cloudscribe v8.7 released

We are pleased to announce the release of cloudscribe v8.7, which includes important security improvements, new features, enhancements, and bug fixes - particularly around two-factor authentication, performance optimisation, and user experience improvements.

Backward Compatibility: Unlike the v8.6 release which included breaking changes for TalkAbout Comments users, v8.7 is fully backward-compatible with v8.6. No breaking changes are included in this release.


Deprecation Notice

Bootstrap4 Views Projects

  • Deprecation: All Bootstrap4 Views projects across the cloudscribe platform are now deprecated
  • Removal Timeline: Bootstrap4 Views will be completely removed from the codebase in the next major release
  • Migration Path: Sites currently using Bootstrap4 Views should plan to migrate to Bootstrap5 Views
  • Recommendation: Begin migration planning now to ensure a smooth transition before the next release

Security Improvements

Display Name XSS Vulnerability

  • Fixed: Script injection vulnerability in the DisplayName field on /useradmin/useredit page
  • Impact: Users could inject malicious scripts through their Display Name on /manage/userinfo, which would execute when administrators viewed or saved the user on the admin user edit page
  • Solution: Added HTML encoding and sanitisation to prevent XSS attacks through user-editable fields
  • Issue: #1269

Return URL Recursion Prevention

  • Fixed: Issue where web crawlers (particularly Facebook's meta-externalagent) could create deeply nested returnurl parameters causing extremely long URLs with multiple levels of URL encoding
  • Solution: Added detection and prevention logic to stop returnurl recursion, particularly on Login and Register pages
  • Benefit: Prevents log pollution and potential performance issues from recursive URL parameters
  • Issue: #1255
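
The following sketch shows one way to detect and collapse the nested returnurl chains described above. It is an added example, not cloudscribe's own code: the ReturnUrlGuard class, its method names, the MaxLevels cap and the fallback policy are assumptions, while the returnurl parameter name and the /account/login path come from this page.

```csharp
using System;

public static class ReturnUrlGuard
{
    private const int MaxLevels = 16; // hard stop so hostile input cannot loop for long

    // Decoded value of the first returnurl query parameter, or null if there is none.
    public static string? InnerReturnUrl(string url)
    {
        int q = url.IndexOf('?');
        if (q < 0) return null;
        foreach (string pair in url.Substring(q + 1).Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string key = Uri.UnescapeDataString(pair.Substring(0, eq));
            if (key.Equals("returnurl", StringComparison.OrdinalIgnoreCase))
                return Uri.UnescapeDataString(pair.Substring(eq + 1).Replace('+', ' '));
        }
        return null;
    }

    // 0 = no returnurl, 1 = an ordinary returnurl, 2 or more = returnurl inside returnurl.
    public static int NestingDepth(string url)
    {
        int depth = 0;
        string? current = url;
        while (depth < MaxLevels && (current = InnerReturnUrl(current!)) != null) depth++;
        return depth;
    }

    // Assumed policy: keep a site-relative value that carries no returnurl of its own.
    public static string Sanitize(string? returnUrl, string fallback = "/")
    {
        if (string.IsNullOrEmpty(returnUrl)) return fallback;
        bool local = returnUrl[0] == '/' && (returnUrl.Length == 1 || (returnUrl[1] != '/' && returnUrl[1] != '\\'));
        return local && NestingDepth(returnUrl) == 0 ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample: each pass re-wraps the previous login URL, as a crawler following links would.
        string url = "/blog";
        for (int i = 0; i < 3; i++)
            url = "/account/login?returnurl=" + Uri.EscapeDataString(url);
        Console.WriteLine(url);
        Console.WriteLine($"depth={NestingDepth(url)}");
        Console.WriteLine($"sanitized={Sanitize(InnerReturnUrl(url))}");
        Console.WriteLine($"sanitized={Sanitize("/blog")}");
    }
}
```

NestingDepth can also be run over the request paths in existing access logs to find how deep the chains grew before the upgrade.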

New Features

Require 2FA for Specified Roles

  • Feature: Added ability to enforce two-factor authentication for specific roles rather than all-or-nothing
  • Previous Limitation: 2FA was either enforced for all users (except administrators) or not enforced at all
  • Configuration: New role-based selector allows administrators to require 2FA for specific user roles
  • Behaviour: Setting only applies when site-wide 2FA enforcement is disabled, preserving authority of the existing global checkbox
  • Benefit: Provides granular security control - require 2FA for sensitive roles while allowing flexibility for other users
  • Issue: #1026

Policy Search by Role

  • Feature: Added ability to search authorisation policies by role name on the policy management page
  • Previous Limitation: Only policy name search was available using wildcard '%LIKE%' syntax
  • Functionality: Administrators can now search for roles to identify all policies where that role is referenced
  • Benefit: Useful for understanding role dependencies and preventing accidental role deletion when roles are in use by policies
  • Issue: cloudscribe.dynamic-authorization-policy #2546

Enhancements

Login Page Performance & Navigation Suppression

  • Enhancement: Improved performance of /account/login and related authentication pages by adding configurable navigation suppression
  • Implementation: Added Navigation Suppressor concept to cloudscribe.Web.Navigation that reads flags from HttpContext.Items
  • Configuration Options: UI allows choice between:
    • Suppressing navigation on Login page only
    • Suppressing navigation on Login, Register, and Forgot Password pages
  • Benefit: Reduces page load time and database queries for unauthenticated users by skipping unnecessary navigation tree processing
  • Compatibility: No breaking changes - works without requiring modifications to _Layout files in existing sites
  • Issue: #1200

OIDC Display Name on Manage Logins

  • Enhancement: Improved user experience on /manage/managelogins page by displaying configured friendly Display Name for OpenID Connect (OIDC) providers
  • Previous Behaviour: Displayed generic "OpenIdConnect" label for all OIDC providers
  • New Behaviour: Shows the custom Display Name configured in social authentication settings for better clarity when users manage their external login connections
  • Issue: #1136

Automatic User Approval Notification

  • Enhancement: Improved user approval workflow by automatically sending email notification to users when their account is approved
  • Previous Limitation: Administrators had to manually check a box for each approval, which was easy to miss and caused confusion when users didn't receive the promised notification
  • New Behaviour: Approval emails now send automatically when SMTP is configured and "Require approval before login" is enabled
  • Benefit: Ensures consistent user experience and reduces administrative overhead
  • Issue: #704

Bug Fixes

CsvHelper Compatibility

  • Fixed: Missing method exception on /formsadmin/downloadcsvresults caused by CsvHelper upgrade
  • Root Cause: CsvHelper 27+ introduced breaking changes requiring CultureInfo parameter in constructor
  • Solution: Updated Forms & Surveys CSV export functionality to be compatible with CsvHelper 33.1.0 which is required by cloudscribe.Core.Web 8.7.0
  • Issue: cloudscribe.Commerce #87

Cookie Consent Footer Link

  • Fixed: Issue where footer link to reset cookie consent preferences was displayed even when site is configured to not require cookie consent
  • Solution: Link now only appears when cookie consent feature is enabled
  • Implementation: Added SiteContext check to partial view to respect the RequireCookieConsent configuration setting
  • Issue: #1260

Admin Display Name Uniqueness

  • Fixed: Missing uniqueness validation when administrators edit user display names on /useradmin/useredit
  • Previous Behaviour: Only users editing their own display names on /manage/userinfo had uniqueness enforcement
  • Solution: Added uniqueness validation to administrator user edit page
  • Benefit: Ensures consistency across both user self-service and administrator-managed display name changes, preventing duplicate display names per tenant
  • Issue: #1268

Site Settings Cache Invalidation

  • Fixed: Cache invalidation issue for ISiteSettings when administrators change the recipient email string for new user notifications
  • Previous Behaviour: Changes to site settings did not properly invalidate the cache, requiring application restart for updated configuration values to take effect
  • Solution: Site settings changes now properly invalidate the cache immediately
  • Issue: #1249

UI/UX Improvements

Role Management User Access

  • Feature: Added ability to click through to view member details directly from role management pages
  • Previous Limitation: When viewing users within a role, the only available action was "remove from role"
  • New Behaviour: Now includes clickable links to access full user details for improved navigation and user management workflow
  • Issue: #692

Upgrading to v8.7

To upgrade your existing cloudscribe installation to version 8.7:

  1. Update all cloudscribe package references in your .csproj files to version 8.7.*
  2. If using Forms & Surveys: The CsvHelper compatibility fix (#87) ensures CSV export functionality works correctly with the updated CsvHelper dependency. No manual changes required.
  3. Optional Configuration:
    • To enable role-based 2FA enforcement, navigate to Site Settings and configure which roles require two-factor authentication
    • To improve login page performance, enable navigation suppression on authentication pages in Site Settings
  4. Run your application and verify all features are working as expected, paying special attention to:
    • Two-factor authentication behaviour for configured roles
    • Cookie consent footer link visibility
    • Site settings changes taking effect immediately without restart
    • Forms & Surveys CSV export functionality

Backward Compatibility: Version 8.7 is fully backward-compatible with v8.6. Unlike v8.6, which included breaking changes for TalkAbout Comments users, this release does not introduce any breaking changes. Sites upgrading from v8.6 can do so without modifications to existing code or view overrides.

Important: If you are still using Bootstrap4 Views, please note the deprecation notice above and plan for migration to Bootstrap5 Views before the next release.


Community and Support

We appreciate the continued support and feedback from the cloudscribe community. For questions or issues related to this release, please visit our GitHub repository or join the discussion in our community forums.

Thank you for using cloudscribe!
