feat(settings): introduce UpdateService library with rollback management
- Add UpdateService library centralizing GitHub API version check,
atomic file patching, and automated backup/rollback operations
- Refactor checkVersion, downloadPatch, and autoUpdate controller
methods to delegate logic to UpdateService
- Add listBackups and rollbackUpdate endpoints with SweetAlert2 UI
- Add concurrency control via ci4ms_update.lock
- Add 12 new i18n keys for backup/rollback features across all 11 supported languages
- Acknowledge dapickle in Security Hall of Fame
- Bump version to 0.31.7.0
CHANGELOG.md (22 additions & 3 deletions)
@@ -4,13 +4,31 @@ All notable changes to this project will be documented in this file.
4
4
5
5
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) conventions adapted to the existing four-component version numbers.
6
6
7
+
## [0.31.7.0] - 2026-04-17
8
+
9
+
### Added
10
+
11
+
-**UpdateService Library:** Introduced a comprehensive `UpdateService` library (`modules/Settings/Libraries/UpdateService.php`) to centralize all update logic. Features include GitHub Releases API integration (via `releases/latest`), atomic file writing with `rename()`, automatic backup of modified files, concurrency control via `ci4ms_update.lock`, and pagination-aware file comparison (bypassing GitHub's 300-file API limit).
12
+
-**Rollback Management:** Added `listBackups()` and `rollbackUpdate()` endpoints with a SweetAlert2-based interactive UI for browsing and restoring system backups from the Settings dashboard.
13
+
-**Security Advisory:** Added `security-advisory.md` documenting the authenticated RCE vulnerability via theme upload (GHSA-fw49-9xq4-gmx6).
14
+
15
+
### Changed
16
+
17
+
-**Settings Controller:** Refactored `checkVersion()`, `downloadPatch()`, and `autoUpdate()` methods to delegate all logic to the new `UpdateService` library, reducing controller complexity and improving testability.
18
+
-**Setup Command:** Updated version reference in `Ci4msSetup.php` to `0.31.7.0`.
19
+
-**Settings Routes:** Added new `listBackups` and `rollbackUpdate` POST routes under the `backend/settings` group.
20
+
-**Settings UI:** Added "Backups" button to the settings header and integrated rollback confirmation workflow with progress feedback.
21
+
-**Localization:** Added 12 new translation keys for backup and rollback features across English and Turkish language files.
22
+
7
23
## [0.31.6.0] - 2026-04-15
8
24
9
25
### Added
10
26
11
-
-**Automatic Update:** Introduced a new "One-Click Update" (Auto-Update) system in the Settings module. Features include automated GitHub version discovery, secure file-by-file patching, and automatic database migration.
12
-
-**Backup Support:** Updates now automatically trigger a full backup of modified files before applying patches.
13
-
-**Refactored DevGate:** Improved the integration of developer access credentials during the setup process with a more robust and modular logic.
27
+
-**Automatic Update:** Introduced a comprehensive `UpdateService` library in the Settings module. Features include automated GitHub version discovery via `releases/latest` endpoint, secure file-by-file patching (bypassing 300-file API limits), and automatic database migration support.
28
+
-**Atomic Operations:** Implemented atomic file writing using temporary storage and `rename()` to prevent partial updates.
29
+
-**Backup & Rollback:** Integrated an automatic backup mechanism that captures modified files before patching, with a new manual rollback management interface in the Settings dashboard.
30
+
-**Concurrency Control:** Added `ci4ms_update.lock` to prevent concurrent update attempts.
31
+
-**Update UI:** Modernized the version check and update workflow with an interactive SweetAlert2-based interface and detailed progress feedback.
14
32
15
33
### Changed
16
34
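Review bot: the 0.31.6.0 entry is being rewritten after the fact (the removed `-**Automatic Update:** Introduced a new "One-Click Update"` bullets through the added `+**Update UI:**` bullet) so that it now lists UpdateService, atomic `rename()` writes, rollback management and `ci4ms_update.lock`, all of which the new 0.31.7.0 section above attributes to this release; under Keep a Changelog a published version's notes should stay fixed, and the duplication leaves a reader unable to tell which version actually shipped these features. Suggest restoring the original 0.31.6.0 bullets, including the dropped `-**Refactored DevGate:**` line, and keeping the new material only under 0.31.7.0. Separately, the 0.31.7.0 `**Localization:**` bullet says the 12 keys were added "across English and Turkish language files" while the commit message says "across all 11 supported languages"; one of the two should be corrected.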
@@ -268,6 +286,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
268
286
269
287
- Expanded database migrations and introduced new supporting libraries.
README.md (3 additions & 1 deletion)
@@ -11,7 +11,8 @@ CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
11
11
-**Modular backend:** Each feature ships as an independent module (Blog, Pages, Menu, Media, Users, Settings, Theme, etc.) under `modules/*`.
12
12
-**Flexible content management:** Page and blog entries include SEO metadata, categories, tags, and full comment workflows.
13
13
-**Media & files:** Includes elFinder-powered media management, a built-in file editor, and an in-panel log viewer.
14
-
-**Automatic Updates:** New "One-Click Update" system allows seamless system upgrades with automatic backups and migration support.
14
+
-**Automatic Updates:** Modernized `UpdateService` provides a "One-Click Update" system with atomic file operations, automated GitHub version discovery (bypassing 300-file limits), and secure rollback management.
15
+
-**Backup Support:** Updates automatically trigger a full backup of modified files before applying patches, with a dedicated management interface for restores.
15
16
-**Theme system:** The `public/templates/*` structure and the `Modules\Theme` module enable installing or upgrading themes from ZIP packages.
16
17
-**Setup & automation:** Offers a web-based installer (`/install`) plus a single CLI command (`php spark ci4ms:setup`) for automated installation, default data seeding, and route generation. Module scaffolding is available via `php spark make:module`.
17
18
-**Docker support:** Ships with a production-ready `Dockerfile`, `docker-compose.yml`, and a GitHub Actions CI workflow out of the box.
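Review bot: the new `**Automatic Updates:**` bullet attaches "bypassing 300-file limits" to "automated GitHub version discovery", but the CHANGELOG hunk in this same commit describes that workaround as pagination-aware file comparison, not version discovery (`releases/latest` returns a single release). Suggest moving the parenthetical to the file-comparison step. In the `**Backup Support:**` bullet, "a full backup of modified files" reads as a contradiction; "a backup of every file the patch modifies" matches what the changelog describes. "secure rollback management" is also unexplained here; say what makes it secure (for example which role may call the rollback endpoint) or drop the adjective.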
@@ -200,5 +201,6 @@ A huge thank you to the security researchers who have helped make **ci4ms** more
200
201
|**[offset](https://github.com/offset)**| Identified Critical vulnerabilities including multiple Stored XSS, Authorization Bypass in Fileeditor, Install Guard Bypass, and CRLF Injection. | Apr 2026 |
201
202
|**[fg0x0](https://github.com/fg0x0)**| Identified Critical Arbitrary File Write (Zip Slip RCE) vulnerabilities in Theme::upload and Backup::restore modules. | Apr 2026 |
202
203
|**[0xAlchemist](https://github.com/bugmithlegend)** , **[peeefour](https://github.com/peeefour)** and **[DexterHK](https://github.com/DexterHK)**| Identified Critical Full Account Takeover and Privilege Escalation via Stored DOM Blind XSS in Backup Management (v2). | Apr 2026 |
204
+
|**[dapickle](https://github.com/dapickle)**| Identified Critical Authenticated Remote Code Execution (RCE) via unrestricted PHP file upload in Theme installation | Apr 2026 |
203
205
204
206
> If you find a security vulnerability, please report it via [Security Policy](SECURITY.md).
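Review bot: the new `dapickle` row is the only one in the table whose description has no terminating period; add one for consistency with the rows above it. Since this commit also adds `security-advisory.md` for GHSA-fw49-9xq4-gmx6 (per the CHANGELOG hunk), consider linking that advisory ID from this row so readers can reach the write-up, and so the entry is clearly distinct from the `fg0x0` row, which already covers a Zip Slip RCE in `Theme::upload`.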