BigTree CMS

In category: Content Management Systems (CMS)

About BigTree CMS

Straightforward, well documented, and capable, written with PHP and MySQL.

Github stats:
  •  Commits: 3,998
  •  Latest commit: Dec 31, 2022

More about BigTree CMS

BigTree CMS 4.4

http://www.bigtreecms.org/

Licensing

BigTree CMS is publicly licensed under the GNU Lesser General Public License. If you would like to use BigTree under a different license, please contact us.

Contributing

We would love to have the community work with us on BigTree. Guidelines are currently being created for how community contributions will be worked back into the project. For more information, please contact contribute@bigtreecms.org. If you would like to begin developing the BigTree core, follow the process below:

  1. Fork it.
  2. Create a branch (git checkout -b 4.0_toms_branch)
  3. Commit your changes (git commit -am "Fixed My Broken Foot")
  4. Push to the branch (git push origin 4.0_toms_branch)
  5. Create an [Issue][1] with a link to your branch

Changelog

4.5.1

  • ADDED: Caching of image data from cloud hosted files to prevent downloading all images on each page edit
  • FIXED: Too many warnings to count
  • FIXED: Image rotation fixing being attempted on every check of an image rather than just uploads
  • FIXED: Drag and drop not working on matrix / callouts / media galleries
  • FIXED: Old certificate bundles failing to grab new bundles (fixes cURL HTTPS calls)

4.5

  • NEW: Experimental GraphQL API Support
  • NEW: Instagram Basic Display API support (old API is no longer available for general usage)
  • UPDATED: PHP 8.0+ support
  • UPDATED: Media Gallery, Matrix, and Callouts fields are now editable inline for a better full width editing experience
  • UPDATED: TinyMCE 6.2 is now the default editor
  • FIXED: A multitude of warnings and notices have been fixed. More still remain and will be diagnosed and resolved in subsequent releases
  • FIXED: Incorrect link to the audit trail when editing a file
  • FIXED: Tags and Settings showing for users who are not administrators
  • FIXED: BigTreeAdmin::requireAccess not working properly
  • FIXED: Sitemap improperly including future published pages instead of past published pages when using a publish date

4.4.16

  • ADDED: Time and Datetime fields now allow you to not convert from the timeframe reference of BigTree users with non-default timezones
  • FIXED: Callouts and Matrix field types no longer break time and datetime fields when a user from a non-default timezone edits content without updating the callout/matrix entry.
  • FIXED: Re-cropping images not working in media galleries
  • FIXED: Matrix field settings breaking when encoded properly (not double escaped)

4.4.15

  • SECURITY FIX: Fixed a cross site scripting issue with searchable fields that can lead to privilege escalation (thanks to guiseppesec for the report)
  • FIXED: Matrix field settings being lost when updating a Setting in developer
  • FIXED: File reference field losing title hints when being used in a Matrix field

4.4.14

  • FIXED: Cloud storage settings not saving properly after choosing a bucket (e.g. CloudFront distribution)
  • FIXED: Media Gallery not drawing video icons properly when nested inside callouts
  • FIXED: Previously uploaded cloud files that lack size information should have it recalculated on upgrade

4.4.13

  • FIXED: Certificate Bundle failing to download for cURL requests causing cURL and Cloud Storage to fail.
  • FIXED: Include path for files in admin not allowing a custom override

4.4.12

  • FIXED: Searching via LIKE in grouped module views when no query is passed
  • FIXED: BigTree::currentURL when being served behind a proxy not returning proper HTTPS URLs.
  • FIXED: Losing GET vars when enforcing trailing slashes on URLs
  • FIXED: The properties menu in Pages not saving its collapsed state in Safari and Chrome
  • FIXED: Cron sending daily digests every run rather than once every 24 hours (when manually set to run more frequently)
  • FIXED: XSS issue in Javascript routing in Internet Explorer (thanks to Mustafa Yalçın at Netsparker for the report)
  • FIXED: Uploading SVGs to the files tab failing

4.4.11

  • UPDATED: SVGs are now able to be uploaded to the Files tab (via upload file, not image)
  • FIXED: Auto rotation of EXIF rotated JPEGs failing to save
  • FIXED: Creating an extension failing to get related form properly
  • FIXED: Image list previews in the Files tab not being generated if the source image was less than 100x100
  • FIXED: Pages Javascript breaking when the current user is not allowed to change the page template
  • FIXED: BigTreeAutoModule's updateItem and createItem methods not properly supporting auto detection of null columns
  • FIXED: Cancel button on the front end editor's "locked" status screen not working
  • FIXED: Amazon S3 buckets from non US-East regions not deleting files properly
  • FIXED: Database populated list columns in module views sorting incorrectly
  • FIXED: PHP warnings showing when submitting a page change involving crops
  • FIXED: Caching Amazon S3 data not taking you back to the proper page when complete

4.4.10

  • FIXED: Base SQL failing to create the open graph table
  • FIXED: Missing keys on the open graph table causing slow lookups on very large sites
  • FIXED: BigTree::untranslateArray throwing warnings on non-array/non-string values
  • FIXED: Link generator functions in RSS 0.91 not working properly
  • FIXED: Setting content alerts on the entire site failing to save
  • FIXED: Native form elements (like radio and checkbox) failing to render properly on newer browsers
  • FIXED: Editing settings of a matrix field inside a matrix field
  • FIXED: Date & Time fields not initializing properly when switching page templates
  • FIXED: Incorrect time formatting when a user's timezone is null
  • FIXED: Sitemap being stale when not using a background cron task
  • FIXED: Embeddable forms failing to embed properly
  • FIXED: Searching for internal page links in the admin interface
  • FIXED: Switching a page to an external link or redirect lower causing an error on the content tab
  • FIXED: System settings showing in list views

4.4.9

  • CHANGED: Tags can now only contain alphanumeric characters and spaces.
  • FIXED: Installer creating the incorrect custom fields directory
  • FIXED: Core field type collision ID detection when creating custom field types
  • FIXED: Internal page links not properly encoding GET variables that contained the WWW_ROOT in them.
  • FIXED: Database columns named "image" inferring the File Upload field type rather than Image
  • FIXED: Cross site scripting issue when creating tags (thanks to Edric Teo for the report).
  • FIXED: Simple mode HTML fields not allowing span tags to be in the saved output (breaking underline functionality)

4.4.8

  • UPDATED: The default htaccess file now has a newer default set of cache headers
  • FIXED: Cropping on servers where the temporary upload directory is incorrectly reported
  • FIXED: Pending open graph data for pages not being properly escaped (thanks joeshu)
  • FIXED: pages.js is now cache busted
  • FIXED: Advanced Search edit buttons in views where the edit action is a custom URL
  • FIXED: View data for modules with group based permissions not caching properly
  • FIXED: The sitemap.xml file no longer includes pages marked SEO Invisible
  • FIXED: Phar injection through third party APIs not being case insensitive
  • FIXED: Filenames that contain a disabled extension not being able to be uploaded (when the actual extension was valid)
  • FIXED: Environments that have PHP random session garbage collection disabled never cleaning up (now runs during cron)
  • FIXED: Random letters being thrown on the end of a pages edit URL causing the homepage to be updated
  • REMOVED: Callout positioning from stored JSON as it is no longer used and causes merge conflicts

4.4.7

  • FIXED: Trunk being overwritten when a non-developer updates a page that has trunk set
  • FIXED: Permissions checks on re-ordering pages
  • FIXED: Images failing to upload when /site/files/ did not exist (for cloud storage setups)
  • FIXED: Dynamically compiled LESS failing to load properly on sites with basic routing
  • FIXED: Importing 301 redirects CSV failing when line endings were carriage return
  • FIXED: Matrix fields not properly setting post data (leading to issues such as re-cropping images from within a matrix failing)
  • FIXED: Two factor authentication crashing during setup
  • SECURITY FIX: Resolved authenticated SQL injection allowing an administrator level user to retrieve database information
  • SECURITY FIX: Resolved Phar deserialization vulnerability that could be exploited through CSRF when the website allowed for public uploads of Phar files

4.4.6

  • FIXED: Locale scope not being properly triggered when generating routes for other languages
  • FIXED: Settings table not being correctly created on new sites
  • FIXED: An odd edge case where a user could request the bar.js.php while not logged in and end up redirected to a Javascript file
  • FIXED: Route history redirection not properly throwing a 404 when hitting a non-routed URL
  • FIXED: Route history redirects being a 302 instead of a 301
  • FIXED: Database upgrade being run on a fresh install
  • FIXED: CSV report data having html encoded characters in it
  • FIXED: Reports not allowing for a report with no filters

4.4.5

  • ADDED: og:width and og:height are now drawn by BigTreeCMS::drawHeadTags (this will happen automatically if existing data is local but will require a re-save if cloud storage is used)
  • FIXED: Clearing caches of dependent views when data changes
  • FIXED: Resource rectification when switching between templates / callouts using media gallery fields
  • FIXED: Extension settings check when an extension setting had an empty value
  • FIXED: Link field not returning correct URLs in a multi-site environment
  • FIXED: http://www.bigtreecms.org URLs to target https://
  • FIXED: Incorrect closing tag on importing 404 CSVs page.
  • FIXED: YouTube URL parsing when whitespace existed or other unsupported GET variables were in the URL
  • FIXED: Path history checking not properly redirecting
  • FIXED: Route field type not seeing existing data properly
  • FIXED: Internal settings sometimes losing their encrypted state or not being read properly
  • FIXED: Browse should no longer show when replacing a file or image in the file manager
  • FIXED: After replacing images in the file manager, images should now be cache busted to show the updated image
  • FIXED: Image data being checked with URL instead of a local file path when stored locally
  • FIXED: File/image picker should now show the last time the file/image was replaced rather than always showing the created date
  • FIXED: When adding a tag, if the tag already exists an error is thrown rather than just silently failing
  • FIXED: Messages being able to store Javascript onclick and href events
  • FIXED: Getting the uploaded videos of a YouTube Channel failing sometimes
  • FIXED: Protocol agnostic image sources failing to draw as https for open graph tags
  • FIXED: Overlay admin editor (front-end) not properly loading config based admin_js

4.4.4

  • FIXED: Logging into a multi-site admin area when the homepage of one of the multi-site instances was a redirect
  • FIXED: A SQL injection data leak for admin area users
  • FIXED: Warning being thrown when searching settings and returning results for array-based values
  • FIXED: Link path generation for empty paths in a multi-site environment
  • FIXED: Overriding of core field types failing
  • FIXED: Cross-site scripting vector in tag names
  • FIXED: YouTube videos that have no GET parameters failing with an invalid URL error
  • FIXED: Photo Gallery to Media Gallery conversion leading to data loss on saving old data
  • FIXED: Edit links for module content on the Pending Changes page
  • FIXED: Parsing of 404 source URLs in a multi-site environment
  • FIXED: Multi-site key inference when adding 301s
  • FIXED: Several issues with saving configuration in the Developer area (Payment Gateway, Cloud Storage, Email Service) not sticking
  • FIXED: Sitemap generation file not being overridable in /custom/
  • FIXED: Route history not working properly in multi-site environments
  • FIXED: Route history not being properly removed when creating a 301 in a multi-site environment
  • REMOVED: Google+ references from the admin (the class still remains to prevent any fatal errors for sites that reference it but the service has closed)

4.4.3

  • ADDED: An alert is now thrown when attempting to navigate away from images that have been uploaded to the Files manager that are not yet processed
  • ADDED: Embed preview for the Video field type
  • ADDED: cron-run.php to the root directory as a replacement for /core/cron.php for sites that use a symlinked core for BigTree
  • CHANGED: The processing code for Matrix and Media Gallery field types was cleaned up dramatically to be more understandable
  • FIXED: Video / Media Gallery field types no longer check case sensitive values when determining what service a video is from
  • FIXED: BigTreeImage errors not properly showing when an error occurred processing a user uploaded image
  • FIXED: YouTube videos uploaded through the Video field type no longer lose all information if the secondary API lookup fails
  • FIXED: Nested image settings for fields (e.g. within a Media Gallery sub-field) should now be properly editable
  • FIXED: cURL requests getting a new cert bundle on every request
  • FIXED: Pending Changes returning inaccurate sets of results
  • FIXED: Video field type failing on YouTube URLs that contained a timestamp
  • FIXED: TinyMCE fields being used for titles not saving data properly on first save in Matrix and Callouts

4.4.2

  • ADDED: Creation / modification / file change status when editing files in the file manager
  • CHANGED: Sitemap.xml is no longer generated on the fly and is instead cached and updated during the cron run (thanks afi13)
  • FIXED: Images not showing image previews / the ability to re-crop in the file manager
  • FIXED: The "Remove" option showing up for a file in the file manager
  • FIXED: Pending Changes dashboard behavior
  • FIXED: Module based pending changes not properly applying the module ID to the change (this is not retroactive, existing broken content is not able to be fixed)
  • FIXED: cURL requests on servers with an unlimited maximum execution time ending immediately
  • FIXED: A cross-site-scripting issue when creating field types
  • FIXED: Giant set of crops coming by default in the file manager (should now be the defaults from earlier versions of BigTree - just 3 thumbnails)
  • FIXED: Some incorrect code documentation
  • FIXED: Warnings on empty responses breaking the caching of Google Analytics data
  • FIXED: Disconnecting and setting a profile for Google Analytics
  • FIXED: The drop zone for uploading images and files not being clickable directly on the help text.
  • FIXED: Video data in the Video and Media Gallery field types sometimes storing "YouTube" as the service and other times "youtube". It is now always "YouTube".
  • FIXED: File manager failing to detect an upload of a file that exceeds post_max_size as an error
  • FIXED: Trailing whitespace on URL requests not being stripped
  • FIXED: Embeddable forms not functioning properly post 4.4
  • FIXED: Video URLs that contained timestamp GET parameters failing to be recognized as valid YouTube URLs.

4.4.1

  • ADDED: Module views can now be explicitly excluded from search to improve performance
  • CHANGED: When calling BigTree::urlExists HTTPS validation is skipped
  • CHANGED: BigTree no longer saves failed login info in $_SESSION["bigtree_admin"]["email"] for security reasons
  • CHANGED: BigTreeCMS::autoSaveSetting is deprecated and no longer used by the core
  • FIXED: Using NULL in SQL::query calls when used in places other than WHERE statements.
  • FIXED: Some inaccuracies in documentation
  • FIXED: Deleting of alternate IDs in BigTreeJSONDB
  • FIXED: Error responses from MapQuest geocoding API
  • FIXED: Calls to the bigtreecms.org site not using HTTPS
  • FIXED: Email Service and Payment Gateway data being overwritten when upgrading to 4.4
  • FIXED: 301 CSV importer not respecting GET variables as distinct URLs
  • FIXED: Very large module view data caches are now paginated to avoid out of memory errors
  • FIXED: Some legacy calls in field types to options rather than settings
  • FIXED: Search no longer shows the entire database as results if you don't enter a query
  • FIXED: Resource permissions on a null parent now resolve properly
  • FIXED: Resources that a user does not have permission to edit now open in a new window rather than show just the name.
  • FIXED: Admin CSS/JS is now cache busted by version number
  • FIXED: Base install SQL not adding the deleted users and file metadata settings
  • FIXED: Date fields no longer attempt to convert a date to/from a user's timezone since there's no way to know exactly what it should convert to without time.
  • FIXED: Extension settings being overwritten if they were value-only settings.
  • FIXED: User level column missing from user emulator
  • FIXED: Editing the settings for the field of a setting.
  • FIXED: Multiple sub-crops not persisting through save.
  • FIXED: Vimeo video embed width/height not being correct when adding a video to the file manager (or using a video field).
  • FIXED: Incorrect button text when confirming the deletion of a folder.
  • FIXED: Installer not validating the CMS user's email address.

4.4

  • OVERHAUL: Environment independent configuration such as Modules, Templates, Callouts, Settings (structure, not value), etc. is now stored in JSON files within /custom/ rather than the database for version control and deployment ease.
  • ADDED: User levels are now shown in the Users list view
  • ADDED: An indicator has been added to the Pages list view showing whether a page has child pages
  • ADDED: More hooks for Extensions:
    • Add content to the top and bottom of: Dashboard, Modules (landing), Developer (landing)
    • Add buttons to each of the sections of the Developer landing
    • Modify the BigTree admin navigation tree to add navigation entries
    • Add fields to callouts, templates, and module forms (draw and process)
  • ADDED: CSV Import for 301 redirects
  • ADDED: Link field type (based on the Link Finder extension)
  • ADDED: Video field type (based on the Video extension)
  • ADDED: Media Gallery field type (based on the Media Gallery extension)
  • ADDED: File Upload field type can now restrict the types of files being uploaded based on extension
  • ADDED: You can now duplicate pages (that are not top-level) as a new pending page
  • CHANGED: The Upload field type has now been separated into "Image Upload" and "File Upload"
  • CHANGED: $bigtree["bar_edit_link"] on your front end templates will now redirect the user back to the front-end after editing
  • CHANGED: The Vitals & Statistics landing no longer exists -- you can access the sub-sections directly via a dropdown from Dashboard now.
  • REMOVED: Packages are no longer supported. With the move to file based configuration, moving database configuration is no longer needed and was the only remaining use case for Packages over Extensions.
  • REMOVED: You can no longer upgrade from BigTree < 4.1 directly to 4.4, you will need to first upgrade to 4.1 at minimum before moving to 4.0.
  • REMOVED: Meta Keywords (which are no longer used by any significant search engine)
  • REMOVED: Photo Gallery field type (this has been replaced with the more robust Media Gallery and existing fields have been converted)

4.3.4

  • FIXED: Multi-site 301 creation when an existing 404 was already in place
  • FIXED: Head tags context when on a 404 page
  • FIXED: Open graph priorities for module content so that Open Graph explicit data title > context title.

4.3.3

  • ADDED: BigTreeCMS::getResource method for use with reference fields
  • ADDED: A confirmation dialog now appears when permanently deleting archived pages.
  • ADDED: Paginated caching when switching your cloud storage to an existing Amazon S3 bucket to prevent timeouts.
  • ADDED: $bigtree["config"]["ssl_only_session_cookie"] option to force delivery of session cookies over SSL.
  • CHANGED: Module Designer is no longer a nav element but rather an option after clicking Add Module in Developer
  • CHANGED: Resources are now "rectified" when switching templates in pages or types of callouts so that bad data doesn't persist.
  • FIXED: An error in the 4.3.2 upgrade script
  • FIXED: Warnings when switching from an empty callout to a non-empty callout
  • FIXED: Extensions not importing form relationships correctly
  • FIXED: SQL::backup not backing up table definitions
  • FIXED: The "View Analytics" button should no longer appear in the dashboard for non-admins
  • FIXED: Quick action buttons not showing when editing the homepage
  • FIXED: The site front end is now fault tolerant of a missing bigtree_open_graph table so that upgrading on a live site does not cause downtime
  • FIXED: Amazon S3 now uses local CA certificates for better tolerance of bad cURL environments
  • FIXED: CA Bundle updating causing an infinite loop

4.3.2

  • FIXED: Better checking of the writability of the vendor directory in bootstrapping (to properly throw errors on updated installs)
  • FIXED: Warnings when file manager presets are missing crops / center crops / thumbnails
  • FIXED: Pages lock not refreshing
  • FIXED: Redirects in a multi-site environment using 302 instead of 301 redirects
  • FIXED: One to Many not throwing a proper exception when setup incorrectly
  • FIXED: The BigTreeCMS::setHeadContext description being prioritized over an explicit open graph description
  • FIXED: Choosing a media preset for a field should now work again.
  • FIXED: Javascript errors when editing a pending page
  • FIXED: Previewing a pending page not providing proper edit buttons in the BigTree toolbar
  • CHANGED: Folders are now sorted by name when choosing a new parent folder for a file or folder
  • CHANGED: Multi-site cache JSON is now named more similarly to other BigTree static caches
  • CHANGED: When adding an explicit 301 redirect, route history that would override the redirect is now removed
  • CHANGED: BigTree::cURL requests now use strict SSL verification by default (via auto-updated cacert.pem)
  • ADDED: A progress indicator/animation to the upgrade screen

4.3.1

  • FIXED: Creating or updating a page clearing all of /cache/ and resetting the composer check flag
  • FIXED: Installer creating an old password hash on install

4.3

  • ADDED: File Manager with metadata and a dedicated tab
  • ADDED: Tag Manager with the ability to delete and merge tags
  • ADDED: Open Graph data support for pages and modules and the new BigTreeCMS::setHeadContext and BigTreeCMS::drawHeadTags methods to support the data
  • ADDED: New more robust example site that shows off more functionality and links to documentation
  • ADDED: Image Reference, File Reference, and Video Reference fields
  • ADDED: Database based session handling for better compatibility with load balancers and session timeout control
  • ADDED: Security settings to force logout all users, logout all user sessions when logging out, and logout user sessions when changing passwords.
  • ADDED: Progress indicators and some other UI improvements
  • ADDED: Support for processing LESS files in the admin CSS
  • ADDED: Support for external CSS and JS in admin_css / admin_js configuration settings
  • ADDED: Administrators can now view a report of a page to see what users have access to it
  • ADDED: Timezone support in the admin (users can now see and set dates and times in their frame of reference)
  • ADDED: New BigTreeImage class that encapsulates many image modification functions
  • UPDATED: Tagging interface now shows you the number of existing relationships
  • UPDATED: Audit trail now keeps track of who the originator of a change was if published without additional changes
  • UPDATED: Advanced search now respects view filters when showing results
  • UPDATED: The latest version of TinyMCE (4.8.3) is included
  • UPDATED: Checkbox fields can now have a default checked status
  • UPDATED: You can now reveal help text for a module's view after it has been hidden
  • UPDATED: Textarea field now supports maximum length restrictions
  • UPDATED: Added character counter to text and textarea when a max length exists
  • UPDATED: Files associated with pages and module content are now much more accurate at warning when the file is in use when trying to delete the file.
  • UPDATED: Previous page revisions now show when they contain deleted file manager references.
  • CHANGED: BigTree now uses Composer rather than submodules for third party libraries
  • CHANGED: BigTree now uses full <?php tags for better compatibility
  • CHANGED: BigTree now requires PHP 5.5+
  • CHANGED: BigTree now upgrades via paginated AJAX to prevent timeouts of long running upgrade scripts
  • CHANGED: Field types now live in /custom/admin/field-types/{id}/ directories with draw, process, and settings files
  • CHANGED: Fields, module forms, module views, etc. now have "settings" rather than "options"
  • CHANGED: Processing crops now occurs via AJAX to prevent timeouts of large crop sets
  • CHANGED: Amazon S3 storage now uses the official AWS library for better cross region support and CloudFront invalidation
  • CHANGED: Passwords now use PHP's password_hash and will be re-hashed upon login to the default algorithm
  • CHANGED: When a minimum image width / height is not set, BigTree will try to create thumbnails of crops if the image is large enough for them.
  • CHANGED: Duplicate tags are now merged on saving a page / module entry
  • CHANGED: "Resources" permissions are now "Files" permissions when editing a user.
  • CHANGED: BigTree bar no longer shows edit buttons on 404 page and will draw on secure pages
  • CHANGED: BigTree should now be more reliable at getting the remote IP address when behind load balancers or firewalls
  • CHANGED: Simple mode HTML fields no longer contain the code button and instead have the remove formatting button
  • CHANGED: Simple mode HTML fields now remove any tags that are not supported (only leaves bold, italic, underline, links, paragraphs, and line breaks)

4.2.24

  • SECURITY FIX: Cross site scripting vulnerability for developers through form posts (Thanks Mithat Gögebakan!)
  • SECURITY FIX: Session IDs are now regenerated on login for better security (Thanks Juttikhun Khamchaiyaphum!)
  • SECURITY FIX: Path manipulation on Windows environments (Thanks pupiles!)
  • UPDATED: Logging into a multi-site environment now uses CORS to login to all sites in one go
  • CHANGED: The error users receive when a session timeout occurs now sounds less scary (used to be "Cross site request forgery detected.")
  • FIXED: Select dropdowns should now work better in Firefox
  • FIXED: Page editing should now be more accessible
  • FIXED: Page previewing in a multi-site environment
  • FIXED: SQL::unique call when not passing in an ID
  • FIXED: Deleting a top level thumbnail of an image deleting the thumbnails of the first crop
  • FIXED: SSL state lookups to be more accurate
  • FIXED: Audit trail not properly tracking the deletion of embeddable forms and reports
  • FIXED: cURL requests should no longer hang indefinitely when blocked by a firewall (maximum of 5 seconds for urlExists requests and 5 seconds less than max execution time for cURL requests)

4.2.23

  • ADDED: A setting for session lifetime
  • ADDED: Support for a "bigtree-theme.sql" file in the install directory for bootstrapping a BigTree install
  • UPDATED: Geocoding API now provides better error responses
  • UPDATED: Geocoding API now supports API keys for Google
  • UPDATED: Installer no longer replaces files that already exist in the directory (for use in boilerplate installs)
  • UPDATED: BigTree will now dynamically increase memory limit when processing images to lead to less image processing failures due to RAM requirements
  • FIXED: Editor level users not being able to Save & Preview from the front end editor
  • FIXED: Uploading to a Google Cloud Storage pointer that wasn't URL safe
  • FIXED: Broken stored pointers for Google Cloud Storage
  • FIXED: Authenticated URLs for Google Cloud Storage when the URLs had unsafe characters
  • FIXED: .htaccess files are no longer allowed to store via BigTreeStorage
  • FIXED: Some warnings thrown by PHP 7.2
  • FIXED: Next buttons in forms not respecting the hidden state of tabs
  • FIXED: Incorrect closing tag on cloud storage form
  • FIXED: Using a draft of a page causing that pending change to not show on the dashboard properly
  • FIXED: Geocoding field getting added back into the form dropdown when deleted
  • FIXED: Not being able to edit Geocoding field settings after adding it to the form
  • FIXED: Forms that supported Save & Preview not showing the button on initially adding content
  • FIXED: OpenSSL not being verified in the installer
  • FIXED: Leftover temporary files sticking around when an image upload fails

4.2.22

  • CHANGED: The default BigTree install no longer tries to use php_flag in htaccess
  • UPDATED: Publish hooks are now run when a user approves, features, or archives an item from a View
  • UPDATED: Internal link encoding now properly supports hashes and GET variables
  • FIXED: Many warnings that showed in PHP 7.2 environments
  • FIXED: Deprecation and strict standards warnings
  • FIXED: CDN Domain usage that broke in 4.2.21
  • FIXED: Cross-site scripting in the Users view by lower-level users (thanks CHYbeta and zhzzhz)
  • FIXED: Deleting and replacing files from S3 when using subdomain or CDN-domain URLs
  • FIXED: PHP 5.4 requirement introduced in 4.2.20 (PHP 5.3 should still be the lowest supported version)
  • FIXED: Default configuration files throwing notices related to multi-site config
  • FIXED: Form tabs not switching to the proper form tab when an error occurs
  • FIXED: Deleting / replacing local files when default storage was set to cloud
  • FIXED: Database updates are now run without query logging enabled even if debug is on to help prevent out-of-memory errors.
  • FIXED: Failed extension installs redirecting back to the package install page
  • FIXED: Manually creating a 301 not working properly when an existing 404 with GET variables attached existed
  • FIXED: Integrity checking of URLs in a multi-site setup from the non-primary domain

4.2.21

  • FIXED: Admin crashing on PHP < 7.0 when the environment had support for the Locale class
  • FIXED: Using an EXIF rotated image from the file manager using a PNG version for the non-thumbnailed/cropped copy
  • FIXED: Images uploaded to the file/image manager not properly rotating based on EXIF data.

4.2.20

  • ADDED: Support for non-latin characters in URL routes (they are now transliterated before generating a route)
  • ADDED: Confirmation before rejecting a change in the dashboard
  • ADDED: GET variable support for 404 Manager (e.g. ?this=that can redirect to something other than ?this=this)
  • ADDED: SSL state checking for load balancers that pass along X_FORWARDED headers.
  • ADDED: CloudFront domain support for Cloud Storage.
  • ADDED: Google Authenticator two factor login support.
  • UPDATED: TinyMCE to the latest version (4.7.6)
  • UPDATED: jQuery to the latest version (3.3.1) and jQuery UI (1.21.1)
  • CHANGED: Session lifetime is now 24 hours rather than 24 minutes by default.
  • CHANGED: Upload fields for images now link off to the full file from the small preview.
  • CHANGED: Upload fields now link to the current file when viewed.
  • CHANGED: The Status column in list based views now shows "Inactive" for an entry that is archived or not approved
  • CHANGED: Twitter API now defaults to returning non-truncated tweets.
  • CHANGED: The math used to calculate the RAM needed for image manipulation now estimates higher.
  • CHANGED: BigTree bar now uses window.postMessage to work cross domain
  • CHANGED: Replacing a file in the file manager should now update its timestamp
  • CHANGED: Uploading a file to Amazon S3 now uses the subdomain format (bucket.s3.amazonaws.com) to support non US-standard buckets
  • FIXED: Double encoding of titles / descriptions / keywords when approving a page change from the Dashboard
  • FIXED: Duplicate 404s in the 404 Manager
  • FIXED: Module Designer not properly adding indexes on stateful columns
  • FIXED: Missing action titles of several view types
  • FIXED: Preview action not working on image-based views
  • FIXED: Publish and Expiration dates for pages not using the defined date format
  • FIXED: Group based permissions on List fields that allowed empty entry.
  • FIXED: Twitter API not returning tweets when asking for non-truncated content.
  • FIXED: One to Many field not drawing properly within callouts
  • FIXED: Dropdown styles when
  • FIXED: Trailing slash behaviors for files that are 404s
  • FIXED: Large multi-site setups failing to log in (you must now access the domains you want to log in to individually if > 4 sites are in one CMS)
  • FIXED: Content Security Policy should no longer restrict the front end bar from other domains in a multi-site environment
  • FIXED: Double slash appearing at the end of home URLs in a multi-site environment
  • FIXED: Potential authenticated SQL injection data leakage through unsanitized tags (thanks xcold for the report)
  • FIXED: 301 redirects that targeted the homepage looking empty
  • FIXED: Table header styles being slightly non-uniform
  • FIXED: Tables with a very large number of pages getting too large and breaking
  • FIXED: Inline date and date/time pickers that have a required value now default to current time and cannot be cleared.
  • FIXED: Some obscure XSS bugs
  • FIXED: Path manipulation issues on Windows possibly leading to authenticated file inclusion

4.2.19

  • ADDED: Generic SMTP Server support to the Mail Delivery options
  • ADDED: Quick link for viewing a user's audit trail when editing them
  • ADDED: Quick links to toggle between editing a Setting's value and configuration
  • UPDATED: TinyMCE to 4.6.5
  • UPDATED: 404 Manager now supports multi-domain sites
  • FIXED: Empty folder names being able to be created in the File Manager
  • FIXED: Attempting to logout on the front-end of the site throwing a CSRF error.
  • FIXED: Attempting to view an audit trail through the overflow menu shortcut throwing a CSRF error.
  • FIXED: phtml/pht files are no longer allowed as upload types in the File Manager as they are a security risk on some systems. (thanks xkfxkf)
  • FIXED: Unlocking pages being vulnerable to a CSRF attack. (thanks xkfxkf)
  • FIXED: A user being able to delete themselves if they tried very hard to do so. (thanks xkfxkf)
  • FIXED: Resizing of view columns occasionally breaking if the right column was resized.
  • FIXED: Unescaped data when viewing a package / extension's details before installing. (thanks xkfxkf)
  • FIXED: A plethora of minor CSRF vulnerable actions. (thanks xfkxfk)
  • FIXED: Unescaped description when saving page revisions. (thanks xfkxfk)
  • FIXED: Pending page changes not being properly escaped after updating. (thanks yjn818)
  • FIXED: Replacing files in the File Manager failing with a CSRF error. (thanks Joe @ Ignition 72)
  • FIXED: Duplicate results in the File Manager when searching for files that exist in multiple folders.
  • FIXED: Generated Route field type not saving its options. (thanks doon.mok)
  • FIXED: SQL Injection related data leakage in tags. (thanks songtancat)
  • FIXED: Duplicate required messages in custom fields with multiple sub-fields that are required.
  • FIXED: Recursive matrixes throwing errors in Integrity Check
  • FIXED: Deprecated TinyMCE settings (thanks mcongrove)
  • FIXED: XSS vulnerability in the photo gallery on the example site. (thanks lsg2409)
  • FIXED: An empty form not being editable.
  • FIXED: No error being thrown when a form failed to add an entry due to a SQL error.

4.2.18

  • SECURITY FIX: Updated PHPMailer to the latest version which patches the sender field allowing for code execution (CVE-2017-7881)
  • FIXED: When submissions exceed max_input_vars limit the user now receives a message rather than having the submission silently mangled
  • FIXED: Deleting media presets

4.2.17

  • NEW: A comprehensive cross site request forgery prevention system was added.
  • SECURITY FIX: Adding a space after a file extension no longer allows a file upload to bypass security checks (thanks math1as from L-team).
  • FIXED: BigTreeFlickrAlbum getPhotos call.
  • FIXED: Activating Rackspace Cloud Files failing.
  • FIXED: Deleting an extension with a missing manifest file no longer deletes all your extensions.
  • FIXED: Long file names with an exact matching crop will no longer generate improper file names.

4.2.16

  • ADDED: getAlbums, getAlbumPhotos, and BigTreeFlickrAlbum to the Flickr API (thanks Matt Briney)
  • ADDED: The file / image browser now shows a link to the folder a file is contained in when viewing file details
  • UPDATED: Facebook API now points to 2.8 API endpoint
  • UPDATED: BigTree should now attempt to remove installation files after installing
  • UPDATED: The forgot password function should no longer confirm whether a valid email was entered to prevent bruteforcing valid emails
  • REMOVED: Version information is no longer shown on the admin login page to prevent version-targeting exploits
  • FIXED: User ban system for too many failed logins
  • FIXED: User session chains not being correctly created
  • FIXED: Default "Advanced" htaccess failing to serve compressed Javascript when the MIME type reported text/javascript
  • FIXED: BigTreeCMS::getLink now properly returns the external link when a page is set to an external link
  • FIXED: More preview links problems in multi-site environments
  • FIXED: Deprecated endpoint in Flickr API
  • FIXED: Creating module views in Module Designer crashing when Xdebug was enabled
  • FIXED: One-to-many fields saving as an object rather than an array in JSON when rearranging (thanks Jordan Mason)
  • FIXED: Display bug in Chrome that visconti was experiencing

4.2.15

  • FIXED: Potential XSS attack vector in module integrity checker - thanks to Haojun Hou in ADLab of Venustech
  • FIXED: File uploads to the file manager not properly throwing errors when post max size was exceeded
  • FIXED: Media preset data being potentially corrupted with empty slots on save
  • FIXED: Several routing issues on multi-site environments in routed templates
  • FIXED: Hitting another domain's page in a multi-site environment now 301 redirects to the proper domain
  • FIXED: Previewing a page from a non-primary domain in a multi-site environment

4.2.14

  • FIXED: Static roots that began in // not encoding or decoding properly
  • FIXED: Routed template URLs losing their last command when used in multi-site mode
  • FIXED: Javascript, CSS, and page caching using the same cache on multi-site mode (www_root/ should now be different when referenced at different URLs)
  • FIXED: Multi-site failing to route properly when the homepage is a routed template
  • FIXED: Sending emails to servers that required sender headers in BigTree::sendEmail (thanks Matt DeWyer)
  • FIXED: Dates not working as matrix titles
  • FIXED: Cropping from the front-end overlay editor failing
  • CHANGED: LESS compiler in BigTree is now using less.php rather than the no longer supported lessphp
  • ADDED: Feeds can now have a filter function

4.2.13

  • FIXED: Breaking of UTF8 support in 4.2.12
  • FIXED: Core action icons can now be re-used by custom actions without Javascript hooking them

4.2.12

  • SECURITY FIX: Fixed authenticated SQL injection vulnerability (users with access to edit a page could make SQL calls that could leak data) - Thank you to Mehmet İnce (http://www.mehmetince.net)
  • SECURITY FIX: Fixed XSS vector in front end bar Javascript (would be very hard to attack) - Thanks to Mehmet İnce (http://www.mehmetince.net)
  • ADDED: Multi-domain multi-site support (you can now serve different branches of the page tree from different domains!)
  • ADDED: Generated Route field type can now accept multiple fields as source fields for route generation
  • ADDED: Edit hooks for Module Forms (data can be translated on load before presenting it to the form for drawing)
  • ADDED: Disable/Enable methods to custom radio, checkbox, and file input fields
  • ADDED: $bigtree["config"]["cache_ttl"] directive to set the default page cache expiration time (rather than it always being 5 minutes)
  • UPDATED: TinyMCE 4 to 4.4.3
  • UPDATED: Field options are now encoded (so you can enter a URL and have it translated properly from dev to live)
  • UPDATED: Facebook API (added new album calls, thanks David Newcomb)
  • FIXED: Resource links not properly getting irl:// protocol when stored in the db
  • FIXED: Warning when calling the disconnect method in BigTreeSFTP
  • FIXED: Permissions bug that allowed users to reply to a message thread they weren't a part of
  • FIXED: Modules not properly guessing that a view should be draggable
  • FIXED: Dialog not closing when working in the File Manager
  • FIXED: Double calls to form hooks no longer break the file manager
  • FIXED: Embedded form hashcash validation when whitespace was present (thanks Jordan Mason)
  • FIXED: Person information not being retrieved properly from Flickr API
  • FIXED: Authorize.net now uses POST rather than GET (as GET has been deprecated)
  • FIXED: Switching to Image/Image Group view type showing field lists
  • FIXED: Warning when a callout group had no callouts (thanks David Newcomb)
  • FIXED: Image based views having the view column styling option
  • FIXED: Reports on image views not respecting prefixes for file paths
  • FIXED: GET vars not being passed when enforcing trailing slash behavior
  • FIXED: Page tree not being in alphabetical order when expanding branches editing user permissions

4.2.11 Release

  • SECURITY FIX: Fixed Blind SQL injection attack for admin users with access to a module form (requires admin access).
  • SECURITY FIX: Logging out should now clear your login session chain (previously, a cookie attack timed exactly right could yield a session chain that survived logout).
  • SECURITY FIX: Cross Site Request Forgeries should now be blocked across the board in the developer section.
  • SECURITY FIX: Fixed Cross Site Scripting vulnerability when editing a Module View (clicking a malicious link could steal cookies).
  • SECURITY FIX: Fixed Cross Site Scripting vulnerabilities when causing a sqlfetch error (clicking a malicious link could steal cookies).
  • FIXED: Bad admin_root replacement when accessing admin-side Javascript.
  • FIXED: Not being able to use the External Link field on initial page creation.
  • FIXED: PHP 7 throwing deprecation warnings on PasswordHash class (PHP 7.1 will drop support entirely for PHP 4 constructors)
  • FIXED: Some incorrect helper text and not-closed-properly tags.
  • FIXED: BigTree::cURL throwing a warning when posting string data (thanks Matt DeWyer).
  • FIXED: Facebook employer information causing a fatal error.
  • FIXED: Twitter API media posting

Thank you to Ashraf Alharbi at security-assessment.com for providing vulnerability analysis related to the security fixes in this release.

4.2.10 Release

  • UPDATED: Data parsers can now be used in both CSV reports and filtered view reports (thanks Jordan Mason)
  • UPDATED: TinyMCE to 4.3.10 (default config file settings now include the minified version rather than the developer version)
  • FIXED: Dropdowns with long options falling outside viewport (thanks Jordan Mason)
  • FIXED: Grammar errors (thanks Jordan Mason)
  • FIXED: Warnings appearing in CSV reports (thanks Jordan Mason)
  • FIXED: Twitter API not properly uploading images to tweets on PHP 5.5+
  • FIXED: BigTreeCMS::cacheDelete not being static
  • FIXED: Group Based Permissions not properly working in List field types
  • FIXED: Some documentation errors
  • FIXED: Administrator level users being able to access Developer level module actions
  • FIXED: Image upload fields accepting non-image file types (thanks dantaex)
  • FIXED: Generated URLs being incorrect when trailing slash behavior was set to remove
  • FIXED: Password reset hash to be slightly more secure and less random
  • FIXED: Page caching now works better with URLs that don't end in /
  • FIXED: BigTree::globalizeArray for arrays that contained the "key" array key (fixes editing Amazon S3 settings)
  • FIXED: Missing configuration based CSS/JS in Front End Editor view
  • FIXED: Nested callouts not working properly
  • FIXED: Incorrect PHP -> jQuery date format conversion
  • FIXED: Date range filters in reports
  • FIXED: Trunk and Redirect Lower not showing up when creating pages
  • FIXED: Embeddable Forms not working correctly for users that aren't logged into the admin
  • FIXED: BigTreeModule::getRecent and BigTreeModule::getUpcoming when the entries were on the current date
  • FIXED: BigTreeAdmin::ungrowl not doing anything
  • FIXED: State/Country list abbreviations when using the Address sub-type of a Text field
  • FIXED: Inability to edit users when using a protocol agnostic admin_root setting
  • FIXED: Lingering escape key hook after uploading a file to the File Manager
  • FIXED: Matrix/Callout fields not stripping HTML when setting the entry's title/subtitle
  • FIXED: Tooltips staying in DOM at 0% opacity (and blocking user actions)
  • FIXED: Field Types in extensions not getting the proper context (making them unable to access non-namespaced settings)
  • FIXED: $bigtree["commands"] array being incorrect when accessing a routed template that is a pending page
  • REMOVED: Yahoo BOSS and Yahoo Geocoder APIs (these were EOL'd by Yahoo some time ago and no longer work)

4.2.9 Release

  • ADDED: Clear Label button to callout editor in case you don't want to use any resource for the label
  • ADDED: $_SESSION["bigtree_referring_url"] is now set when your site is in maintenance mode (for use by your maintenance template for logging)
  • ADDED: Title Field Parser for Group Based Permissions to change the group name that appears when editing users (thanks Jordan Mason)
  • ADDED: Regular Text fields can now specify maximum lengths (thanks Jordan Mason)
  • FIXED: Not being able to click calendar/clock icons to open date/time picker
  • FIXED: Invalid guid in RSS2 feeds
  • FIXED: When deleting a callout, it should now be removed from all groups (thanks Jordan Mason)
  • FIXED: Field type cache not being cleared after deleting a field type
  • FIXED: Improper change type in daily digest emails
  • FIXED: Improper audit trail tracking for pages that were deleted because their ancestor page was deleted
  • FIXED: Improper audit trail tracking for deleting page drafts logging the incorrect ID
  • FIXED: Missing check for {adminroot} when finding admin backlinks
  • FIXED: Checkbox values can now be used for part of a matrix field's title/subtitle
  • FIXED: Page revisions should now be properly stored up to 10 entries or all entries in the past month
  • FIXED: Group query failing when the other table's sort field was a reserved mysql keyword
  • FIXED: Link returning functions (breadcrumbs, getLink, getNav) should now respect trailing slash behavior
  • FIXED: PHP 7 not working with BigTree::globalizeArray
  • FIXED: BigTree::cleanFile not properly sanitizing paths
  • FIXED: Preview URL not working if a trailing slash wasn't entered
  • SECURITY FIX: A privilege escalation issue that would enable Administrator level users to become Developer level for a session.
  • SECURITY FIX: Fixed object injection vulnerability in POST data that enabled any BigTree admin-side user to poison settings. Thanks to Tim Coen @ Curesec GmbH for the disclosure.

4.2.8 Release

  • ADDED: A ping to bigtreecms.org to help us maintain version usage numbers (you can disable this by setting $bigtree["config"]["disable_ping"] to true)
  • ADDED: Very limited Facebook API support to Service APIs.
  • ADDED: ChannelID property to BigTreeYouTubeVideo class.
  • ADDED: A $bigtree["config"]["trailing_slash_behavior"] configuration setting to always add or remove trailing slashes from URLs (thanks Randy Hook @ MindScape)
  • ADDED: BigTree front end bar's Edit button can now be changed by setting $bigtree["bar_edit_link"] to another URL in your template (thanks mdewyer)
  • ADDED: You can now manually add 301 redirects in the 301 Redirects section of the 404 report
  • ADDED: List Parser functions to the List field type (similar to the existing functionality for One/Many-to-Many)
  • ADDED: Callouts can now be nested inside callouts
  • UPDATED: Google API instructions
  • UPDATED: TinyMCE 4 to 4.2.8
  • UPDATED: 301 redirect URLs now only show the short slug version of the destination URL
  • UPDATED: 301 redirects now attempt to make internal page links out of short slug destination URLs for better transitioning over time
  • FIXED: Grayscale and Delete button for thumbnails being assigned to the wrong row.
  • FIXED: Background images not properly rewriting to https when BigTreeCMS::makeSecure is called.
  • FIXED: Media Presets not properly throwing inline errors on image uploads.
  • FIXED: BigTree::cURL's $bigtree["last_curl_response_code"] always being 0.
  • FIXED: BigTree::relativeTime returning plurals when it shouldn't
  • FIXED: Tags not having whitespace trimmed on creation
  • FIXED: Duplicate images being created when a crop didn't have a prefix and the exact file size was uploaded
  • FIXED: BigTreeAdmin::drawArrayLevel so that it can accept an array directly for recursive calling (i.e. nesting Matrix/Callout)
  • FIXED: BigTreeCMS::catch404 not clearing the existing buffer before drawing the 404 page
  • FIXED: Issues with TinyMCE not saving in Safari when used inside of Callouts or Matrixes
  • FIXED: Current date always being used in date pickers inside of callouts/matrixes and added ability to remove a date (thanks jmason03)
  • FIXED: 0 being considered empty when doing type validation in auto modules (thanks jmason03)
  • FIXED: Tab indexing in nested matrixes and callouts
  • FIXED: Some configuration variables not properly being in the demo site's config
  • FIXED: Box sizing issue on input[type=search] that Firefox 41 introduced
  • FIXED: Mandrill API returning true for failed calls
  • FIXED: Various style issues inside of callout dialogs
  • FIXED: Missing column in bigtree_module_reports when upgrading from 4.0
  • FIXED: Not being able to add unused fields to an embeddable form after its creation
  • FIXED: Several field types not drawing properly in embeddable forms
  • FIXED: Embeddable forms not loading configuration-based Javascript and CSS
  • FIXED: Properties that were dangerous / not useful for the homepage no longer appear when editing the homepage.
  • FIXED: Date pickers failing on embeddable forms
  • FIXED: Errors bubbling up to higher fieldsets when fieldsets were nested
  • FIXED: Infinitely resizing embeddable forms
  • FIXED: Module actions permissions not being properly enforced (thanks Randy Hook @ MindScape)
  • FIXED: Packaging a setting, template, or callout into an extension not always working as intended (thanks Randy Hook @ MindScape)
  • FIXED: BigTreeModule::getRecentFeatured sorting by ASC rather than DESC by default
  • FIXED: FTP and SFTP upgrades failing for both Extensions and System upgrades
  • FIXED: Cloud caches not being populated properly when selecting a container
  • FIXED: Protocol agnostic URLs failing integrity checks
  • FIXED: Editing extension settings via the admin's Settings section failing
  • FIXED: Site status to better check all the directories that need writable permissions
  • REMOVED: Paste button from TinyMCE as modern browsers don't support it

4.2.7 Release

  • ADDED: Extension field types can now more easily add their own CSS and JS into the admin header by specifying the full path to their CSS file or JS file. For instance: $bigtree["css"][] = "*/com.fastspot.video-field/css/video-field.css";
  • ADDED: You can now hook BigTree's ready events via the Javascript BigTree.hookReady() function. BigTree will run the passed in function when it hits a ready state. Ready states include page load after BigTree init routines and callout/matrix dialog opening (after any requested Javascript is loaded).
  • UPDATED: jQuery to latest 1.11.3 stable build
  • FIXED: 30 day page views not showing in Pages when Google Analytics is setup
  • FIXED: Extensions that checked for the existence of BigTree internal settings that were not yet created (i.e. service APIs) should no longer create extension namespaced versions of the internal settings.
  • FIXED: Incorrect permission checking when sending out lists of pending changes in Daily Digest emails
  • FIXED: Google Analytics API storing things in bigtree_caches that it never uses
  • FIXED: Callout fields from an upgraded 4.1 installation not properly loading their groups in 4.2+
  • FIXED: Missing older style {key} replacements in Javascript (fixes embedded form issues)
  • FIXED: Embeddable Forms not processing their hooks properly
  • FIXED: Chrome in Windows rendering some select fields strangely (i.e. in the "Address" type of a Text field)
  • FIXED: Form fields' title and subtitle attributes not encoding properly on update (led to issues with titles that had < or > or " in them)
  • FIXED: "Max" message not aligning properly in a matrix nested inside a matrix or callout
  • FIXED: The return-to-the-page-you-were-editing functionality when editing the template of the home page
  • FIXED: 301 redirects containing special characters (i.e. # or &) not redirecting correctly
  • FIXED: Deleting of pending items leading to a 404 page
  • FIXED: Callout access levels not functioning properly
  • FIXED: Resource type hints in template / callout files always being "Array"
  • CHANGED: TinyMCE 4's default configuration now allows for all tags and attributes rather than stripping tags randomly that it doesn't understand.
  • CHANGED: "Required" Javascript logic to work better with custom field types

4.2.6 Release

  • SECURITY FIX: Fixed a critical path manipulation bug that could expose private files
  • FIXED: Cron failing when using a custom admin class
  • FIXED: Fields that were set to ignore sometimes nulling the value of a good column.
  • FIXED: Feed parsers containing a " character not being editable
  • FIXED: Removing fields from a feed not working
  • FIXED: Related Menu dropdown looking broken in IE10/11
  • FIXED: Template editor showing related module for basic templates
  • FIXED: Permission errors when a module has the same route as a core ajax directory (i.e. callouts)
  • FIXED: Chrome issues with TinyMCE (updated to latest release)

4.2.5 Release

  • FIXED: A permissions breaking bug that prevented normal users from hitting the Pages tab
  • FIXED: Installation on Windows server setups
  • FIXED: BigTree::makeDirectory failing on Windows environments
  • FIXED: Missing underline icon in TinyMCE 4

4.2.4 Release

  • ADDED: CSS loaded in the admin now has access to the www_root/, static_root/, and admin_root/ variables
  • ADDED: BigTree::dateFormat method that parses dates set in $bigtree["config"]["date_format"] into another format
  • FIXED: Extensions that used module form hooks failing to import the form hooks properly
  • FIXED: "Trees" module in the example site not generating its URL routes properly
  • FIXED: Several XSS and SQL injection vectors that could possibly be exploited by users with admin access (thanks to Tim Coen @ Curesec GmbH)
  • FIXED: Deleting a pending page returning you to the wrong page tree
  • FIXED: Deleting cloud files with protocol agnostic URLs failing
  • FIXED: Packages that contained related forms for views failing to import the views properly
  • FIXED: Creating packages/extensions with callouts and templates failing to also include custom field types used by them
  • FIXED: Importing templates and callouts from a 4.1 package not importing the resource fields properly
  • CHANGED: A file is now only deleted from the file system / file manager after it has been removed from all the containing folders in the file manager

4.2.3 Release

  • FIXED: Ignoring an update notification not sticking
  • FIXED: Example site using old style index.php
  • FIXED: Service APIs that used off site redirects failing after 4.2.2 security hardening
  • FIXED: Incorrect error messages in Users section
  • FIXED: "columns" parameter not working in BigTreeModule's getAllPositioned method
  • FIXED: BigTreeYouTubeAPI's timeSplit method being protected (it's needed by other classes in the API)
  • FIXED: Launcher now works better with sym-linked cores (in fresh installs)
  • FIXED: Converting Array of Items (4.0/4.1 field type) into Matrix when upgrading (for real this time)
  • FIXED: Incorrect message when deleting callout groups
  • FIXED: BigTree admin bar not working on secure pages
  • FIXED: Users' names and company names not being encoded properly (XSS)
  • FIXED: Date and Date/Time pickers losing their value if used in Matrix / Callouts and not edited
  • FIXED: Draggable views setting positions to be negative numbers (failed to sort if you were using unsigned columns)

4.2.2 Release

  • ADDED: You can now instantiate a BigTreePaymentGateway object with the desired payment gateway in the constructor for using multiple services
  • ADDED: When grouping by a special column such as featured, approved, or archived, groups now get meaningful titles and clicking the relevant icons reloads the view to show movement between groups.
  • ADDED: BigTreeCMS::cacheUnique method that allows you to specify only an identifier and will return a unique key for the data being stored
  • FIXED: Making updates to a pending change before publishing failing
  • FIXED: Example site's photo gallery field not functioning
  • FIXED: Protocol agnostic Cloud files URLs not working with copyFile
  • FIXED: Redirect Lower pages option failing if all the child pages were not visible in nav
  • FIXED: Importing a field type from an extension failing to properly set use cases
  • FIXED: 4.1->4.2 array of items to matrix field type conversion failing for modules
  • FIXED: Upload fields in matrix / callouts that were set to required failing to recognize existing data when resaving
  • FIXED: List-style matrix fields not drawing properly after a callout-style matrix or callouts field
  • FIXED: Matrix fields not properly using subtypes of text fields for titles
  • FIXED: Corrupt many to many data showing up when adding new content
  • FIXED: Issues with custom checkboxes in the admin sometimes not switching properly
  • FIXED: Module reports not being deletable
  • FIXED: Multiple cross-site scripting vectors that could lead to an admin user being phished
  • FIXED: Potential path abuse vectors that could lead to an admin user storing or including a file outside the proper directory
  • FIXED: BigTreeCMS::cacheGet failing to return values when max_age was not passed
  • FIXED: Potential abuse of cropping images through POSTing to the process-crops URLs with dummy data.
  • FIXED: Crops not occurring in Pages and Settings if errors occurred
  • FIXED: Potential phishing download abuse
  • FIXED: Potential SQL injection vectors that administrative users could possibly exploit
  • FIXED: Developer level AJAX calls often not requiring developer access.
  • FIXED: Possible variable scope override issues.
  • FIXED: Potential cookie manipulation via phishing.
  • FIXED: Module forms for extensions not properly importing.
  • FIXED: Reports in packages and extensions not properly packaging their related tables.
  • CHANGED: Old internal page links that used BigTree 3 format (serialized) are no longer supported. This resolves a potential object injection attack.
  • CHANGED: BigTree::redirect can no longer be used to redirect outside the current domain when called within the admin. This helps prevent phishing attempt redirections.

4.2.1 Release

  • ADDED: SendGrid email service support (thanks zumbrunnen)
  • ADDED: Support for alternate ports and sockets when connecting to MySQL (thanks zumbrunnen)
  • FIXED: Writability checks for directories when upgrading the CMS or an extension now occur before you try to install the update
  • FIXED: Invalid files (due to security implications) sticking around in /tmp when BigTreeStorage rejects them
  • FIXED: Failing to automatically find the FTP path when upgrading BigTree causing a loop
  • FIXED: Warning being thrown when manually calling processField when "crops" wasn't an array (thanks mdewyer)
  • FIXED: Cloud files URLs for Amazon / Google Cloud to be protocol agnostic
  • FIXED: Configuration based admin_css and admin_js not working properly inside a file routed by an extension (thanks mdewyer)
  • FIXED: Failure to properly encode arrays as strings when caching pending records (thanks jmason03)
  • SECURITY FIX: Fixed several possible SQL injection vulnerabilities that could be run by authenticated BigTree users (thanks sumitingole)
  • SECURITY FIX: Fixed several XSS attack vectors (thanks sumitingole)
  • SECURITY FIX: Session and login cookies are now set to HTTPOnly (less susceptible to XSS attacks, thanks sumitingole)
  • SECURITY FIX: Login cookies are now more secure one time tokens (based on http://jaspan.com/improved_persistent_login_cookie_best_practice, thanks sumitingole)
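The two cookie-related fixes above (HttpOnly session cookies, and login cookies that are one-time tokens in the style of the linked "improved persistent login cookie best practice") are written out below as an added example. This is not BigTree's own code: the class, method and cookie names, the `series:token` cookie layout and the in-memory array standing in for a database table are all assumptions made for the illustration.

```php
<?php
// Added example of a one-time-token persistent login (Jaspan's scheme).
// Not BigTree code; names and the in-memory store are assumptions.

final class PersistentLogin
{
    public const COOKIE = 'example_remember_me';   // assumed cookie name
    private const LIFETIME = 60 * 60 * 24 * 30;     // 30 days

    /** series id => ['user' => int, 'token_hash' => string, 'expires' => int] */
    private array $store = [];

    /** After a password login: start a new series with a fresh one-time token. */
    public function issue(int $userId): array
    {
        $series = bin2hex(random_bytes(16));
        $token  = bin2hex(random_bytes(32));
        $this->store[$series] = [
            'user'       => $userId,
            'token_hash' => hash('sha256', $token), // store only a hash of the token
            'expires'    => time() + self::LIFETIME,
        ];
        return [$series, $token];
    }

    /**
     * Check a presented series/token pair. Returns the user id or null.
     * A known series with the wrong token means an already-spent token was
     * replayed (by a thief, or by the victim after a thief used it), so every
     * series belonging to that user is revoked.
     */
    public function validate(string $series, string $token): ?int
    {
        $row = $this->store[$series] ?? null;
        if ($row === null || $row['expires'] < time()) {
            unset($this->store[$series]);
            return null;
        }
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            $this->revokeUser($row['user']);
            return null;
        }
        return $row['user'];
    }

    /** Rotate the token after each successful use; the old one is now dead. */
    public function rotate(string $series): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store[$series]['token_hash'] = hash('sha256', $token);
        return $token;
    }

    public function revokeUser(int $userId): void
    {
        foreach ($this->store as $series => $row) {
            if ($row['user'] === $userId) {
                unset($this->store[$series]);
            }
        }
    }

    /** Split the cookie value "series:token"; null if malformed. */
    public static function parseCookie(string $value): ?array
    {
        $parts = explode(':', $value, 2);
        return count($parts) === 2 ? $parts : null;
    }

    /** Cookie attributes: HttpOnly keeps the value away from page scripts. */
    public static function cookieOptions(bool $https): array
    {
        return [
            'expires'  => time() + self::LIFETIME,
            'path'     => '/',
            'secure'   => $https,
            'httponly' => true,
            'samesite' => 'Lax',
        ];
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected: $what");
    }
}

// Walkthrough with constructed data (user id 42 is made up).
$login = new PersistentLogin();
[$series, $token] = $login->issue(42);
// In a request handler you would then call:
// setcookie(PersistentLogin::COOKIE, "$series:$token", PersistentLogin::cookieOptions(true));

// 1. Legitimate return visit: token accepted, then rotated.
check($login->validate($series, $token) === 42, 'first use accepted');
$token2 = $login->rotate($series);

// 2. Replay of the spent token: treated as theft, series revoked.
check($login->validate($series, $token) === null, 'replay rejected');

// 3. After revocation even the fresh token is dead; user must log in again.
check($login->validate($series, $token2) === null, 'series revoked');
echo "one-time-token login demo completed\n";
```

The point the walkthrough makes is the one the linked article makes: rotating the token on every use turns a stolen cookie into a detectable event rather than a silent long-lived session, and HttpOnly keeps the cookie out of reach of the XSS class of bugs listed in the same release.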

4.2 Release

  • ADDED: Email Service for SendGrid
  • ADDED: Extensions Support (see http://www.bigtreecms.org/docs/dev-guide/advanced/extensions/ for more information)
  • ADDED: Security Settings (password policies, temporary bans, IP bans, allowed IP lists)
  • ADDED: Matrix field type (essentially a generic Callout distinct to a template/setting/form).
  • ADDED: One-to-Many field type (similar to Many to Many but stores associations as JSON in the same table).
  • ADDED: Multiple Group support for Callouts. You can add callouts to multiple groups and allow multiple groups of callouts in a given Callouts field. Callouts are no longer sortable in the dropdown -- sorting is now alphabetical.
  • ADDED: On-Publish Hook support for forms
  • ADDED: "clear" method to BigTreeRadio / BigTreeCheckbox to uncheck
  • ADDED: Support for a custom default date format in $bigtree["config"]["date_format"] for date pickers and other fields that use dates.
  • ADDED: Reset / Add All buttons to Many to Many.
  • ADDED: Center Crops to photo-related fields.
  • ADDED: Media presets to re-use thumbnail/crop/center crop settings across fields.
  • ADDED: A country list with two letter abbreviations to BigTree::$CountryListWithAbbreviations
  • ADDED: Email Service settings and BigTreeEmailService class to allow transactional emails (daily digest, forgot password, etc) to be sent via Mandrill, Postmark, or Mailgun.
  • ADDED: Busy state for AJAX calls to prevent double clicking on a slow internet connection bringing up multiple dialogs.
  • ADDED: BigTree::dateFromOffset method to easily add an amount of time to a given date
  • ADDED: BigTree::getCookie and BigTree::setCookie methods to easily set cookies that apply to the whole site (you can also set array values, stored as JSON in the cookies).
  • ADDED: Confirmation dialog when leaving a page where you've changed form data.
  • ADDED: SFTP support for core updates.
  • ADDED: BigTree::urlExists (better version of BigTreeAdmin::urlExists)
  • ADDED: BigTree::createUpscaledImage (reverse of BigTree::createThumbnail)
  • UPDATED: Installer will now create a database for you if it doesn't exist.
  • UPDATED: BigTreeModule retrieval methods now allow you to pass a columns array to only retrieve the specified columns.
  • UPDATED: The upload field type now works with the FileReader API to provide file size and thumbnail information after selecting a file.
  • UPDATED: The photo gallery field type now works with the FileReader API to provide thumbnail previews of images before uploading.
  • UPDATED: The upload field type will now throw an error before uploading if the selected file will exceed PHP's max upload file size.
  • UPDATED: The File Manager now allows you to upload multiple files at once.
  • UPDATED: BigTreeModule class now supports passing in a table name for generic module classes.
  • UPDATED: When creating a module and adding its initial view, if the table has a "position" column it will be assumed Draggable instead of Searchable.
  • UPDATED: When choosing a field type the dropdown is now split into option groups for "Default" and "Custom" to better differentiate your custom field types.
  • UPDATED: Callouts/Matrixes can specify the maximum number of entries in the field options.
  • UPDATED: When in a grouped view, if the last item is deleted from the group it will now disappear as well.
  • UPDATED: Embedded Forms now throw the bigtree-embeddable-form-resize event when resizing their iframe.
  • UPDATED: BigTreeModule's add method parameters now more closely align with the function and names of the update parameters (still backwards compatible, just more functional).
  • UPDATED: BigTreeModule's update method now allows you to pass in a key/value array as the second parameter instead of breaking it into two parameters.
  • UPDATED: Advanced Search's nav is now sticky and won't disappear when scrolling a long list
  • UPDATED: BigTree::cURL now allows output to a file for less memory-intensive file downloads
  • CHANGED: Field drawing and field processing now occurs in function scope with access to $admin, $bigtree, $cms, and $field. This limits the likelihood of one field type somehow breaking the main form's environment variables and also leads to much better code re-use.
  • CHANGED: Field options for templates, settings, and callouts are no longer stored in the top level JSON object but are instead stored in the "options" object -- this allows field options to now include keys such as "title" and "subtitle" (though "type" is still restricted when used in a Callout).
  • CHANGED: htmlMimeMail is no longer included in BigTree as it hadn't been updated in years. PHPMailer is now used as BigTree's default local mail sending tool.
  • CHANGED: Many Javascript classes/objects are now stored in closures and accept an object-based settings parameter instead of a long list of parameters (but should still be backwards compatible with the old parameter format).
  • CHANGED: Pre / Post callbacks for forms are now integrated into Hooks
  • CHANGED: BigTree running on PHP 5.4+ will now save its data in pretty-print JSON without escaped quotes for improved database editability.
  • CHANGED: AJAX folder routing will now include _header.php and _footer.php from the directories like templates.
  • CHANGED: You can now include links in
  • CHANGED: Many BigTreeCMS and BigTreeAdmin methods can now be called statically.
  • CHANGED: Many to Many no longer asks you to confirm removing something.
  • REMOVED: Array of Items field type -- existing fields will be automatically converted to Matrix but their display titles will be lost until they are re-saved.
  • FIXED: Lots of general JavaScript clean-up
  • BACKWARDS COMPATIBILITY: BigTree 4.1 packages that use the Array of Items field type for forms/templates/callouts/settings will need to have that field changed manually to a Matrix field after importing.

4.1.2 Release

  • FIXED: Editing HTML fields in the Array of Items field type when using TinyMCE 4
  • FIXED: Cloud Storage APIs throwing a warning when in PHP's safe mode
  • FIXED: Sorting issues when returning to a searchable view after interacting with a form
  • FIXED: Cloud Storage allowing you to choose a not-yet-connected storage service as the default storage service.
  • FIXED: Google Cloud Storage instructions and return page
  • FIXED/UPDATED: Default .htaccess for "Advanced" routing now includes latest deflate settings from HTML5 Boilerplate (fixes some edge case deflate issues)
  • FIXED: Cropping and other issues when using a cloud storage URL as your static root.
  • FIXED: Improper grammar in environment alert (thanks to jono_hayward on the forums)
  • FIXED: Missing in delete user dialog
  • FIXED: Date & Time field using a time format (g:ia) that was inconsistent with other places (h:ia elsewhere)
  • FIXED: Return page when updating a user fails
  • FIXED: Dropdowns in WebKit/Blink when using .callout_fields but not #callout_resources.
  • FIXED: Footers in dialogs having improper styling of regular links
  • FIXED: Dropdown options in styled boxes with the "multiple" attribute still being converted to BigTree's custom ones
  • FIXED: Embeddable forms weren't deletable
  • FIXED: Double encoding of callout groups (&)
  • FIXED: Usage of $val in callout resources causing havoc
  • FIXED: BigTree::trimLength still adding ellipsis on non-shortened strings (if the string was longer than the set # due to not truncating words)
  • FIXED: Some field options not being sortable (Array of Items)
  • FIXED: Hidden elements (display: none) being converted to BigTree custom ones and drawing.
  • FIXED: "Edit in Developer" showing up for everyone on forms/views
  • FIXED: BigTree Bar not showing up unless you selected "Remember Me" when logging into the admin.

4.1 Release

  • ADDED: Built-in core updater (via local write and FTP, SFTP coming in 4.2)
  • ADDED: Page ID in Page Properties section.
  • ADDED: Multiple WYSIWYG options (TinyMCE 3, TinyMCE 4) - the default is now TinyMCE 4.
  • ADDED: The ability to have a WYSIWYG area degrade to "simple mode" if a user is not an admin / developer.
  • ADDED: A Developer/admin maintenance mode that restricts access to the admin area to developer users.
  • ADDED: User Emulator for developers so that they can test how the admin behaves as a different user without knowing their password.
  • ADDED: Pages can now throw a "X-Robots-Tag: noindex" header via a checkbox when adding/editing a page (stops Google/Bing from indexing the page).
  • ADDED: Image option to automatically convert uploaded PNGs (that don't have an alpha channel) to JPGs to save space.
  • ADDED: Users can now hide Module View descriptions by clicking a close button.
  • ADDED: Titles to action buttons when hovering over them.
  • ADDED: Example content when using the Module View styler so that you can see how actual content will be affected by your changes.
  • ADDED: Quick links back to Developer edit page for module views/forms when viewing them.
  • ADDED: A setting to change the default number of items per page.
  • ADDED: Audit Trail tool to run reports on activity in the admin (the audit trail table has existed since 4.0, this new interface can use existing data).
  • ADDED: BigTreeModule::getInfo method that will return information about a given module entry (creation time, update time, who created, who last updated, etc).
  • ADDED: Module Reporting to create custom reports and CSV exports quickly.
  • ADDED: Nested Draggable view type (perfect for something like categories that have subcategories).
  • ADDED: Embeddable Module Forms — forms that you can embed via iframe in the front end of your site that will feed directly into your modules.
  • ADDED: Message Thread support in Message Center (you can now see the full conversation when viewing a message).
  • ADDED: Maintenance Mode option that will load /templates/basic/_maintenance.php and redirect users to a given URL (similar to the developer maintenance mode except for the front end).
  • ADDED: File Manager file/folder deletion ability.
  • ADDED: File Manager replace file ability.
  • ADDED: Support for "nested"