publify

This is a bug fix and security release. It updates the dependency on publify_core from ~> 10.0.0 to ~> 10.0.2. This includes the following two security updates:

• Safely link target URLs for Redirects in admin (publify_core#148 by mvz)
• Upgrade jquery-ui-rails to version 7.0 (publify_core#149 by mvz)

See the publify_core changelog for further details.

It also update various other dependencies

This major release updates Publify to Rails 6.1 in preparation of the upgrade to Rails 7.0. It also updates the set of supported Rubies to 2.7 through 3.2.

Security-related changes

• Require at least Rails 6.1.6.1 #1068
• Update puma dependency to require at least version 5.6.4 #1064

Updated dependencies

• Upgrade to Rails 6.1 #987, #1014,
• Support only Ruby 2.7 through 3.2 #1013, #1041, #1115, #1120
• Update various other dependencies (various pull requests)

Breaking changes

• Remove support for Textile as a text format #1001
• Require email uniqueness to be case-insensitive #1080

Other changes

• Add arabic language to the project #1060 by ahmedhamid13
• Fix article search rendering in bootstrap theme #1101
• Remove local copies of engines and use external ones instead #1099
• Require AWS configuration to be present when choosing AWS storage #1082
• Replace deprecated non-digest-assets configuration #1019

Internal changes

• Remove sitealizer table #1089 by SupriyaMedankar
• Remove itunes fields from resources #1092 by SupriyaMedankar
• Remove page_caches table #1090 by SupriyaMedankar
• Remove dynamic_form dependency #991

See also the changelogs for publify_core,publify_textfilter_code and publify_amazon_sidebar.

This release fixes several security issues:

• Disallow comments on draft articles #1048
• Disallow images in comments #1054
• Hide bodies of password-protected articles in search results #1057
• Do not create article meta description for password-protected articles #1061

Additionally, it includes the following changes:

• Clean up Feedback validation #1051
• Bump mimimum puma and Rails versions #1050
• Fix password reset process #1055
• Fix password protected article reveal #1049
• Provide correct article_id input in bulkops form #1058
• Bump minimum required Rails version #1062

This release fixes a security issue:

• Fix setting the article password from the Admin #1044

This release fixes a minor security issue:

• Rate-limit Devise logins and password resets

Additionally, it includes the following change:

• Add documentation about use of the media library

This release fixes several security issues. Please upgrade as soon as possible

• Force session cookie to be secure in production
• Block ability to switch themes using a GET request; use a POST instead
• Disallow user self-registration rather than hiding it
• Let the browser not cache admin pages
• Limit the set of allowed mime types for uploaded media
• Limit allowed HTML in articles, pages and notes

Additionally, it includes the following changes:

• Fix resource size display in admin resource list
• Trigger download of media in the Media Library in admin instead of displaying them directly

This release fixes a security issue and includes the following changes

• Explicitly require at least version 1.12.5 of nokogiri to avoid a security issue
• Drop support for Ruby 2.4 since it is incompatible with nokogiri 1.12.5

This is a bugfix release that includes the following changes

• Bump Rails dependency to 5.2.6
• Replace mimemagic with marcel

This is a bugfix release

• Fix the publify:textile_to_markdown task. This task failed on feedback and pages.

This is a small release that just updates some dependencies to fix security issues:

• Bump minimum Rails version to 5.2.4.5
• Update activerecord-session_store dependency to 2.0.0

This release updates Publify to use Rails 5.2. It also introduces some breaking changes:

• Drop support for custom mail.yml configuration. Mail settings should now be configured in config/environments/production.rb
• Drop support for custom timezone.yml configuration. If relevant, the timezone can be set in config/application.rb
• Drop support for Ruby 2.2 and 2.3
• Drop support for humans.txt
• Deprecate use of Textile. The admin will warn about any content that uses Textile formatting. A task has been added to convert this content to Markdown. The next release of Publify will drop Textile support entirely

This minor release updates Publify to use Rails 5.1

• Upgrade to Rails 5.1 (#814)
• Update Danish translations (#831)
• Extend Polish translations (#829)
• Fix a bunch of issues (#840)
• Remove outdated converters
• Fix google analytics tag rendering (#849)

This is a bug fix release. It provides the following updates:

• Enforce use of at least Rails 5.0.4.
• The email field is handled correctly when users sign up (#819)
• The sign-up and login forms use the correct layout (#819)
• Theme-related JavaScript files are served correctly (#823)
• Russian translations have been updated (#820)
• The link_to_author setting that no longer had an interface has been removed (#816)
• Dependencies were updated (#815)

This is a major release and brings big changes to Publify. First of all, Publify now uses Rails 5.0. Moving ahead to Rails 5.1 will come in Publify 9.1, but for now this smaller step should make it easier to migrate any customizations.

Second, Publify has been split up into several Rails engines (publify_core, publify_amazon_sidebar and publify_textfilter_code). This should allow easier re-use and customization. For now, the core engine still contains many parts that can be considerd optional. These may be extracted into their own gems at a later stage.

Apart from those two large changes, there are some smaller potentially breaking changes:

• Publify now uses Rails' default method of setting secret_key_base in production: Through an environment variable. This means you will have to update your production environment so this variable is actually set.
• Support for Ruby 2.1 is dropped.
• Automigration is dropped. You will need to run db:migrate yourself.
• Support for using feedburner is dropped.
• Trackbacks and pingbacks are no longer sent. Trackbacks are no longer accepted.
• Full-page caching is dropped in favor of default Rails' Russian-doll partial caching.

All the little details can be read in the change logs:

• The main Publify change log
• The Publify Core change log
• The Publify Textfilter Code change log
• The Publify Amazon Sidebar change log

As always, ensure you have your database backed up before upgrading!

Alvaro Folgado identified several security issues in Publify that are fixed in this release:

• Rails' protection from CSRF was not active for all actions. This was fixed.
• Devise' password recovery feature was configured to behave differently for existing and non-existing email addresses. This has been changed to use Devise' 'paranoid' mode.
• Publify was vulnerable to CVE-2016–3714, a vulnerability in ImageMagick, on servers that have affected versions of ImageMagick installed. It now checks the mime type of uploaded files based on their content before processing with ImageMagick.
• Publify used Rails' cookie session store, making it possible to effectively log back in by using an older value of the session cookie. Publify now stores the session data in the database.
• The blog name was not properly escaped in the views used for Devise.

Additionally, the following small bugs were fixed:

• There was an error on the sign-in due to the use of a deprecated method in Devise.
• Failed resource uploads were reported as succesful.

It is recommended you update to this release as soon as possible.

Another simple bug fix release. This fixes a couple of bugs that were reported since version 8.3.1 came out. Have a look at the change log for more details.

This is just a simple bug fix release. It fixes some old bugs, and some that were reported since version 8.3.0 came out. Have a look at the change log and milestone for more details.

This release brings a lot of small changes and a few big ones under the hood. The big ones shouldn't really change anything from a functional standpoint right now, but they will allow some new possibilities and directions in the future. Enough with the vague words, here is a list of large or breaking changes:

• Make Publify multiblog-ready: All models should now be directly or indirectly linked to a blog, opening the way for finally supporting multiple blogs in some form. What form? That is still up for debate, but you can join the discussion in the GitHub ticket.
• Replace custom Publify authentication system with Devise. This just gives use less code to maintain ourselves.
• Replace custom Publify authorization system with CanCanCan. As with Devise, it's better to use a well-maintained gem for this.
• Remove Profile model. This wasn't really doing anything in standard Publify, but beware if you've put any customization there.
• Remove long-deprecated view_root method for sidebars. Just some simple house-keeping, but if you haven't been paying to Publify's warnings for the past years, this is a breaking change.
• Provide registration mechanism for themes, allowing them to be stored anywhere. This opens the way for turning Publify into a Rails Engine, and for having themes as plug-ins.

As always, there are many small changes as well. See the change log for details.

Publify master has been running on Rails 4.2 for some time, so a new release is long overdue.

Some important changes:

• Dependency on Rails has been updated to 4.2, including recent security fixes.
• Migrations have been rolled up to 113 according to our upgrade policy. You must now first upgrade to at least version 7 before upgrading to the latest version.
• The default bootstrap theme was replaced with bootstrap-2. You can find the old theme at https://github.com/publify/themes-bootstrap.
• A Plain theme was added that uses only Publify's default templates with a sprinkle of custom css.

In addition, there have been numerous smaller changes, bug fixes and improvements. See the change log for details.

Short after pushing 8.1.0, we're releasing a quick bugfix one. We obviously have some work on automated tests.

#497 Publishing breaks before adding tags and publishing time.

#498 Pages and articles editor appears on 2 lines only

#499 Autosave is broken on PostgreSQL