v2.6 🦣
What's Changed
Breaking changes ⚠
With this release, the auth system was restructured to be more flexible, convenient and powerful. All previous "auth modes" are still supported and you don't have to change anything apart from the Tobira config file! See the "Migration" section at the bottom of these release notes. As part of this, the documentation about auth was reworked. See those new docs or this PR for more information.
- Remove auth.mode in favor of auth.source plus auth.session.*
- Move auth.session_duration to auth.session.duration
- Remove the auth.*_header configs. These were not useful, see this commit for the reasoning.
- Move role-related configs into auth.roles. That's moderator_role, upload_role, studio_role, editor_role, user_realm_role, and user_role_prefixes.
- Always add ROLE_ANONYMOUS and ROLE_USER to logged in users. Technically a breaking change, but this should always be the case. It might not have been in the past if faulty auth integrations forgot to add those roles.
Apart from the auth related changes, there are two other breaking changes:
- Tobira moderators (ROLE_TOBIRA_MODERATOR) cannot edit all pages anymore. Only ROLE_ADMIN can do that implicitly. To retain the old behavior, add ROLE_TOBIRA_MODERATOR as "page admin" to the home page. (You might have to add a "known group" for that purpose.)
- The libc requirement for the tobira-x86_64-unknown-linux-gnu binary increased to 2.31 (which is Ubuntu 20.04 kind of old). If this is a problem for you, you can always use the -musl build.
User-facing changes
- Add granular permissions to the page tree in #1097
  - This allows you to give users access to only parts of the page tree. Access is inherited down the tree, meaning that giving a user access to one page means that user also has access to all sub-pages. There are two levels of permissions: page admin (can do everything) and moderator (cannot delete the page, change its path, or change access rules).
- Add configurable "terms and conditions" popup in #1112
  - Useful in combination with the added basic Matomo integration.
- Update Paella and add support for fallback fullscreen mode on iOS in #1113
- Revise download menu listitems in #1111
- Add arrow navigation to remaining popover menus in #1001
- Fix overlarge thumbnails in series slider view in #1078
- Group edit series options by @geichelberger in #1079
- Left align "about tobira" page content in #1084
- Add breadcrumbs to series pages in #1085
- Make logout button work with keyboard in #1083
- Hide child list in "change order" UI if sorted alphabetically in #1105
- Fix login page redirect when login_link is not configured in #1117
- Extend edit series block by @geichelberger in #1058
- Change edit series block label "layout" to "Metadata" in #1076
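The page-tree permission rules from #1097 and the ROLE_TOBIRA_MODERATOR change above, modelled as an added example (this is not Tobira's code). The ACL layout, the action names, the sample roles ROLE_PHYSICS_STAFF and ROLE_LECTURER_X, and the rule that the highest level found on any ancestor wins are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    MODERATOR = 1
    PAGE_ADMIN = 2

# Per the release notes, moderators cannot do these three things.
# The action names themselves are hypothetical.
ADMIN_ONLY = {"delete_page", "change_path", "change_acl"}

# Constructed sample: page path -> roles granted each level on that page.
SAMPLE_ACL = {
    "/physics": {"moderator": {"ROLE_PHYSICS_STAFF"}},
    "/physics/lectures": {"admin": {"ROLE_LECTURER_X"}},
}

def ancestors(path):
    """Yield the home page and every prefix of `path`, top down."""
    yield "/"
    current = ""
    for segment in filter(None, path.split("/")):
        current += "/" + segment
        yield current

def effective_level(acl, path, roles):
    """Highest level granted on `path` or on any page above it."""
    roles = set(roles)
    if "ROLE_ADMIN" in roles:  # implicit access to every page
        return Level.PAGE_ADMIN
    level = Level.NONE
    for page in ancestors(path):
        entry = acl.get(page, {})
        if roles & entry.get("admin", set()):
            return Level.PAGE_ADMIN
        if roles & entry.get("moderator", set()):
            level = Level.MODERATOR
    return level

def can(acl, path, roles, action):
    level = effective_level(acl, path, roles)
    if level == Level.NONE:
        return False  # ROLE_TOBIRA_MODERATOR alone lands here since v2.6
    return level == Level.PAGE_ADMIN or action not in ADMIN_ONLY

def grant_home_admin(acl, role):
    """Return a copy of `acl` with `role` added as page admin of "/"."""
    home = acl.get("/", {})
    admins = set(home.get("admin", set())) | {role}
    return {**acl, "/": {**home, "admin": admins}}
```

Calling grant_home_admin(SAMPLE_ACL, "ROLE_TOBIRA_MODERATOR") mirrors the "retain the old behavior" step: the grant on the home page is inherited by every page below it.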
Changes primarily for admins
- Add auth callbacks in #1032
  - This is a new way to include your custom auth logic with Tobira. It is preferred over the existing "auth header" solution for several reasons. It usually makes setup a lot easier and the whole system faster. See the new auth docs for more information.
- Add initial support for Matomo data collection via Paella player in #1099
- Fix bug in auth.mode = "opencast" in #1109
- Fix deserialization bug for harvesting in special cases in #1109
- Add logging of useful DB server information in #1089
- Future proof harvest sync code for new items in #1115
Changes primarily for developers
- Add url field to routes to build path and use it everywhere in #1035
- Split ci action into two jobs to start deploy faster in #1073
- Actually pass relevant options through to start-dev.sh by @JulianKniephoff in #1104
- Stop using non-existent Roboto fonts in Paella in #1106
- Add realm ACL roles to db dump in #1110
Full Changelog: v2.5...v2.6
Migration
This section should make it easy to adjust to the auth system changes that replace auth.mode. Be sure to check the other breaking changes as well.
You currently have auth.mode = ...

"opencast"
[auth]
source = "tobira-session"
session.from_login_credentials = "opencast"

"login-proxy"
[auth]
source = "tobira-session"
session.from_session_endpoint = "trust-auth-headers"
Consider migrating to login callbacks.

"full-auth-proxy"
[auth]
source = "trust-auth-headers"
Consider migrating to auth callbacks.