Elgg Blog: Elgg 1.7.9 released

The latest stable version of Elgg has been updated to 1.7.9. This is a relatively small release to address a mild security issue and bugs in Elgg 1.7.8. All users are encouraged to upgrade immediately.

The security enhancement resolves a rare situation in which a page that should be displayed only to logged-in or admin users is exposed when output is sent prematurely. Thanks to Vazco for submitting the report and for debugging the issue!
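The failure mode described here, and the fail-closed fix explained in the comments below, sketched in PHP as an added example. It is not Elgg's code: `example_forward_legacy`, `example_forward`, `example_gatekeeper` and `RedirectFailedException` are hypothetical names, and the scenario assumes output buffering is off.

```php
<?php
// Added illustration; every name defined here is hypothetical, not Elgg's API.
class RedirectFailedException extends RuntimeException {}

// "Before" behaviour: if output has already started, the Location header
// cannot be sent; this version just returns and the caller keeps rendering.
function example_forward_legacy(string $url): void {
    if (!headers_sent()) {
        header('Location: ' . $url, true, 302);
        exit;
    }
}

// "After" behaviour: fail closed by throwing, so the page is never rendered.
function example_forward(string $url): void {
    if (headers_sent($file, $line)) {
        throw new RedirectFailedException(
            "Redirect to $url failed: output started at $file:$line"
        );
    }
    header('Location: ' . $url, true, 302);
    exit;
}

// Gatekeeper: anonymous visitors are redirected before the page body runs.
function example_gatekeeper(bool $logged_in, callable $forward): void {
    if (!$logged_in) {
        $forward('/login');
    }
}

// Constructed scenario: a stray byte (e.g. from a damaged included file)
// is emitted before the access check, so headers are already sent.
// Assumes output buffering is off; with buffering on, the redirect succeeds.
echo "\n";
flush();

foreach (['example_forward_legacy', 'example_forward'] as $forward) {
    try {
        example_gatekeeper(false, $forward);
        echo "[$forward] PROTECTED PAGE RENDERED\n"; // the exposure
    } catch (RedirectFailedException $e) {
        error_log($e->getMessage());
        echo "[$forward] request aborted, nothing rendered\n";
    }
}
```

Run from the PHP command line, the legacy variant prints the protected page line while the throwing variant aborts and logs where the premature output started, which is the detail needed to find the offending file.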

Other changes include:

  • Admins can delete Pages again.
  • TinyMCE upgraded to 3.4.2 to fix IE support.
  • Autocomplete input works correctly.
  • Fixed Message Board "all" posts.
  • Fixed deleting internal messages on some non-English sites.
  • Better feedback if an error occurs when saving widgets.
  • Messages from deleted users no longer show the recipient's avatar.
  • HTTPS logins on fully HTTPS sites work correctly.

Developers will be interested in the following changes to the API:
  • Added "creating", "river" plugin hook.
  • User metadata is registered as independent higher in the boot sequence.
  • Group ACLs are updated correctly when joining a non-logged in user to a group.
  • Can return 0 for plugin hook 'comments', 'count'.

Elgg 1.7.9 is the current stable release. All networks should be running this version of Elgg.

  • Admin panel doesn't look so good, or should it look like that below:

    Elgg Admin

    In reference to this, http://docs.elgg.org/wiki/Configuration/Plugins,

    Go to Administration -> Configure -> Plugins -> Advanced

    I don't see configure under administration panel.

  • @Camille - what browser are you using? I have not seen that layout issue before on a clean install.

    As for the documentation, we have the problem that some documentation is written for 1.0-1.7 and some is written for 1.8 (which is still in beta). That documentation that you just posted here is for an early version of 1.8.

  • On the "security" issue, it only happens if you have a corrupted language file. What happens is that the corrupted language file causes the server to send data to the browser. Then when the user gatekeeper detects that the user does not have access to a page, it is supposed to send a forward request to the browser. This does not go out because the server has already sent something to the browser. The rest of the page is then rendered and sent to the browser. The fix throws an exception so that the rendered page is never sent.

  • @Camille: it looks like you might have increased the zoom factor in your browser resulting in the content not being able to be displayed like it would with the original size. Sometimes this happens to me unintentionally, too, by clicking CTRL + "Mousewheel down". You can restore the original zoom factor either by clicking CTRL + "Mousewheel up" or by clicking CTRL + "0".

  • That seems to be a float issue. I had fixed it on my $projects.
