Release Notes for uKnowva 2.4.4

  • Added a new configuration setting in com_uvwdocs. This can be used to set version upload access to users with upload or edit rights
    • Parameter name: Enable users with upload access to create new versions
    • Description: If set to no, the document creator and the users having edit access to the document will have the rights to create new versions of any document, else users with upload access to the folder shall also have access to do so
  • Warnings will now be displayed only to Admins. Added the following code in Juser::load function to implement this:
  • In authentication user function of com_custom, we have made provision to send the username and password in u and p variables, respectively, in the request; the values will be base64 encoded here
  • Added default class as inputbox to password fields in libraries/joomla/form/fields/password.php
  • Added the code of automatically subscribing users to uKnowva mailing list on save
  • Added enable_mailinglist_subscription in Global Configuration Admin setting plugin
  • Added REFERER & UKNOWVA_ALT_REFERER check in JRequest::checkToken function itself
  • Added uknowva-app as a mobile/tablet user agent
  • Added code in modal-uncompressed.js and modal.js to make modal popups responsive, as defined here
  • Compressed the JS of media/system/js/modal.js
  • Added the following code in com_community/helpers/access/groups.php groupsMemberRemove() function to allow group admins to remove members from a group
  • Made the com_community popups responsive by adding js code in window-1.0.js and some css in style.css
  • Added getProfileAnchor() in JUser as explained here
  • Created a $db object in uknowvatable::__construct if the $db is not passed
  • Added description as input in field types as spacer (to override layouts of plugins)
  • Security Enhancements

    • Added strip_tags in templates/color.php to avoid cross site scripting
    • Strengthened the security by adding a referrer restriction in JRequest::checkToken to prevent almost all kinds of CSRF/phishing attacks. For each request the URL of the previous page is now checked so that attacks can be prevented
    • Removed the jsoc include statements from error.php and made error message details visible only to logged in users
    • Made the Profile edit form safe from CSRF attack by adding the checkToken code in _saveProfile function of profile controller in /components/com_community/controllers/profile.php
    • Made chatrooms.js handle injection attacks by changing the /chat/modules/chatrooms/chatrooms.php and chat/modules/chatrooms/chatrooms.js
    • Added a check of view access as well in case of upload/edit/delete access in category/file model of com_uvwdocs
    • Added the following new options in php.ini of online installers for better security: = UKNOWVASESSID //now php sessions cookie will be stored in this name
       session.cookie_httponly = 1
       session.use_only_cookies = 1
    • Added the following in .htaccess to prevent SQL files from being downloaded via URL:
      Files ~ "\.sql$">
      Order allow,deny
      Deny from all
      Satisfy all
      </Files> (sec)