v0.19.1
Minor gem updates
Wed Apr 04, 2021 (0.19.1)
Minor gem updates
Wed Apr 04, 2021 (0.19.0)
Important changes
Fixed XSS flaw in tags_helper
Credit Antonin Steinhauser (asteinhauser) for discovery and responsible disclosure.
Devise replaces Authlogic for user authentication
Ticket #742 replaces Authlogic with the latest Devise (4.3.0) which has wider adoption.
This change requires a database migration on the User model. Please note:
- Most User fields are renamed and can hence be rolled back. Existing Authlogic passwords will continue to work.
- Users will be forced logged out. Existing user sessions will not be kept and the fields
persistence_token, single_access_token, perishable_tokenwill be dropped from the database. - Though the migration is generally safe we recommend to make a backup of your database before migrating.
Existing OAuth broken
The Devise change will break any OAuth login plugins which depend on Authlogic.
You can configure OAuth for Devise using the guides here.
Login and user-related routes changed
The login URL routes have been changed to use the defaults of Devise.
User mailers changed
Mailers related to user password reset, etc. are changed to use the defaults of Devise.
PaperClip version updated from 5.2.1 to 6.0.0
PaperClip now only depends on aws-sdk-s3 instead of aws-sdk. For more info see thoughtbot/paperclip#2481.
Replace the Cocaine gem with Terrapin. https://github.com/thoughtbot/terrapin/ Apart from the namespace change, this is a drop in replacement.
Rails 5.2
The underlying framework is now rails 5.2.*
Ruby 2.4 deprecated
Ruby 2.4 has reached end of life and is no longer activity tested against.
Other changes
- #794 Fix defect with unpermitted params in advanced search
- 2bc6184 Remove broken support for delete links on arrays.
- #851 upgrade paper_trail
- Security fixes CVE-2019-16109, CVE-2019-16676, CVE-2019-5477, CVE-2019-16892
- Dependency updates
- Simple Form upgrades to use HTML5 and browser validations by default