Version 3.0.1

July 21, 2024

Added

  • Allow enabled to be set using a callback function in config files.

Changed

  • Update English translations.

Fixed

  • Fix multi-site protected/unprotected URLs not being honoured.
  • Fix an error when trying to determine multi-site plugin settings for installs where no primary site exists yet.

Version 3.0.0

May 13, 2024

Changed

  • Now requires PHP 8.2.0+.
  • Now requires Craft 5.0.0+.

Version 2.0.12

July 21, 2024

Added

  • Allow enabled to be set using a callback function in config files.

Changed

  • Update English translations.

Fixed

  • Fix multi-site protected/unprotected URLs not being honoured.

Version 2.0.11

November 9, 2023

Changed

  • Action request endpoints are now no longer protected.

Fixed

  • Fix too-early call on User::getIdentity() when plugin is disabled, for better performance.

Version 2.0.10

June 5, 2023

Fixed

  • Fix an error when checking the enabled state of the plugin.

Version 2.0.9

May 27, 2023

Added

  • Add Cache-Control headers when redirecting.

Fixed

  • Fix an incorrect check for enabled state for multi-site installs.

Version 2.0.8

March 2, 2023

Fixed

  • Fix unprotectedUrls as a config option not working correctly.

Version 2.0.7

January 18, 2023

Changed

  • Only admins are now allowed to access plugin settings.

Fixed

  • Fix Protected URLs/Unprotected URLs not working correctly for multiple values when set via the control panel.

Version 2.0.6

December 10, 2022

Added

  • Add enableCpProtection plugin setting.

Fixed

  • Fix login challenge when accessing the control panel.

Version 2.0.5

November 16, 2022

Fixed

  • Fix an error introduced in 2.0.4.

Version 2.0.4

November 15, 2022

Added

  • Add support for Cloudflare remote IP checking.
  • Add support to block CP-based pages, not just site-based requests.

Version 2.0.3

October 19, 2022

Fixed

  • Fix an issue with live preview checks for access control.

Version 2.0.2

July 13, 2022

Fixed

  • Fix protectedUrls, and unprotectedUrls URLs partial-matching incorrectly due to Regex rules.
  • Better normalising of allowIps, denyIps, protectedUrls, and unprotectedUrls settings.
  • Revert infinite loop check, which results in incorrect redirect URLs.

Version 2.0.1

July 12, 2022

Fixed

  • Fix an error when installing the plugin.

Version 2.0.0

July 10, 2022

Added

  • Add resave console command for elements.
  • Add checks for registering events for performance.
  • Add archiveTableIfExists() to install migration.

Changed

  • Now requires PHP 8.0.2+.
  • Now requires Craft 4.0.0+.
  • Now requires Knock Knock 1.2.16 in order to update from Craft 3.
  • Rename service classes.
  • Rename base plugin methods.
  • Use Application::EVENT_INIT to test access to ensure Craft is initialized properly.

Version 1.2.17

July 10, 2022

Added

  • Allow arrays in config settings for allowIps, denyIps, protectedUrls, unprotectedUrls. (thanks @Diewy).

Fixed

  • Fix a potential infinite redirect loop if changing from http to https.

Version 1.2.16

September 17, 2021

Fixed

  • Fix site-based custom templates not working correctly.

Version 1.2.15

June 30, 2021

Added

  • Add support for custom CP-based templates. (thanks @seibert-io).
  • Add support for IPv4 and IPv6 CIDR blocks in allowIps and denyIps config. (thanks @onstuimig).

Changed

  • Deny access to settings for non-admins.

Fixed

  • Fix redirect URL not using the referrer URL after logging in.

Version 1.2.14

November 29, 2020

Fixed

  • Fix potential error redirecting to non-site URLs after login. In some cases, this caused redirecting to a cpresources asset.
  • Fix cookie not respecting the Craft defaultCookieDomain config setting.

Version 1.2.13

September 10, 2020

Fixed

  • Fix incorrect loginUrl route, causing issues on some site setups (subdirectory installs).

Version 1.2.12

August 14, 2020

Added

  • Allow env variables to be used in allow/deny IPs.

Fixed

  • Fix login path not resolving correctly for some multi-site installs.

Version 1.2.11

August 10, 2020

Fixed

  • Fix challenge URL not being correct for nested URLs.

Version 1.2.10

July 13, 2020

Added

  • Add useRemoteIp to opt-in to more stricter IP checks if security is your concern.

Fixed

  • Revert behaviour of using remote IP for checking user IP. Too many issues and edge-cases.

Version 1.2.9.2

June 22, 2020

Fixed

  • Fix potential issue splitting multi-line settings (allowIps, denyIps, protectedUrls).

Version 1.2.9.1

June 18, 2020

Fixed

  • Fix error introduced in 1.2.9.

Version 1.2.9

June 17, 2020

Deprecated

  • Deprecate whitelistIps. Use allowIps instead.
  • Deprecate blacklistIps. Use denyIps instead.

Version 1.2.8

May 20, 2020
Critical

Fixed

  • Fix fetching the IP for a user that could allow spoofing via headers. Vulnerability IP Whitelist bypass reported by Paweł Hałdrzyński.
  • Ensure redirect param is validated to prevent malicious redirection. For custom forms, please update the redirect input to use {{ redirect | hash }} otherwise logins will not work. Vulnerability Open-redirect reported by Paweł Hałdrzyński.

Version 1.2.7

April 21, 2020

Added

  • Add forcedRedirect to force a redirected URL once logging in.

Version 1.2.6

April 16, 2020

Fixed

  • Fix logging error Call to undefined method setFileLogging().

Version 1.2.5

April 15, 2020

Changed

  • File logging now checks if the overall Craft app uses file logging.
  • Log files now only include GET and POST additional variables.

Version 1.2.4.2

April 1, 2020

Fixed

  • Realllly fix live preview from cross-domains.

Version 1.2.4.1

March 31, 2020

Fixed

  • Fix error thrown for console requests.

Version 1.2.4

March 31, 2020

Fixed

  • Re-organise access testing code, and support cross-domain live preview (properly, through tokens).

Version 1.2.3

March 30, 2020

Fixed

  • Exclude live preview requests from blocking access.

Version 1.2.2

March 14, 2020

Fixed

  • Fix asset bundles causing style issues in the CP.

Version 1.2.1

February 25, 2020

Added

  • Add support for Regex in protected URLs.

Fixed

  • Fix protected URL comparison taking into account query strings, when it shouldn't.

Version 1.2.0

January 30, 2020

Added

  • Add Craft 3.4 compatibility.

Version 1.1.2

January 7, 2020

Fixed

  • Fix yii\base\InvalidConfigException error thrown in some instances.

Version 1.1.1

November 27, 2019

Added

  • Added Custom login path. Thanks @X-Tender.
  • Allow IPs to be whitelisted from login protection.
  • Add Protected URLs to set specific URLs (and only those) for password protection.

Fixed

  • Update redirect input. = Fix redirection after login.

Version 1.1.0

June 5, 2019

Added

  • Add lock-out and security behaviour.
  • Add multi-site settings.
  • Add custom template setting.
  • New icon.
  • Add override notice for settings fields.

Version 1.0.3

February 9, 2019

Fixed

  • Fix console requests throwing an error.

Version 1.0.2

February 2, 2019

Changed

  • Downgrade requirement to Craft 3.0.x.

Fixed

  • Fix settings not saving.

Version 1.0.1

January 30, 2019

Added

  • Added enabled setting.

Version 1.0.0

January 26, 2019
  • Initial release.