We are pleased to announce the release of cloudscribe v8.6, which includes important security improvements, new features, enhancements, and critical bug fixes - particularly around reCAPTCHA support and multi-tenancy improvements.


Breaking Changes

TalkAbout Comments System - Summernote Editor Migration

  • Change: Replaced Markdown editor with Summernote HTML editor in commenting system
  • Impact: Requires manual updates to local partial view overrides (CommentWrapperPartial.cshtml, CommentScriptsPartial.cshtml, CommentStylePartial.cshtml) and appsettings.json configuration
  • Data Migration: Legacy Markdown comments are preserved and automatically converted to HTML on first edit (one-way migration)
  • Architecture Change: CommentThread table now central to comment organization
  • Deprecation: Bootstrap4 views deprecated
  • Fixed: PostgreSQL/MySQL/SQLite migration issues
  • Upgrade Effort: Expect approximately half-day manual work for sites with custom comment view overrides
  • Documentation: See upgrade documentation for detailed partial view changes required
  • Issues: TalkAbout #85 & #90

Security Improvements

Server-Side Posting Protection

  • Enhancement: Added server-side enforcement of configuration parameters to prevent unauthorized comment and forum posting
  • Protection: Ensures anonymous users cannot bypass client-side restrictions to post when anonymous posting is disabled
  • Testing: Includes unit tests for validation logic
  • Security Review: Reviewed EF Core usage to ensure protection against SQL injection in posted comment data
  • Issue: TalkAbout #98

New Features

Forms & Surveys reCAPTCHA Support

  • Feature: Added reCAPTCHA validation to Forms & Surveys system
  • Configuration: Each form can be configured to require reCAPTCHA for unauthenticated users
  • Integration: Respects site-wide cloudscribe Core reCAPTCHA settings for both visible and invisible modes
  • Benefit: Addresses spam prevention in public-facing forms
  • Issue: Commerce #82

Comment Administration Dashboard

  • Feature: Added comprehensive administrative page for viewing and managing all comments across the site
  • Location: New dashboard available at /talkadmin/administercomments
  • Functionality:
    • View all comments with sorting and filtering options
    • Search capabilities to find specific comments
    • Direct links to the page/post where each comment was made
    • Default sorting by date (most recent first)
  • Authorization: Protected by CommentModerationPolicy authorization policy
  • Workflow: Edit and delete operations are performed on the original page where the comment was posted, maintaining context
  • Issue: TalkAbout #53

Email Comment Authors

  • Feature: Added ability for moderators to email users directly from the comment administration page
  • Functionality: New "Email user" button in /talkadmin/administercomments allows moderators to compose and send plain-text emails to comment authors
  • Context: Includes contextual link back to the original comment page (when approved)
  • Authorization: Respects per-project moderator authorization policies
  • Localization: Fully localized with new ResX strings
  • Issue: TalkAbout #95

Role Copying with Authorization Policies

  • Feature: Added ability to copy roles in role management
  • Policy Integration: When copying a role, any dynamic authorization policies referencing the original role are automatically updated to also reference the new role
  • Configuration: User specifies new role name during copy operation
  • Behavior: New role starts empty (no users)
  • Restrictions: Excludes system "Administrators" role from copying
  • Compatibility: Works seamlessly with or without dynamic authorization policies installed
  • Issue: #921

Enhancements

Visible reCAPTCHA Support - Commenting System

  • Enhancement: Added support for visible/checkbox reCAPTCHA in the TalkAbout commenting system
  • Previous Limitation: Only invisible reCAPTCHA was supported, through a hard-coded implementation
  • New Behavior: Now respects cloudscribe Core reCAPTCHA settings and supports both visible and invisible modes
  • Consistency: Matches the behavior of the core login system
  • Issue: TalkAbout #75

Visible reCAPTCHA Support - Forums System

  • Enhancement: Added support for visible/checkbox reCAPTCHA in the TalkAbout forums system
  • Previous Limitation: Forums used a hard-coded invisible reCAPTCHA implementation
  • New Behavior: Now respects cloudscribe Core reCAPTCHA settings for both visible and invisible modes
  • Issue: TalkAbout #79

IP Address Restrictions Authorization

  • Enhancement: Added dedicated IPAddressRestrictionPolicy to protect IP address restriction management endpoints
  • Configuration Update: Updated navigation configuration to use AdminMenuPolicy instead of AdminPolicy for IP restriction admin menu items
  • Compatibility: Tested compatibility with template systems without dynamic authorization policies installed
  • Issue: #1243

IP Address Restrictions Configuration

  • Feature: Added ability to enable or disable IP address restriction feature via configuration
  • Configuration: New SiteConfigOptions.EnableIpAddressRestrictions setting in appsettings.json
  • Benefit: Allows administrators to disable the feature when not needed
  • Default: Defaults to enabled (true) for backward compatibility
  • Issue: #1241

Bug Fixes

reCAPTCHA Validation - Commenting System

  • Fixed: Missing server-side reCAPTCHA verification when anonymous users submit comments
  • Impact: Ensures proper validation to prevent spam attempts
  • Additional Fix: Resolved race condition issues in reCAPTCHA initialization
  • Issue: TalkAbout #74

reCAPTCHA Validation - Forums System

  • Fixed: Missing server-side reCAPTCHA verification for anonymous forum posts
  • Impact: Analogous fix to comment system to ensure proper spam prevention
  • Issue: TalkAbout #80

Duplicate CommentSystemSettings Records

  • Fixed: Issue where duplicate rows were incorrectly created in csta_CommentSystemSettings table
  • Root Cause: Confusion between Id, ProjectId, and TenantId fields
  • Solution: Lookups now consistently use TenantId
  • Impact: Prevents creation of hundreds/thousands of duplicate configuration rows while preserving existing comment data
  • Issue: TalkAbout #67

Newsletter Sign-up Widget reCAPTCHA

  • Fixed: Hard-coded invisible reCAPTCHA in newsletter sign-up widget
  • Solution: Widget now respects cloudscribe Core settings for both visible and invisible reCAPTCHA modes
  • Issue: Messaging #81

Role Removal from Policies

  • Fixed: UI bug where roles could not be reliably removed from authorization policies
  • Root Cause: Indexing issue that caused sporadic failures when de-selecting roles and saving policy changes
  • Issue: dynamic-authorization-policy #30

IP Address Restrictions Multi-Tenancy

  • Fixed: Critical bug where first tenant's IP restrictions would incorrectly apply to all tenants
  • Root Cause: Cache key missing tenant ID component
  • Additional Fix: Resolved thread locking issue caused by synchronous data access in constructor
  • Service Change: Service changed from Transient to Scoped registration
  • Impact: IP restrictions now work independently per tenant
  • Issue: #1245
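
The root cause named above, a cache key with no tenant component, shown beside the tenant-scoped key. This is an added C# example, not cloudscribe's code; `RestrictionCache`, the key strings, the tenant IDs and the rule values are all constructed for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Constructed per-tenant rules standing in for the database (hypothetical values).
var store = new Dictionary<string, string[]>
{
    ["tenant-a"] = new[] { "203.0.113.0/24" },
    ["tenant-b"] = new[] { "198.51.100.0/24" },
};

var sharedKeyCache = new RestrictionCache(store, tenantInKey: false);
var tenantKeyCache = new RestrictionCache(store, tenantInKey: true);

// Tenant A is served first and populates both caches.
sharedKeyCache.GetRules("tenant-a");
tenantKeyCache.GetRules("tenant-a");

// Tenant B then asks for its own rules.
Console.WriteLine("shared key, tenant-b gets: " + string.Join(", ", sharedKeyCache.GetRules("tenant-b")));
Console.WriteLine("tenant key, tenant-b gets: " + string.Join(", ", tenantKeyCache.GetRules("tenant-b")));

// Hypothetical cache wrapper used only for this illustration.
sealed class RestrictionCache
{
    private readonly ConcurrentDictionary<string, string[]> _cache = new();
    private readonly IReadOnlyDictionary<string, string[]> _store;
    private readonly bool _tenantInKey;

    public RestrictionCache(IReadOnlyDictionary<string, string[]> store, bool tenantInKey)
    {
        _store = store;
        _tenantInKey = tenantInKey;
    }

    public string[] GetRules(string tenantId)
    {
        // Without the tenant ID in the key, whichever tenant loads first
        // fills the single entry and every later tenant reads that entry.
        // With the tenant ID in the key, each tenant gets its own entry.
        var key = _tenantInKey ? $"ip-restrictions:{tenantId}" : "ip-restrictions";
        return _cache.GetOrAdd(key, _ => _store[tenantId]);
    }
}
```

When staging the upgrade, the equivalent check is to request a restricted page as the second tenant after the first tenant has already been served, and confirm the second tenant's own rules apply.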

IP Restriction UI Address Display

  • Fixed: Incorrect IP address display in IP restriction admin UI
  • Previous Behavior: Used historical login data from cs_user_location table which could be outdated or wrong when users switch devices, VPNs, or have dynamic IP changes
  • Solution: Now retrieves current IP address directly from HttpContext for accurate real-time display
  • Issue: #1197

UI/UX Improvements

User Display Name Editing

  • Feature: Added ability for users to edit their display name on the /manage/userinfo page
  • Previous Limitation: Users could only edit first and last name, but display name (used throughout the system including TalkAbout comments) was only editable by administrators
  • Validation: Includes uniqueness enforcement per tenant, character validation with international character support, and HTML sanitization
  • Issue: #1058

Developer Tools & Features

Policy Definition Documentation

  • Enhancement: Clarified the relationship between Roles and Claims in policy definitions
  • Documentation: Now explicitly states that:
    • Roles use OR logic (user needs ANY role)
    • Claims use AND logic (user needs ALL claims)
    • When both are specified, users must satisfy both requirements (be in ANY role AND have ALL claims)
  • Issue: dynamic-authorization-policy #46
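
The combined rule above (any role, all claims), written out as an added C# example that is not part of the dynamic-authorization-policy code. `PolicyDefinition`, `PolicyEvaluator`, the role names and the claim types are hypothetical, and treating an empty list as "no requirement" is an assumption of this example. It shows that a user holding an accepted role is still denied when one required claim is missing.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Constructed policy: accept either role, require both claims.
var policy = new PolicyDefinition(
    Roles: new[] { "Editors", "Moderators" },
    Claims: new[] { ("department", "docs"), ("mfa", "true") });

// Constructed users for the three interesting cases.
var roleButMissingClaim = MakeUser(
    new Claim(ClaimTypes.Role, "Editors"),
    new Claim("department", "docs"));
var roleAndAllClaims = MakeUser(
    new Claim(ClaimTypes.Role, "Moderators"),
    new Claim("department", "docs"),
    new Claim("mfa", "true"));
var allClaimsButNoRole = MakeUser(
    new Claim("department", "docs"),
    new Claim("mfa", "true"));

Console.WriteLine("role, one claim missing: " + PolicyEvaluator.IsSatisfied(roleButMissingClaim, policy));
Console.WriteLine("role and all claims:     " + PolicyEvaluator.IsSatisfied(roleAndAllClaims, policy));
Console.WriteLine("all claims, no role:     " + PolicyEvaluator.IsSatisfied(allClaimsButNoRole, policy));

static ClaimsPrincipal MakeUser(params Claim[] claims) =>
    new ClaimsPrincipal(new ClaimsIdentity(claims, "Constructed"));

// Hypothetical shape of a policy definition for this example.
record PolicyDefinition(string[] Roles, (string Type, string Value)[] Claims);

static class PolicyEvaluator
{
    public static bool IsSatisfied(ClaimsPrincipal user, PolicyDefinition policy)
    {
        // Roles: OR logic. Membership in any one listed role is enough.
        // Assumption of this example: an empty role list imposes no requirement.
        bool rolesOk = policy.Roles.Length == 0 || policy.Roles.Any(user.IsInRole);

        // Claims: AND logic. Every listed claim must be present.
        bool claimsOk = policy.Claims.All(c => user.HasClaim(c.Type, c.Value));

        // Both parts must hold when both are specified.
        return rolesOk && claimsOk;
    }
}
```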

IdentityServer Integration Tests

  • Feature: Added comprehensive integration tests for IdentityServer4 authentication and authorization
  • Coverage: Tests cover client credentials grant type flow, JWT token validation, and role-based authorization
  • Modernization: Updated to use modern Microsoft.AspNetCore.Authentication.JwtBearer (v8.x) library instead of deprecated IdentityServer4.AccessTokenValidation (v3)
  • Test Harness: Includes published test harness page for live validation testing
  • Issue: #1231

Upgrading to v8.6

To upgrade your cloudscribe installation to version 8.6:

  1. Update all cloudscribe package references in your .csproj files to version 8.6.*
  2. If using TalkAbout Comments: Review the breaking changes documentation for required partial view updates if you have custom view overrides. The migration from Markdown to Summernote editor requires manual updates to CommentWrapperPartial.cshtml, CommentScriptsPartial.cshtml, and CommentStylePartial.cshtml files.
  3. If using IP Address Restrictions: The critical multi-tenancy bug fix (#1245) may affect how IP restrictions behave in multi-tenant environments. Test thoroughly in a staging environment before production deployment.
  4. Optional Configuration: If you want to disable the IP Address Restrictions feature, add SiteConfigOptions.EnableIpAddressRestrictions: false to your appsettings.json
  5. Run your application and verify all features are working as expected, paying special attention to:
    • reCAPTCHA functionality on forms, comments, and forums
    • IP address restrictions (if enabled and in multi-tenant mode)
    • TalkAbout comment submission and display

Important: This release includes breaking changes for TalkAbout Comments users with custom view overrides. We strongly recommend testing the upgrade in a development environment and reviewing the upgrade documentation before deploying to production.


Community and Support

We appreciate the continued support and feedback from the cloudscribe community. For questions or issues related to this release, please visit our GitHub repository or join the discussion in our community forums.

Thank you for using cloudscribe!