Zenphoto 1.5
30 August 2018
Zenphoto version 1.5 is now available (major release).
Upgrading to Zenphoto 1.5
Zenphoto 1.5 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Zenphoto updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Zenphoto install to test the 1.5 upgrade prior to applying it live. Get started managing your Zenphoto installations with Installatron.
What's New in Zenphoto 1.5
Security
- Fixes three very minor local file inclusion security issues in the backend; all of them were reachable only by a user who already had backend access anyway [acrylian, Thanks to JPCERT/CC for the report]
- Setup no longer exposes the MySQL password in the page source when the database credentials are wrong or do not work. Only admins with full rights to run setup could have seen it in the first place [acrylian]
Highlights
- Adds a new option (Options > Security) to anonymize the IP addresses that Zenphoto stores internally on some occasions (e.g. spam fighting and comments), for privacy reasons. Required and strongly recommended in e.g. EU countries, especially with regard to the new European General Data Protection Regulation (GDPR). The function getUserIP() also has a parameter to override the option if needed [acrylian, Thanks to Ralf Kerkhoff]
- Adds new options for a general data usage confirmation notice and a related, defined data privacy page (static or Zenpage page), also to comply with the EU GDPR. This option is used by the official form plugins (see the next list entry and the plugin section below); other plugins can implement it if needed. [acrylian]
- Themes that don't support the Zenpage CMS plugin and its pages feature can use the new printPrivacyPageLink() function to automatically add such a link if a data privacy page is defined. The included Basic theme provides example usage. [acrylian]
- Official form plugins (contact, comment, register_user) got a GDPR compliant checkbox option for data storage and handling confirmation [acrylian]
- There is now a utility button to export an overview of the personal data stored about user name and mail address combinations, as HTML or JSON. Full admins can use this to export any user's data. Additionally, users with lower rights can export their own data from their user account. [acrylian]
Full Changelog
- Some improvements to cookie/session handling. The login cookies are now set with HTTPS-only (secure) parameters if the server uses HTTPS, and always with the httponly parameter so scripts have no access to them. If sessions are used, they are properly destroyed on logout. NOTE: Since a cookie can only be deleted safely if it is deleted with the same parameters it was set with, and these parameters have changed, you may need to force-clear cookies in your browser first if you encounter login issues. [acrylian]
- Setup files are now automatically protected after setup has run successfully. [acrylian]
- Setup does not run automatically anymore if Zenphoto detects a (smaller) change; you only get an info window. If you know what you are doing, you can now choose to skip the request. You will not be reminded again unless further changes are detected, since a new install signature is then generated internally. If the security_logger plugin is active, this action is logged. [acrylian]
- Fixes wrong trailing slash in .htaccess file's rewriteBase created by setup for root installs [fretzl]
- Adds table for albums by most viewed (popular) images to backend gallery statistics [wongm]
- The extra zenphoto.js file is not loaded on the frontend anymore if not logged in [acrylian, Thanks to Simounet]
- Access to files within the root /backup folder that is created when using the auto_backup plugin is now protected by .htaccess. Users on non-Apache systems, or on systems that do not support .htaccess, will need other server settings to achieve something similar [acrylian, Thanks to simonrash]
- Fixed missing automatic rotation of sidecar images like video/audio thumbs [acrylian]
- Owner of primary album is now set to the user's ID [fretzl]
- Reduces unnecessary form warnings regarding unsaved data [acrylian, Thanks to vincent3569 and thany]
- Core rewrite token support for the standard custom index page gallery.php based on sbillard's old unsupported galleryToken plugin [acrylian, Thanks to vincent3569]
- Introduces new (internal) path constant SERVER_HTTP_POST [acrylian]
- New default sort order options for search results of Zenpage news articles and pages (Options > Search) [acrylian]
- Fixes for dynamic albums and search cache [acrylian]
- Improvements to custom text truncation and to repairing broken HTML, applied generally to Zenpage items but also when you use shortenContent() [acrylian, vincent3569]
- The links to the functions/class documentation of included official plugins from the backend plugins page work again [acrylian]
- The admin tool box now provides links to delete items [acrylian]
- Title attribute added as optional parameter to all "print" image template functions [acrylian, Thanks to mebels]
- SQL improvements for print/getRandomImages() template functions [wongm]
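The cookie/session entry above notes that a cookie is only reliably deleted when it is cleared with the same parameters it was set with. The following added example (not Zenphoto's own code) shows a login cookie set with secure and httponly attributes and a logout that clears both that cookie and the PHP session cookie with matching attributes. The cookie name, path and lifetime are assumptions.

```php
<?php
// Added example, not Zenphoto code. Hypothetical cookie name and path.
const COOKIE_NAME = 'example_auth';
const COOKIE_PATH = '/';

function requestIsHttps(): bool {
    // Only the standard server variable is consulted; proxy headers are not trusted.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function cookieOptions(int $expires): array {
    return [
        'expires'  => $expires,
        'path'     => COOKIE_PATH,
        'secure'   => requestIsHttps(), // only sent over TLS when the site runs on it
        'httponly' => true,             // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

function setLoginCookie(string $token): void {
    setcookie(COOKIE_NAME, $token, cookieOptions(time() + 3600)); // assumed 1h lifetime
}

function clearLoginCookie(): void {
    // Same name, path, secure, httponly and samesite as when set; with different
    // attributes the browser treats it as a separate cookie and the old one survives.
    setcookie(COOKIE_NAME, '', cookieOptions(time() - 3600));
}

function logout(): void {
    clearLoginCookie();
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            // Clear the session cookie with the parameters PHP used to set it.
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 3600,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'] ?? 'Lax',
            ]);
        }
        session_destroy();
    }
}
```

The options-array form of setcookie() requires PHP 7.3 or later.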