by just stripping any potential XSS from ApplicationException messages.
• Fixed issue where the filter widget wasn't supported by ManyToMany relations with the RelationController.

Security Improvements

• Fixed vulnerabilities that required the cms.manage_assets permission to execute (local file inclusion, arbitrary file deletion, & arbitrary upload of asset file types). Credit to Sivanesh Ashok for the discovery.
• Fixed vulnerability where maliciously crafted CSV files could lead to a self-XSS attack when using the ImportExportController behavior. Credit to Sivanesh Ashok for the discovery.
• Prevented potential CSV injection attacks via the ImportExportController behavior. Credit to Sivanesh Ashok for the discovery.
• Prevented potential stored XSS attacks by authenticated users with access to the markdown FormWidget. Credit to Sivanesh Ashok for the discovery.
• Prevented potential XSS attacks that could be enabled by passing untrusted user input to jQuery HTML manipulation functions. Credit to Matthew Guillot for reporting it, see the jQuery Security Advisory for more information.

Translation Improvements

• Improved German translation.
• Improved Russian translation.
• Improved Hungarian translation.
• Improved Slovenian translation.
• Improved Dutch translation.
• Added Serbian translation.

Performance Improvements

• Minor performance improvement by not calling Lang::get() every time a CMS Page object is instantiated.
• Minor performance improvement in the plugin manager by not looping over all plugins everytime a plugin identifier needs to be normalized.
• Implemented DB query de-duplication for the DbDatasource when using databaseTemplates reducing the number of queries run when pulling from the DbDatasource.
• Vastly improved performance when using remote storage for the Media Library by reducing the amount of network calls required to list the contents of the storage directory.

Community Improvements

• Web installer now automatically cleans up after itself.
• Added method hints to Facade classes to allow IDE software to provide autocomplete and hints for methods provided by a Facade.
• Added UI docs for indeterminate checkboxes

Dependencies

• Switched from the abandoned jakub-onderka/php-parallel-lint library to php-parallel-lint/php-parallel-lint for code linting purposes in the Winter CMS and Rain library test suites.
• Locked the wikipedia/composer-merge-plugin dependency to version 1.4.1.
• Updated the version of jQuery pulled in by @jQuery to 3.4.0 from 3.3.1 to match the version used in the backend.

UX/UI Improvements

• The Event Log list now shows the entire first line of a logged error message, up to 500 characters maximum, in order to provide more context of errors in the list.
• When searching for plugins to install in the backend plugin management screen author names are now included in the search results.
• A consistent cross browser focus ring style is now utilized in the backend.
• Fixed a small typo when using number range filters with no value provided for the minimum.
• Removed excess space from tab titles when hovering over them.
• Added styling to distinguish a disabled unchecked checkbox from a enabled unchecked checkbox.
• Added ability to middle mouse click on list rows to open them in a new tab.
• Added new style attribute for repeater widgets, which controls repeater item behaviour. Allows items to be expanded or collapsed on load, or allows a repeater to act as an "accordion" widget.
• If a lazily loaded tab is the first tab or only tab displayed it will now be automatically loaded on page load instead of remaining empty.

API Changes

• Type hint for registerSchedule method in PluginBase updated to correctly hint the Illuminate\Console\Scheduling\Schedule object that is passed to it.
• Added exception.beforeReport and exception.report events
• cms.backendForceSecure no longer supports the value of null (where it would be considered the inverse of app.debug) as this resulted in confusion when disabling debug mode while the application was behind a proxy causing an infinite loop. Ultimately it's the server's responsibility to handle forcing HTTPS.
• User preferences for list widgets are now ignored if the list widget has disabled the setup modal via showSetup being false.
• Return type hint documentation for PluginBase::boot method changed from array to void.
• Re-added the db:seed artisan command

Bug Fixes

• Fixed issue with the queueOn and laterOn methods of the Mail facade throwing an invalid argument exception due to queue name string being defined where the queue manager is meant to be defined. The queue name is now injected into the Mailable object that is created, and the default queue manager is used instead.
• Implemented another fix for the temporary monkey patched LESS compilation to support PHP 7.4 until the Laravel 6 upgrade is completed.
• Fixed a bug where attempting to set a simple value on a BelongsToMany relationship as a collection would produce a collection wrapped in an array instead of an array of values which would confuse the sync() command.
• Fixed an issue with composer.json which could cause some installations to load a version of Laravel newer than actually supported.
• Fixed issue where un-elevated plugins weren't being loaded on any routes starting with /combine (should have been /combine/)
• Fixed a change in default behavior where a recent update to Dropzone.js (used for uploading files) added a timeout property that defaults to 30 seconds. Timeout has been set to 0 (infinite) to retain the previous behaviour of no timeout utilized on file uploads.
• Fixed a bug where reloading a Lists widget with a custom search term applied would reset the pagination.
• Improved error handling on invalid model attributes being used for form fields.
• Improved preview mode support for type: number fields with 0 as their value.

Security Improvements

• Improved escaping of option values provided to the dropdown field type

Translation Improvements

• Improved Slovakian translation.
• Improved French translation.
• Improved Dutch translation.
• Minor cleanup to English translation.

Bug Fixes:

• Fixed the trans() helper function to match the updated signature required by the Translator.

UX/UI Improvements:

• Fixed display of checkbox lists when quickselect is selected.
• Added new winter:passwd Artisan command to change the password of a Backend user through the command-line.
• Secondary branding colour is now applied to the active media filter in the MediaManager widget
• Lists can now disable the click event by applying the nolink CSS class to table row (TR) elements in addition to table data elements (TD) elements.

API Changes:

• System\Classes\PluginManager->sortByDependencies() is now deprecated as plugins are now sorted by key & dependencies by default.
• Changed the Winter\Rain\Database\Builder->simplePaginate() signature to match paginate() ($perPage, $currentPage, $columns, $pageName)
• Added engine => InnoDB to the default mysql database driver configuration
• Added support for varcharmax to the mysql database driver configuration to specify the default length used for varchar / string columns when running migrations. If using utf8mb4 on MySQL < 5.7 or MariaDB < 10.2 this should be set to 191, newer versions can be safely set to 255 however.
• Translator trans and transChoice method arguments have changed to match the Laravel 5.5 base package.

Bug Fixes:

• Fixed the LESS compiler using PHP 7.4 that was previously throwing an error.
• Added support for tab lazy loading to all forms of tabs, not just primary tabs.
• Fixed hard coded Form widget alias in the recently added tab lazy-loading functionality.
• Fixed support for Laravel's Builder::paginate() signature paginate($perPage, $columns, $pageName, $currentPage) in addition to Winter's paginate($perPage, $currentPage, $columns, $pageName). Additionally fixed support for Laravel's simplePaginate() signature.
• Fixed issue where errors thrown during the page processing of the RelationController would be silently consumed without being reported to the user.
• Fixed issue where popups can still be interacted with when they are in a loading state using data-popup-load-indicator.

Dependencies:

• Updated minimum required PHP version for the installer to match Build 1.0.472's minimum of 7.0.8

UX/UI Improvements:

• Documented session.http_only config property in the default config/session.php

API Changes:

• Event logs are now double-encoded for HTML characters before being displayed as both HTML and text in the event log viewer. This allows encoded HTML entities to be parsed and displayed correctly in the HTML view, but displayed exactly as entered in the text view.

Bug Fixes:

• Fixed janky behaviour with the javascript sortable plugin when sorting items on a scrollable container (affected RainLab.Sitemap, RainLab.Pages, Menus, etc).
• Fixed issue where linked data in singular relation controller (hasOne or belongsTo) would remain populated in the relation fields even after unlinking or deleting the linked record.

Dependencies

• Changed Laravel dependency to require 5.5.40 as a minimum due to the breaking change Laravel made in that version, some composer installs were not recognizing anything newer than 5.5.38 so this bump makes it more obvious that a stale composer is the issue.

UX/UI Improvements:

• Set the CMS codeeditor field to readonly and added a warning message above it when safemode is enabled.

API Changes:

• Bumped minimum required version of PHP from 7.0 to 7.0.8 to enable support for PHP 7.4.
• Added support for the customViewPath configuration property in the RelationController when rendering lists to be able to override the partials used for rendering the Lists widget.
• Using the ImportExportController's useList property will now pass the list header values through the backend.list.overrideHeaderValue event just like a regular list would.
• ApplicationException are no longer logged if unhandled (they're meant as more of a validation / sanity check exception. SystemExceptions are logged instead.
• All Artisan commands that are unusable in Winter (typically because they rely on a "Laravel" project structure) are no longer registered and thus no longer made available. Full list of removed commands here: wintercms/library#447
• Added static method Cms\Helpers\Cms::safeModeEnabled() to check if safe mode is enabled.
• Add support for lazy loading backend form tabs with the lazy configuration property that takes an array of tab names to apply lazy loading to.

Bug Fixes:

• Fixed scrolling issue in the MediaManager that would occur on some browsers causing scrolled content to no longer become visible erratically.
• Added smoother support for old serialized cookie data to retain sessions during the upgrade process.
• Fixed issue where similarly-named repeaters in a CMS page or layout would conflict when checking for AJAX actions on a child repeater.

Translation Improvements:

• Added Slovenian translation

Community Improvements:

• Switched to using Discord instead of Slack: https://discord.gg/D5MFSPH6Ux
• Launched Premium Support: https://wintercms.com/premium-support

Dependencies

• Minimum PHP version bumped from 7.0.0 to 7.0.8
• Support for PHP 7.4 added

UX/UI Improvements:

• Moved CodeEditor's full screen buttons to the bottom of the widget.
• Fixed keyboard support for checkboxes
• Added keyboard support to lists
• Improved the UX of checkbox lists "Select All", "Select None" bulk actions
• Changed the cursor to be a grab cursor when hovering over table headers to indicate that they are a scrollable container
• Made the record "Delete" button consistent across the core backend controllers by replacing User Roles & User Groups delete buttons with the standard trash can icon button
• Fixed issue where form tabs would initially be unstyled until the JS had loaded and initialized them
• Added support for making radio fields display inline by adding cssClass: 'inline-options' to their properties
• Added auto detection of the field required property for fields that have required_if model validation rules

API Changes:

• Cookies are no longer serialized. This brings the behavior back in line with Laravel's default behavior as of the 5.5.42 update. IMPORTANT: If you are passing non-scalar values to Cookie::set() (i.e. objects & arrays) then you will need to change your code so that those values are JSON encoded / decoded before and after being stored in the cookie.
• Added new System\Traits\ResponseMaker trait to the base Backend\Classes\Controller class (and the Cms\Classes\Controller controller). Adds the following methods: setStatusCode($code), getStatusCode(), setResponse($response), setResponseHeader($key, $values, $replace = true), setResponseCookie($cookie), getResponseHeaders(), and makeResponse($contents).
• media.file.upload event now passes the $path argument by reference.
• Added ability to specify a LESS file to be used as a default backend brand CSS override with the config item brand.customLessPath
• Updated references to deprecated event.which and other methods of determining the selected keys to the new event.key
• Added new method removePermission($owner, $code) to the BackendAuth manager class to enable plugins to dynamically remove permissions from the available list registered with the BackendAuth manager class.
• Added support for SparkPost mail driver
• Added support for a string option to be provided to Winter\Rain\Network\Http->setOption($option, $value) as long as it corresponds to a valid CURLOPT_ constant
• Added getConfig($value, $default = null) method to the Backend\Classes\ListColumn class to mirror what's available on the Backend\Classes\FormField class
• Added order option to the relation FormWidget to allow relation options to be ordered by a custom order statement.
• Added email field type (type: email)
• Documented newly available services.mailgun.endpoint config item in config/services.php
• Replaced existing handling of disabling CloudFlare's rocket loader on backend scripts by adding a new event (system.assets.beforeAddAsset) that is listened to by the HeathDutton.CloudFlare plugin. Recommend any CloudFlare users using Rocket Loader to use that plugin going forward
• Added support for permissions property on form fields, list columns, and list filter scopes. Property supports either a single string or an array of permissions that the current backend user must have access to at least one of in order to access the field / column / filter scope.
• Added support for mode: switch to the Backend\FormWidgets\PermissionEditor FormWidget that defines permissions as either expliclity allowed (1) or denied (-1).
• Added support for availablePermissions property to the Backend\FormWidgets\PermissionEditor FormWidget that accepts an array of permission codes to filter the list of permission codes to be managed by that widget instance down to.
• Added clear-full, clear-left, and clear-right CSS classes that can be used to apply clearfixes to form fields by adding them to the field's cssClass property
• Added support for the CURLOPT_POSTFIELDS cURL option to be manually overriden when using the Winter\Rain\Network\Http wrapper.
• Added support for dependsOn to filter scopes of type: group. All current filter scopes (including their current values) will be passed to the options method as an array of scope objects to be used in redetermining the available options to provide when the scopes that are targeted with dependsOn are updated.
• Added support for unregistered translation strings to still have the replacement engine run on them
• Added support for minimum or maximum values in number range filter to be left unspecified - this is treated as an "at least" minimum value or "at most" maximum value filter.
• Added getSortColumn() and getSortDirection() public methods to the Lists widget.
• Added two more valid characters to filenames managed by the MediaLibrary, ' and &.
• Added parseClean() method to Winter\Rain\Parse\Markdown that enables safe mode on the markdown parser used.

Bug Fixes:

• Reverted improvements to table column width handling on Chrome (specifically for long unbroken text values in columns) introduced in Build 1.0.444 as it was causing other issues on mobile.
• Reduced inconsistencies with results generated by \Winter\Rain\Database\Attach\Resizer class, specifically for .gif images by processing .gif images with imagescale() instead of imagecopyresampled()
• Fixed an issue where attempting to modify the available Settings Items through the SettingsManager could fail if a user wasn't provided to filterItemPermissions() at that point in the request
• Removed caching of Theme configuration, this is now handled by YAML::parseFile() caching which simplifies the Theme processing code and fixes some bugs related to cache invalidation
• Fixed issue with trying to create multiple CMS templates at once
• Fixed issue where the cached classes file would not be removed along with the cached services file when running php artisan clear-compiled
• Fixed issue with PHP 7.0 compatibility introduced with new PreferenceMaker trait in Build 1.0.457
• Fixed issue where message subjects set in Mail callback functions were not available to the system mail layouts because the layouts were generated before the callback was called. Note that this was accomplished by calling the callback before content is added to the message instead of after, so it could be considered a breaking change
• Fixed styling for switch fields that are required
• Fixed bug where '0' was returned as NULL from $this->param() but returned as '0' from {{ this.param.slug }}
• Fixed issue where updating a record through a RelationController would not trigger a change event on the RelationController field like creating a record would by triggering the change event on successful update
• Fixed issue where FormWidgets in Repeaters that made orphaned AJAX requests (AJAX requests fired on an element outside of the repeater's markup structure, ex. from a popup modal instead) were not being initialized which was causing the orphaned requests to fail
• Fixed issue where the databaseTemplates feature from Build 1.0.456 wouldn't support templates in subfolders. Nesting limit is still 2 (/template-type/subfolder1/template.htm) but the issue where it was just 1 when databaseTemplates was enabled has been fixed.
• Fixed issue where the change event was not triggered on removing a recordfinder's value with the clear button
• Improved default email branding styles compatibility with Outlook mail clients by preventing harsh word breaks.
• Fixed issue where the Model class would try to trim an attribute that was a PHP resource (pgsql:bytea) by simplifying the trim detection logic to just use is_string instead of checking if value wasn't every other type of variable available.
• Fixed issue where an infinite loop could occur when trying to resolve a circular required_with or required_if validation rule chain.
• Fixed issue where having no class lists configured for the RichEditor markup class options would break the RichEditor.
• Fixed issue where the model.beforeSave event would be fired twice under some conditions when using a HasOneOrMany relationship.
• Fixed PHP fatal error under some cases where argv is not available in the server variables.
• Fixed issue where the FileUpload FormWidget was checking if the file model was protected before generating the URL to the file even though the File model itself handles that operation since Build 1.0.447.
• Fixed issue where the mediafinder formwidget wouldn't work when the user didn't have access to the Media Manager by switching the formwidget to preview mode under those conditions
• Fixed issue where text in an error message popup could not be selected for copy-pasting.
• Fixed issue with parsing the select2 options format over AJAX requests introduced in Build 1.0.457.
• Fixed conflict between input.trigger.js & filter.js that caused filter popup buttons to disappear when searching for records in a group filter popup.
• Fixed faulty type cast for belongsToMany deferring bindings table when using PostgreSQL
• Fixed support for mobile devices (touch screens) in the jquery.sortable.js plugin
• Fixed issue introduced in Build 1.0.459 where some server configurations could cause the AssetCombiner to stop working
• Fixed issue with number range filter not working with a value of 0 for either the minimum or maximum value.
• Fixed issue where attempting to sort by a column that isn't actually supported as a sortable column by the database could cause the session to enter an invalid state where it would be impossible to remove that column sorting preference.
• Fixed issue where changing just the "time" field on a datepicker FormWidget wouldn't trigger the JS change event on the field.
• Fixed issue with the numberrange filter on PostgreSQL when attempting to filter the range by infinity in either direction.
• Fixed issue where a custom sorting constraint on a relationship definition could cause the RelationController's Lists widget to no longer support users choosing their own columns to sort by. This also fixed a related issue where sorting by pivot data in the RelationController would throw an exception when trying to add a new record.
• Fixed longstanding issue where attempting to return a response from App::error() would fail with FormatException not found.
• Fixed an infinite loop that could occur when using the field Parser functionality to define a repeater variable that defines its fields in an external file.
• Fixed a race condition that could occur when clearing a recordfinder field's value where having fields that dependsOn that recordfinder field would receive the old value in the AJAX refresh.
• Fixed issue where emails sent with Mail::queue would ignore the subject set in the mail template and instead use Mailable as their subject if a custom subject wasn't set in the callback.
• Fixed issue when attempting to use a dropdown inside of a DataTable inside of a popup modal.

Security Improvements

• Prevent tabnabbing that could theoretically occur from a backend user clicking the "Preview" button in the backend navigation and having the tab taken over by the frontend site
• Added new global JS function ocJSON() to framework.js for parsing loose JSON safely

Translation Improvements:

• Improved Polish translation
• Improved Chinese translation
• Improved French translation
• Improved Dutch translation
• Improved Portuguese translation
• Improved Hungarian translation
• Improved Russian translation
• Improved Czech translation
• Improved Slovak translation
• Added a translation key for the Repeater's "Add new item" text (backend::lang.repeater.add_new_item)

Performance Improvements:

• Very minor performance improvement calling JSON.parse() instead of $.parseJSON() in core JS
• Added support for lazy loading the backend navigation menu icons / images
• Added caching of YAML::parseFile() when debug mode is disabled. The cache key is prefixed with yaml:: and is generated from the path provided along with the last modified time of that file to ensure that it's always properly invalidated. Cache is stored for a maximum of 30 days.
• In instances where there is only one theme present and its code matches the code set in cms.activeTheme the database will no longer be asked what the currently active theme is, it will just be assumed that the only one present is the active theme.

Community Improvements:

• Switched to using GitHub actions instead of Travis for CI on the main wintercms/winter and wintercms/library repositories
• Added GitHub action to auto archive issues / pull requests after a month of inactivity
• Added initial frontend testing suite under tests/js
• Added API docs for backend.page.beforeDisplay, backend.menu.extendItems, backend.user.login, backend.beforeRoute, backend.route, cms.beforeRoute, cms.route, cms.block.render, cms.combiner.beforePrepare, system.settings.extendItems, and system.extendConfigFile

Dependencies

• Updated Dropzone from v4.0.1 to v5.5.1
• Updated jQuery.Mousewheel from v3.1.9 to v3.2.0
• Updated Mustache from v2.0.0 to v2.3.2

UX/UI Improvements:

• The theme Delete button is now hidden for the currently active theme as you cannot delete the active theme anyways.
• Added a warning to the System Status dashboard ReportWidget when debug mode is enabled as debug should never be enabled in production.
• Invalid menu items now throw a ValidationException when debug mode is enabled and log an error instead when debug is disabled.
• Added support for Repeater item titles to be pulled from dropdown field types.
• Added the Validation trait to model stubs when calling create:model.
• Made the CodeEditor fullscreen button easier to see by increasing the contrast.

API Changes:

• When setting relationship values model mutator methods ('set' . $attribute . 'Attribute') are now taken into account meaning that you can control how specific relationship values are set by defining a custom mutator method for the relationship.
• Added getReportWidgets() method to Backend\Classes\WidgetManager to return the protected array of currently registered report widgets
• Custom theme data stored in cms_theme_data is now removed when the theme it belongs to is deleted.
• Added develop.decompileBackendAssets configuration flag to decompile the backend assets in order to simplify making changes to backend asset files for the purpose of making PRs to the Winter CMS core.
• Switched parsing of stub files for the generator commands to use Twig instead of basic str_replace(), this will enable more complex stub files

Bug Fixes:

• Fixed issue where the TagList FormWidget in mode: relation wasn't respecting relationship constraints (conditions and scope) set on the relationship definition.
• Fixed issue where using the ::class magic constant in database migrations would cause them to break due to flawed parsing logic.
• Fixed use of Storage::url() for local disks that haven't been configured correctly
• Moved the translation for plugin's "By $author" text in the plugin update view to the System module instead of the CMS module to support installations without the CMS module enabled or installed.
• Removed old "Holly Hack" for IE5-IE7 support, we don't support those browsers anymore.
• Fixed Theme importing/exporting that was broken as of 457-458.
• Fixed issue where the session expiring would throw a vague exception when attempting to check the CSRF token instead of just throwing a general CSRF invalid error message.
• Fixed issue where multiple instances of the PermissionEditor could not exist on a single page.

Translation Improvements:

• Improved Arabic translation

Performance Improvements:

• The file extension has been added to the end of asset combiner URLs (ex. /combine/asqw3ljkqw421323.js or /combine/lkj23jlk13j1l.css) in order to allow CDNs to more easily identify the URL as cacheable to improve overall site performance.

Community Improvements:

• Added documentation on keeping local forks of the Winter CMS codebase up to date with upstream.
• Improved the CONTRIBUTING.md guide
• Added security policy
• Added documentation for testing pull requests

Dependencies

• Updated to v1.8.0 of Spectrum.js (Note: Winter was already using 1.8.0, however jQuery API updates were made without the vendor tagging a new release)