Update Feed

Zenphoto 1.5.8

2 June 2021

Zenphoto version 1.5.8 is now available (major release).

Upgrading to Zenphoto 1.5.8

Zenphoto 1.5.8 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Zenphoto updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Zenphoto install to test the 1.5.8 upgrade prior to applying it live. Get started managing your Zenphoto installations with Installatron

What's New in Zenphoto 1.5.8

Security

Updates PHPMailer library to fix several security issues
Fixes non properly sanitzied paths allowing possible access to directories above the installation itself which the user may not be authorized to.
In case you encounter an "unfixed security issue" on the internet and missed our separate post about it: https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/. Also if you just disable the elFinder plugin the "issue" is disabled as well.
Reconfigure action changes:

** Zenphoto will not autorun setup anymore if database credentials are not set correctly or missing in the config file. Since we cannot check for login status without database access this might expose install information to the outside world and offer setting MySQL credentials to anyone. Instead a generic "configuration error" page will now be shown both on the front- and the backend. The debug log will have an entry about this and you need to edit the config file via FTP now. Setup will now only autorun if the config file is missing completely as we then have to "assume" this is a fresh install.
** Better checks to avoid showing the reconfiguration on "minor install signature" changes on the frontend for non loggedin visitors and confusing them. The debuglog will have an entry about this instead. Loggedin users will still get to see it.

General

Cookie related changes:

** All native Zenphoto cookies have been renamed to use the prefix "zpcms_". So you will need to re-login. The reason is that for privacy concerns it is now clear where these cookies come from. Additionally to"zpcms_" there is a sub prefix for certain types:
*** Authentication related cookies start with "zpcms_auth_"
*** Administration related cookies start with "zpcms_admin_"
*** Search related cookies start with "zpcms_search_"
*** Setup related cookies start with "zpcms_setup_"
** There are now several functions to print info about all native cookies you can use on your privacy page: getCookieInfoData(), getCookieInfoHTML() and printCookieInfo(). Additionally there is a content macro you can use on for example your privacy info page:
** Note that this does not cover plugins that rely on additional external services like Google Maps or Matomo. Zenphoto's own cookies do not track, except of course the login cookies.

Fix forgotten proper default setting for db config mysql port
Improve checks for duplicated user mail addresses and make the method checkUniqueMailAddress() properly return true if it is as the doc tells instead of false
Theme folder names now allow version numbers like "mytheme-v2.3"
Added missing semicolon to Content-Security-Policy
Plugins may now set the following optional definitions

** $plugin_name: The optional name. If not defined the filename will be used, as before.
** $plugin_date: The date of the last update (yyyy-mm-dd format preferred).
** $plugin_siteurl: A URL where users can find info and hopefully updates for the plugin, like a GitHub repository. This should not be used for the author website in general.
** $plugin_disable: Currently this allows one ternary operator condition for e.g. a compatibility or dependency check. Since this might get a little inconvenient if you have more complex requirements this now allows an array of several ternary operators. These operators should return an explaination that is now peristently shown or false if everything is okay.
** $plugin_notice: A notice message about special dependencies, requirements, using external sources, etc.
** $plugin_deprecated A message about the plugin being deprecated or parts of it.
** $plugin_description, $plugin_notice, $plugin_deprecated, $plugin_disable: These allow (one dimensional) array definitions instead of just one string for better readability of longer texts. Each array entry will be output as a single paragraph. This also allows using ternary operators (see $plugin_disable above).

Themes may now set the following optional themeinfo values

** $themeinfo['siteurl']: See $plugin_siteurl above.
** $themeinfo['disable']: See $plugin_disable above.
** $themeinfo['notice']: A message about special dependencies, requirements, using external sources, etc.
** $themeinfo['deprecated'] A message about the theme being deprecated or parts of it
** $themeinfo['desc'] , $themeinfo['notice'],$themeinfo['deprecated'], $themeinfo['disable'] :These allow (one dimensional) array definitions instead of just one string for better readability. Each array entry will be output as a single paragraph. This also allows using ternary operators (see $plugin_disable above).

Fix distorted thumb generation for non image items by using the actual dimensions of the sidecar thumbimage. Introduces new image class methods getThumbDimensions(), getThumbWidth() and getThumbHeight() for central handling via image objects and child classes textobject and video.
Deprecate template functions getRandomImages(), getRandomImagesAlbum(), printRandomImages() which actually only got "one" image and also just double functionality of the image_album_statisics plugin
Adds new filter hooks for RSS feeds to filter a single item: "feed_image", "feed_album", "feed_news", "feed_page", "feed_comment"
All content images especially theme related (so not icons) now feature the new HTML attribute loading="lazy" by default for native browser lazyloading supported by most (very) modern browsers.
Fix session cookie and general cookies regarding SameSite (PHP 7.3+ only)
Comment RSS feeds for single items fixed
New filters for filtering attributes for all printImage* template functions
Sort direction fixed for search results and therefore also dynamic albums
Sorting of multi-lingual content like titles (these use an array structure) now supports locale aware sorting internally if the native PHP intl extension and its Collator class are available on the system. So for example titles with French accents or German umlauts are sorted correctly as you would expect them to if the locale of those languages is currently active.
Fix issue of some element attributes and especially id's being removed from text HTML content on the front end unwantedly

Backend

Default order of theme and plugin options is now the order of the option definition array instead of forced numerical order, unless order is defined specifially
Disable or notice messages on the admin plugins (and theme) page are not hidden behind a clickable icon and always shown now. Important info was too easily to be missed
Fixes issue with redirections from the license acceptance page on new installs
User accounts now can store the "lastvisit" if the related options are enabled (default). Also all dates stored for account creation, current login, last previous logon, last password change and last visit are now listed additionally to the already listed last change info.
Fix GDPR user data export not correctly exporting user account data.
Sorting images and articles search results by title now works properly again
The default allowed tags have been extended with more tags (elements) and attributes now include the lang attribute
Some layout changes to themes and plugins admin pages listing some additional info like author(s), date and siteurl

** There are now Individual "use_side" (width/height/longest/shortest) option settings for uncropped default thumbs that in function follow those of default sized images

User accounts now can store the "lastvisit" if the related options are enabled (default). Also all dates stored for account creation, current login, last previous logon, last password change and last visit are now additionally listed to the already listed last change info.
Uncropped thumbs on admin image edit and images sorting tabs for an overall better impression of the images while managing them,
The zoom button on image edit pages has been removed. The thumb itself triggers zooming instead of doubling the thumb crop button from the sidebar.
The thumbcrop button on image edit pages is now properly hidden if thumb cropping is inactive.
Fix image and album bulk actions failing after processing the first item if using the filter for custom actions
Adds new admin filter hook "bulk_actions_message" to return a meaningful message after processing custom registered image or album bulk actions instead of just the registered function/method handling the action
Fix protect_full_image option values to not contain spaces and be strictly lowercase. Running setup should cover the changes. Also the option text has been clarified what the modes actually mean.

** "Unprotected" =>"unprotected"
** "Protected view" => "protected"
** "Download" => "download"
** "No access" => "no-access"

New site and image copyright options. These are primarily used internally by the html_meta_tags plugin but can also be used on themes or plugins. There are no template functions so you have use the Gallery and Image class methods instead which also provide some internal fallbacks. See the functions documentation

** Site copyright notice – use $galleryobject->getCopyrightNotice();
** Site copyright rightsholder – use $galleryobject->getCopyrightRightsholder();
** Site copyright url – use $galleryobject-->getCopyrightURL()
** Image copyright notice – use $imageobject->getCopyrightNotice();
** Image copyright rightsholder – use $imageobject->getCopyrightRightsholder();
** Image copyright url – use $imageobject->getCopyrightURL();

General speed improvements for album list dropdown selectors used for move/copy and others especially for site with lots (thousands) of albums (although a little less accurate lists regarding sortorder), consistent sublevel indicator, removal of background styles most browsers don't support anyway.

Themes

zenpage: Fix empty link for newsOnIndex()

New Plugins

lazyload: Plugin to provide JS image lazyloading as fallback for older browsers and to the now included native browser lazyloading via the new loading attribute

Plugins

cacheManager:

** Allow caching of images in a dynamic album from its admin panel and remove the useless button for cache cleaning
** Fixes bug ignoring all album sublevels past the first

class-textobject / class-video: Sidecar thumb generation fixed by using the actual thumb image dimensions instead of the non-image file
class-video: Update getID3 to 1.9.20
comment_form:

** The RSS subscription link is now not shown if comments are closed
** If the plugin is disabled, no comment releated interfaces like checkbox or bulk action options are listed

cookieconsent: Now supports the complicance modes "opt-in" and "out-out". It also now supports the revokable option if a visitor changes its mind. Note that the plugin does not block or delete cookies itself as that cannot safely be done for cookies set by third parties. Therefore it is now an option to add scripts that only should be executed on consent. So if you for example use privacy related scripts like Google Analytics you need to add the script there to comply with e.g. the GDPR
elFinder: Update to 2.1.57
html_meta_tags: Implements internal usages of the site and image copyright options
image_album_statistics:

** Support for missing standard image html filters has been added
** All print*Album() and print*Image() functions have been deprecated. These were only wrappers for the base printImageStatistic() and printAlbumStatistic() functions anyway which now should be used with appropriate settings instead
** New function getPictureOfTheDay() to retain only unique functionaltiy provided by deprecated randomImages() and randomImagesAlbbum() tempalte functions

GoogleMaps: Geo-coordinates are now generally validated to be in the actual range
matomo:

** If option is set to require consent it includes new Matomo 3.14+. method for cookie consent. Requires the usage of the content macro on your site's privacy page. Compatible with Matomo 4+
** Fix issue with admin tracking option

mergedRSS: Fix issue with non properly encoded titles and decriptions breaking the feed
openstreetmap:

** Leaflet 1.7.1 Update
** Geo-coordinates are now generally validated to be in the actual range

PHPMailer: Update to 6.4.1
print_album_menu: Assigns the active class to list item instead of the link to be consistent with all other menu types

** security-logger: Fix privacy issue ignoring the IP anonymisation option

sitemap-extended: The licences URL option was incorrectly defined as multilingual and therefore caused wrong output if you used the Google image extension option. You need to re-save this option to fix it
slideshow2: Fix small bug regarding getting theme based custom CSS
zenpage:

** Category/pages menu (more exact the base printNestedMenu() function) assigns the active class to list item instead of the link to be consistent with all other menu types
** Fix default sortorder for newly created Zenpage pages and categories via the backend so they don't kill nested sortorders anymore. Pages table sort_order field gets a null default value to align with others.
** Rename name Zenpage classes internal properties $sortorder and $page_sortorder to $sorttype and $page_sorttype to reflect what they refer to actually. NOTE these are protected internal properties so there are no deprecations.
** Zenpage::getAllCategories(), getZenpageStatistics(), printZenpageStatistics(): Parameter $sortdirection respectivley $sortdir changed from string ('asc'/'desc') to boolean (true for descending (default), false for ascending) to be consistent with general boolean parameter usages for sortdirection. A deprecation notice will be triggered.
** Zenpage::getPages() now properly sorts by title

Translations Updated

Dutch
French
German
Italian
Slovak
Spanish
Argentinian Spanish