5.9.4

• Added craft\models\FieldLayout::getEditableCustomFieldElements().
• Fixed a bug where {% case %} tags with three or more values within {% switch %} tags weren’t working properly. (#18334)
• Fixed a bug where Matrix fields in Blocks view could lose their existing values when they became editable.
• Fixed a bug where Content Block fields and Matrix fields in Blocks view weren’t updating their nested fields’ editability states.
• Fixed an error that could occur when executing a GraphQL query with a Link field. (#18339)
• Fixed a bug where read-only custom fields could be treated as required. (#18342)

5.9.3

• Fixed a bug where multi-value {% case %} tags within {% switch %} tags weren’t working properly. (#18334)

5.9.2

• Fixed an error that occurred when upgrading to Craft 5.
• Fixed a bug where assets weren’t being rendered correctly immediately after being uploaded to an Assets field. (#18318)
• Fixed a bug where it was possible to rename existing entry index pages to a blank name. (#18321)
• Fixed a bug where element save notifications weren’t hyperlinking the element label. (#18326)
• Fixed a bug where sidebar states weren’t being remembered across page loads. (#18323)
• Fixed an error that could occur when displaying an embedded element index that included field layouts with generated fields. (#18320)
• Fixed errors that occurred when performing user administration actions on Craft Team. (#18331)
• Fixed a warning that was getting logged when accessing the Plugin Store. (#18324)
• Fixed a bug where component names weren’t getting trimmed of leading/trailing whitespace on save. (#18315)

5.9.1

• Fixed an error that could occur when updating to Craft 5.9. (#18309)
• Fixed a bug where custom entry index pages that only contained native sources weren’t getting their own nav items. (#18311)
• Fixed a bug where element selector modals were blank, for relational fields that weren’t limited to specific sources. (#18313)
• Fixed a bug where image transforms with invalid position properties weren’t being handled properly. (#18310)
• Fixed a bug where image transforms weren’t being sorted by their translated names. (#18315)

4.17.2

• Fixed an error that could occur when updating to Craft 4.17 on environments with allowAdminChanges disabled. (#18332)

4.17.1

• Fixed a bug where image transforms with invalid position properties weren’t being handled properly. (#18310)
• Fixed a bug where image transforms weren’t being sorted by their translated names. (#18315)

5.9.0

Content Management

• Matrix fields set to the “Cards” or “Blocks” view modes now show an “Add” button per entry type group, when the viewport is wide enough to support it. (#17731)
• Matrix fields set to the “Cards” view mode now have “Copy selected entries”, “Duplicate selected entries”, and “Delete selected entries” field-level actions, if any entries are selected. (#18251)
• Matrix fields set to the “Blocks” view mode now have a “Expand/collapse selected blocks”, “Copy selected blocks”, “Duplicate selected blocks”, and “Delete selected blocks” field-level actions, if any entries are selected. (#18001, #18251)
• Matrix fields set to the “Blocks” view mode now have block action menus with “Expand/Collapse”, “Entry type settings”, and “Copy” actions, even if the field isn’t editable. (#18013)
• Chips and cards are generally no longer hyperlinked. (#17591)
• Entry revision menus now always include a “View all revisions” link. (#18050)
• Timestamps within entry revision menus now have tooltips that reveal the full date and time. (#18050)
• It’s now possible to add new sites to entries via their slideout editors. (#17795)
• Entry “Duplicate” bulk actions now duplicate entries as drafts. (#18260)
• Elements created via “Save as a new…” actions now initially have an empty slug. (#17932)
• The control panel is no longer scrollable when a menu is expanded. (#17960)
• Most site breadcrumbs no longer include selection menus if there’s only one selectable site. (#16526)
• Number fields with “Step Size” and “Min Value” or “Max Value” settings will now get min/max attributes set on their input. (#17973)
• Element, field, and entry type edit pages now redirect back to the previous page’s URL on save. (#16140)
• Bulk element actions are now available on element indexes for mobile devices.
• Textual condition rules are now case-insensitive. (#18107)
• Added support for exporting elements as XLSX and YAML files. (#18160)
• Non-editable fields now have “Read Only” badges. (#18215)
• Revisions now keep track of which element attributes/fields were modified for the revision.
• Improved the styling of tips and warnings in field layouts. (#18261)

Accessibility

• Improved the accessibility of the Orientation setting within the Image Editor’s crop tool. (#17690)
• The Image Editor’s focal point tool is now keyboard accessible. (#17880)
• All sortable checkbox select options, selected Dashboard widgets, and site listings now have keyboard-accessible “Move up” and “Move down” action items. (#18067)
• Improved the accessibility of user permission lists and GraphQL schema component lists. (#18290)

Administration

• It’s now possible to divide entry sources into multiple index pages, via the Customize Sources modal. (#17779)
• The Customize Sources modal now supports mobile devices. (#18067)
• Added the “UI Label Format” entry type setting. (#18044)
• Added the “Allow line breaks in titles” entry type setting. (#18265)
• Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
• Added the “View user” GraphQL schema option for Craft Solo. (#17863)
• Users’ User Groups settings now show a component select input, and support inline group editing/creation on environments that allow administrative changes.
• Address labels can now be made optional. (#11410)
• Relational fields now have an “Inline list” view mode. (#17744)
• Relational fields and Matrix fields now have a “Card grid” view mode, replacing the “Show cards in a grid” setting. (#17744)
• Relational fields’ selectable element conditions can now have “Status” condition rules. (#17945)
• Added the “Show ON/OFF labels in cards” setting to Lightswitch fields. (#17743)
• Control panel-defined routes now have action menus with “Move up”/“Move down” actions. (#17706)
• “Generate image transform” jobs now include the asset’s filename in the job description. (#17753)
• “Field” and “Section” condition rules now show field/section handles for users with the “Show field handles in edit forms” preference enabled. (#17909)
• Native fields within element edit pages now have “Copy attribute name” actions. (#18114)
• “Remove” actions on the Plugins index page now show a confirmation dialog. (#17922)
• Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
• entrify commands no longer require a category group/tag group/global set handle to be passed.
• entrify commands now automatically assign newly-created channel/structure sections to “Categories” or “Tags” pages. (#17779)
• The clear-cache command now accepts a space-delimited list of cache IDs that should be cleared.
• The up command now warns about any astray license issues before running migrations. (#18297)
• Compiled templates are now deleted by the up command rather than from migrate commands.
• Added the enableTwigSandbox config setting. (#18208, #18216)
• Added the useIdnaNontransitionalToUnicode config setting. (#17946)
• The maxCachedCloudImageSize config setting is now set to 0 by default. (#17997)
• The disableGraphqlTransformDirective config setting is now deprecated.
• System message emails are now rendered using GitHub-flavored Markdown. (#18058)
• Drag-and-drop icons are now longer shown for devices that don’t support pointer events. (#18067)
• The Caches utility now keeps track of which options were previously selected. (#9447)
• Field layouts can now set editability conditions on custom fields, based on the edited element. (#18181)
• Element cards and table views can now include fields nested within Content Block fields. (#18206, #18252)
• Element table views can now include generated fields. (#18253)
• Element indexes can now be sorted by generated fields. (#18253)
• Generated fields now normalize true/false/null/integer/float values to the appropriate types. (#18267)
• Money fields’ icons now indicate their selected currency, for common currencies.

Development

• Reference tags now support fallback values when no attribute is specified. (#17688)
• Added support for referencing environment variables anywhere within settings that support them (e.g. foo/$ENV_NAME/bar or foo-${ENV_NAME}-bar). (#17794)
• Environmental settings can now reference CRAFT_SITE (the current site’s handle) and CRAFT_SITE_UPPER (the current site’s handle in UPPER_SNAKE_CASE) environment variables, which are defined at runtime. (#17794)
• It’s now possible to create unpublished drafts via GraphQL. (#17805)
• It’s no longer possible to instantiate objects that don’t extend yii\base\BaseObject via the create() Twig function, which fixes a moderate-severity SSTI issue. (GHSA-94rc-cqvm-m4pw)
• Added the randomString() Twig function. (#18020)
• Added the uuid() Twig function.
• The Twig hash filter now supports passing a hashing algorithm, such as 'md5' or 'sha256'. (#17885)
• The @parseRefs and @transform GraphQL directives are now optional for each GraphQL schema, which ...

4.17.0

Administration

• Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
• Added the “View user” GraphQL schema option for Craft Solo. (#17863)
• Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
• The clear-cache command now accepts a space-delimited list of cache IDs that should be cleared.
• The up command now warns about any astray license issues before running migrations. (#18297)
• Compiled templates are now deleted by the up command rather than from migrate commands.
• Added the enableTwigSandbox config setting. (#18208, #18216)
• The disableGraphqlTransformDirective config setting is now deprecated.

Development

• Added support for referencing environment variables anywhere within settings that support them (e.g. foo/$ENV_NAME/bar or foo-${ENV_NAME}-bar). (#17949)
• It’s no longer possible to instantiate objects that don’t extend yii\base\BaseObject via the create() Twig function. (GHSA-94rc-cqvm-m4pw)
• Added the uuid() Twig function.
• The @parseRefs and @transform GraphQL directives are now optional for each GraphQL schema. (GHSA-7x43-mpfg-r9wj)

Extensibility

• Added craft\base\ElementInterface::setAttributesFromRequest().
• Added craft\services\Search::deleteOrphanedIndexJobs().
• Added craft\web\GqlResponseFormatter.
• Added craft\web\Response::FORMAT_GQL.
• Added craft\web\View::renderSandboxedObjectTemplate().
• Added craft\web\View::renderSandboxedString().
• Added craft\web\View::renderSandboxedTemplate().
• Added craft\web\twig\AllowedInSandbox. (#18219)
• Added craft\web\twig\SecurityPolicy.
• Added craft\web\twig\nodes\BaseNode.
• craft\helpers\FileHelper::writeToFile() now throws an exception if the file path isn’t writable, or there isn’t sufficient free space on the disk. (#17762)
• craft\helpers\UrlHelper now encodes square brackets in generated URLs. (#17840)
• craft\web\Request::accepts() now accepts wildcard characters (*) in the $contentType argument, to check for a range of MIME types (e.g. application/*+json).
• craft\web\Request::getAcceptsJson() now returns true for requests with Content-Type headers that match application/*+json, in addition to application/json.
• The _includes/forms/radio.twig template now escapes the label variable. A raw HTML label can be passed by wrapping the label value in raw() or craft\helpers\Template::raw().
• Craft.ui.createCheckbox() now escapes the config.label property. A raw HTML label can be passed via the config.labelHtml property.
• Craft.ui.createSelect() now escapes options’ label properties. Raw HTML labels can be passed via labelHtml properties.

System

• GraphQL API responses now set their Content-Type header to application/graphql-response+json.
• GraphQL API responses now set cache headers based on whether a mutation was performed, regardless of the request type.
• Global set queries no longer register cache tags.
• A rate limit is now enforced for users/send-password-reset-email requests. (#17337)
• Updated Yii to 2.0.54.
• Updated Twig to 3.19. (#17603)
• Fixed a bug where Table fields with the “Static Rows” setting enabled would lose track of which values belonged to which row headings, if the “Default Values” table was reordered. (#17090)
• Fixed a bug where deadlocks could occur when updating elements’ search indexes. (#18139)
• Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
• Fixed low-severity XSS vulnerabilities. (GHSA-4mgv-366x-qxvx)
• Fixed a moderate-severity RCE vulnerability. (GHSA-v47q-jxvr-p68x)
• Fixed moderate-severity permission escalation vulnerabilities. (GHSA-2xfc-g69j-x2mp, GHSA-jxm3-pmm2-9gf6)
• Fixed a high-severity SSRF and SSTI vulnerability. (GHSA-5fvc-7894-ghp4)
• Fixed a moderate-severity SSTI vulnerability. (GHSA-qc86-q28f-ggww)
• Fixed a high-severity user account enumeration vulnerability. (GHSA-234q-vvw3-mrfq)

5.9.0-beta.2

• Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
• The up command now warns about any astray license issues before running migrations. (#18297)
• Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
• Improved the accessibility of user permission lists and GraphQL schema component lists. (#18290)
• config/twig-sandbox.php can now include an allowedClasses array, with class names whose entire collection of properties and methods should be allowed in sandboxed Twig environments.
• craft\fields\data\ColorData, craft\fields\data\IconData, craft\fields\data\JsonData, craft\fields\data\LinkData, craft\fields\data\MultiOptionsFieldData, and craft\fields\data\OptionData are now allowed in their entirety within sandboxed Twig environments.
• Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
• Fixed an error that could occur when loading elements with provisional changes.
• Fixed an error that could occur when reverting content from an entry revision.
• Fixed a bug where field layout elements weren’t always getting saved in the correct position, if the layout config referenced custom fields that no longer exist. (#18268)
• Fixed a bug where custom entry index pages weren’t visible when viewing other entry types’ index pages. (#18284)
• Fixed a bug where element index pages could show a spinner indefinitely if there weren’t any visible sources. (#18286)
• Fixed a bug where ineditable fields appeared to be editable via the inline editing mode on element indexes. (#18291)
• Fixed a high-severity user account enumeration vulnerability. (GHSA-234q-vvw3-mrfq)
• Fixed a moderate-severity permission escalation vulnerability.

4.17.0-beta.2

• Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
• The up command now warns about any astray license issues before running migrations. (#18297)
• Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
• Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
• Fixed a high-severity user account enumeration vulnerability. (GHSA-234q-vvw3-mrfq)