LUYA Admin module release 1.2 and CMS module release 1.0.4

Admin Security Improvements

Security is a top priority for any web framework and web application, therefore it was also a very important aspect in the development of LUYA from day one. The Yii framework provides a good foundation with its security features, but every line of code built on top of it has to be as bulletproof as its foundation. When there was an opportunity to have LUYA tested with a security audit executed by a Swiss security company, we gladly took the chance. This resulted in a list of security improvements included in this update:

• Unparsable JSON Cruft: all JSON responses are now prepended with an unparsable cruft )]}', in order to prevent "JSON hijacking".
• The Angular source code is now uglified and minified. Therefore Angular strict-di mode is enabled by default.
• If a user changes the account's email in the admin, we now provide the option to send a security code to the old email address which has to be entered to authorize the change.
• The admin login security token now has an expiration time that can be configured.
• Login attempts are now tracked by the session (session based attemption limit). If the user email is correct, another limit for user identifed login is available. After five attempts, a lockout for one hour is enabled by default. The max number of attempts can be configured.
• The maximum idle time of admin users can now be configured.

There is also a new LUYA security best practice guide.

Admin General Improvments

• NgRest attributes can now be displayed based on conditions. Assuming you have a select with categories, this allows you to display a certain field only when a specific category is selected. Read more
• The filemanager provides the option to switch between inline or download for file delivery. The renaming of files is now possible, too. We also made some improvements with the display of file details, including a fullscreen preview.
• The storage system is now completely swapable: this makes using Amazon S3 possible and available as a feature LUYA aws extension
• The speed of the storage system was improved: we have significantly reduced the time it takes the admin to load the list of all files and images.
• The general PHP docs were improved and deprecated methods were removed, see upgrade.md
• The Roboto font used in the admin now supports (+Extended), Cyrillic (+Extended), Greek (+Extended), Vietnamese.

You can download and install LUYA admin version 1.2 (~1.2.0 in composer). Make sure to run the migrate command afterwards as the update includes database migrations. See the full changelog und upgrade document.

CMS

Along with the Admin module we also released CMS module version 1.0.4, which includes:

• Minification and uglification of Angular code.
• New command to cleanup the cms, remove deleted pages, blocks and log files: cms/page/cleanup.
• New property to provide import paths for blocks: luya\cms\frontend\Module::$blocks.
• New commands to list blocks and migrate them from the console: cms/block/find and cms/block/migrate. The migrate command is helpful when you want to delete an old block but assign its contents to a new block.

22 May 2018, LUYA developer team

Another issue of Yii development notes was posted giving overview of what happened last months.

Yii team tagged two releases:

• Smarty 2.0.7
• Swiftmailer 2.1.1

Both are fixing bugs. Smarty has an enhancement on board as well. Both are safe to upgrade via Composer.

The extension is for creating email templates and managing them in a website dashboard. You can create email templates with CRUD module in your backend or Gii generator. Version 4.0.0 chages are:

• Improved extension architecture
• Changed minimum Yii version from ^2.0.0 to ^2.0.13
• Fixed a bug with yii\base\Object on PHP 7.2
• Removed unused composer packages from dependencies
• Other minor improvements and fixes

All changes are avaliable in changelog file.

Paul Klimov from Yii team released new versions for extensions he maintains:

• Admin 1.1.0 - provides controllers, actions, widgets and other tools for administration panel creation in Yii2 project.
• Config 1.0.6 - provides support for application runtime configuration, loading config from database.
• AR search 1.0.0 - provides unified search model for Yii ActiveRecord.
• AR role 1.0.3 - provides support for ActiveRecord relation role (table inheritance) composition.
• AR variation 1.0.4 - provides support for ActiveRecord variation via related models. In particular it allows implementing i18n feature for ActiveRecord.
• HTML2PDF 1.0.3 - provides basic support for HTML to PDF and PHP to PDF conversion.
• Spreadsheet 1.0.1 - provides ability to export data to spreadsheet, e.g. Excel, LibreOffice etc.
• FileDB 1.0.6 - provides ActiveRecord interface for the data declared in static files. Such solution allows declaration of static entities like groups, statuses and so on via files, which are stored under version control instead of database.

Yii2 Inspections plugin for PhpStorm, adding many useful features, was updated to version 1.0.3. In this version some false positives in inspections were fixed along with fixing unexpected autocomplete being triggered.

LUYA Q1 2018

3 months ago we released LUYA version 1.0. Since then we have received a lot of positive feedback from developers around the world as well as requests for additions, improvements and bug fixes. Packagist notes more than 113'000 downloads and installs, including LUYA modules and extensions, and the project has received almost 500 stars on GitHub.

The LUYA future is headless

With the continuing development, we started to take LUYA into the direction of a headless system, which makes it rather unique among its kind. Headless systems will become more and more popular as they allow for lean, flexible and scalable applications that combine multiple specialized systems through their APIs.

The client library still need a lot of work, but they will get to the point where you can make a website without installing any dependencies by connecting to LUYA's headless client to retrieve menus, contents, properties or layouts. PSR6 compatible Caching will make the output blazingly fast! You won't have to deal with the application or the environment (e.g. get cms content and menu within your symfony application). Of course, collecting data from the built in or your own admin APIs is possible too.

We created a new API users endpoint which provides information about API access. You can test your endpoints and see what permissions are available:

In order to see what the API users (or any other admin users) have done, we have also built a more detailed user activity summary:

All these changes are available now in luya admin module in version 1.1.0. A new guide section about the headless features is under development: https://luya.io/guide/concept-headless

Dockerized LUYA kickstarter

We also have released the luya kickstarter in version 1.0.1 with a dockerized development environment, which is now an integral part of the kickstarter. Thanks to contributor rainerCH who did a fantastic job in bringing all these LUYA specific requests into one place. We will evolve the Docker environment and provide a single image on dockerhub in the future.

Development environments for extension and module developers

LUYA env dev repo for extension and module developers is finished. The main purpose for this repo is an easy way for developers to create and maintain their own modules and extensions. It is also a good way for contributors who would like to help improve luya core modules as it will auto clone all core modules and update these with a single command ./vendor/bin/luyadev repo/update.

As the repos are bound into the env dev application with PSR4, we have written a library which auto updates your composer.json so you can easily clone your own repos into the env dev like ./vendor/bin/luyadev repo/clone USERNAME/LUYA_MODULE_REPO_NAME which will then update your composer.json and run composer dump-autoload. Don't miss to take a look at this shiny and new dev env. if you are interested in the development of modules, extensions or contributions.

Overview of enhancements and new features

• A new user summary active window in the admin provides diff for changes inside ngrest tables.
• The configuration now includes security options like luya\web\Application::$ensureSecureConnection or luya\web\Composition::$allowedHosts. See the new guide about security in LUYA: https://luya.io/guide/app-security
• The admin security has been improved with permissions.
• Admin and cms now have Chinese language support.
• The testsuite includes new test cases and helper methods.
• The error API was updated to provide a more detailed summary mail with application trace.
• The JSON-LD output was improved for SEO purposes
• Various fixes for PHP 7.2 compatibility

The remote admin provides an option to display the installed LUYA modules/extensions with their version numbers and info about whether they are current or outdated:

We added a Matomo Module (former Piwik) dashboard object to provide information about visits via API:

The LUYA composer plugin now provides a plugin list in the admin UI:

New LUYA based open source project

A new open source project is almost ready: a time tracking tool based on LUYA, Angular and Bootstrap 4.

We want you!

We are looking for people who help us with

• Translations
• Documentation (guide and phpdoc)
• Module/extension development

If you are interested, please get into contact.

• Twitter
• Gitter
• Slack
• luya.io

29 March 2018 LUYA developer team
luya.io

New issue of Yii development notes: 2.0 releases, 2.1 post by Paul, https for Yii-realted websites and, finally, official site launch.

Yii team is ready to release new yiiframework.com website. The announcement itself is interesting but since it may not be available for some time, here's most important part:

We are going to switch to the new website on March 23, 2018 in the time frame 8:00 to 12:00 UTC. During the switch, you will not be able to write comments, wikis, forum entries etc. Also the documentation may not be available. You can use http://stuff.cebe.cc/yii2docs/ to view the documentation.

We will be avilable in the Slack chat and on IRC #yii on freenode, so if you need help, get there.

Yii team released security fixes for framework and extensions. Details are in the announcements. Please update.