Skip to content

Latest commit

 

History

History
1468 lines (1210 loc) · 110 KB

CHANGELOG.md

File metadata and controls

1468 lines (1210 loc) · 110 KB

Changelog

v1.8.2

Security advisories

  • [SEC-CORE-009]: Unzip vulnerability to slip-attack!

See the website for more information about reported security issues and their status.

Important fixes, changes, notes. Read them carefully.

  • The code has been scanned for new warnings emitted by PHP 7.2 and 7.3.

Important fixes, changes, notes. Read them carefully.

  • The code has been scanned for new warnings emitted by PHP 7.2. and PHP 7.3.

Security related

See the advisories.

Backward compatibility notes

  • Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.

System changes

  • Htmlawed, used by Security::clean(), has been updated to v1.2.4.2, to provide PHP 7.3 compatibility.

Specific classes

  • Fixed a bug in get_common_path() returning incorrect results when the first path passed is an empty string.
  • DB: Broken database cached results object has been fixed (1.8.1.1 hotfix).
  • DB: Fixed last_query() no longer returning the last query after a call to count_last_query().
  • DB: Fixed database result iteration (1.8.1.4 hotfix).
  • DB: Still capture any PDO errors in the event these have been disabled in the PHP configuration.
  • DB: New caching option on query() and a new caching() method allow you to enable/disable result caching on a per-query basis. NB: you need a result cache object if you need random access to database results.
  • Config: You can now use dot-notation when specifying group names, so you can load configuration data at any level in the tree.
  • DB: Fixed not being able to generate "ORDER BY group" due to a validation typo.
  • Crypt: Replaced a PHP5.6+ function that creeped in by a coded alternative (1.8.1.3 hotfix).
  • ErrorHandler: Added specific support for handling and displaying SoapFault error information.
  • Fieldset: New set_name() allows to you change the fieldname of an existing Fielset field.
  • Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.
  • Fieldset: New duplicate() method allows you to clone an existing Fieldset field.
  • Image: New extension() method returns the extension of the image file.
  • Input: Fixed incorrectly parsing multipart/form-data if the boundary contained + signs.
  • Input: Fixed a bug that could assign rubbish data to the put(), patch() or delete() data fields.
  • Input: URI parsing has been improved to fix issues with URI's containing encoded data.
  • Input: Incorrectly parsing multipart/form-data when the form boundary string contains + signs.
  • Pagination: Fixed bug which allowed page numbers not to be numeric. This is now enforced.
  • Session: Re-initialize if a session is started after it was closed (1.8.1.2 hotfix).
  • Unzip: Addressed the zip-slip security vulnerability (1.8.1.6 hotfix).

Packages

  • Email: Mailgun driver has been made compatible with the Mailgun v3 API.
  • Email: It is now possible to define stream socket options for SMTP connections.
  • Email: A bug that failed to strip HTML comments from HTML email bodies correctly has been fixed.
  • Oil: Fixed broken SQL being generated for tables with Unique indexes in migrations.
  • Oil: Fixed pagination when generating admin pages for tables.
  • Oil: Admin scaffolding has been updated to generate better code.
  • Oil: Everything related to Fuel Cells have been removed, it was never properly implemented.
  • ORM: A few PHP warnings have been fixed when calling to_array() on an object with relations.
  • ORM: to_array() now returns related data correctly.
  • ORM: Observer_Typing no longer truncates float values with more than 6 digits precision.
  • ORM: Observer_Typing now supports columns of type 'date', 'time' and 'datetime'.
  • ORM: Models now have the option to allow PK's to be set. This is required for non-autoincrement PK's.
  • ORM: Fixed a NestedSets bug that caused the tree-id not to be set on multi-tree models.
  • ORM: Fixed bug that allowed Models derived from a database view to be updated (causing a DB error).
  • ORM: Allow is_changed() to run observers before comparing, to prevent it always returning True when using the Typing observer bidirectionally.
  • ORM: Fixed bug in which not all Model properties were initialized on a forge() with partial data.

v1.8.1

Security advisories

  • [SEC-CORE-008]: Crypt encryption has been compromised!

See the website for more information about reported security issues and their status.

Important fixes, changes, notes. Read them carefully.

  • The code has been scanned for new warnings emitted by PHP 7.1.
  • Support for PHPUnit v6 has been added.
  • Support for php-fpm has been improved.
  • Function overloading for multibyte functions is no longer supported.
  • A workaround for PHP bug 55701 has been added.

Security related

The AES encryption used by the Crypt class has been compromised, as reported by Felix Widemann and Nils Rokita from Hamburg University. They have proven that with a powerful GPU, any encoded string can be decoded using brute force in a few minutes. If your application relies on the Crypt class (and most do, because the session cookie is using Crypt to encode it), upgrading your applications is highly advised!

If you manually want to convert data, for example because you have them stored in the database, simply use:

$new = \Crypt::encode(\Crypt::decode($old));

It will detect if the string is using the old encryption or the new encryption. Your crypt.php containing the keys will be automatically updated as well (assuming the application has write rights to the file).

Please note that due to the stronger encryption mechanism used, the encrypted strings are longer. This might be an issue where you have limited space available, for example is fixed or max width database fields, a session cookie that is already approaching the 4Kb limit, etc. So check the requirements of your application before upgrading!

Backward compatibility notes

  • When you post a form that exceeds max_input_vars, in some PHP 7.x versions the excess values were silently dropped, causing incorrect application behavior. Input now emits an E_WARNING if PHP doesn't do so.
  • The Session classes have been refactored. The methods create()/read() and write() are removed, and start() and close() added to more closely mimic native session behavior.
  • Database results can now be returned in list or collection (cached) form. A list can only be iterated over, a collection has direct (array) access. By default a collection is returned to retain BC with 1.8.0, but in most cases, a list is faster if random access isn't needed, especially if the resultset is big.
  • Function overloading for multibyte functions is no longer supported. When you have this enabled in your PHP config, Fuel will refuse to start.
  • If you require multibyte agnostic string functions for the functions of type 2 (see http://php.net/manual/en/mbstring.overload.php), use the methods in the Str class instead.

System changes

  • Markdown has been updated to v1.7.0.
  • Monolog has been updated to v1.18 (latest composer version).
  • PHPSecLib has been updated to v2.* (latest composer version).
  • URI parsing has been refactored for better NGINX and php-fpm support.
  • The autoloader has been patched to better support classnames in local charactersets.

Specific classes

  • Asset: You can now call custom defined asset types the same way as you would built-in types (js,css,img).
  • Config: load() has been refactored. It no longer overwrites on subsequent loads unless you want to. It also no longer returns false in that case, but always returns the loaded config.
  • Crypt: Has been rewritten using Sodium. Decrypting old encoded strings is transparent, and will be converted on encrypting.
  • Date: create_from_string() no longer allows you to create timestamps from before the Unix Epoch, which wasn't supported, and caused weird things to happen...
  • DB: you can now use on_open() and on_close() when creating JOIN clauses.
  • DB: UPDATE now supports the same JOIN clauses as SELECT.
  • DB: Database result objects are now sanitized automatically when passed to a View.
  • DB: You can now choose to return database results as a list (can only be looped over in sequence) or a collection (has random access). A list uses a lot less memory with large resultsets.
  • DB: Introduced a cache() method to return a list as a collection.
  • DBUtil: Now has a list_indexes() method.
  • Fieldset: Fixed invalid HTML for tabular forms being generated when it contained hidden columns.
  • Fieldset: Tabular forms now have built-in support for pagination.
  • File: Fixed several bugs that could cause errors when open_basedir was in effect.
  • File: Fixed broken file locking when using open_file(). Lock type validation added.
  • Form: Attribute usage with both configured attributes and passed attributes on open() calls has been fixed.
  • Format: Fixed a bug in which importing a multi-line CSV file could cause data loss.
  • Image: Alphablending has been fixed for Imagick.
  • Image: The Imagick driver now takes EXIF autorotation data into account, mimicing GD behaviour.
  • Input: Only parses raw input when PHP hasn't done so (p.e. on put, patch or delete requests).
  • Input: A new raw() method has been introduced to access the raw PHP input data (from php://input).
  • Log: Error and Exception objects are now passed on to Monolog for more detailing logging options.
  • Model_Crud: count() now uses the defined database connection, if available.
  • Model_Crud: Freezing/unfreezing error fixed when unserializing data into an object.
  • Module: You can now configure that you want routes loaded from the module when you load a module.
  • Pagination: You can now specify the starting page (number, or 'first' or 'last') when no page number is present in the URL.
  • Security: You can now configure NOT to rotate the CSRF token after validation.
  • Security: set_token() is now a public method, so a token can be rotated manually.
  • Session: Broken destroy() method has been fixed.
  • Session: You can now create a session instance without implicitly starting it.
  • Session: You can now reset an active session to an empty state.
  • View: Fixed unsanitizing of Traversable objects.

Packages

  • Auth: Fixed a bug in the validation rules of the User model.
  • Auth: When checking for access, you can now also pass the area name only (matches any right assigned in that area).
  • Auth: For security reasons, OpAuths response has been changed from serialized to jsob. This response is now supported.
  • Oil: Improved Model and Migration generation.
  • Oil: Improved index support when generating migrations from an existing database table.
  • Oil: Generated controllers now support pagination on their index page.
  • Oil: Generating from existing tables now yield more details about the column.
  • Parser: Markdown views no longer uses a dedicated version of Markdown, but the version installed via Composer.
  • Parser: Creating a parser view object without a view name passed no longer triggers an exception.
  • Parser: Support added for Handlebars templates though the LightnCandy composerpackage.
  • Orm: forge() now accepts an object implementing ArrayAccess to add data to the ORM object.
  • Orm: Observer_Typing now supports the fieldtype encrypt to transparently encrypt/decrypt data going into the database.
  • Orm: Observer_Typing now support a field definition 'db_decimals', which you can use if your internal representation is different from the column definition (so objects aren't marked as changed incorrectly).
  • Orm: Added a 'caching' config key to the ORM config, to configure default object caching behaviour.
  • Orm: Now has a caching() method to enable or disable ORM object caching.
  • Orm: Now has a flush_cache() method to flush the loaded ORM object cache.
  • Orm: You can now disconnect related objects by assigning null or array() to the relation, which behaves identical to using unset().
  • Email: Mailgun email header generation has been improved.

v1.8.0

Important fixes, changes, notes. Read them carefully.

This version provides full compatibility with PHP 7. To achieve this, the \Fuel\Error class had to be renamed to \Fuel\Errorhandler. The new error handler has full support for PHP 7's new Error exceptions. If your application calls the Error class directly, or has extended the Error class, make sure you make the appropriate changes after you have upgraded!

The oil installer has been updated to use composer to install Fuel, and to provide better support for MacOS.

Backward compatibility notes

  • The included PHPSecLib version has been swapped by the composer package. If your application creates instances of PHPSecLib classes, check your code for compatibility issues, for example with the use of namespaces.

Removed code (because it was deprecated in v1.7.3 or earlier)

  • The old "mysql" DB driver has been removed because of removal in recent PHP versions. You can keep using mysqli if for some reason you don't want to use PDO. A new "mysql" driver has been introduced that uses PDO underneath. This should be transparent for most applications.

Security related

  • Because of the swap to the composer PHPSecLib package, the pbkdf2() method that was added to the code by the Fuel team is no longer available. Fuel itself now uses the PHP hash_pbkdf2() function. If you are using a PHP version < 5.5.0, this function is emulated in base.php.
  • When using file based session, an additional check has been added to make sure the session file is loaded from the configured path.
  • The Security::clean_input() now has support for ArrayAccess and Traversable classes, and now fully recurses into these classes and arrays for a full deep clean.
  • Security::generate_token() now uses random_bytes(), openssl_random_pseudo_bytes() if available, and uses hash_algos() with SHA to generate the token hash.

System changes

  • The database classes have been refactored. Database_Query is now properly extendable, and DBUtil schema manipulations have been abstracted in order to support multiple DB platforms.
  • New drivers have been added for "dblib" (MS-SQL/Sybase), "sqlsrv" (MS-SQL on Windows) and "SQLite".
  • The framework now supports generic HTTP status 400 messages through the new HttpBadRequestException exception.
  • When a database migration is run, and the database schema is ahead of the migration configuration file, the status is synced before any migrations are run. This makes sure migrations don't run twice, which may happen when you update multiple application instances using a shared clustered database.
  • You can now correctly use "hybrid" controller (like "\Controller\Something_Class") names as documented.
  • new function get_composer() allows direct access to the Composer Autoloader instance.
  • The core's "base.php" code has been optimized for PHP 5.6+.
  • A new route keyword ":everything" has been added, which complements ":any" by also matching with "nothing".

Specific classes

  • The Agent class now supports the definition of an HTTP proxy for downloading the browscap file.
  • An issue in the Agent class is fixed where loading the browscap file could fail if it was defined as type "local".
  • Arr::key_exists() now has support for classes implementing ArrayAccess.
  • Asset now has a new method add_type() to define new types besides "js", "css" and "img". You need to pass a closure that is used to render the HTML for the given type.
  • Asset is now more compatible with Windows platforms when it comes to generating paths and URL's (correct use of slash vs backslash).
  • The Cache file driver has been improved to solve some locking race conditions.
  • Config class no longer caches the result of config keys defined as a closure. Closures are now evaluated at runtime instead of at load time.
  • Fixed a bug in Controller_Rest that would cause the HTTP status code to be overwritten when detecting an incorrect return format in production mode.
  • Controller_Rest now returns HTTP status 200 by default.
  • When calling the Database method count_last_query(), any ORDER BY is now stripped from the COUNT query to improve performance.
  • Return type detection has been improved for DB::query() calls, for SQL statements like "DESCRIBE", "EXECUTE", "EXPLAIN" and "SHOW".
  • Date::range_to_array() could return unexpected values when using more complex intervals. This has been fixed.
  • Added support for "runtime-created functions" in Debug detailed output.
  • Fixed a bug in File::create_dir() that causes directory creation to fail if the directory had the same name as its parent.
  • Form::open() can now automatically add a CSRF key field when the config key "security.csrf_auto_token" is set.
  • Lang now has a new method set_lang(), which allows you to switch the active language, optionally reloading all already loaded language files in this new language.
  • Migrate can now detect circular dependencies (two migrations depending on each other), and will now bail out with a loop detection error message.
  • Migration tasks can now define before() and after() methods. If either returns false, the migration is skipped. In case of after(), that implies the migration is reverted.
  • Mongo_Db has a new dump() method to allow dumping a collection or collections for backup purposes.
  • The Response class now has a new set_headers() method to set multiple headers in one go.
  • Request_Curl now returns the complete "raw" response in the response variable "response", which can be accessed in case of a returned http status >= 400.
  • Request_Curl now allows you to use fully qualified option names to be set (those starting with "CURLOPT_").
  • The Router now also returns the path of the controller on a found route match.
  • The Security class can now throw an HttpBadRequestException instead of a generic Security Exception when CSRF validation fails.
  • The Session file driver has been improved to solve some locking race conditions, and an additional validation of the session payload on session load.
  • The "randomness" of generated session ID's has been improved by using Security::generate_token() to generate them.
  • The Str class now checks if mbstring functions are available before using them.
  • Theme is now more compatible with Windows platforms when it comes to generating paths and URL's (correct use of slash vs backslash).
  • Validation valid_date rule can now handle incomplete date/time formats properly by using defaults for missing values.
  • You can now control the behaviour of the View class on closures assigned to a View variable through the config key "filter_closures".
  • For View variables supporting the Sanitation interface, sanitation is disabled after rendering the view to return the object in its original state.

Packages

  • Auth: login drivers now uses the internal PHP function hash_pbkdf2() function to hash passwords.
  • Auth: the Opauth driver will now pass a "group_id" back in the result if the login provider supplies this value in its response.
  • Auth: the Opauth driver now has a get_instance() method to return the current Opauth instance.
  • Auth: migrations now use the configured "db_connection" from the simpleauth/ormauth config, if defined.
  • Auth: auth_check() now also accepts the name of the login driver (as a string), besides the login driver instance.
  • Auth: updated the Auth classes to support the PHPSecLib composer package.
  • Email: Fixed bug in text wrapping where spaces could be stripped from HTML tags.
  • Email: Added a check on the availability of mbstring extensions before its functions are used.
  • Oil: migrate now has a new "--installed" option, which only runs migrations for packages and modules defined in the "always_load" section of the config. You can use it in conjunction with "--modules" and "--packages" to include some manually loaded modules or packages.
  • Oil: new "--with-test" option to scaffolding will generate corresponding test classes for each class generated.
  • Oil: "fromdb" task has a new "migration" command that allows you to generate migrations from an existing database. NOTE: these need to be checked as not all details can be retrieved from an existing table!
  • Orm: Fixed SQL generation error when DB::expression() was used at the left-hand side of a query statement.
  • Orm: Fixed a decimal point positioning issue in the Typing observer.
  • Orm: Fixed a problem in the Temporal model where the incorrect primary key values where used when generating a WHERE clause.
  • Orm: Added the option to dump_tree() to include a path URI, mainly useful when working with nested sets.
  • Orm: The typing observer can now handle floats in all locales (the decimal point is comma problem).
  • Orm: Implemented a workaround for slow access of large array entries by reference (see https://bugs.php.net/bug.php?id=68624)
  • Orm: A bug that caused related data in a many-many relation to be incorrectly hydrated has been fixed.
  • Parser: It is now possible to load Mustache partials. If none are defined, the UTF-8 partial is loaded by default.
  • Parser: for View variables supporting the Sanitation interface, sanitation is disabled after rendering the view to return the object in its original state.
  • Parser: for jade templates, now the Talesoft Jade renderer is supported too, besides the already supported Everzet renderer.
  • Parser: fixed a bug that caused loading template files with multiple dots to fail.
  • Parser: Twig templates now have access to the Auth::get() method through "auth_get".

v1.7.3

Important fixes, changes, notes. Read them carefully.

This release is mainly a bugfix release, although some minor functionality was added as well. The main goal of this release is increased stability of the version 1 code, now that it is approaching the end of it's life-cycle.

The final version will be v1.8, which will be released at the same time the first version of Fuel v2 will be released. It will be an LTS version, no new functionality will be accepted on the codebase anymore, but will will keep releasing bugfixes and security fixes.

Backward compatibility notes

  • The FuelPHP framework is now entirely loaded using composer. A check has been added to the frontloader to make sure composer has run and all components are installed, and die with a proper error message if that is not the case. The default minimum-stability is set to stable, so you might want to have a look at that if needed.
  • Activating the framework autoloader has been moved from the App bootstrap to the frontloader (oil for cli, public/index.php for web requests). When you upgrade, make sure to update both the frontloaders, otherwise you will get exceptions when the autoloader is loaded twice.
  • When loading multiple modules or packages through the load() method, the result will now only be true if all could be succesfully loaded.
  • When Fuel is run is CLI mode, output buffering is now disabled. Note that it might still buffer, for example because you have enabled buffering globally in your php.ini.
  • The match_collection validation rule now always returns true if no collection was passed to match against.

Removed code (because it was deprecated in v1.6 or earlier)

n/a

Security related

  • PHPSecLib has been updated to a more recent version.
  • Htmlawed has been updated to version 1.1.19.

System changes

  • The dependency with FuelPHP\Upload is now with version 2.0.2.
  • The frontloader now has a generic Exception catching mechanism. For every Exception caught you can have the frontloader route to a route entry of your choice. By default, these are defined: HttpNotFoundException (_404_ route), HttpNoAccessException (_403_ route) and the HttpServerErrorException (_500_ route).
  • The finder caching system has been updated to avoid incorrect cache hits when loading files from modules or packages.
  • Module and package paths are now forced to be lowercase to comply with the standards.
  • You can now configure additional paths to be cleaned, to avoid giving away FQFN in error messages.
  • When running migrations, your up() or down() method can return false to signal it can't execute the method at that point in time. Migrations that use this method are now automatically re-tried in a second migration run. This helps with dependencies, to make sure migrations run in the correct sequence (for example if an app migration requires a package migration to run first because it needs access to its tables).

Specific classes

  • Cache: The XCache delete_all() method now actually deletes it all.
  • Config: when using a database as backend storage, you can now specify the name of the database config that needs to be used to access the "config" table.
  • Config: you can now store config information in a memcached backend (think about persistency!).
  • Controller_Hybrid: calling a REST method from a browser now returns the correct result.
  • Crypt: can now be instantiated, if you need to use multiple crypt keysets in your application.
  • DB: count_last_query() now correctly handles SQL containing sub-queries.
  • DB: database result objects can now be assigned a custom sanitation for specific encoding/decoding logic when results are send to a View. This also means you will no longer get a "database results are read-only" exception when you do.
  • Error: the log level used for errors is now configurable.
  • Form: the label() method now has support for the "for" attribute.
  • Format: new parameter for to_xml() allows you to specify how booleans must be represented (0/1 vs false/true).
  • Inflector: the inflector ruleset has been moved to a lang file, so it can easily be amended, and provide support for introducting non-english language rulesets.
  • Input: new query_string() method to return the main requests query string.
  • Input: a header value lookup is now done in a case-insensitive manner.
  • Lang: now allows you to load the same lang filename for different languages concurrently.
  • Lang: load() now has support for dot-notation when loading into an existing group.
  • Log: Monolog initialisation has moved to a separate method, making it easier to overload it.
  • Migrate: will now autoload a module or a package before it executes its migrations.
  • Module: when unloading a module, the routes defined by the module will be correctly removed.
  • Pagination: page and item calculations have been improved, to allow more flexibility in passing page data to the object.
  • Presenter: now supports the "::" notation to force loading a presenter from a module.
  • Response: now has loop detection for redirect_back().
  • Session: driver garbage collection has moved to a separate method, making it easier to overload it.
  • Session: the rotation_time configuration key can now be set to false to completely disable automatic session id rotation. Use with care!
  • Theme: you can now specify the other in which partials must be rendered for output. This allows you to render content before headers and footers, needed to dynamically add assets.
  • Theme: the presenter() method now allows you to pass a custom view name (like Presenter::forge() that is theme aware. Validation: the match_collection rule can now be run in strict mode, which meanly helps when validating booleans.
  • Validation: new rule specials allows matching against non-latin characters considered alphabetic in unicode.
  • View: get() and set() now supports dot-notation for getting values from stored arrays.

Packages

  • Auth: the broken support for separate read- and write DB connections has been fixed.
  • Auth: Ormauth now correctly handles uses without any group.
  • Auth: Ormauth now keeps the current users effective rights in memory for faster access.
  • Auth: the use of force_login() now correctly registers the drivers logged-in state, so a global logout will now do what it promises.
  • Auth: drivers now force a session id rotation on login.
  • Auth: when using "Opauth", related provider records are now deleted when the user is deleted.
  • Auth: Orm models now correctly define their properties, to allow overloading.
  • Auth: login() now has multi-driver support (will attempt to login all drivers if configured)
  • Auth: the opauth interface class now also supports Opauth packages that are not HTTP based (like this LDAP driver).
  • Email: header encoding is now disabled for the "Mandrill" driver.
  • Email: the "Mailgun" driver now has support for attachments.
  • Oil: generated templates can now handle custom Auth drivers, as long as they extend one of the included drivers.
  • Oil: the PHP server command has been fixed for use on Windows platforms.
  • Orm: The slug observer now also works for Model_Soft models.
  • Orm: to_array() now handles multi-level relations of different type a lot better.
  • Orm: in a "many_many" relation, you can now define an ordering on a column in the "through" table.
  • Orm: models now allow you to define separate read- and write database connections.
  • Orm: better support for select(). Please not that is it still not advised to use this, and it is still required to have the PK as part of the result.
  • Orm: the behaviours filter_properties and array_excludes for to-array() now have getters.
  • Orm: where() now accepts a single DB::expr() object as argument.
  • Orm: set() now allows you to pass an array structure that can recursively set relations (currently "has_one" and "belong_to" only).
  • Parser: now also handles view files with a ".php" extension correctly.
  • Parser: you can now use Debug::dump() in a twig template.
  • Parser: in Twig templates you can now access the current Asset instance to load css, js or image files.

v1.7.2

Important fixes, changes, notes. Read them carefully.

Viewmodel

As of 1.7.2, the Viewmodel class is deprecated, and replaced by the Presenter class. Functionality has remained largely the same, and a Viewmodel alias is present to maintain backward compatibility.

It has proven difficult to explain what a Viewmodel is and does, and why you should use it. Also having a classes/view and a views folder was very confusing for a lot of people. It is also a step closer to Fuel v2, there this class is also called Presenter.

Backward compatibility notes

Request_Curl

As a result of the security issue mentioned below, the auto-format of the response in the Request_Curl class is now disabled by default, as it is possible for a malicious site to construct a response of a specific reponse type that can lead to code execution. This means that if you use Request_Curl, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.

Validation

The validation rule required rule no longer treats an input value false as a value, so passing this value will now trigger a validation error.

Database

The PDO driver now returns the error code of the underlying database driver back as the error code in the Database_Exception, instead of the PDO error code. This allows you to act on specific platform errors.

It also means you loose access to the original generic PDO error code, which you can work around by retrieving the current PDO database connection (through the connection() method on the database object) and call PDO's errorCode() method to retrieve the original generic PDO error code.

Removed code (because it was deprecated in v1.7.1 or earlier)

None.

Security related

Request_Curl

There was one security advisory issued for 1.7.1, which also impact all previous versions from 1.1 onwards (see http://fuelphp.com/security-advisories). The issue is mitigated in 1.7.2, it is strongly advised that you upgrade as soon as possible, or alternatively follow the advice in the advisory.

Database

A potentional vulnerability was discovered in the way column name quoting was done. This has been fixed. This means that coding SQL functions manually was something you could get away with earlier now require you to use DB::expr() to encapsulate the function.

// old code, no longer works
$result = DB::select("LOWER \"field\")")->from($table)->execute();

// has to be replaced by
$result = DB::select(DB::Expr("LOWER \"field\")"))->from($table)->execute();
Errors

Error messages are now escaped, to prevent a possible XSS through the generated error. Note that it is best practice not to display error messages in a production environment, so the possible risk for XSS is deemed to be very low.

System changes

  • A possible XSS vulnerabity in the Profiler output has been fixed.
  • The import() function can now also import third-party classes in APPPATH/vendor.
  • When using multiple DB connections, the profiler now shows the connection used for the query.
  • The Profiler now html encodes the output to avoid incorrect handling of the ampersand.
  • The internal Markdown class has been removed, and replaced by the Composer library.
  • Some methods were still defined as private. This has been changed to protected to allow extension.
  • Fully namespaced controllers are now supported. Now you can use class names like Controller\Foo\Bar, Controller_Foo_Bar, or Controller\Foo_Bar.
  • The Database layer now has support for nested transactions, either through native SQL support, or via SAVEPOINTS.
  • The Agent class has been switched back to the original browscap.org URL's.
  • Saving a Lang or Config file will now flush the APC and/or Opcode cache.
  • Double quotes inside an HTML tag attribute value are now escaped.
  • Debug logging has been added to the Session classes to aid in debugging session loss.
  • GZIP compression is now automatically disabled if the client indicates it doesn't support it.
  • Unit tests have been adapted where needed to support PHPUnit 4.
  • The html_tag helper function now generates compliant HTML.
  • Several pieces of file handling code has been modified to handle Windows file paths better.
  • The Autoloader now thows an exception if the class file can be found, but it doesn't contain the class expected.
  • The Autoloader now supports loading Traits.
  • The shutdown handler now logs any error if it fails to shutdown properly.
  • The included PHPSecLib version has been upgraded to the July 1st version of the php5 branch.
  • Unit testing now has support for AspectMock.
  • An entry to the phpunit xml has been added to run tests in modules.

Specific classes

  • Agent: Now correctly uses the defined browser agent instead of the system one.
  • Arr: New keyval_to_assoc() method converts key-value pairs into an associative array.
  • Arr: When passing an object as key to get(), it is now cast to string.
  • Asset: Has a new config option "always_resolve", which will do local asset resolving even for absolute URL's.
  • Cache: A check is added to avoid possible deadlocks with using files for caching.
  • Cache: Now has a driver for Xcache (http://xcache.lighttpd.net).
  • Cli: Backtrace output has been rewritten to make it more readable on the commandline.
  • Cli: Now has the option to disable output colouring.
  • Cli: New methods stdout and stderr allow you to redirect them to file.
  • Config: When saving a config file, the configured permission mask is now applied.
  • Controller_Hybrid: Now correctly handles returned array responses.
  • Controller_Rest: When no data is returned, "204 NO CONTENT" status is set.
  • Controller_Rest: Better support for Digest authentication.
  • Controller_Rest: The option to specify the return format in the URL now actually works.
  • Database: The PDO driver will now add the charset to the DSN if not specified.
  • Database: The MySQL drivers no longer use the "AUTOCOMMIT" value, which interferes with table locking.
  • Database: Insert now has the options to define multiple value sets, to insert multiple rows at once.
  • Database: Quoted strings can now passed to methods without requiring DB::expr().
  • DBUtil: Default values are now correctly quoted, instead of escaped.
  • DBUtil: Make sure the COMMENT keyword appears before AFTER and BEFORE.
  • DBUtil: Now allows you to set a specific DB connection to operate on.
  • Fieldset: field() without parameter will now correctly return all defined fieldset fields.
  • Fieldset: Now has a delete() method to remove an existing field from the fieldset.
  • Fieldset_Field: set_fieldset() now allows you to move a Field to a different fieldset.
  • File: download() now has the option to delete the file after download is completed.
  • File: New file_exists() method that will honour the defined Area.
  • File: Fixed possible infinite recursion in delete_dir().
  • File: Download now supports the option to select "inline" or "attachment" disposition.
  • Form: If no action is specified to open(), the current URI will be used.
  • Format: CSV conversion methods now have separate config for import and export of CSV data.
  • Format: Improved CSV parsing, to support non-standards formats created by Microsoft applications.
  • Format: CSV files without headers can now be imported.
  • Format: to_csv() now allows you to define custom headers.
  • Format: Incorrect handling of empty XML tags has been fixed.
  • FTP: Fixed directory recursion in delete_dir().
  • Inflector: The separator of friendly_title() is now configurable.
  • Input: Added better support for NGINX.
  • Lang: If multiple languages are defined, the lang files are now loaded in the correct order.
  • Log: New log_filename config key allows you to override the generated log file name.
  • Model_Crud: Can now correctly handle properties with a null value.
  • Mongo_Db: like() method now correctly uses it's wildcard parameters.
  • Mongo_Db: New method list_collections().
  • Pagination: Logic has been completely rewritten to fix all bugs.
  • Pagination: You can now define an offset to shift the active page in the navigation block left or right.
  • Session: set_flash() now correctly resets the state when setting an existing expired flash value.
  • Session: Deleting a session cookie now takes the configured path and domain into account.
  • Session: Now has emulation of $_SESSION, to support external code using this to access session data.
  • Str: The truncate method now correctly handles multibyte strings.
  • Uri: An empty URI string is valid input for Uri::create().
  • Uri: Uri suffixing has been rewritten to accept new long TLD names.
  • Validation: valid_string now allows you to test for "slash" and "backslash".
  • Validation: New valid_collection rule allows you to check against a predefined list of values.
  • Validation: The required rule no longer treats false as a value.
  • Viewmodel: Now has the option to unset a variable set on it.

Packages

  • Auth: The included ORM User model now supports both Ormauth and Simpleauth.
  • Auth: Ormgroup's member() method now correctly checks for group membership.
  • Auth: Calculating effective user permissions in Ormauth has been fixed.
  • Auth: Opauth: if no nickname is returned by the provider, try to find a match on email address.
  • Auth: Ormauth now supports database selection and DB's replication features.
  • Email: Recepient names are now quoted to support comma's in the name.
  • Email: New Mailgun driver to support sending email through Mailgun's email service.
  • Email: SMTP driver now only authenicates ones per connection, to facilitate bulk email.
  • Email: Added the option to strip or leave HTML comments in the HTML message body.
  • Email: New Mandrill driver to support sending email through Mandrill's email service.
  • Email: SMTP driver now supports STARTTLS for secure email. Used for example by Google mail.
  • Email: Now has a config option to automatically correct relative protocol URI's in HTML bodies.
  • Oil: oil server now has inline help.
  • Oil: Authentication in generated Admin controllers has been fixed.
  • Oil: Added the --module argument to add module support to the code generation commands.
  • Oil: Scaffolding templates are updated for Boostrap 3.
  • Oil: oil test now supports the PHPunit argument --testsuite.
  • Oil: oil test now supports the PHPunit argument --debug.
  • Oil: oil generate model now can generate ORM temporal or nestedset models.
  • Oil: the --with-viewmodel switch has been renamed to --with-presenter.
  • Oil: when refine calls an unknown command, it now lists the ones defined in the Task.
  • Oil: Generated view code now works properly cross platform and cross OS.
  • Orm: to_array now also also exports EAV value pairs.
  • Orm: The before_save observer is now called before the object is checked for changes.
  • Orm: New enable_event and disable_event methods for enabling/disabling observer events.
  • Orm: Fixed Soft_Delete::purge, now it actually deletes the purged records.
  • Orm: You can now pass custom data when forging an ORM object.
  • Orm: Observer_Slug now has a configurable separator.
  • Orm: Observer_Slug now allows you to generate duplicate slugs, or to assign slugs manually.
  • Orm: Fixed validation of new objects, now all fields are correctly validated.
  • Orm: There is now support for DB::expr() in ORM select().
  • Orm: There is now support for select('*').
  • Orm: You can now add custom sanitation code to a model (used when a model object is passed to a View).
  • Parser: Twig driver now support Input::post, Session::get and Auth::check.
  • Parser: Smarty driver how has the same Fuel interface plugins as Twig.
  • Parser: Now supports the "Lex" parser (http://github.com/pyrocms/lex).

v1.7.1

Important fixes, changes, notes. Read them carefully.

  • The index.php has been updated to make sure the Response body is rendered, and rendered only once. When upgrading to 1.7.1, don't forget to apply these changes!
  • When using the REST controller and returning an array as a response, the controller now checks if the response format is compatible. If not, it will return an error messsage and set a 406 HTTP status when in production mode. In other modes, it will return a warning and a JSON encoded dump of the array.

Backward compatibility notes

None.

Removed code (because it was deprecated in v1.7 or earlier)

None.

Security related

There were one security advisory issued for 1.7, which also impact all previous versions (see http://fuelphp.com/security-advisories). These issues are addressed in 1.7.1, it is strongly advised that you upgrade as soon as possible.

System changes

A new Sanitization interface has been introduced to the core. Objects can implement this interface, and when you pass such an object to a View, the object will not be cleaned, but the individual properties will be cleaned by the object itself when the properties are requested by the view.

ORM and Model_Crud models now implement the sanitization interface by default, and when enabled, they will return a cleaned copy of the property, instead of the property itself. This means you can now pass ORM model objects to Views, without the ORM object being destroyed.

Specific classes

  • Cache_Storage_Redis: Support for non-default Redis DB configs has been fixed.
  • Arr: get() now allows you to get array values using a key that contains a dot.
  • Arr: search() now has a new parameter to enforce a strict search.
  • Asset: css() now accepts the 'type' attribute.
  • DB: Now allows a DB connection to be set, to make sure SQL is compiled using the correct driver.
  • DB: You can now disconnect() and connect(), allowing you to reconnect when the connection has dropped.
  • DBUtil: set_connection() now accepts null to reset the connection instance set previously.
  • DBUtil: add_foreign_key() now has support for custom DB connections.
  • DBUtil: create_index now allows you to create a PRIMARY KEY index.
  • DBUtil: drop_index now allows you to drop a PRIMARY KEY index.
  • File: download() will now be executed after cookies have been written.
  • Form: select() now accepts zero or null as selected value.
  • Format: from_xml() now has support for XML namespaces.
  • Format: to_json() now accepts JSON encoding options, with configured default options.
  • Fuel: Make sure the locale is set before processing 'always_load'.
  • Image: create_hex_color() now correctly processes the alpha value.
  • Image: convert_number() can now deal properly with numbers using a decimal comma.
  • Image: Imagemagick driver now correctly stores the image size in its cache.
  • Input: uri() now always returns the URI with a leading slash.
  • Input: You can now control double decoding of urlencoded forms.
  • Lang: No longer uses a fixed path delimiter, causing issues on Windows.
  • Lang: When multiple languages are defined, the files are now loaded in the correct order.
  • Migrate: Now displays the correct migration version when migrating down.
  • Migrate: Now checks for existence of packages and modules before attempting to migrate them.
  • Model_Crud: Now implements lazy sanitation when an object is passed to a View.
  • Theme: You can now call render() more than once.
  • Uri: When $_GET is reassembled, it will now be security cleaned.

Packages

  • Auth: Problems with direct updates of permission join tables (PK=FK) have been fixed.
  • Auth: The multiple-logins config setting is now ignored unless there actually are multiple login drivers.
  • Email: A background color (#aabbcc) in an img tag is no longer seen as an attachment.
  • Parser: auth_has_access has been added as a Twig function.
  • Oil: Improved error reporting when it is unable to parse the given field definition.
  • Oil: When running a module task, the module path is now added at the front of the finder path list.
  • Oil: Duplicate migration filename detection has been fixed.
  • Oil: Refine will no longer dump the callstack when an exception occurs in production mode.
  • Oil: Generating a drop table migration has been fixed.
  • Orm: Models now implement lazy sanitation when an object is passed to a View.
  • Orm: Missing config for Temporal models has been fixed.
  • Orm: Model_Temporal find_revision() no longer throws an exception when no revision could be found.
  • Orm: The UpdatedAt observer now has the option to mark the object as updated if a related object was changed.
  • Orm: The Slug observer now has the option to define a custom separator.

v1.7

Full List of core changes since 1.6.1

Important fixes, changes, notes. Read them carefully.

  • A fix has been added to deal with PHP bugs #42098/#54054, which cause an SPL autoloader to malfunction when trying to autoload from an exception handler. This will fix erradic "class not found" messages when processing exceptions.
  • File::close_file() was broken when using locking. This has been fixed.
  • Date::test_format() no longer resets the current timezone to UTC.
  • Output buffering is now disabled when in CLI mode. This allows you to get messages from your tasks in realtime, instead of having to wait until the task has finished.
  • A bug in all session drivers (except cookie) that caused the session timestamp not to be updated has been fixed. The session will now not expire as long as there is activity within the expiration timeout.
  • PHP E_ERROR's are now reported as "Fatal error".
  • Profiler data will no longer be added to the output if the request is an ajax call.
  • The finder now checks for "?:" to detect a Windows path, so that one-letter module names can be used in finder filenames ("?:filename").
  • Where relevant calls to file_exists() have been changed to is_file() for performance reasons.
  • Where relevant calls to call_user_func_array() have been changed to call_fuel_func_array(), our internal equivalent which is about 30% faster.
  • Lots of bugfixes in the Auth package, especially in relation to OpAuth and the Ormauth drivers.
  • Lots of bugfixes in the Orm package, especially related to Model_Soft and Model_Nestedset.

Backward compatibility notes

  • The CSV configuration for the Format class has been split into a separate config for imports and exports. Also, the default escape character has been changed from a backslash to a double quote, to be more standards compliant. If your application relies on the backslash, make sure to create a custom format config after you have upgraded.
  • The Redis class has been renamed to Redis_Db, to avoid collisions with the Redis PECL class, which seems to be installed by default on a lot of systems. If the PECL extension is not found, Redis_Db will be aliased to Redis, to make sure existing applications that use the Redis class don't break. If you use the Redis class, it is advised that you change it to Redis_Db.
  • Cookie::set() now returns false when called in CLI mode.

Removed code (because it was deprecated in v1.6 or earlier)

  • The Event::shutdown() method has been removed. This is replaced by two events, 'shutdown' which can be used by applications to run code after the script has finished, and 'fuel-shutdown', which runs after the application shutdown events, will close any open session, and runs the framework cleanup.

Security related

There were two security advisories issued for 1.6.1, which also impact all previous versions (see http://fuelphp.com/security-advisories). These issues are addressed in 1.7, it is strongly advised that you upgrade as soon as possible.

System changes

  • Composer now runs "oil refine install" when you run the initial installation.
  • A web.config file is now included to support rewriting for those using PHP/IIS on Windows.
  • Twitter Bootstrap has been upgraded to 3.0. Check for dependencies with your current code if you upgrade, oil will now generates 3.0 compliant view files.
  • FuelPHP\Upload has been switched to version 2.0.1. If you upgrade, don't forget to change your composer.json and run php composer.phar update.
  • Exception handling in the index.php now resets the main Request, to avoid subsequent Requests to be seen as HMVC calls.
  • index.php now only updates the output with profiling data if the placeholders are present in the output.
  • All code using preg_replace() with the \e modifier has been rewritten to be compliant with PHP 5.5+.
  • Reverse routing now works with regex routes.

Specific classes

  • New Arr::merge_assoc() method as alternative to array_merge_recursive(), which does not alter numeric keys, and does not merge mixed values (see docs).
  • New Arr::reindex() method to recursively reindex an indexed array, or the numeric keys in an assoc array.
  • New Arr::subset() method returns a subset of an array based on a list of (dot-notated) keys.
  • Asset methods css() and js() now allow inline code to be passed as a string.
  • Cache_Storage_Memcached now creates and reuses a single connection to the Memcached server.
  • Cache_Storage_Memcached now supports a relative expiration time, like the native PHP functions.
  • Cache_Storage_Redis now creates and reuses a single connection to the Redis server.
  • Config now has a driver to store config data in a database table.
  • Date has a new emulation function for strptime(), for better Windows support.
  • DB now supports master/slave configurations, completely transparent for the application.
  • DB where() method now has support for DB::expr().
  • DB configuration now has support for speciying the collating sequence.
  • New has_connection() method for DB::instance() to check if a valid DB connection is present.
  • You can now create nameless Fieldset objects.
  • File_Handler_File now has a new method get_path() to retrieve the file's path.
  • New Form::csrf() method to add a hidden field to your form with the CSRF token.
  • Form::select() now allows you to pass a default value via the attributes array.
  • Form::to_xml() now has a configuration option to escape data using CDATA instead of converting to HTML entities.
  • Fuel has improved base_url detection, to work better with installations inside the document root.
  • New Image extension() method to retrieve the extension of the loaded image.
  • Input now supports the HTTP method PATCH.
  • Lang now has a driver to store language data in a database table.
  • Log now tells you why it couldn't open or write to the logfile.
  • Migrate now prints a warning if one or more migration steps were skipped.
  • Mongo_Db now uses the MongoClient class, instead of the deprecated Mongo class.
  • Pagination now casts all numeric values to int after calculation.
  • Pagination now has a __toString() method to render when the object is cast to string.
  • Pagination render methods now correctly use the configured default values when called without arguments.
  • Pagination::render() now has the option to return the raw pagination data array instead of the rendered HTML.
  • New config section for Pagination to support Bootstrap v3.
  • New Redis_Db method psubscribe() allows you to listen and define a callback for every response.
  • Request now writes the request type to the log, together with the requested URI.
  • Request now checks if all required action arguments are present, and throws HttpNotFoundException if not.
  • Response now has an updated HTTP status code list (including the famous 418!).
  • The use of wildcards in a URI for Response::redirect() is now configurable.
  • Security::xss_clean() is now using htmLawed v1.1.16.
  • New options parameter for Security::xss_clean() to pass custom configuration to htmLawed.
  • Security::check_token() now uses Input::param() to fetch the token. This allows HTTP methods other then POST to be secured with a token.
  • New Str::random() feature to generate UUID v4 strings.
  • Uri::segment_replace() now allows you to force the URL scheme to HTTP or HTTPS.
  • New Uri::update_query_string() method allows you to add query string data to an existing URL.
  • Validation::valid_date() will now ensure the date value format is valid.
  • New Validation::get_error_message() to retrieve all or individual error message from validation error objects. This saves you having to loop over the objects in your code to get the messages out.
  • Validation::valid_string() now has support for "brackets" and "braces".
  • Viewmodel::forge() now allows you to pass a custom view name or View object.
  • New Theme::viewmodel() method allows you to create theme aware Viewmodel objects.
  • Upload init method has been modified to make sure uploaded files are not processed twice.
  • New Uri::build_query_string() method to generate a query string from a list of arrays or strings.

Packages

  • Auth: Opauth driver now has a config switch to allow auto registration after OAuth login.
  • Email: Added support for images in base64 encoding.
  • Email: Fixed additional blank line in the mail header causing some mailservers to barf...
  • Email: New getter methods get_from(), get_to(), get_cc(), get_bcc(), get_subject(), get_body() and get_reply_to().
  • Oil: There is now support for the _init() static method for tasks.
  • Oil: test now has (expiremental) support for phpunit.phar.
  • Oil: Scaffolding menu links are now rendered as buttons.
  • Oil: Running create inside a valid FuelPHP installation now displays an error message.
  • Oil: Generating a migration without the correct arguments now fails with an error message.
  • Oil: Scaffolding and Admin scaffolding now generate Bootstrap v3 compliant view files.
  • Oil: New package command generates a skeleton for a new package.
  • Oil: You can now use dashes and underscore in generate field options (p.e. enum values).
  • Oil: All commands now have a help screen.
  • Orm: Observer_Typing now creates an empty array when calling unserialize() on a NULL column value.
  • Orm: get_one() now uses rows_limit(1) when fetching an object with related objects.
  • Orm: New Model_Soft::purge() method allows bypassing the soft-delete functionality and delete an object permanently.
  • Orm: Model::to_object() can now be called with the same arguments as to_array().
  • Orm: group_by() Query method now supports relation name prefixes for column names.
  • Orm: You can now pass additional conditions to a lazy get() of a related object.
  • Orm: Model_Soft now has support for count(), min() and max().
  • Orm: min() and max() results are no longer cast to int, so they can be used on date columns.
  • Orm: Model::to_array() has better object tracking to prevent recursion.
  • Orm: from_array() now has support for the EAV extension. Importing non-model properties will now create EAV records instead of custom data if the model has an EAV container configured.
  • Orm: There is now support for EAV containers in Model_Nestedset.

v1.6.1

Backward compability notes

Orm: You can no longer use property assignment to create a custom property on a model object if that model implements an EAV container. It will set an EAV value instead.

Removed code (because it was deprecated in v1.6 or earlier)

Orm: calling find() with no parameters or with a single parameter that is null will return null as a result. It will no longer throw an exception.

System changes

  • Fixed broken CSS code in the welcome controller views.
  • Improvement to the query analysis information displayed in the profiler (MySQL only).
  • The included Markdown library has been upgraded to v1.2.6.
  • Lots of path processing improvement to have the framework work better on Windows.
  • Finder now ignores the cache if there are permission issues on the cache file.

Specific classes

  • Agent: Don't try to fetch browser information if no user agent is present in the server data.
  • Arr: New previous_by_key() method to fetch the previous key or value from an array using the current key.
  • Arr: New previous_by_value() method to fetch the previous key or value from an array using the current value.
  • Arr: New next_by_key() method to fetch the next key or value from an array using the current key.
  • Arr: New next_by_value() method to fetch the next key or value from an array using the current value.
  • Cache: delete_all in the File driver now properly recurses all folders.
  • Controller: Now has a response_status property to set the HTTP status for automatically created responses.
  • Controller_Rest: Fixed using a controller method to determine the authentication status.
  • Controller_Rest: Fixed warning when the format passed in the URL is not a valid format.
  • Crypt: Now uses the file permissions defined in the file.php configuration file when generating the crypt configuration file.
  • Format: "to" methods now deal with a passed null value correctly.
  • Html: Now enforces HTML5 by default.
  • Input: New headers method allows you to fetch HTTP headers.
  • Input: New allow_x_headers configuration key controls if using X-headers are acceptable.
  • Inflector: Method friendly_title() now correctly deals with apostrophes by replacing them with a separator.
  • Request_Curl: Added support for the 'HEAD' method to the cURL driver.
  • Response: New redirect_back() method to redirect back to the previous page in your application.
  • Session: Now supports passing the session id as a string in get/post variables.
  • Session: Now supports passing the session id in the "Session-Id" HTTP header.
  • Session: Now allows you to disable creating a session cookie if you want to pass it manually.
  • Session_Redis : Fixed recovering from expired sessions when using the Redis driver.
  • Theme: Now allows you to store module theme views inside the module folder.
  • Theme: New partial_count and has_partials methods.
  • Upload: Implemented missing save() argument behavior, for backward compatibility.
  • Viewmodel: New get_view() method returns the associated View object.

Packages

  • Auth: Now includes secure "remember_me" functionality.
  • Auth: Fixed typo in the Simpleauth migation file, causing a missing 'group' column
  • Auth: Ormauth's create_user() method now supports updating profile fields (which are mapped to EAV attributes) for compatibility with Simpleauth.
  • Auth: Now includes an OpAuth interface to integrate OAuth authentication with Simpleauth or Ormauth.
  • Auth: When running migrations for Ormauth, groups and roles created now mimic the functionality of Simpleauth.
  • Email: Support added for pipelining, sending multiple emails out over a single connection. Currently only supported by the SMTP driver.
  • Oil: Command processor updated to work from Windows' powershell.
  • Oil: The refine() method of the Command processor now accepts arguments so you can call it from code with the same arguments as from the commandline.
  • Oil: New "--csrf" switch adds the CSRF token to generated forms.
  • Oil: CSS in generated forms has been updated to the new Bootstrap version.
  • Oil: Generated Admin code now has support for Ormauth.
  • Orm: You can now create new EAV attributes by simply assigning a value to a new property (note: this disables Custom data for models with EAV support!).
  • Orm: You can now use unset() to delete an EAV attribute.
  • Orm: Several bugfixes in Model_Soft and Model_Temporal.
  • Orm: New "Nestedset" Model to work with nested sets (hierarchical structures).
  • Orm: No longer signals an insert failure if you don't use auto-increment PK's.
  • Orm: Observer_Slug now works correctly with Model_Temporal.
  • Orm: Added count(), min() and max() support to Model_Soft and Model_Temporal.
  • Orm: Complex find_this_and_that_or_other() calls now work correctly.
  • Parser: You can now call Markdown::parse() from within a Twig template.
  • Parser: You can now call Session::get_flash() and Session::set_flash() from within a Twig template.

v1.6

Full List of core changes since 1.5

Important fixes, changes, notes. Read them carefully.

  • This release officially introduces Composer to FuelPHP. You will have to install it, and run a 'php composer.phar update' to pull in any required packages. Without this step, 1.6 WILL NOT WORK!!!
  • Class names in the Auth package have been modified to match FuelPHP coding standards. Check your configuration ('SimpleAuth' is now 'Simpleauth'!) and any class extensions you have made.
  • The Log functionality has been moved back in the core. If you are upgrading from 1.5, please remove the old 'Log' package from the always_load section in your config.php, and remove the package from the packages folder.
  • The environment 'stage' has been renamed to 'staging', the corresponding constant to Fuel::STAGING.
  • You now get a proper error message if your PHP timezone settings are not correctly configured.
  • You now get a proper error message if there is an issue with rights to the log file.
  • All code that creates files or directories has been rewritten to properly set the configured permission mask without using umask(), which is not thread-safe.

Backward compability notes

  • The names of the Auth classes have been changed to comply with FuelPHP coding standards (Auth_Login_Simpleauth instead of Auth_Login_SimpleAuth), this can cause a class-not-found error if you have extended an Auth class in your application.
  • The ORM validation_observer now has multiple events. Do not define it without specifying which events to call, as it would cause validation to be called twice!
  • The Orm behaviour with regards to relation assignments has been changed. Now, when you do an unset(), a set to NULL or array(), or you assign a new value, the previous relation will be unset. Regardless of whether you had fetched that relation or not. This might impact your application if you have used this 'bug' as a shortcut to adding additional objects to an existing relation!

Removed code (because it was deprecated in v1.5 or earlier)

  • Orm: find() and find(null) functionality is now removed. Use query() instead.

Code deprecated in v1.6 (to be removed in the next release)

  • ViewModel: when determining the name of the ViewModel class to load, it will search for classes with and without the 'View_' prefix. This behaviour is deprecated, as of the next release ViewModel classes MUST be in classes/view, and MUST be prefixed with 'View_'.

Security related

  • The default security filters have been removed from the core configuration, to allow you to define your own security filters. Note: if you're migration from previous versions and relied on this default config, make sure your app config file has the default security filters defined!

System changes

  • The Markdown library has been upgraded to 1.2.6.
  • The cache option in the global configuration now correctly caches finder paths to speedup file lookups.
  • Controller methods can now return 'false' or 'array()' as valid values, for use in HMVC requests.
  • Exceptions in shutdown event are now properly caught and handled.

Specific classes

  • Agent: will now re-use an expired download if a new browscap file could not be downloaded.
  • Arr: New search method allows you to search for values in array structures, and get the (dot-notated) key returned.
  • Arr: New unique method allows you to de-dup an array. Like array_unique(), but this one supports objects and closures, and doesn't sort the source array first.
  • Arr: New sum method allows you to sum up specific values in a multi-dimensional array structure.
  • Asset: now generates the correct Asset URL when using a CDN.
  • Controller_Rest: now allows auth checks using a controller method (avoids before() or router() hacks).
  • DB: new identifier method allows you to properly quote an identifier for use in custom queries.
  • DB: the Database_Transaction class that was already deprecated in v1.2 has been removed. All drivers support transactions natively.
  • DButil: now supports the keyword "PRIMARY KEY" on field updates.
  • Cache: index mechanism has been refactored. Dependency checking now works properly when using APC, Memcached or Redis backends.
  • Error: a new configuration option allows you to render already generated output to be shown in error messages via the 'prior output' link, instead of the HTML.
  • File: create_dir method now works properly on Windows.
  • Form: select now doesn't use inline css to generate optgroups unless needed.
  • Fieldset: fixed generation of invalid labels.
  • Html: anchor method now generates URL's without a trailing slash.
  • Input: uri method now works properly on Windows.
  • Lang: delete method now works properly when passing a $group value.
  • Pagination: now generates the last link correctly.
  • Profiler: DB query profiling now includes a stack trace for every query to make it easier to find it in your code.
  • Router: now supports protocol specific routes (http/https) in verb based route notation.
  • Upload: has been rewritten to use the FuelPHP v2 composer library.
  • Viewmodel: now calls before before rendering the view, instead of when constructing the object.
  • Viewmodel: ViewModel class name is now correctly determined from the passed view name.
  • Viewmodel: Will now look in the global namespace for the ViewModel class if called from a module and not found in the module namespace.

Packages

  • Auth: Class names have been modified to match FuelPHP coding standards.
  • Auth: update_user now verifies if the new email address is unique before updating it.
  • Auth: Number of PBKDF2 iterations can now be configured in the auth config file.
  • Auth: Multiple concurrent user logins can now be configured through the driver configuration file.
  • Auth: Auth login drivers now set 'updated_at' correctly.
  • Auth: new get method allows unified access to all user properties.
  • Auth: new groups method which returns the list of all defined groups.
  • Auth: new roles method which returns the list of all defined roles.
  • Auth: new 'Ormauth' driver set that uses the database through ORM as datastore.
  • Auth: Package now contains migrations for both Simpleauth and Ormauth.
  • Auth: New 'Simple2Orm' task can migrate your existing Simpleauth config to Ormauth.
  • Email: Attachments can now be named.
  • Log: The Log package, introduced in 1.5 as a temporary solution, has been removed again.
  • Oil: Fixed redirect loop in the generated admin backend code.
  • Oil: Improved exception handling and reporting.
  • Oil: Added support for ORM soft-delete models.
  • Oil: Modified the scaffolding templates to work better with bootstrap.
  • Oil: New commandline options for PHPunit allow for more granular testing and logging.
  • Orm: Validation observer now supports 'before_insert' and 'before_update'.
  • Orm: Now correctly resets foreign keys if cascade_delete is false.
  • Orm: Added view support to count(), min() and max() queries.
  • Orm: min() and max() now return integers instead of strings.
  • Orm: Added temporal support (data versioning).
  • Orm: You can now test for existence of EAV attributes using isset().
  • Orm: Validation observer can now validate on insert and update too.
  • Orm: It is now allowed for models to have a FK as part of the PK.
  • Orm: You can now order a many_many result on an attribute in the through table.
  • Orm: You can now pass custom (non-column) data when forging a new model object.
  • Orm: Current relations are now properly unset when using unset() or a new assignment.
  • Orm: from_array now returns $this so you can chain on it.
  • Orm: from_array now allows you to load custom data.
  • Orm: from_array now allows you to load related objects from a multidimensional array.
  • Orm: Several speed improvements in Observer_Typing.
  • Orm: Observer_Typing float conversions are now locale aware.
  • Orm: Observer_Typing now uses property defaults on null values if defined.
  • Orm: Observer_Typing can now handle MySQL '0000-00-00 00:00:00' datetime values.
  • Orm: new from_cache method allows you to enable/disable object caching on a query.
  • Orm: 'join on' now works correctly as documented.
  • Orm: 'order_by' now works correctly when a subquery is generated.
  • Orm: is_changed now does loose-typing, so 1 => '1' doesn't trigger an update query anymore.
  • Parser: Added support for mthaml (HamlTwig)
  • Parser: Switched to using Composer for smarty, mustache, mthaml and twig template engines.
  • Parser: Markdown has been upgraded to 1.2.6.

v1.5

Full List of core changes since 1.4

Important fixes, changes, notes. Read them carefully.

  • The "Undefined constant MYSQL_ATTR_COMPRESS" issue that pops up under certain conditions has been fixed.
  • It has been reported that under certain circumstances there might be issues with serialized data stored in the Auth user table, field "profile_fields", and the "payload" field in the sessions table. It is strongly advised to define those columns as "blob" to avoid these issues.
  • A new Log package has been introduced in preparation for the transition to 2.0, which replaces the Log class.

Backward compability notes

  • Uri::to_assoc() no longer throws an exception with uneven segments, but returns null as value of the last segment
  • ORM Model::find() no longer accepts null as only parameter. If you want to use that, you are now REQUIRED to also pass the options array (or an empty array).
  • Sessions have been refactored, all validation and validation data has been moved server side. Because of this, pre-1.5 sessions are not longer compatible.
  • The Log class has been removed and replaced by the log package. If you have extended the Log class in your application, you will have to extend \Log\Log instead, and check the compatibility of your changes. If they are about logging to other locations, you might want to look into the Monolog stream handlers instead.

Removed code (because it was deprecated in v1.4 or earlier)

  • ORM Model::find() can no longer be used to construct queries using method chaining. Use Model::query() instead.

System changes

  • Controller_Hybrid: Now sets the correct content-type header on empty responses.
  • Controller_Rest: Now sets the correct content-type header on empty responses.

Specific classes

  • Agent: Will now honour 301/302 redirects when trying to fetch the browscap file.
  • Arr: New filter_recursive method, a recursive version of PHP's array_filter() function.
  • Debug: dump() method now html encodes string variables.
  • Debug: dump() and inspect() can now be styled using CSS (a classname has been added to the div).
  • Fieldset: New set_tabular_form() method allows creation of one-to-many forms.
  • Fieldset: New get_tabular_form() method to check if a fieldset defines a tabular form.
  • Image: New flip() method for vertical/horizontal image flipping.
  • Inflector: friendly_title() now has an option to deal with non-ascii characters.
  • Inflector: pluralize() now has an count parameter to return a singular value if the count is 1.
  • Migrate: Now allows you to define the DB connection to be used for migrations in the global migrations config file.
  • Model_Crud: Now has a $_write_connection property to support master/slave database setups.
  • Mongo_Db: Will now log it's queries to the profiler if enabled.
  • Mongo_Db: Now has a method get_cursor() to directly get a mongodb cursor.
  • Pagination: Now support pagination using a Query String variable.
  • Pagination: Now has support for first/last page links.
  • Response: Will now add a "Content-Length" header when generating the output.
  • Session: Now correctly erases the session cookie on a destroy.
  • Session: Now silently (re)creates the session if data is present by no session is created.
  • Session: Cookie encryption can now be disabled using a session configuration key.
  • Session: Session cookie now only contains the session id. Validation now happens with server-side data.
  • Session: New configuration key expire_flash_after_get controls get_flash() expiration.
  • Session: get_flash() now has to override the configured flash variable expiration rules.
  • Session: set_flash() now has to partial array dot-notation support.
  • Uri: to_assoc() now accepts a start parameter allowing you to skip leading segments.
  • Validation: Now has a new built-in rule 'numeric_between' allowing you to specify a range.
  • Database_Query_Builder_Join: Now supports both AND and ON chaining of join condition.

Packages

  • Orm: Supports the new tabular form fieldset in it's models.
  • Orm: find() options array now has support for 'group_by'.
  • Orm: New Model_Soft implements soft-delete functionality (thanks to Steve West).
  • Orm: from_array() can now also populate related objects.
  • Orm: Model now has a $_write_connection property to support master/slave database setups.
  • Oil: oil install now installs packages without 'fuel_' prefix too.
  • Oil: scaffolding now supports subdirectories.
  • Oil: Now has a config file that allows you to configure the location of phpunit.
  • Oil: Now has a task fromdb that can generate models, migrations, scaffolding or admin from an existing database.
  • Parser: Twig driver has been updated to work with Twig v1.12.0.

v1.4

Full List of core changes since 1.3

Important fixes or changes

  • fixed DB class error about missing PDO::MYSQL_ATTR_COMPRESS constant
  • you are now REQUIRED to set a correct php timezone. The FuelPHP default value of 'UTC' has been removed, as it would cause date conversion errors that are difficult to find. Most notable, you will have issues with session and cookie expiration.
  • ALL default configuration has been moved to core/config. Only use the app/config folder for application specific overrides of default values, or for custom configuration.

Backward compability notes

This release features a new Pagination class that isn't completely backward compatible with the API from previous versions. We have put a lot of effort in emulating the old behaviour of the class, but as PHP doesn't support magic getters/setters for static properties, you'll have to replace those in your code manually when you upgrade to v1.4. The required changes can be found in the documentation.

Removed code (because it was deprecated in v1.3)

  • Removed "auto_encode_view_data" config key, deprecated in v1.2
  • Fuel: Removed Fuel::add_module(), deprecated in v1.2. Use Module::load() instead.
  • Fuel: Removed Fuel::module_exists(), deprecated in v1.2. Use Module::exists() instead.
  • Theme: Removed $theme->asset(), deprecated in v1.2. Use $theme->asset_path() instead.
  • Theme: Removed $theme->info(), deprecated in v1.2. Use $theme->get_info() instead.
  • Theme: Removed $theme->all_info(), deprecated in v1.2. Use $theme->load_info() instead.
  • Orm\Model : Removed $model->values(), deprecated in v1.3. Use $model->set() instead.

Code deprecated in v1.4 (to be removed in the next release)

  • Redis: Redis::instance() will no longer create new objects. Use Redis::forge() for that.
  • Orm\Model: Using the find() method without parameters is deprecated. Use query() instead.

System changes

  • Config and Lang loading with forced reload now bypasses the file cache and always reload.
  • Controller_Hybrid: Is now fully hybrid, with support for get/post methods, and no longer restricted to ajax calls when returning json.
  • Fieldset, Form and Validation now have full support for input tags using array notation.
  • Input and Route now support a new configuration key routing.strip_extension to control wether or not the extension must be stripped from the URI.
  • Lang: fixed double loading of language files when the active and fallback language are the same.
  • Pagination: Class completely rewritten, now with instance and template support.
  • Uri: Has improved extension processing, and now handles dots in URI parameters correctly.
  • The active language is now a per-request setting instead of a global setting. Changing it in an HMVC request will no longer affect the language setting of the parent request.

Specific classes

  • Arr: New filter_suffixed() method to filter an array on key suffix.
  • Arr: New remove_suffixed() method to remove keys from an array based on key suffix.
  • Asset: DOCROOT can now be specified as the asset root path (by using "").
  • Controller_Rest: Now allows you to specify a basenode when returning XML.
  • DB: select() now has an option to reset previous selects.
  • DB: Added error_info() to return information about the last error that occurred.
  • DB: join() can now be used without conditions for a full join.
  • DB: group_by() now supports passing an array of columns.
  • Fieldset: New enable()/disable() methods to control which fields will be build.
  • Fieldset: New get_name() method allows retrieval of the fieldset object name.
  • Fieldset: set_config() and get_config() now support dot-notation for accessing config values.
  • Finder: Fixed PHP notices after removing a finder search path.
  • Format: Added JSONP support.
  • FTP: Now supports a timeout on the connect.
  • Image: Fixed forcing an image extension when using ImageMagick.
  • Inflector: friendly_title() now has the option not to filter non-latin characters.
  • Input: Fixed skipping IP validation when reserved_IP ranges were excluded.
  • Lang: Now supports multiple languages concurrently. Loaded files for a given language code will no longer be overwritten when you switch the active language.
  • Lang: load() method now also returns the loaded group on subsequent calls.
  • Markdown: Has been upgraded to v1.2.5.
  • Migrate: Fixed PHP notice when a non-existent package was specified.
  • Migrate: An up or down migration can now be rejected by returning false.
  • Migrate: Added support for processing out-of-sequence migrations.
  • Redis: Now has a forge() method to create multiple instances.
  • Redis: Added support for Redis authentication.
  • Response: If the body contains an array it will be converted to a string representation before outputting it.
  • Response: redirect() now supports wildcards in the URL.
  • Router: Re-introduced support for routing using URI extensions.
  • Session: Fixed passing a session cookie via POST to allow access to the session by flash objects.
  • Session: Added support for dot_notation to get_flash().
  • Session: Fixed flash variables not being stored when retrieved in the same request.
  • Session: Fixed session key data not available for new sessions until after a page reload.
  • Str: Now has an is_xml() method.
  • Theme: Is now module aware, and can prefix view paths with the current module name.
  • Upload: process() now throws an exception if $_FILES does not exist (due to missing form enctype)
  • Uri: New segment_replace() method allows for replacement of wildcards by current segments.
  • View: get() now returns all variables set when no variable name is given.
  • Viewmodel: get() now returns all variables set when no variable name is given.

Packages

  • Auth: No changes.
  • Email: Added a Noop dummy driver, which can be used to prevent test emails going out.
  • Oil: Added "generate TASK" option to generate task classes.
  • Oil: Added support for Viewmodels to scaffolding.
  • Oil: Fixed errors on false results in the console.
  • Oil: Added support for "drop_{field}from{table}" to migrations.
  • Oil: oil -v now also displays the current environment setting.
  • Oil: New --singular option to force the use of singular names in scaffolding.
  • Orm: Fixed PK overwrite issue when PK is not auto_increment.
  • Orm: Observer_Slug now supports the before_update trigger.
  • Orm: Added support for filter conditions to the model through the $_conditions property.
  • Orm: Fixed incorrect sequence of multiple order_by() clauses.
  • Orm: Implemented full support for partial selects.
  • Orm: Fixed circular reference problem when using to_array() with included relations that self reference.
  • Orm: get_one now uses rows_limit() instead of limit() when set.
  • Orm: Model objects now support custom properties
  • Orm: Added support for custom properties to to_array()
  • Orm: is_changed() now deals better with null values.
  • Orm: Introduced support for EAV containers (emulation of EAV via one or more related tables)
  • Orm: get_diff() now deals better with unset relations.
  • Orm: Relations of new objects can now be fetched if the FK is known.
  • Orm: Added support for group_by().
  • Parser: forge() functionality now equals that of View::forge().
  • Parser: Markdown has been upgraded to v1.2.5.

v1.3

Full List of core changes since 1.2

Removed code (because it was deprecated in v1.2)

  • Controller: Deprecated $response property has been removed from all base controller classes. All controller actions now HAVE TO return their results, either a Response object, or something that can be cast to string. If you are still on pre v1.2 controller code, your application will NO LONGER work after the upgrade to v1.3.

Code deprecated in v1.3 (to be removed in v1.4)

  • Orm: Model method values() has been deprecated. Use set() instead.

Security related

  • PHPSecLib: Has been updated to v0.2.2.
  • HTMLawed: Has been updated to v1.1.12.

System changes

  • Debug_: You can now modify the default display behaviour of dump() through Debug::$js_toggle_open.
  • Upload: Now allows you to set custom messages in validation callbacks.
  • Config: Config::load now always returns the loaded configuration.
  • Pagination: Now uses anchors for all pagination enties, which allows for better styling.

Specific classes

  • Arr: Arr::pluck has been added.
  • Arr: Arr::remove_prefixed has been added.
  • Arr: Arr::insert_assoc has been added.
  • Asset: Has been updated to work better on Windows.
  • Asset: Asset::find_file has been added.
  • Asset: Asset::add_type has been added.
  • DB: DB::in_transaction has been added.
  • DB: Added support for compressed MySQL connections through the new compress config key.
  • Error: PHP notices/warnings/errors are now caught and thrown as an Exception.
  • Event: The Event class has been converted to be instance based.
  • Fieldset: You can now choose to overwrite existing options when using set_options.
  • File: download() has been made to work when shutdown events are defined that set headers.
  • Image: New option on load() to force a file extension.
  • Format: CSV file handling has been improved.
  • Log: Now supports custom log levels.
  • Log: Now allows you to configure an array of specific log levels to log.
  • Migrate: Now supports multiple package paths.
  • Mongo_Db: Mongo_Db::get_collection has been added.
  • Pagination: Added attrs keys to the configuration to define custom anchor attributes.
  • Redis: Added support for connection timeouts through the new timeout config key.
  • Str: Str::starts_with has been added.
  • Str: Str::ends_with has been added.
  • Str: Str::is_json has been added.
  • Str: Str::is_html has been added.
  • Str: Str::is_serialized has been added.

Packages

  • Auth: get_profile_fields() now allows you to fetch a single profile field.
  • Email: New NoOp email driver allows testing without sending emails out.
  • Oil: Now returns a non-zero exit code on failures.
  • Oil: Added support for PHPunit clover, text and phpformat Code Coverage methods.
  • Orm: New model method register_observer() and unregister_observer() to define new observers at runtime.
  • Orm: Added support for where and order_by clauses to relation conditions.
  • Orm: set() method has been updated to provide the same API as Model_Crud.
  • Orm: PK's are now typecast on retrieval if a type has been defined in the properties.
  • Orm: Update query code has been improved for better support of PostgreSQL.
  • Parse: Smarty driver now supports the plugin_dir path.

v1.2

Full List of core changes since 1.1

Removed code (because it was deprecated in v1.1)

  • All factory() methods. The have been replaced by forge().
  • Agent::is_mobile(). Replaced by is_mobiledevice().
  • Arr::element(). Replaced by get().
  • Arr::elements(). Replaced by get().
  • Arr::replace_keys(). Replaced by replace_key().
  • Controller::render(). Is no longer used as actions need to return a Response object now.
  • Database_Connection::transactional(). Was already a NOOP.
  • DB::transactional(). Called Database_Connection::transactional().
  • Fieldset::errors(). Replaced by error().
  • Fieldset::repopulate(). Undocumented parameter was removed, functionality is offered by populate().
  • Fuel::find_file(). Replaced by Finder::search().
  • Fuel::list_files(). Replaced by Finder::instance()->list_files().
  • Fuel::add_path(). Was used by find_file(), no longer needed.
  • Fuel::get_paths(). Was used by find_file(), no longer needed.
  • Fuel::add_package(). Replaced by Package::load().
  • Fuel::remove_package(). Replaced by Package::unload().
  • Fuel_Exception class. Replaced by FuelException.
  • Input::get_post(). Replaced by param().
  • Lang::line(). Replaced by get().
  • Request404Exception class. Is replaced by HttpNotFoundException.
  • Uri properties $uri and $segments are now protected. Use Uri::get() and Uri::get_segment() or Uri::get_segments().
  • Validation::errors(). Replaced by error().
  • Viewmodel property $_template. Is replaced by $_view.
  • Viewmodel::set_template(). Replaced by set_view().

Code deprecated in v1.2 (to be removed in v1.3)

  • Pagination: Class will be removed and replaced by a new Paginate class.
  • Fuel::add_module(). Is replaced by Module::load().
  • Fuel::module_exists(). Is replaced by Module::exists().
  • Theme::asset(). Replaced by asset_path().
  • Theme::info(). Replaced by get_info().
  • Theme::all_info(). Replaced by load_info().

Security related

  • Security class now requires you to define the security.output_filter application config setting. An exception is thrown if it isn't present.
  • Security::htmlentities() now defaults to use ENT_QUOTES instead of ENT_COMPAT as flag. This is configurable in the second argument for the method and the default can be overwritten in config as security.htmlentities_flags.

System changes

  • Controller: action methods, or the controllers after() method if present, now must return a Response object.
  • Controller: before() and after() methods are now optional, as documented.
  • Controller_Hybrid: combines Controller_Template and Controller_Rest in a single base controller for mixed HTTP and REST responses.
  • Controller_Rest: added a fallback to "action_" when no HTTP method action is found.
  • Controller_Rest: you can now define custom HTTP status codes.
  • Controller_Template: the $auto_render setting has been removed, to prevent rendering return whatever you want to use instead.
  • Database: The PDO driver now supports list_columns().
  • Module: new Module class to load or unload modules.
  • Uri: the URL extension is no longer part of the URI. A new extension() method allows you to fetch it.
  • Request: Request_Curl now properly deals with succesful requests that return a 4xx or 5xx HTTP status.
  • Request: Request_Curl and Request_Soap now supports returning header information. A get_headers() has been added to fetch them manually.
  • Router: can now be configured to treat URI's without regards to case.

Specific classes

  • Arr: Arr::to_assoc() now throws a BadMethodCallException on bad input.
  • Arr: Arr::assoc_to_keyval() now requires all parameters and first parameter must be an array or implement Iterator.
  • Arr: Added reverse_flatten(), is_assoc() and insert_before_key() methods.
  • Arr: Added in_array_recursive() to do a recursive in_array() lookup.
  • Asset: Separated into the static front (Asset) and dynamic instance (Asset_Instance).
  • Asset: Separated into the static front (Asset) and dynamic instance (Asset_Instance).
  • Asset: css(), js() and img() methods are now chainable.
  • Asset: you can now specify a URL as location, for CDN support.
  • Asset: new fail_silently config value allows you to skip missing assets.
  • Cli: now supports ANSICON on Windows for colored commandline output.
  • Config: is now driver based to support php, ini, yaml and json type configs.
  • Config: now allow you to load a file by FQFN.
  • Cookie: all cookie data can now be fetched like Input class does.
  • Date: All fuel notices have been replaced by UnexpectedValueExceptions.
  • Date: On windows an extra fallback has been added for the create_from_string() method.
  • Date: new display_timezone()' and get_timezone_abbr()`, and changes to support working with multiple timezones.
  • DB: cache() now has the option not to cache empty resultsets.
  • DB: where() do now support closures to specify the where clause.
  • DB: Update now supports limit() and order_by().
  • DB: now tries to reconnect when a disconnected DB connection is detected.
  • DButil: create_database() now supports 'IF NOT EXIST'.
  • DButil: Better support for the CONSTRAINT keyword.
  • DButil: new add_foreign_key() and drop_foreign_key() methods.
  • Event: shutdown events are now also executed after exit and die statements.
  • Fieldset: added set_fieldset_tag() to define the fieldset tag. Fieldset: added add_before() and add_after() methods to insert a new field before/after a specific field.
  • Fieldset_Field: added add_description() method and {description} tag to templates.
  • Fieldset_Field: added add_error_message() method to create error message overwrites per field.
  • File: download() now allows you to continue processing after calling it.
  • Form: Separated into the static front (Form) and dynamic instance (Form_Instance).
  • Inflector: now supports Hungarian accepted characters when converting to ascii.
  • Input: method() now supports the X-HTTP-Method-Override header.
  • Input: new json() and xml() methods to fetch json or xml from the HTTP request body.
  • Lang: load() method now supports overwriting when merging language files.
  • Lang: now allow you to load a file by FQFN.
  • Lang: is now driver based to support php, ini, yaml and json type language files.
  • Lang: language files can now be saved (as php, ini, yaml or json) using save().
  • Migrate: now tracks individual migrations, so they don't have to have a sequence number anymore.
  • Model_Crud: now supports created_at and updated_at fields, like ORM\Model does.
  • Model_Crud: now has full callback support.
  • Model_Crud: you can now run validation separately (::validates) and skip validation when saving a model.
  • Profiler: profiler logging methods are now NO-OP's when the profiler is not loaded.
  • Profiler: now writes it's output under the page content, instead of using an overlay.
  • Session: Added session task to create and remove sessions table.
  • Session: New sessions are not saved until there is data present in the session.
  • Theme: Separated into the static front (Theme) and dynamic instance (Theme_Instance).
  • Theme: now supports installation outside the docroot (for views).
  • Theme: now uses the Asset class to load theme assets.
  • Theme: instances now support templates, template partials and partial chrome templates.
  • Validation: You can now disable fallback to global input using the 'validation.global_input_fallback' config setting.

Packages

  • Auth: Auth login drivers no have a validate_user method to validate a user/password without setting up a logged-in session.
  • Auth: SimpleAuth SimpleUserUpdateExceptions are now numbered to be able to identify the exact error after catching the exception.
  • Email: Now handles SMTP timeouts properly.
  • Email: You can now specify the return address.
  • Email: Now handles BCC lists correctly when using SMTP.
  • Email: Respects new lines in alt body better.
  • Email: You can now specify the return address.
  • Oil: Use phpunit.xml from APPPATH if present when running unit tests.
  • Oil: Reinstated oil package command to install packages from git repositories.
  • Oil: You can define the environment the command has to run in using the -env commandline switch.
  • Oil: Scaffolding now supports both Model_Crud and Orm\Model.
  • Oil: Scaffolding now supports adding created-at and updated-at.
  • Oil: Scaffolding now supports skipping the creation of a migration file using -no-migration.
  • Oil: There is now a core task to generate the table for the database session store.
  • Orm: New model method is_fetched() checks if relation data is fetched without triggering a new query.
  • Orm: Validation section of the properties has a new key skip to indicate the field should not be validated.

v1.1

Full List of core changes since 1.0.1

System changes

  • Deprication of Request::show_404(), replaced with throw new HttpNotFoundException that has a handle method to show the 404
  • Support for handle() method that is run when an exception isn't caught before Error::exception_handler() catches it.
  • Support for special _404_ route now in public/index.php thus no longer part of the core but still supported as a 'official default'
  • Closures are now also supported in routes, thus routing to a Closure instead of a controler/method uri. Also added support for any type of callable in Route extensions you write yourself.
  • Closure support in all getters & setters: if you get a value and also input a default the default can also be a Closure and you'll get the result of that. For setters the input can also be a closure and the result of the Closure will be set. (except for View::set() as one might want to pass a closure to the View)
  • Moved the Environment setting from the app/config/config.php file to the app/bootstrap.php file.
  • All factory() methods have been renamed to forge(). This name better states the method's function. The factory() methods are still there for backwards compatibility, but are deprecated and will log warning messages when used.
  • The $this->response Response object is now deprecated. Your action methods should return either a string, View object, ViewModel object or a Response object.
  • Added the fuel/app/vendor directory to the default install.
  • You can now have an unlimited number of sub-directories for your controllers. (e.g. classes/controller/admin/users/groups.php with a class name of Controller_Admin_Users_Groups would be at site.com/admin/users/groups)
  • There is no longer a default controller for directories. It used to be that going to something like site.com/admin would bring up Controller_Admin_Admin in classes/controller/admin/admin.php. Now you must place that controller at it's expected location classes/controller/admin.php with a name of Controller_Admin.
  • A Controller::after() method now gets passed the response of the controller, it must return that response (or modified) as well.
  • Added new function get_real_class() to which you can pass a classname and it will return the actual class, to be used on classes of which you're not sure whether it is an alias or not.
  • Module routes are prepended to the routes array when Fuel detects the fist URI segment as a module, therefor parsing them before an (:any) route in the app config.
  • Config is now environment aware and allows partial/full overwriting of the base config from subdirectories in the config dir named after the environment.
  • Added a new Theme class. It allows you to easily add Theme support to your applications.
  • Fuel_Exception has been renamed to FuelException
  • Fuel::find_file() and related methods are now deprecated. Use the Finder class instead (e.g. Finder::search()).
  • Migrations are now supported in Modules and Packages
  • Routing has 3 new shortcuts:
    • :almun matches all utf-8 alphabetical and numeric characters
    • :num matches all numeric characters.
    • :alpha matches all utf-8 alphabetical characters
  • Put the Autoloader class into Fuel\Core to allow extending it, it must now be required in the app bootstrap file which is also the location where you must require your own extension.

Security related

  • Added Fuel's own response object class Fuel\Core\Response to default whitelist in app/config/config.php of objects that aren't encoded on output by the View when passed.
  • The security.auto_encode_view_data config option in app/config/config.php has been renamed to security.auto_filter_output.
  • stdClass was part of the default whitelisted classes from output encoding, this was a bug and it has been removed.

Specific classes

  • Arr: Added methods Arr::get(), Arr::set() and Arr::prepend().
  • Arr: Arr::element() and Arr::elements() have been deprecated. Use the new Arr::get() instead.
  • Database: Using transactions will no longer prevent exceptions, exceptions are thrown and should be handled by the dev. The Database_Transaction class has been deprecated as it has little use because of this change.
  • File: File::read_dir() (and related methods on Area and Directory handler) now return dirnames with directory separator suffix
  • Fieldset_Field: Parsing of validation rules has been moved from Fieldset_Field::add_rule() to Validaton::_find_fule(), from the outside the method still works the same but notices for inactive rules are now only shown when running the validation.
  • Form: Added inline error reporting, which must first be switched on in config and will replace an {error_msg} tag
  • Form: New default form template which puts it inside a table.
  • Fuel: Added Fuel::value() which checks if the given value is a Closure, and returns the result of the Closure if it is, otherwise, simply the value.
  • Image: No longer throws Fuel_Exception for any type of exception but instead RuntimeException, InvalidArguementException and OutOfBoundsException where appropriate.
  • Input: Input::post(null) doesn't work to get full post array anymore, just Input::post() without params - same for all other Input methods
  • Input: Input::get_post() has been deprecated and replaced by Input::param(). It now also includes PUT and DELETE variables.
  • Input / Uri: Uri::detect() moved to Input::uri() as it is part of the input and thus should be part of the input class
  • Request: You can now also do external requests through the Request class, for now only a curl driver: Request::forge('http//url', 'curl') or Request::forge('http//url', array('driver' => 'curl', 'method' => 'post', 'params' => array()).
  • Validation: Validation::errors() is depricated and replaced by singular form Validation::error() to be more in line with other class methods
  • Validation: New 3rd parameter added to Validation::run() that allows adding callables for the duration of the run.
  • View: The view class has been refactored and works much better now. Output filtering is vastly improved.
  • View: View::capture() has been split into two protected instance methods: process_file() and get_data(). You will need to update your View class extensions.
  • View: View::$auto_encode has been removed. It has been replaced but auto_filter, which is per-view instance.
  • ViewModel: Refactored the class internals to work more transparently with the View.
  • ViewModel: Deprecated $this->_template and renamed it to $this->_view.
  • ViewModel: Updated to work with the refactored View class. Added $this->bind().
  • ViewModel: Deprecated $this->set_template() and renamed it to $this->set_view().
  • Html: Removed (not deprecated) the following methods: Html::h(), Html::br(), Html::hr(), Html::nbs(), Html::title(), Html::header(). You should simply write the HTML yourself.
  • Config: Added Config file drivers for PHP, INI, JSON and Yaml. They are detected by file extension (e.g. Config::load('foo.yml') will load and parse the Yaml).

Packages

  • Auth: Renamed default table name from simpleusers to users.
  • Auth: Added config options for DB connection and table columns used for fetching the user.
  • Auth: Removed default config for groups & roles in simpleauth.php config file, only commented out examples left.
  • Orm: Lots of tweaks to Observer_Validation related to changes to Validation & Fieldset_Field classes. Also changed it to only save properties that are actually changed.
  • Orm: The ValidationFailed thrown when the Observer_Validation fails now includes a reference to the Fieldset instance that failed: $valfailed->get_fieldset();
  • Orm: Added support for changing the type of join used when fetching relations, example: Model_Example::query()->related('something', array('join_type' => 'inner'))->get();
  • Orm: Observers are no longer singleton but one instance per model with per model settings, check docs for more info.
  • Parser: Added Parser package to the default install.
  • Parser: Mustache is now part of the Parser package by default. Version 0.7.1.
  • Email: The Email package is added.

v1.0

Core

Full Changelog

Auth

Full Changelog

Oil

Full Changelog

Orm

Full Changelog

v1.0-RC3

Core

Full Changelog

Auth

Full Changelog

Oil

Full Changelog

Orm

Full Changelog

v1.0-RC2.1

Core

  • Fixed a security issue where the URI was not being properly sanitized.

v1.0-RC2

Core

  • oil refine install now makes the config directory writable. (Dan Horrigan)
  • Added auto-id to select fields (Kelly Banman)
  • Fixed typo in ::analyze_table (Frank de Jonge)
  • replaced the regex that processes :segment in the Route class. closes #33. (Harro Verton)
  • Closes #31: logic error caused the Crypt class to update the config when nothing is changed. (Harro Verton)
  • Fixed up XML output so that singular versions of basenode names are used when a numeric value is provided as a key.XML doesn't like numeric keys and item, item, item is boring. Also moved formatting logic out of the REST library. (Phil Sturgeon)
  • Added Format::to_php(). (Phil Sturgeon)
  • Updated Form config file to work with the Form class we've had for the past 3 months (oops). Fixes #93 (Jelmer Schreuder)
  • Fixes #115: Form::button() now produces a <button> tag instead of <input> (Harro Verton)
  • Fixed #116: Throw an error if File::update can't open the file for write (Harro Verton)
  • Added a check to File::open_file() to make sure $resource is a valid resource before we attempt to flock() (Harro Verton)
  • Fixed badly named variable in profiler. (Phil Sturgeon)
  • Show full file paths in the Install task. No security concern if you're already in the terminal. (Phil Sturgeon)
  • Fixed bug in \Date::create_from_string() where the date produced would always be exactly one month behind the actual date. (Ben Corlett)
  • updated the Crypt class to make the generation of the random keys more secure (Harro Verton)
  • fixed error in Fuel::find_file(), causing a PHP notice on repeated finds (Harro Verton)
  • The DBUtil class now respects the table prefix if set (Fixes #103). (Dan Horrigan)
  • If an empty string is passed to Format::factory('', 'xml') it will no longer error, just return an empty array. (Phil Sturgeon)
  • Added PHPSecLib to vendor to provide encryption features if no crypto is available in PHP. (Harro Verton)
  • Rewritten the crypto class to use AES256 encryption, and a HMAC-SHA256 tamper validation hash. (Harro Verton)
  • Added Redis to the bootstrap. (Jelmer Schreuder)
  • Made Inflector::camelize() return camelcased result again but the Inflector::classify() won't use it anymore and still respect underscores. (Jelmer Schreuder)
  • Allow setting labels as array including attributes instead of just tring in form->add (Jeffery Utter)
  • Fix Date class. strptime returns years since 1900 not 1901. Dates were a year in the future. (Jeffery Utter)
  • Options wasn't being passed when adding a radio.. thus it wasn't making all the separate fields. (Jeffery Utter)
  • fixes bug #96: advanced regex must use non greedy match to properly match segments (Harro Verton)
  • fixes bug #99: PHP notice due to not-initialized property (Harro Verton)
  • Using memory_get_peak_usage() instead of memory_get_usage() for more reliable memory reporting. (Jelmer Schreuder)
  • Form generation: Fixed issue with "type" attribute set for textareas and selects. Also prevented empty for="" attributes by ignoring null values. (Jelmer Schreuder)
  • Moved page link creation into separate method for more flexibility (Kelly Banman)
  • fixed broken database profiling (Harro Verton)
  • Input::real_ip() now returns "0.0.0.0" if IP detection fails (Harro Verton)
  • Bugfix: hidden inputs created with the Fieldset class caused unending loops. (Jelmer Schreuder)
  • Fixed a bug that caused the image library to refuse all image types. (Alexander Hill)
  • Corrected typos in the image class. (Alexander Hill)
  • Fuel::find_file() now caches files found per request URI, instead of a global cache. (Harro Verton)
  • Fixed a bug in the response constructor. Response body was not setting. (Dan Horrigan)
  • Bugfix: Fieldset::build() didn't match Form::build() for which it should be an alias. (Jelmer Schreuder)
  • Changed Controller_Rest formatting methods from private to protected so they can be extended (Tom Arnfeld)
  • Improved the Fieldset::repopulate() method to also take a Model or array instead of using the POST values. Will accept any array, ArrayAccess instance, Orm\Model or object with public properties. (Jelmer Schreuder)

Auth

  • Fixed an issue with the casing of the Simple-driver classnames. (Jelmer Schreuder)
  • Fixed small bug in Auth check method. (Jelmer Schreuder)
  • Bugfix: ACL rights merging went wrong because the base was a string instead of an array. (Jelmer Schreuder)

Oil

  • Updated scaffolding to work better with the new ORM package. Fix #81.
  • Suppress the error message for PHPUnit in oil, if it can't load the file from include it should just error as usual. (Phil Sturgeon)
  • Fixed PHPUnit, said it wasn't installed when it was. (Phil Sturgeon)
  • Fix #85: Scaffolding still referred to ActiveRecord instead of Orm. (Phil Sturgeon)

Orm

  • Added to_array() method to export current object as an array. Improved ArrayAccess and Iterable implementation to work with relations. (Jelmer Schreuder)
  • Finished the unfinished __clone() method. (Jelmer Schreuder)
  • Fixes #84 - now an exception is thrown when an invalid Model classname is given to a relation. (Jelmer Schreuder)
  • Implemented __isset() and __unset() magic methods for Orm\Model (Jelmer Schreuder)
  • Moved Query object creation into its own method to allow the more accurate Model_Example::query()->where()->get(). (Jelmer Schreuder)
  • order_by() didn't return $this with array input. (Jelmer Schreuder)
  • Fixed issue with constructing new models without adding properties. (Jelmer Schreuder)