Version 2.0.11

November 9, 2023

Changed

  • Action request endpoints are no longer protected.

Fixed

  • Fix too-early call on User::getIdentity() when plugin is disabled, for better performance.

Version 2.0.10

June 5, 2023

Fixed

  • Fix an error when checking the enabled state of the plugin.

Version 2.0.9

May 27, 2023

Added

  • Add Cache-Control headers when redirecting.

Fixed

  • Fix an incorrect check for enabled state for multi-site installs.

Version 2.0.8

March 2, 2023

Fixed

  • Fix unprotectedUrls as a config option not working correctly.

Version 2.0.7

January 18, 2023

Changed

  • Only admins are now allowed to access plugin settings.

Fixed

  • Fix Protected URLs/Unprotected URLs not working correctly for multiple values when set via the control panel.

Version 2.0.6

December 10, 2022

Added

  • Add enableCpProtection plugin setting.

Fixed

  • Fix login challenge when accessing the control panel.

Version 2.0.5

November 16, 2022

Fixed

  • Fix an error introduced in 2.0.4.

Version 2.0.4

November 15, 2022

Added

  • Add support for Cloudflare remote IP checking.
  • Add support to block CP-based pages, not just site-based requests.

Version 2.0.3

October 19, 2022

Fixed

  • Fix an issue with live preview checks for access control.

Version 2.0.2

July 13, 2022

Fixed

  • Fix protectedUrls and unprotectedUrls partial-matching URLs incorrectly due to Regex rules.
  • Better normalising of allowIps, denyIps, protectedUrls, and unprotectedUrls settings.
  • Revert infinite loop check, which results in incorrect redirect URLs.

Version 2.0.1

July 12, 2022

Fixed

  • Fix an error when installing the plugin.

Version 2.0.0

July 10, 2022

Added

  • Add resave console command for elements.
  • Add checks for registering events for performance.
  • Add archiveTableIfExists() to install migration.

Changed

  • Now requires PHP 8.0.2+.
  • Now requires Craft 4.0.0+.
  • Now requires Knock Knock 1.2.16 in order to update from Craft 3.
  • Rename service classes.
  • Rename base plugin methods.
  • Use Application::EVENT_INIT to test access to ensure Craft is initialized properly.

Version 1.2.17

July 10, 2022

Added

  • Allow arrays in config settings for allowIps, denyIps, protectedUrls, unprotectedUrls. (thanks @Diewy).

Fixed

  • Fix a potential infinite redirect loop if changing from http to https.

Version 1.2.16

September 17, 2021

Fixed

  • Fix site-based custom templates not working correctly.

Version 1.2.15

June 30, 2021

Added

  • Add support for custom CP-based templates. (thanks @seibert-io).
  • Add support for IPv4 and IPv6 CIDR blocks in allowIps and denyIps config. (thanks @onstuimig).

Changed

  • Deny access to settings for non-admins.

Fixed

  • Fix redirect URL not using the referrer URL after logging in.

Version 1.2.14

November 29, 2020

Fixed

  • Fix potential error redirecting to non-site URLs after login. In some cases, this caused redirecting to a cpresources asset.
  • Fix cookie not respecting the Craft defaultCookieDomain config setting.

Version 1.2.13

September 10, 2020

Fixed

  • Fix incorrect loginUrl route, causing issues on some site setups (subdirectory installs).

Version 1.2.12

August 14, 2020

Added

  • Allow env variables to be used in allow/deny IPs.

Fixed

  • Fix login path not resolving correctly for some multi-site installs.

Version 1.2.11

August 10, 2020

Fixed

  • Fix challenge URL not being correct for nested URLs.

Version 1.2.10

July 13, 2020

Added

  • Add useRemoteIp to opt in to stricter IP checks if security is your concern.

Fixed

  • Revert behaviour of using remote IP for checking user IP. Too many issues and edge-cases.

Version 1.2.9.2

June 22, 2020

Fixed

  • Fix potential issue splitting multi-line settings (allowIps, denyIps, protectedUrls).

Version 1.2.9.1

June 18, 2020

Fixed

  • Fix error introduced in 1.2.9.

Version 1.2.9

June 17, 2020

Deprecated

  • Deprecate whitelistIps. Use allowIps instead.
  • Deprecate blacklistIps. Use denyIps instead.

Version 1.2.8

May 20, 2020

Critical

Fixed

  • Fix fetching the IP for a user, which could allow spoofing via headers. Vulnerability (IP Whitelist bypass) reported by Paweł Hałdrzyński.
  • Ensure the redirect param is validated to prevent malicious redirection. For custom forms, please update the redirect input to use {{ redirect | hash }}, otherwise logins will not work. Vulnerability (Open-redirect) reported by Paweł Hałdrzyński.

Version 1.2.7

April 21, 2020

Added

  • Add forcedRedirect to force a redirected URL once logging in.

Version 1.2.6

April 16, 2020

Fixed

  • Fix logging error Call to undefined method setFileLogging().

Version 1.2.5

April 15, 2020

Changed

  • File logging now checks if the overall Craft app uses file logging.
  • Log files now only include GET and POST additional variables.

Version 1.2.4.2

April 1, 2020

Fixed

  • Realllly fix live preview from cross-domains.

Version 1.2.4.1

March 31, 2020

Fixed

  • Fix error thrown for console requests.

Version 1.2.4

March 31, 2020

Fixed

  • Re-organise access testing code, and support cross-domain live preview (properly, through tokens).

Version 1.2.3

March 30, 2020

Fixed

  • Exclude live preview requests from blocking access.

Version 1.2.2

March 14, 2020

Fixed

  • Fix asset bundles causing style issues in the CP.

Version 1.2.1

February 25, 2020

Added

  • Add support for Regex in protected URLs.

Fixed

  • Fix protected URL comparison taking into account query strings, when it shouldn't.

Version 1.2.0

January 30, 2020

Added

  • Add Craft 3.4 compatibility.

Version 1.1.2

January 7, 2020

Fixed

  • Fix yii\base\InvalidConfigException error thrown in some instances.

Version 1.1.1

November 27, 2019

Added

  • Added Custom login path. Thanks @X-Tender.
  • Allow IPs to be whitelisted from login protection.
  • Add Protected URLs to set specific URLs (and only those) for password protection.

Fixed

  • Update redirect input. Fix redirection after login.

Version 1.1.0

June 5, 2019

Added

  • Add lock-out and security behaviour.
  • Add multi-site settings.
  • Add custom template setting.
  • New icon.
  • Add override notice for settings fields.

Version 1.0.3

February 9, 2019

Fixed

  • Fix console requests throwing an error.

Version 1.0.2

February 2, 2019

Changed

  • Downgrade requirement to Craft 3.0.x.

Fixed

  • Fix settings not saving.

Version 1.0.1

January 30, 2019

Added

  • Added enabled setting.

Version 1.0.0

January 26, 2019

  • Initial release.