Releases: ci4-cms-erp/ci4ms
Release v0.31.8.0 - Security Patches
This release addresses two critical security vulnerabilities identified in the session management and theme management modules.
🛡️ Security Fixes
- Session Management Bypass: Fixed an issue where deactivated users could maintain active sessions. The system now performs account status verification on every request via `Ci4MsAuthFilter`.
- Arbitrary Database Table Drop: Fixed a vulnerability in the Theme module that allowed users with theme deletion permissions to drop any database table. A migration-based whitelist has been implemented to restrict table deletion exclusively to tables belonging to the specific theme.
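One way to implement the per-request account status check, as an added example (this is not the project's `Ci4MsAuthFilter`): a CodeIgniter 4 filter that re-reads the user from the database on every backend request instead of trusting the session. It assumes CodeIgniter Shield's `auth()` service and `User` entity (`isActivated()` and `isBanned()` are Shield's own methods), a `/login` route, and the `backend/*` URI prefix; the class name and filter alias are made up for the example.

```php
<?php
// Added example, not ci4ms project code. Assumes CodeIgniter Shield.
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class AccountStatusFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $auth = auth();
        if (! $auth->loggedIn()) {
            return $this->deny($request, 'Login required');
        }

        // Re-read the account from the database instead of trusting the
        // session: a user deactivated or banned after logging in must be
        // rejected on the very next request, not when the session expires.
        $fresh = $auth->getProvider()->findById($auth->id());
        if ($fresh === null || ! $fresh->isActivated() || $fresh->isBanned()) {
            $auth->logout();
            return $this->deny($request, 'This account is no longer active');
        }

        return null; // fall through to the controller
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null;
    }

    /** AJAX callers get a 401 they can act on; browsers get the login page. */
    private function deny(RequestInterface $request, string $reason)
    {
        if ($request instanceof IncomingRequest && $request->isAJAX()) {
            return service('response')->setStatusCode(401)->setJSON(['error' => $reason]);
        }
        return redirect()->to('/login')->with('error', $reason);
    }
}

// Registration in app/Config/Filters.php (URI prefixes are assumptions):
//   public array $aliases = ['accountstatus' => \App\Filters\AccountStatusFilter::class, /* ... */];
//   public array $filters = ['accountstatus' => ['before' => ['backend/*', 'api/*']]];
```

The extra `findById()` is one primary-key lookup per request; caching the result in the session is exactly what re-opens the bypass, so the lookup is deliberately not cached.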
⚙️ Changes
- Bumps application version to `0.31.8.0` across CLI and Web installers.
- Updates `.gitignore` to refine module inclusion/exclusion rules.
Note: It is highly recommended to upgrade to this version immediately to ensure account management security and database integrity.
Full Changelog: 0.31.7.0...0.31.8.0
Release v0.31.7.0
🚀 What's New
UpdateService Library
Introduced a comprehensive UpdateService library that centralizes all update operations into a single, testable service class. Key capabilities:
- GitHub Releases API — Version checks now use the `releases/latest` endpoint for accurate release discovery
- Pagination-aware comparison — Bypasses GitHub's 300-file limit by iterating over individual commits when needed
- Atomic file operations — Uses `rename()` instead of direct `file_put_contents()` to prevent partial updates during patching
- Concurrency control — `ci4ms_update.lock` prevents simultaneous update attempts
Backup & Rollback Management
- Automatic backup of all modified files before applying any update
- New "Backups" button in the Settings dashboard header for quick access
- Interactive SweetAlert2-based restore workflow with progress feedback
- New REST endpoints: `POST listBackups`, `POST rollbackUpdate`
Controller Refactoring
- `checkVersion()`, `downloadPatch()`, and `autoUpdate()` methods refactored to delegate all logic to the new `UpdateService`, significantly reducing controller complexity
- Added `validateVersionString()` for strict SemVer input validation
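Three of the mechanisms listed in this release (strict version validation, the `ci4ms_update.lock` guard, and backup-then-`rename()` patching), written out as an added example that is not the project's `UpdateService`; function names, the lock path and the backup directory are assumptions. The version check accepts three or four dot-separated numeric components because the project's own tags (`0.31.7.0`) carry four; the lock relies on `fopen()` mode `x`, whose create-if-absent is a single atomic operation; the patch write stages into a temp file on the same filesystem and swaps it in with `rename()`, so no request ever reads a half-written PHP file.

```php
<?php
// Added example, not ci4ms project code.

/** Strict version check: "0.31.7.0" or "1.2.3"; no "v" prefix, no leading zeros, nothing else. */
function validateVersionString(string $version): bool
{
    return preg_match('/^(0|[1-9]\d*)(\.(0|[1-9]\d*)){2,3}$/', $version) === 1;
}

/** True only if $candidate is strictly newer than $current; both must validate first. */
function isNewerVersion(string $current, string $candidate): bool
{
    if (! validateVersionString($current) || ! validateVersionString($candidate)) {
        throw new \InvalidArgumentException('Malformed version string');
    }
    return version_compare($candidate, $current, '>');
}

/** Take the update lock, or return false if another update already holds it. */
function acquireUpdateLock(string $lockFile): bool
{
    // Mode 'x' creates the file and fails if it already exists, atomically,
    // so two concurrent requests cannot both pass this check.
    $handle = @fopen($lockFile, 'x');
    if ($handle === false) {
        return false;
    }
    fwrite($handle, getmypid() . ' ' . date(DATE_ATOM));
    fclose($handle);
    return true;
}

function releaseUpdateLock(string $lockFile): void
{
    if (is_file($lockFile)) {
        unlink($lockFile);
    }
}

/** Back up the current file (if any), then replace it atomically. */
function applyPatchedFile(string $target, string $contents, string $backupDir): void
{
    if (is_file($target)) {
        if (! is_dir($backupDir) && ! mkdir($backupDir, 0750, true)) {
            throw new \RuntimeException("Cannot create backup dir {$backupDir}");
        }
        $backup = rtrim($backupDir, '/') . '/' . str_replace(['/', '\\'], '__', ltrim($target, '/\\'));
        if (! copy($target, $backup)) {
            throw new \RuntimeException("Backup of {$target} failed; aborting");
        }
    }

    $dir = dirname($target);
    if (! is_dir($dir) && ! mkdir($dir, 0755, true)) {
        throw new \RuntimeException("Cannot create {$dir}");
    }
    // tempnam() inside the target's own directory keeps the temp file on the
    // same filesystem, which is what makes rename() an atomic replace.
    $tmp = tempnam($dir, '.ci4ms-upd-');
    if ($tmp === false || file_put_contents($tmp, $contents) !== strlen($contents)) {
        if ($tmp !== false) {
            @unlink($tmp);
        }
        throw new \RuntimeException("Cannot stage {$target}");
    }
    chmod($tmp, is_file($target) ? fileperms($target) & 0777 : 0644); // keep the original mode
    if (! rename($tmp, $target)) {
        @unlink($tmp);
        throw new \RuntimeException("Cannot replace {$target}");
    }
}

// Usage (paths are assumptions; WRITEPATH is CodeIgniter's writable/ constant):
// $lock = WRITEPATH . 'ci4ms_update.lock';
// if (! acquireUpdateLock($lock)) { exit('Update already in progress'); }
// try {
//     foreach ($patchedFiles as $path => $body) {
//         applyPatchedFile($path, $body, WRITEPATH . 'backups/' . date('Ymd-His'));
//     }
// } finally {
//     releaseUpdateLock($lock);
// }
```

A lock file left behind by a crashed run blocks every later update until an operator removes it; that is the safer failure, since silently ignoring a "stale" lock reintroduces the race the lock exists to prevent.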
Localization
- 12 new translation keys added for backup and rollback features in English and Turkish
Full Changelog: 0.31.6.0...0.31.7.0
Release v0.31.6.0
This release introduces a major modernization of the update system, full internationalization for the Settings module, and a more robust installation-to-developer-gate integration.
✨ Added
- One-Click Automatic Update: A new system in the Settings module that handles GitHub version discovery, secure file-by-file patching, and automatic database migrations.
- Automated Backup Support: System updates now automatically trigger a full backup of modified files before applying any patches for maximum safety.
- Refactored DevGate Integration: Improved the automated propagation of developer access credentials during the setup process with more robust, regex-based logic.
🛠️ Changed
- Full i18n for Settings: Completed translation support for the entire Settings module across all 11 supported languages (TR, EN, AR, DE, ES, FR, HI, JA, PT, RU, ZH).
- Modernized Update UI: Upgraded the version check and update workflow with an interactive, multi-step SweetAlert2 interface for better user feedback.
- Improved Installation Security: Enhanced the reliability of initial environment configuration and credential handling during web installation.
📦 Updated Dependencies
- Incremented internal application version to `v0.31.6.0`.
- Synchronized primary documentation and README guides.
For more details on how to use the new Auto-Update feature, please refer to the updated Settings Documentation.
Full Changelog: 0.31.5.0...0.31.6.0
Release v0.31.5.0
This release focuses primarily on mitigating several critical security vulnerabilities and hardening the core modular architecture against lateral movement and unauthorized manipulation.
We highly recommend all administrators running versions prior to v0.31.5.0 to apply this update immediately.
🛡️ Security Updates & Enhancements
- XSS Protection: Patched a Stored DOM Blind XSS vulnerability within the `Backup` module by applying output escaping (`esc()`) to dynamically loaded DataTables filename strings.
- Arbitrary File Write (Zip Slip RCE): Closed a severe directory traversal vulnerability present during `.zip` file extraction in both the `Theme::upload` and `Backup::restore` processes, preventing Remote Code Execution (RCE).
- Privilege Escalation: Addressed a critical IDOR behavior inside `UserController` which previously allowed unauthorized administrative roles to grant themselves the `superadmin` group via modified HTTP requests.
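A safe extraction routine for the two code paths named above, as an added example (not the project's `Theme::upload` or `Backup::restore`). It uses PHP's `ZipArchive` and assumes the destination directory already exists. Every entry name is validated before anything touches the filesystem, the resolved parent directory is re-checked against the destination, and each file is written as a regular file from the entry's stream, so a symlink entry in the archive cannot redirect a later write.

```php
<?php
// Added example, not ci4ms project code.

/** Extract $zipPath into $dest, rejecting any entry that would escape $dest. */
function extractZipSafely(string $zipPath, string $dest): array
{
    $base = realpath($dest);
    if ($base === false || ! is_dir($base)) {
        throw new \RuntimeException("Destination does not exist: {$dest}");
    }

    $zip = new \ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new \RuntimeException("Cannot open archive {$zipPath}");
    }

    $written = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || ! isSafeEntryName($name)) {
                throw new \RuntimeException('Rejected archive entry: ' . var_export($name, true));
            }

            $target = $base . DIRECTORY_SEPARATOR . $name;
            if (str_ends_with($name, '/')) {            // directory entry
                if (! is_dir($target) && ! mkdir($target, 0755, true)) {
                    throw new \RuntimeException("Cannot create {$target}");
                }
                continue;
            }

            $dir = dirname($target);
            if (! is_dir($dir) && ! mkdir($dir, 0755, true)) {
                throw new \RuntimeException("Cannot create {$dir}");
            }
            // Defence in depth: the (now existing) parent must resolve inside
            // $base. This catches a directory on disk that is really a symlink.
            $realDir = realpath($dir);
            if ($realDir === false
                || ! str_starts_with($realDir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR)) {
                throw new \RuntimeException("Entry resolves outside destination: {$name}");
            }
            if (is_link($target)) {                     // never write through an existing link
                throw new \RuntimeException("Refusing to overwrite symlink: {$name}");
            }

            $in  = $zip->getStream($name);
            $out = $in !== false ? fopen($target, 'wb') : false;
            if ($in === false || $out === false) {
                throw new \RuntimeException("Cannot extract {$name}");
            }
            stream_copy_to_stream($in, $out);           // plain file content, never a symlink
            fclose($out);
            fclose($in);
            $written[] = $name;
        }
    } finally {
        $zip->close();
    }
    return $written;
}

/** Relative, forward-slash path: no "..", no absolute or drive prefix, no NUL, no backslash. */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '\\')) {
        return false;
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}
```

The lexical check on the entry name is the one that matters: `realpath()` cannot be applied to a file that does not exist yet, which is why the name is rejected first and the resolved parent is only a second line of defence.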
🔄 General Changes & Fixes
- Configuration: Adopted `.github/FUNDING.yml` to support future project contributions easily.
- UI & Layout: Updated the application's default branding logo format to optimized WebP.
- Core Stability: Resolved an underlying PHP syntax issue in the `Backup` controller's restore method.
A special thanks to the security community, notably @offset, @bugmithlegend, @peeefour, @DexterHK for contributing to these coordinated disclosures and keeping ci4ms safe.
🚀 v0.31.4.0 - Critical Security Patch & Platform Stability
This release primarily focuses on mitigating several critical security vulnerabilities and fortifying the CI4MS application architecture against diverse attack vectors. We strongly recommend all users upgrade to this version immediately.
A massive shout-out to security researcher offset for responsibly disclosing these vulnerabilities and working with us to secure the CI4MS ecosystem. They have officially been added to our Security Hall of Fame! 🏆
🛡️ Security Highlights
- Installation Integrity: The post-installation setup wizard is now protected by a persistent filesystem lock (`install.lock`) instead of a volatile cache flag. This eliminates a re-entry bypass in which an attacker could overwrite the database configuration once the cache flag had expired.
- Fileeditor Authorization Bypass: Hardened the API layers in the Fileeditor module. The `isHiddenPath` logic is now strictly enforced across ALL API endpoints (Create, Read, Update, Delete, Move), blocking unauthorized exposure and alteration of sensitive core files like `.env` and `composer.json`.
- CRLF Injection Neutralized: Fixed a vulnerability in the `Install.php` controller where carriage returns (`\r\n`) within untrusted fields could be used to inject arbitrary lines directly into the server's `.env` configuration file.
- Multiple Stored XSS Mitigations:
  - Prevented an iframe `srcdoc` payload from bypassing input validation in the Google Maps widget under `Settings`. A strict attribute allowlist configuration is now used.
  - Closed a DOM-based XSS in the `UserController` by strictly escaping banned accounts' status message blobs within the user's data table endpoint.
  - Patched an oversight where the `Pages` module frontend was rendering rich-text payloads raw by introducing the `html_purify` validation rule.
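The two installer fixes above (the persistent `install.lock` and the CRLF-safe `.env` write), as an added example that is not the project's `Install.php`. The lock is a plain file on disk, so it survives cache expiry and restarts; the `.env` writer refuses any control character in a value instead of stripping it, because `\r\n` inside one field is exactly how an attacker turns it into a second directive. File paths and function names are assumptions; the `KEY = "value"` form with backslash escapes is what CodeIgniter's `.env` loader accepts.

```php
<?php
// Added example, not ci4ms project code.

/** Installer gate: a file on disk, not a cache entry with a TTL. */
function installerIsLocked(string $lockFile): bool
{
    return is_file($lockFile);
}

function lockInstaller(string $lockFile): void
{
    if (file_put_contents($lockFile, date(DATE_ATOM) . "\n", LOCK_EX) === false) {
        throw new \RuntimeException("Cannot write {$lockFile}");
    }
}

/** Build one KEY = "value" line, rejecting anything that could start another line. */
function envLine(string $key, string $value): string
{
    if (! preg_match('/^[A-Za-z_][A-Za-z0-9_.]*$/', $key)) {
        throw new \InvalidArgumentException("Invalid .env key: {$key}");
    }
    // Any ASCII control character (CR, LF, NUL, ...) is rejected outright;
    // silently stripping it would accept a tampered value as valid.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new \InvalidArgumentException("Control character in value for {$key}");
    }
    // Double-quote and escape so '#', '=' and spaces stay inside the value.
    $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], $value);
    return $key . ' = "' . $escaped . '"';
}

/** Replace or append the given keys in the .env file, one validated line each. */
function writeEnv(string $envPath, array $values): void
{
    $lines = is_file($envPath) ? file($envPath, FILE_IGNORE_NEW_LINES) : [];
    foreach ($values as $key => $value) {
        $line    = envLine($key, (string) $value);
        $pattern = '/^\s*#?\s*' . preg_quote($key, '/') . '\s*=/';
        $replaced = false;
        foreach ($lines as $i => $existing) {
            if (preg_match($pattern, $existing)) {
                $lines[$i] = $line;     // overwrite, also un-commenting a template line
                $replaced  = true;
                break;
            }
        }
        if (! $replaced) {
            $lines[] = $line;
        }
    }
    if (file_put_contents($envPath, implode("\n", $lines) . "\n", LOCK_EX) === false) {
        throw new \RuntimeException("Cannot write {$envPath}");
    }
}

// Usage in an install controller (ROOTPATH is CodeIgniter's project-root constant):
// if (installerIsLocked(ROOTPATH . 'install.lock')) {
//     return $this->response->setStatusCode(403);
// }
// writeEnv(ROOTPATH . '.env', [
//     'database.default.hostname' => $this->request->getPost('db_host'),
//     'database.default.password' => $this->request->getPost('db_pass'),
// ]);
// lockInstaller(ROOTPATH . 'install.lock');
```

Because every value passes through `envLine()`, a `db_host` of `localhost\r\nCI_ENVIRONMENT = development` is rejected with an exception rather than landing in `.env` as two directives.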
⚙️ Changes
- Bumped application core version values inside `Ci4msSetup.php` and `Install.php` to `0.31.4.0`.
- Updated `CHANGELOG.md` with explicit details matching semantic versioning.
- The `README.md` has been updated referencing the latest security contributors.
Have you discovered a potential security vulnerability? Please submit it to our team by reviewing the Security Policy instead of creating public issues.
📦 Full Changelog
🚀 v0.31.3.0 — CLI Setup Command & Docker Boot Fix
Released: 2026-04-02
This release introduces a new CLI setup command for streamlined installation,
and resolves a critical boot error affecting Docker and CI/CD environments.
⚡ New: php spark ci4ms:setup
You can now install the application entirely from the command line. The new ci4ms:setup command handles migrations, default data seeding, and initial configuration in a single step.
- Setup Slogan: You can now set your site's slogan during both CLI and Web installation.
- Robust CLI: Fixed directory creation (FCPATH) and route generation logic for better reliability.
🐛 Fix: SUPPORTPATH Fatal Error in Docker / CI
Added the missing $supportDirectory property to app/Config/Paths.php.
This resolves the Undefined constant "CodeIgniter\Config\SUPPORTPATH" fatal
error that prevented php spark from running in Docker and GitHub Actions
environments with CI4 4.4+.
📚 Synchronized Documentation
The Architecture Guide and Developer Handbook have been fully updated (both Markdown and HTML versions) to reflect the recent changes in Shield authentication, Docker environment, and CLI tools. Styling has also been improved for better readability.
⚙️ Other Changes
- Refactored InstallService and Install controller to support the unified setup flow.
- Updated docker-test.yml workflow: now uses ci4ms:setup instead of separate migrate + seed steps, removing the fragile Paths.php patch workaround.
📦 Full Changelog
🚀 v0.31.2.0 — Docker Support & Expanded Localization
This release introduces full Docker support for containerized development and deployment, expands localization coverage for two additional modules, and ships a wide range of refinements across the codebase.
🐳 Docker Support
The project can now be run entirely inside Docker. This release ships a production-ready Dockerfile, a docker-compose.yml for orchestration, a pre-configured Apache virtual host, and a custom php.ini tuned for CI4MS. A GitHub Actions workflow is also included to automatically build and validate the Docker image on every push. Refer to the new DOCKER_SETUP.md for full setup instructions.
🌍 Expanded Localization
Added complete translation packs for the DashboardWidgets and LanguageManager modules in 9 languages: Arabic, German, Spanish, French, Hindi, Japanese, Portuguese, Russian, and Chinese — bringing both modules up to par with the rest of the application.
⚙️ Module & Config Refinements
- Introduced `DefaultRoutes.php` for centralized default route management.
- Updated Auth configs and `CustomActivationController` for improved Shield compatibility.
- Refined `AJAX.php` and `BaseController` in the Backend module for consistent request/response handling.
- Improved Backup library and controller reliability.
- Updated `ModuleInstaller` and `ModuleScanner` in the Methods module.
- Refreshed configs, controllers, and views across Blog, Media, Menu, Pages, Settings, Theme, and Users modules.
- Updated all translation files across 11 supported languages for all affected modules.
- Refined `App.php`, `Filters.php`, `.gitattributes`, and `.gitignore`.
📦 What's Changed
- 158 files changed — 3,908 insertions, 1,846 deletions
Full Changelog: 0.31.1.0...0.31.2.0
🚀 CI4MS v0.31.1.0 - Theme Lifecycle Automation & UI Enhancements
This update brings a fully automated lifecycle for the CI4MS Theme Management system. We focused on reducing the manual database setup steps for developers while introducing a highly secure "smart delete" mechanism to keep your project completely clean.
🌟 What's New
- Automated Database Setup: When a new theme is activated from the Settings panel, the system now automatically triggers CodeIgniter's migration runner (latest()). No more manual table creations! If the theme has migration files, they are deployed instantly.
- Smart Deletion UI: Say goodbye to ghost tables. When removing a theme, the new confirmation modal actively parses the theme's schema logic and lists exactly which database tables will be affected. You can now selectively and cleanly drop these tables via the UI.
- Deep Clean Storage Cleanup: We introduced the `remove_theme_files` function. Once a theme is deleted, this routine recursively sweeps away both the MVC framework templates and the public assets without leaving any junk behind.
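The Smart Deletion entry above parses the theme's migrations to list the tables a delete will touch; v0.31.8.0 later had to enforce that same list on the server, because the drop endpoint accepted whatever table names the client sent back. As an added example that is not the project's Theme module (paths, the migration layout and the request field are assumptions), this derives the allowlist from the theme's migration files on the server and refuses any name outside it before dropping anything.

```php
<?php
// Added example, not ci4ms project code.

/** Table names the theme's own migrations create; anything non-literal is ignored. */
function themeTableAllowlist(string $themeDir): array
{
    $tables = [];
    $files  = glob(rtrim($themeDir, '/') . '/Database/Migrations/*.php') ?: [];
    foreach ($files as $file) {
        $source = (string) file_get_contents($file);
        // Only literal createTable('name') calls count, so a dynamic or
        // unreadable migration can make the list shorter, never longer.
        if (preg_match_all('/->createTable\(\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $source, $m)) {
            foreach ($m[1] as $table) {
                $tables[$table] = true;
            }
        }
    }
    return array_keys($tables);
}

/**
 * Drop only the requested tables the theme actually owns. The whole request
 * is validated first, so one bad name means nothing at all is dropped.
 */
function dropThemeTables(\CodeIgniter\Database\Forge $forge, string $themeDir, array $requested): array
{
    $allowed = array_fill_keys(themeTableAllowlist($themeDir), true);
    foreach ($requested as $table) {
        if (! is_string($table) || ! isset($allowed[$table])) {
            throw new \RuntimeException('Refusing to drop table outside the theme: ' . var_export($table, true));
        }
    }
    $dropped = [];
    foreach ($requested as $table) {
        $forge->dropTable($table, true);   // ifExists = true
        $dropped[] = $table;
    }
    return $dropped;
}

// Usage in a delete handler (theme path and request field are assumptions):
// $themeDir = ROOTPATH . 'themes/' . basename($themeName);   // basename(): no traversal via the theme name
// $dropped  = dropThemeTables(
//     \Config\Database::forge(),
//     $themeDir,
//     (array) $this->request->getPost('tables')
// );
```

The client-supplied list is still useful for letting an administrator deselect tables to keep; it just can only narrow the server-derived set, never widen it.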
🔧 Improvements & Enhancements
- Enhanced User Feedback: The core _message_block powered by SweetAlert2 has been upgraded. It can now parse and display bulleted array logs (messages). So, if you drop 5 tables during uninstallation, you will see a clean list confirming each one.
- Theme Manager Protection: An extra CodeIgniter protection layer is added to ensure active templates cannot be deleted under any circumstances, preventing catastrophic application crashes.
🐛 Bug Fixes
- Fixed a core issue with the recursive directory deletion utility (deleteFldr). Corrected an argument count discrepancy caused by outdated function profiles, preventing fatal errors during legacy directory destructions.
Full Changelog: 0.31.1.0...0.31.1.0
Update Requirements: As always, ensure your PHP version is 8.2+ and review your writable/ directory permissions.
v0.31.0.0 - Major Security & Framework Update (CI 4.7.1 & Shield Integration)
🚀 Highlights
This version represents a revolutionary milestone for CI4MS. The core framework has been upgraded to CodeIgniter 4.7.1, the authentication system has been completely modernized with CodeIgniter Shield, and the minimum system requirements have been elevated to PHP 8.2 to meet modern standards.
🛡️ Security Enhancements
- Shield Integration: Replaced custom authentication with a Shield-compatible architecture. Removed 14 legacy migrations and introduced 6 new Shield-aligned migrations with proper foreign keys.
- Audit Trail (BackendLogFilter): Added detailed activity logging (IP, User Agent, Action, Module) for all backend user operations to enhance security monitoring.
- XSS & CSRF Protection: Implemented global input validation and enhanced CSRF token refreshing for AJAX operations to prevent injection and expiration issues.
- Native Log Viewer: Removed external vendor dependencies in favor of a high-performance, secure internal `LogViewer` library.
✨ New Features
- High-Performance Support: Added `WorkerMode` and `Hostnames` configurations to support modern environments like Swoole and FrankenPHP.
- Advanced Template Settings: A comprehensive UI for managing theme assets, global CSS/JS injection, Google Fonts preview, and widget visibility.
- Dynamic Sidebar: Implemented an auto-configuring sidebar that loads menus and icons directly from module `Config` parameters with improved caching.
- Version Checker: Built-in mechanism to notify administrators of available application updates.
- Migration Safeguard: Introduced the `$lock` feature in migrations to prevent concurrent execution conflicts.
🔄 Important Changes
- System Requirements: Minimum PHP requirement upgraded to 8.2.
- Repository Optimization: Refactored asset management, reducing repository size by approximately 147MB (removed unused maps, source files, and unminified logic).
- Secure API Refactoring: Migrated all "Delete" actions from `GET` routes to secure AJAX `POST` requests.
- Shield-Compatible Views: Overhauled user management and permission group views to leverage Shield's core capabilities.
🛠️ Bug Fixes
- Fixed pivot table insertion logic in `CommonTagsLibrary` to ensure correct tag persistence for blog posts.
- Corrected the path validation regex in the File Editor module so that nested (multi-level) folder paths are accepted.
- Resolved sidebar navigation active-state logic issues for AdminLTE 3.
- Fixed PHP ternary operator precedence bugs affecting status switch states.
Important
Since this release includes major structural changes (especially the Shield migration), it is highly recommended to back up your database and run composer update before upgrading.
Security Hotfix: Critical RCE Patch & File Manager Hardening
⚠️ Security Critical Update
This release addresses critical security vulnerabilities. All users are strongly advised to upgrade immediately.
🔒 Security Patches
- Critical (RCE): Patched a Remote Code Execution vulnerability in the File Manager `rename` endpoint that allowed bypassing extension whitelists (Reported by Lars van Mil).
- High: Fixed a Directory Displacement vulnerability by disabling arbitrary folder move operations.
- Medium: Enforced stricter blacklist rules for system directories. Sensitive paths like `.env`, `.git`, `.github`, and `vendor` are now explicitly blocked from listing and access.
- Medium: Implemented missing CSRF token validation for File Manager AJAX operations (Delete, Save, Rename).
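A single path policy that every File Manager endpoint calls, as an added example that is not the project's code. It stands in for the `isHiddenPath` enforcement described under v0.31.4.0 as well as the rename, folder-move and system-directory rules in this hotfix, and it centralizes extension validation so that `rename` cannot reach an extension `upload` would refuse. The managed root, the deny-list and the extension allow-list are assumptions, as is treating the manager as an asset store whose files must never end up with an executable extension.

```php
<?php
// Added example, not ci4ms project code.

final class ManagedPathPolicy
{
    private string $root;
    /** Top-level names never listed, read or written (assumed list). */
    private array $denied = ['.env', '.git', '.github', 'vendor', 'composer.json', 'composer.lock'];
    /** Extensions a managed file may carry (assumed list, deliberately non-executable). */
    private array $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'css', 'js', 'json', 'txt', 'md', 'pdf'];
    /** Extensions that must not appear anywhere in a name, e.g. "shell.php.jpg". */
    private array $executable = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps', 'cgi', 'pl', 'sh'];

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false || ! is_dir($real)) {
            throw new \InvalidArgumentException("Managed root does not exist: {$root}");
        }
        $this->root = $real;
    }

    /** Split a user-supplied relative path into clean segments, or null if unacceptable. */
    public function segments(string $relative): ?array
    {
        if (str_contains($relative, "\0") || preg_match('#^[/\\\\]|^[A-Za-z]:#', $relative)) {
            return null;                      // absolute paths and drive letters
        }
        $parts = [];
        foreach (preg_split('#[/\\\\]+#', $relative) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                return null;                  // no traversal at all, not even "a/../b"
            }
            $parts[] = $segment;
        }
        return $this->isHiddenPath($parts) ? null : $parts;
    }

    /** Hidden: a denied top-level name, or any dot-prefixed segment. Checked on every operation. */
    public function isHiddenPath(array $segments): bool
    {
        foreach ($segments as $index => $segment) {
            if ($index === 0 && in_array($segment, $this->denied, true)) {
                return true;
            }
            if ($segment[0] === '.') {
                return true;
            }
        }
        return false;
    }

    /** Absolute path inside the root, or null. The same call serves list, read, save, delete and rename. */
    public function resolve(string $relative): ?string
    {
        $parts = $this->segments($relative);
        if ($parts === null) {
            return null;
        }
        return $this->root . ($parts ? DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts) : '');
    }

    /** Shared by upload and rename; a file name, not a path. */
    public function isAllowedFilename(string $name): bool
    {
        if (! preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
            return false;                     // no separators, no leading dot
        }
        $parts = array_map('strtolower', explode('.', $name));
        if (count($parts) < 2) {
            return false;                     // an extension is required
        }
        foreach (array_slice($parts, 1) as $ext) {
            if (in_array($ext, $this->executable, true)) {
                return false;                 // catches "x.php.jpg" as well as "x.php"
            }
        }
        return in_array(end($parts), $this->allowedExt, true);
    }

    /** Rename within the same directory only; there is no folder-move operation to misuse. */
    public function rename(string $fromRelative, string $newName): bool
    {
        $from = $this->resolve($fromRelative);
        if ($from === null || ! is_file($from) || ! $this->isAllowedFilename($newName)) {
            return false;
        }
        $to = dirname($from) . DIRECTORY_SEPARATOR . $newName;
        return ! file_exists($to) && rename($from, $to);
    }
}

// $policy = new ManagedPathPolicy(FCPATH . 'uploads');   // FCPATH is CodeIgniter's public-directory constant
// Every controller action resolves its input through $policy->resolve() and
// passes new names through $policy->isAllowedFilename() before touching disk.
```

The point of routing rename through `isAllowedFilename()` is that an attacker who can upload `shell.txt` gains nothing from renaming it, and because `rename()` takes a bare file name rather than a path, the directory displacement class is closed at the same time.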
🛠 Improvements & Changes
- File Manager: Disabled "Drag & Drop" functionality to prevent accidental directory structure changes and improve stability.
- UI/UX: Updated Monaco Editor file tree configuration; folders now default to a collapsed state for better navigation.
- Refactor: Centralized file extension validation logic for better consistency across endpoints.
🏆 Credits
Special thanks to security researcher Lars van Mil for responsibly disclosing the vulnerabilities and assisting in the validation of these fixes.