Vanilla 3.0 is now available (Updated 3.0.2)
charrondev (Vanilla Staff)
After successful RC1 and RC2 releases, the 3.0 release is here! Thank you to everyone who helped test things on staging servers and who filed issues along the way.
Without further ado:
Highlights
- New Rich Editor features and improvements.
- 100s of bug fixes.
- Many medium-severity security issues reported via our HackerOne campaign are now resolved.
- Improved default cache headers.
- Deprecated some old classes, and removed some already deprecated ones.
- Laid the groundwork for a new drafts & reaction systems.
- Image upload limits.
- Improvements to the Keystone theme.
- Google SignIn.
- Better SEO and performance with the `DeferredLegacyScripts` flag.
Upgrade Notes
Please note the next comment containing breaking changes in this release. Many sites will be unaffected by these changes, but please read the notes to see if additional steps will be needed for your site.
- Vanilla 3.0 requires PHP 7.1 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.3 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
- Follow the normal upgrade process, including running /utility/update.
- Follow additional specific upgrade instructions.
- Test your plugin & theme compatibility in a safe place before upgrading your production forum.
Download
Get it over in the addon directory: https://open.vanillaforums.com/addon/vanilla-core-3.0.2
4 Comments
Breaking Changes
Starting with this release Vanilla requires a minimum version of PHP 7.1. Starting with this release Vanilla's automated test suite now runs on PHP versions 7.1-7.3.
Deprecations
Beginning in this release the following classes are now deprecated.
- `\Gdn_ApplicationManager`
- `\Gdn_ThemeManager`
- `\Gdn_PluginManager`
- `\Gdn_Pluggable`
Additionally the following methods are now deprecated.
- `\Gdn::applicationManager()`
- `\Gdn::pluginManager()`
- `\Gdn::themeManager()`
- `\PagerModule::rel()`
If you are using any of these methods please see their inline documentation for their newer alternatives.
New Database Tables
In this release we are laying the groundwork for bringing reactions into core. The user-facing feature is not a part of this release, but we have created new core models and a database structure for it. As a result there are two (2) database tables that will be created.
If you use a case-insensitive filesystem & the YAGA addon this will be a breaking change.
Unfortunately some open source addons have taken the database table `GDN_Reaction`. This is the cause of the conflict. If you are affected here your options are essentially:
For people creating addons in the future I would recommend namespacing both your classes and database tables. Was your code created as part of `\Vanilla` or part of the `GDN_` framework? If not you should probably use a different prefix or append some additional prefix.
Removed classes, methods, & interfaces
The following items were all deprecated with the 2.5 release. They have been removed starting in this release.
- `Gdn_Factory`
- `ISingleton`
- `Gdn::getFactory()`
- `Gdn::factoryInstallDependency()`
- `Gdn::factoryInstallDependencyFromConfig()`
- `Gdn::factoryInstallFromConfig()`
URL rewriting is mandatory!!!
This was part of the 2.5 release upgrade notes, but it becomes more and more important as time goes on.
If your forum still uses URLs including `?p=`, support for this URL structure has ended. Follow these steps to switch to the simpler format:
- The `.htaccess` file provided will accomplish this. Additional setup is required on nginx and other platforms.
- `/discussions`: if you see a discussions list (rather than a 404), it is likely set up correctly.
- `/conf/config.php`: find the line with `$Configuration['Garden']['RewriteUrls'] = false;` and delete the entire line.
APIv2 is not compatible with `?p=` style URLs. Going forward more and more parts of Vanilla will be built on top of our API. Rich Editor requires it. Some upcoming UI features in this year's releases will be built on the API.
Users using nginx can refer to the following resources as examples:
Updated Cache Headers on /entry/*
If you have any view override for a view in EntryController, e.g. signin, register, etc., you have to update it. Otherwise all entry forms will no longer work for signed-out users.
Work was done in this release to allow caching `/entry/*` pages for guests. As a result Vanilla now sends down standard cache headers for these HTML pages, whereas previously it would prevent caching on these pages.
The reason for the previous lack of caching was that these entry forms required a `TransientKey` in a cookie for every user, and these need to be private & per user, so they cannot be cached.
These forms no longer require a `TransientKey` if the request is submitted over AJAX with the `X-Requested-With` header, but the forms must now be submitted over Ajax. The core views have been updated, but if you overrode one of those views, you will need to update it or users will begin seeing errors when signing in or registering.
Emoji Extender case sensitive rename
Some renaming has occurred within the EmojiExtender plugin, and additional upgrade steps are required on certain systems to prevent having duplicate versions of the plugin.
- Remove the old `EmojiExtender` directory from your plugins directory. The plugin directory now matches its addon key `emojiextender`.
Release Notes
Rich Editor
Rich Editor saw a number of enhancements in this release.
New paragraph level formatting menu
We've added a new paragraph level formatting menu in order to surface more formatting options.
Currently it is broken down into 4 categories.
New Rich Editor formats
Along with the paragraph formatting menu, we've added support for
Improved Pasting Robustness
This iteration of Rich Editor sees a much improved ability to paste content into the editor.
The following may now be pasted from other web pages
Markdown Macros
Rich editor now has support for markdown based macros. Try out standard markdown input syntax and watch as it is transformed into your Rich Post.
Other
Image Upload Limits
It is now possible to limit maximum image upload dimensions through an enhanced dashboard posting page. Any images uploaded above this limit will be resized (while preserving aspect ratio) to fit within the configured dimensions.
These dimensions will be respected in Rich Editor, Advanced Editor, and the `/api/v2/media` endpoint.
Keystone Theme
The keystone header on desktop now contains core & contextual navigation items. Additionally these items can be found on mobile devices by opening the navigation menu.
Other
- `AfterBody` event into the end of the body in Keystone & Theme Boilerplate (#8857). Thanks @R_J
SEO & Performance
Blocking Script Tags
By default Vanilla blocks a page from rendering until most of its JavaScript is loaded. This is not considered best practice, because it negatively impacts users' page load times. Search engines like Google penalize sites that do this.
Sites may now opt in to better behaviour here and load all scripts after the main document loads. This can be done by setting the configuration value.
or in JSON (Vanilla console)
If this is done properly all scripts in the `<head>` of the page should have the defer attribute set.
This can lead to large increases in score on Google's page-speed index as well as improved load times for users, especially on mobile.
Warning: This may not be compatible with certain custom Pockets or custom themes. Please test on staging environments first.
Sitemaps & Robots.txt
Google Sign In
Because Google is sunsetting the Google+ Sign In method, we are adding Google Sign In. Forums that are using Google+ now are strongly recommended to create an OpenID OAuth 2.0 application at Google and turn on the Google Sign In plugin.
For more information about the user authentication workflow that is being implemented please read the documentation on Google.com. For instructions on how to set up the plugin see the Vanilla user docs for Google Sign In.
Dashboard
New or Expanded API endpoints
Set the canonical URL of a discussion
- `PUT /api/v2/discussions/:id/canonical-url`
- `DELETE /api/v2/discussions/:id/canonical-url`
Expand accepted answer IDs
The `GET /api/v2/discussions/:id` endpoint now offers an expand parameter `acceptedAnswers`. When set, the commentID & rendered text of the accepted answer will be included in the response.
Current user endpoints
- `GET /api/v2/users/me`
- `GET /api/v2/users/me-counts`
These 2 endpoints may be used to fetch information about the currently signed-in user.
Record a page view
- `POST /api/v2/tick`
Updated File Release Permissions
Note: This fix is also present in the 2.8.4 release.
It has been brought to our attention that our file system permissions were far too open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.
Thanks to the insistence of @R_J I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).
Starting in this release file system permissions are essentially 755 for directories and 644 for files.
Other Fixes
Discussions/Comments
Categories
Embedded Comments
Twitter SSO
Accessibility
Profile
Update 3.0.1
This update fixes a bug where sometimes a user resetting their password would not get redirected properly after successfully resetting it.
Update 3.0.2
Update 3.0.2 contains multiple important security fixes and bug fixes.
Updating
This fix required copying over the new files and doing the following:
- `container.html`
- `utility/update`
Fixes
- `AdvancedSearch` plugin. #8960
Security
HSTS Configuration
This Vanilla release improves security by allowing sites to enable stricter security on their domains.
This feature is now on by default and means that once a user has visited a site over `https://`, their browser will always use `https://` for this domain in the future. This is a more secure mechanism for enforcing `https://` than redirects, and prevents users from accidentally browsing the insecure version of a site.
This should not affect sites without `https://` support, as it only applies if a site is visited by a user over `https://`.
Various configuration options and their descriptions can be found on the Security page in the Vanilla dashboard.
Other Security Fixes
- `frame-ancestors` header #8970
Get it here.
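The file-permission fix above (777 left behind by the release build tool, corrected to 755 for directories and 644 for files) is easy to verify on an existing install. This added shell script is not Vanilla's own tooling; it builds a constructed sample tree so it runs offline, and the directory names in that sample are assumptions.

```shell
#!/bin/sh
# Added example (not Vanilla's code): audit a Vanilla install tree for the
# over-permissive 777 mode described in the 3.0 release notes and normalise
# it to 755 for directories and 644 for regular files.

# Count entries below $1 whose mode is exactly $2 (e.g. 777).
count_with_mode() {
    find "$1" -perm "$2" | wc -l | tr -d ' '
}

# Apply the release-note permissions: 755 on directories, 644 on files.
fix_vanilla_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (paths are assumptions) with everything set to 777,
# mimicking what the buggy build tool produced.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/library/core" "$dir/uploads"
    printf '<?php\n' > "$dir/index.php"
    printf '<?php\n' > "$dir/library/core/functions.general.php"
    chmod -R 777 "$dir"
    echo "$dir"
}
```

On a real install, run `count_with_mode /path/to/vanilla 777` first; directories the web server must write to (for example the uploads directory) also need the right owner, which this script does not change.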
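The HSTS and `frame-ancestors` items above are worth confirming from the outside after the upgrade. This added shell script is not part of the release or Vanilla's code; it checks a saved response-header dump (such as the output of `curl -sI` against your forum), and the sample headers, host name and 180-day minimum max-age are constructed assumptions.

```shell
#!/bin/sh
# Added example (not Vanilla's code): verify that a saved HTTP response header
# dump carries Strict-Transport-Security with a sufficient max-age and a
# Content-Security-Policy frame-ancestors directive. Header names are matched
# case-insensitively, as HTTP requires.

# Return 0 when file $1 has a Strict-Transport-Security header whose
# max-age is at least $2 seconds, 1 otherwise.
has_hsts() {
    age=$(grep -i '^strict-transport-security:' "$1" \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge "$2" ]
}

# Return 0 when a Content-Security-Policy header restricts frame-ancestors.
has_frame_ancestors() {
    grep -i '^content-security-policy:' "$1" | grep -iq 'frame-ancestors'
}

# Constructed sample (values are assumptions, not Vanilla's actual output):
# roughly what `curl -sI https://forum.example.test/` might return once the
# Security page has been configured.
write_sample_headers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000
content-security-policy: frame-ancestors 'self'
cache-control: public, max-age=120
EOF
    echo "$f"
}
```

Usage against a live site: `curl -sI https://your-forum/ > headers.txt; has_hsts headers.txt 15552000 && has_frame_ancestors headers.txt`.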
Doesn't seem that the issue with the "blur effect" on the sign in popup is solved yet. I'm also having troubles with uploading pics with Rich Editor (although I've no problems with WYSIWYG); it gives me server error 400. Any suggestions?
On the other hand, pics optimization is amazing, well done! Thank you
@Lorenzo Is there an issue filed somewhere to track the sign in popup thing? I'm not sure what issue you're referring to.
I'd recommend starting a separate help thread about the upload endpoint. It's likely server configuration related.
Thanks Vanilla team for fixing the mobile search issue (#8960) and other ones. Vanilla 3.0 with the new impressive Rich Editor looks almost perfect.
But what about issue #8680? After updating to 3.0.2 the search results are still replaced with "There was an error rendering this rich post".
Fatal Error in PHP.slugify();
Call to undefined function iconv()
The error occurred on or near: /home/htcadmin/public_html/discuss/library/core/functions.general.php
Backtrace:
Your PHP installation is missing the iconv extension.
Love Love Love! the image upload limits. Thank you to the vanilla team!