Vanilla 3.0 is now available (Updated 3.0.2)
charrondev, Developer Lead (PHP, JS), Montreal, Vanilla Staff
edited June 2019 in Releases
After successful RC1 and RC2 releases, the 3.0 release is here! Thank you to everyone who helped test things on staging servers and who filed issues along the way.
Without further ado:
- New Rich Editor features and improvements.
- 100s of bug fixes.
- Many medium-severity security issues reported via our HackerOne campaign are now resolved.
- Improved default cache headers.
- Deprecated some old classes, and removed some already deprecated ones.
- Laid the groundwork for new drafts & reaction systems.
- Image upload limits.
- Improvements to the Keystone theme.
- Google SignIn.
- Better SEO and performance w/ the
Please note the next comment containing breaking changes in this release. Many sites will be unaffected by these changes, but please read the notes to see if additional steps will be needed for your site.
- Vanilla 3.0 requires PHP 7.1 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.3 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
- Follow the normal upgrade process, including running /utility/update.
- Follow additional specific upgrade instructions.
- Test your plugin & theme compatibility in a safe place before upgrading your production forum.
Get it over in the addon directory: https://open.vanillaforums.com/addon/vanilla-core-3.0.2
Starting with this release Vanilla requires a minimum version of PHP 7.1. Starting with this release Vanilla's automated test suite now runs on PHP versions
Beginning in this release the following classes are now deprecated.
Additionally the following methods are now deprecated.
If you are using any of these methods please see their inline documentation for their newer alternatives.
New Database Tables
In this release we are laying the groundwork for bringing reactions into core. The user facing feature is not a part of this release but we have created new core models and a database structure for it. As a result there are 2 database tables that will be created.
If you use a case-insensitive filesystem & the YAGA addon this will be a breaking change.
Unfortunately some open source addons have taken the database table `GDN_Reaction`. This is the cause of the conflict. If you are affected here your options are essentially:
For people creating addons in the future I would recommend name-spacing both your classes and database tables. Was your code created as part of `\Vanilla` or part of the `GDN_` framework? If not you should probably use a different prefix or append some additional prefix.
Removed classes, methods, & interfaces
The following items were all deprecated with the `2.5` release. They have been removed starting in this release.
URL rewriting is mandatory!!!
This was part of the 2.5 release upgrade notes, but it becomes more and more important as time goes on.
If your forum still uses URLs including `?p=`, support for this URL structure has ended. Follow these steps to switch to the simpler format:
`.htaccess` file provided will accomplish this. Additional setup is required on nginx and other platforms.
`/discussions` - if you see a discussions list (rather than a 404), it is likely set up correctly.
`/conf/config.php` and find the line with `$Configuration['Garden']['RewriteUrls'] = false;` and delete the entire line.
APIv2 is not compatible with `?p=` style URLs. Going forward, more and more parts of Vanilla will be built on top of our API. Rich Editor requires it. Some upcoming UI features in this year's releases will be built on the API.
`nginx` can refer to the following resources as examples:
Updated Cache Headers on /entry/*
If you have any view override for a view in EntryController, eg. signin, register, etc, you have to update it. Otherwise all entry forms will no longer work for signed out users.
Work was done in this release to allow caching `/entry/*` pages for guests. As a result Vanilla now sends down standard cache headers for these HTML pages, whereas previously it would prevent caching on these pages.
The reason for the previous lack of caching was because these entry forms required a `TransientKey` in a cookie for every user and these need to be private & per user. Eg. cannot be cached.
These forms no longer require a `TransientKey` if the request is submitted over AJAX with the `X-Request-With` header, but the forms must now be submitted over Ajax. The core views have been updated, but if you overrode one of those views, you will need to update it or users signing in will begin seeing errors when signing in or registering.
Emoji Extender case sensitive rename
Some renaming has occurred within the EmojiExtender plugin and additional upgrade steps are required on certain systems to prevent having duplicate versions of the plugin.
`EmojiExtender` from your plugins directory. The plugin directory now matches its addon key
Rich Editor saw a number of enhancements in this release.
New paragraph level formatting menu
We've added a new paragraph level formatting menu in order to surface more formatting options.
Currently it is broken down into 4 categories.
New Rich Editor formats
Along with the paragraph formatting menu, we've added support for
Improved Pasting Robustness
This iteration of Rich Editor sees a much improved ability to paste content into the editor.
The following may now be pasted from other web pages
Rich editor now has support for markdown based macros. Try out standard markdown input syntax and watch as it is transformed into your Rich Post.
Image Upload Limits
It is now possible to limit maximum image upload dimensions through an enhanced dashboard posting page. Any images uploaded above this limit will be resized (while preserving aspect ratio) to fit within the configured dimensions.
These dimensions will be respected in Rich Editor, Advanced Editor, and the
The keystone header on desktop now contains core & contextual navigation items. Additionally these items can be found on mobile devices by opening the navigation menu.
`AfterBody` event in to the end of the body in Keystone & Theme Boilerplate #8857. Thanks @R_J
SEO & Performance
Blocking Script Tags
Sites may now opt in to better behaviour here and load all scripts after the main document loads. This can be done by setting the configuration value.
or in JSON (Vanilla console)
If this is done properly all scripts in the of the page should have the defer attribute set.
This can lead to large increases in score on Google’s page-speed index as well as improved load times for users, especially on mobile.
Warning: This may not be compatible with certain custom Pockets or custom themes. Please test on staging environments first.
Sitemaps & Robots.txt
Google Sign In
Due to the fact that Google is sunsetting the Google+ Sign In method, we are adding Google Sign In. Forums that are using Google+ now are strongly recommended to create an OpenID OAuth 2.0 application at Google and turn on the Google Sign In plugin.
For more information about the user authentication workflow that is being implemented please read this documentation on Google.com. For instructions on how to set up the plugin see Vanilla user docs for Google Sign In
New or Expanded API endpoints
Set the canonical URL of a discussion
Expand accepted answer IDs
`GET /api/v2/discussions/:id` endpoint now offers an expand parameter `acceptedAnswers`. When set, the commentID & rendered text of the accepted answer will be included in the response.
Current user endpoints
These 2 endpoints may be used to fetch information about the currently signed in user.
Record a page view
Updated File Release Permissions
Note: This fix is also present in the 2.8.4 release.
It has been brought to our attention that our file system permissions were far too open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.
Thanks to the insistence of @R_J I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).
Starting in this release file system permissions are essentially 755 for directories and 644 for files.
This update fixes a bug where sometimes a user resetting their password would not get redirected properly after successfully resetting it.
Update 3.0.2 contains multiple important security fixes and bug fixes.
This fix required copying over the new files and doing the following:
This Vanilla release improves security by allowing sites to enable stricter security on their domains.
This feature is now on by default and means that once a user has visited a site over `https://` their browser will always use `https://` for this domain in the future. This is a more secure mechanism for enforcing `https://` than redirects, and prevents users from accidentally browsing the insecure version of a site.
This should not affect sites without
https://support as it only applies if a site is visited by a user over
Various configuration options and their descriptions can be found on the Security page in the Vanilla dashboard.
Other Security Fixes
Get it here.
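The file permission fix described in the release notes above (a build that reset everything to 777, now 755 for directories and 644 for files) can be checked on an unpacked copy with a few `find` calls. This is an added example, not part of the original post and not Vanilla's build tooling; the script name, the `--demo` flag and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit and repair an unpacked release tree whose modes were
# reset to 777. Paths are placeholders; nothing here is Vanilla's build tool.

# List every file or directory that carries the world-write bit.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count those entries without parsing file names (safe with odd characters).
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec printf x \; | wc -c | tr -d ' '
}

# Apply the modes the release notes describe: 755 directories, 644 files.
# find does not follow symlinks by default, so link targets outside the
# tree are left alone. Anything that must stay executable needs its bit
# restored by hand afterwards.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree, built in a temp dir, to show before and after.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/forum/conf" "$root/forum/library"
    echo '<?php' > "$root/forum/conf/config.php"
    echo '<?php' > "$root/forum/library/bootstrap.php"
    chmod -R 777 "$root/forum"
    echo "world-writable before: $(count_world_writable "$root/forum")"
    audit_world_writable "$root/forum"
    normalize_perms "$root/forum"
    echo "world-writable after:  $(count_world_writable "$root/forum")"
    rm -rf "$root"
}

# Usage: sh perms.sh --demo   or   sh perms.sh /path/to/forum (audit only)
case "${1:-}" in
    --demo) demo ;;
    "")     : ;;
    *)      audit_world_writable "$1" ;;
esac
```

Directories the web server has to write to should get that access through ownership by the server's user rather than through the world-write bit.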
Doesn't seem that the issue with "blur effect" on the sign in popup is solved yet. I'm also having troubles with uploading pics with rich editor (although I've no problems with wysiwyg); it gives me server error 400, any suggestions?
On the other hand pics optimization is amazing, well done! Thank you
@Lorenzo Is there an issue filed somewhere to track the sign in popup thing? I'm not sure what issue you're referring to.
I'd recommend starting a separate help thread about the upload endpoint. It's likely server configuration related.
Thanks Vanilla team for fixing the mobile search issue (#8960) and other ones. Vanilla 3.0 with the new impressive Rich editor looks almost perfect.
But what about issue #8680? After updating to 3.0.2 the search results are still replaced with “There was an error rendering this rich post”.
Fatal Error in PHP.slugify();
Call to undefined function iconv()
The error occurred on or near: /home/htcadmin/public_html/discuss/library/core/functions.general.php
Your PHP installation is missing the iconv extension.
Love Love Love! the image upload limits. Thank you to the vanilla team!