-
- Password policy endpoint at
GET /auth/password-policy(public, no auth). Parses the configuredsystem.pwd_regexinto a structured{ regex, min_length, rules[] }response by recognizing the common lookahead form ((?=.*\d),(?=.*[a-z]),(?=.*[A-Z]),(?=.*\W),.{N,}) and mapping each to a human-readable rule label. Admins can override the auto-detected rules with an optionalsystem.pwd_rules: [{id, label, pattern}, …]list for custom or localized messaging without touchingpwd_regex. The same structure is piggybacked on theGET /auth/setupresponse so the first-run setup screen can render its strength meter without a second round-trip.POST /auth/setupadditionally validates the first-user password againstpwd_regexserver-side (previously only enforced>= 8chars) — keeps the server authoritative regardless of what the UI is showing. - HTTP method override fallback for shared-hosting nginx configs that 405
DELETE/PATCH/PUTat the edge before the request ever reaches PHP. A newMethodOverrideMiddlewareruns right after CORS/body-parse and transparently rewrites anyPOSTthat carries anX-HTTP-Method-Override: DELETE|PATCH|PUTheader to the target method before dispatch, so the FastRoute handlers downstream see the semantic verb they expect. Only the three mutation verbs are honored (neverGET), and the override is opt-in per request — clients that don't need it pay zero cost. Admin-next complements this with client-side auto-detection: a failed mutation that 405s is retried once asPOST + override, and the fallback is cached insessionStorageso subsequent requests in the same session skip straight to the compatible path. - Destination-aware blueprint file uploads at
POST /blueprint-uploadandDELETE /blueprint-upload. Accepts a blueprintdestination(Grav stream liketheme://images/logo,user://assets,account://avatars;self@:subpathrelative to a blueprint owner; or a plain user-rooted relative path) plus ascope(plugins/<slug>,themes/<slug>,pages/<route>,users/<username>) and writes the uploaded file to the right place, mirroring admin-classic'staskFilesUploadsemantics. Streams resolve through Grav's locator so symlinked theme/plugin folders (common in dev setups) work cleanly — the response returns a logical user-rooted path (user/themes/quark2/images/logo/foo.png) independent of realpath, so a subsequentDELETEround-trips through the symlink to remove the actual file. Enforces the usual safety gates:..traversal and absolute paths are rejected, filenames are sanitized, and the dangerous-extension allowlist is checked. This gives admin-next parity with admin-classic's file-field uploads for theme/plugin config forms that previously only worked on page-media contexts.
- Password policy endpoint at
-
PATCH /config/{scope}(and every other ETag-guarded endpoint) no longer returns a spurious409 Conflictwhen the admin is served behind Apachemod_deflateor an nginx build that applies gzip/br compression. Both servers weaken the ETag on compressed responses by suffixing it (<hash>-gzip,<hash>-br, sometimes;gzip), and clients echo that suffixed value back inIf-Matchon the next PATCH. The PATCH response body is typically uncompressed, sogenerateEtag()produced the bare hash and the strict equality check failed on every first save.validateEtag()now strips known transport suffixes (-gzip,;gzip,-br,-deflate) and the weak-validator prefix (W/) from inboundIf-Matchheaders before comparing, so the hash round-trips cleanly through a compressing proxy. Invisible onphp -S/ MAMP; only reproduces behind real reverse proxies with content compression enabled.GET /usersno longer emits phantom entries for stray files inuser/accounts/. Grav's FlexFileStorage::buildIndex()indexes every file in the accounts folder regardless of extension, so snapshot/backup files from other plugins (e.g. revisions-pro's.revsnapshots) surfaced as indexable "user" objects.UsersController::indexViaFlexnow constrains the collection to keys matching the username pattern[a-z0-9_-]+before search / sort / pagination, so stray files are filtered out before they ever reach the serializer.PATCH /config/{scope}now uses Grav's blueprint-aware merge (Blueprint::mergeData()) instead of a blindarray_replace_recursive. The old recursive merge deep-merged map values at every level, so when a client sent a file field as{}after the user removed the last file, the old path keys from$existingsurvived the merge and the YAML kept referencing the deleted file. Blueprint-aware merge respects field-type semantics —type: file(and any other "collection of items" field) is REPLACED wholesale from the incoming body, so removing map entries actually propagates. Falls back toarray_replace_recursivewhen no blueprint is available (rare — mostly test fixtures).DELETE /blueprint-uploadis now idempotent: a missing file returns204 No Contentinstead of404 Not Found. The endpoint's contract is "this file should not be on disk" — already-gone and just-deleted are indistinguishable end states, and surfacing a 404 forced clients into special-case error suppression. Real misuses (path resolves to a directory or something non-file) still error.
-
- Environment management API at
GET /system/environments(now returning a richer shape:detectedhost,environments[]withname,label,exists,hasOverrides) andPOST /system/environmentsto create a newuser/env/<name>/config/folder. Writes toconfig/plugins/*,config/themes/*, andconfig/{system,site,media,security,…}now honor a newX-Config-Environmentrequest header that targets an existing env folder — empty/missing defaults to baseuser/config/, and a non-empty value that doesn't match an existing folder returns a clear400instead of silently creating anything. Env folders are never created implicitly; clients must opt in viaPOST /system/environments. A sharedEnvironmentServiceowns resolution acrossuser/env/*and legacy Grav 1.6user/<host>/layouts so both the listing endpoint and the write path see the same set of envs. - Differential config saves. Config writes now persist only the delta against the relevant parent yaml, matching the hand-edit workflow instead of forking full defaulted copies. Parent resolution:
system / site / media / security / scheduler / backups→system/config/<scope>.yaml(Grav core defaults)plugins/<name>→user/plugins/<name>/<name>.yaml(the plugin's own shipped defaults)themes/<name>→user/themes/<name>/<name>.yaml(the theme's own shipped defaults)- Env-targeted writes (
X-Config-Environmentset) additionally layeruser/config/<scope>.yamlon top of defaults, so env files only carry keys that differ from the effective base — move a key from base to env by setting it to a different value; leave it alone to inherit. - Defaults come from the raw yaml files on disk, not from blueprints — blueprints describe the admin form and routinely diverge from what actually loads at runtime. Sequential arrays (
languages.supported,pages.types, etc.) are treated atomically: any difference retains the whole new list, avoiding the classic admin-classic bug where shortening a list silently merged removed entries back in. Ships with 24 unit tests covering diff semantics, deep merges, key-ordering tolerance, null overrides, and a full parent-resolution round trip against a tempdir Grav layout.
- Environment management API at
-
- Config saves no longer return a
409 Conflicton every second edit when sensitive fields are present.ConfigController::update()was hashing the PATCH response body from the in-memory$merged(non-redacted) but the next save'sIf-Matchvalidation hashed the redactedconfig->get()representation, so the etag the client stored was never going to match on the next round-trip. Both the response body and theIf-Matchcomparison now flow through a singleconfigEtagData()helper that reads viaconfig->get()after the save and applies the same redaction, so the client's stored etag stays valid across consecutive saves and reflects the shape a freshGETwould return (including any blueprint defaults or type coercion applied server-side during the filter step). - Config writes no longer silently create
user/<hostname>/config/folders on save.writeConfigFile()was resolving the target directory vialocator->findResource('config://', true, true), whose first match can be the hostname-derived env path Grav auto-infers whenuser/env/doesn't exist — thenmkdirmaterialized the path on first save, producing orphanuser/localhost/config/,user/<ddev-host>/config/, etc. that then began overridinguser/config/on every subsequent read. The write path now explicitly resolves touser://config(or an existinguser/env/<env>/whenX-Config-Environmentis set), and themkdiris reserved for plugin/theme sub-directories inside an already-existing write root. Env roots must be created deliberately viaPOST /system/environments.
- Config saves no longer return a
-
POST /gpm/installandPOST /gpm/updatenow install missing blueprint dependencies before installing the requested package — mirroring admin-classic's behavior viaGPM::checkPackagesCanBeInstalled()+GPM::getDependencies(), which resolves version constraints, checks PHP/Grav requirements, and returns a slug-keyedinstall/update/ignoremap. Previously the naive recursive branch inGpmService::install()passed the raw blueprintdependencies:list (arrays of{name, version}) back into itself wherearray_mapsilently filtered them all tofalse, so deps were never installed and the user got a half-wired plugin (e.g. installingshortcode-uiwithoutshortcode-core). Response bodies andonApiPackageInstalled/onApiPackageUpdatedevents now carry adependencies: string[]list of slugs that were installed alongside, and cache-invalidation tags cover each new dep so list views refresh accordingly. Failure modes are surfaced cleanly: requiring a newer Grav core, a newer PHP version, or hitting an incompatible version constraint between packages returns a422 Unprocessable Entitywith the originalGPM::getDependencies()error message (e.g. "One of the packages require Grav 1.8.0. Please update Grav to the latest release.") — the API never auto-upgrades Grav itself, matching admin-classic. CLI color markup (<red>,<cyan>, …) is stripped from the propagated message. Deps are installed one-at-a-time so mid-install failures report partial state — the 500 detail includes a "Dependencies already installed before failure: foo, bar." suffix so callers know exactly what got through before the failure.
-
GET /pagesnow returns accuratepublishedandvisiblevalues for every page. Flex-indexedPageObjectinstances expose an empty header during listings, so$page->published()/visible()fell back to Grav's default "true" even when the frontmatter explicitly set them to false — making draft / hidden pages indistinguishable from published ones in list/tree/columns views.PageSerializernow parses the YAML frontmatter directly from the.mdfile on disk (with multilang filename resolution: page language → active language → untyped default → glob) whenever it gets a flex page with an empty header, and re-exposes the full header dict alongside correctpublished/visiblebooleans.PATCH /pages/{route}now reflectspublished/visiblechanges in the response without requiring a reload. LegacyPagecaches$this->publishedand$this->visibleat init and doesn't re-derive them from header mutations, so after updating the header the API was returning the pre-save values. The update controller now calls thePage::published()andPage::visible()setters in addition to header replacement whenever those fields are sent (either as top-level keys or nested underheader), keeping the in-memory object in sync with the just-written file.
-
GET /blueprints/pages/{template}now honours the newer'@extends':and'@import':directives (string or{type, context}array form) alongside the legacyextends@:/import@:spellings. Previously, page blueprints using the newer syntax silently lost their inheritance chain — fields defined in the parent (e.g.content: type: markdown,header.media_order: type: pagemediafromsystem://blueprints/pages/default.yaml) were dropped, leaving only the fields the child blueprint declared locally. Caused custom page templates in themes like Helios to render with raw text inputs instead of markdown editors / page media uploaders in admin-next.GET /blueprints/pages/{template}now firesPages::getTypes()before resolving, which triggers theonGetPageBlueprintsevent and registers plugin-contributed blueprint paths into theblueprints://pages/locator stream. Without this, blueprints declared by plugins (via$types->scanBlueprints('plugin://.../blueprints')) were unreachable from the API even when the plugin was subscribed correctly.
-
description_htmlfield added to the plugin/theme package serializer. Plugin and themedescriptionstrings are YAML-authored and routinely contain inline markdown (links, bold, emphasis) that renders as literal syntax in admin UIs. The API now ships a safe-mode Parsedown rendering alongside the rawdescriptionso clients can{@html}it for detail views and strip tags for one-line list cards without reinventing a markdown pipeline. Present onGET /gpm/plugins,GET /gpm/plugins/{slug},GET /gpm/themes,GET /gpm/themes/{slug}, and the/gpm/repository/*endpoints.
-
GET /pages/{route}?summary=trueno longer 500s on pages whose content contains plugin shortcodes that rely on the frontend Twig/theme environment (e.g.[poll]). Shortcode processing runs as part of Grav'ssummary()pipeline and can throw when it tries to render template partials that aren't wired up in the API request context. The page serializer now catches the failure and falls back to a plain-text rendering of the raw markdown (shortcodes stripped, trimmed tosummary_sizeor 300 chars) so admin previews keep working.
-
X-API-Tokenheader added as the preferred transport for JWT access tokens. Sidesteps FastCGI / PHP-FPM / CGI setups (notably MAMP'smod_fastcgi) that silently strip the standardAuthorizationheader before it reaches PHP — a common source of 401 errors on shared hosts. Accepts either a bare JWT (X-API-Token: eyJ...) or the traditional Bearer form (X-API-Token: Bearer eyJ...).Authorization: Bearerstill works as a fallback for standards-compliant clients on hosts that don't strip it.GET /menow returnsgrav_versionandadmin_versionso admin UIs can surface the running Grav core and admin plugin versions without a separate request.admin_versionresolves to the enabled admin2 or admin-classic plugin blueprint.is_symlinkfield added to the installed-package serializer (present onGET /gpm/plugins,GET /gpm/plugins/{slug},GET /gpm/themes,GET /gpm/themes/{slug}). Detected viais_link()on the resolvedplugins://{slug}orthemes://{slug}path so admin UIs can flag symlinked packages.POST /pages/{route}/adopt-language— claims an untyped base page file (e.g.,default.md) as a specific language by renaming it in-place to{template}.{lang}.md. Pure filesystem rename + cache bust; content is untouched. Fails if the page already has an explicit file for that language, or if the page has no untyped base file. FiresonApiBeforePageAdoptLanguage/onApiPageLanguageAdopted. Enables "Save as English" workflows on sites that started single-language and later enabled multilang.- Page translation response (
GET /pages,GET /pages/{route}with?translations=true) now includes two new fields to disambiguate Grav's fallback behaviour:has_default_file(true when an untyped{template}.mdexists) andexplicit_language_files(the subset of site languages with a real{template}.{lang}.mdon disk). Needed because Grav reports the default lang intranslated_languageswheneverdefault.mdexists — admin UIs can now tell whether each lang is backed by an explicit file or the implicit fallback.
-
JwtAuthenticator::extractBearerToken()now readsX-API-Tokenfirst, then falls back toAuthorization: Bearer, then?token=query param. When both custom and standard headers are set, the custom header wins (so clients can send both for maximum host compatibility without ambiguity).- OpenAPI spec, README, and Newman test runner updated to lead with
X-API-Token. - Default CORS allow-headers list in
api.yamlnow includesX-API-Tokenalongside the existing entries, so cross-origin preflights succeed out of the box on fresh installs.
-
GET /meno longer 500s when resolving the admin plugin version. Previous implementation called$grav['plugins']->get($slug)->getBlueprint(), but->get()returns aDataconfig object, not aPlugininstance (nogetBlueprint()method). Now readsplugins://{slug}/blueprints.yamldirectly via the locator, matching the pattern used for themes.POST /pages/{route}/adopt-languageno longer spuriously rejects the default language with "A translation already exists". The previous check used$page->translatedLanguages()which always includes the default lang whendefault.mdexists (because it serves as a fallback). The guard now checks the filesystem directly for{template}.{lang}.md, so adoption proceeds whenever the concrete language file is genuinely absent.
-
POST /gpm/update-all— bulk update every updatable plugin + theme in one request (returns{updated[], failed[]})POST /gpm/upgrade— Grav core self-upgrade (refuses to run when Grav is installed via symlink)GET /gpm/updatesresponse now includesgrav.is_symlinkand counts Grav itself intotalso admin UIs can show the true update count- Events
onApiBeforePackageUpdate/onApiPackageUpdated/onApiBeforeGravUpgrade/onApiGravUpgradedfire around the new write operations
-
POST /gpm/updateauto-detects whether the slug is a theme and passestheme: trueto the installer so theme updates land in the right directoryGpmService— all GPM write operations (install / update / remove / direct-install / self-upgrade) are now implemented locally in the API plugin, removing the hard dependency onGrav\Plugin\Admin\Gpm. admin2 users can manage packages without the classic admin plugin installed
-
- Previously
POST /gpm/updatecalled the admin plugin's Gpm helper, which meant admin2-only sites (no classic admin) got500 Admin Plugin Requiredwhen trying to update anything
- Previously
-
/auth/tokennow delegates password check toUser::authenticate()so the core trait's plaintext-password fallback fires — restores long-standing Grav behavior (admin-classic, Login plugin, frontend login) where apassword:declared directly inuser/accounts/*.yamlauto-hashes on first successful login. Previous directAuthentication::verify()call required users to pre-populatehashed_password, which broke the "edit yaml and log in" workflow that operators rely on when the CLI is unavailable- Persist the auto-generated JWT secret on fresh installs. The previous
findResource(..., true, true)call returned an array, the fallback concatenated that array into"Array/...", and the write silently went nowhere — so every request minted a different secret, producing a login-then-immediately-expire loop on every fresh 2.0 install. Now resolves the path with default flags and logs+degrades gracefully if persistence genuinely fails.
-
- Page-view popularity tracker — single-file flat-JSON store with
flock(), replaces admin-classic's four-file scheme; subscribesonPageInitializedfor frontend hits only - One-shot import + rename of legacy
daily/monthly/totals/visitors.jsoninto the newpopularity.json(ISO-keyed,pagescapped at 500) popularity.{enabled, history.daily/monthly/visitors, ignore}config block inapi.yamlraw_routefield on serialized pages so admin clients can navigate home / aliased pages correctly
- Page-view popularity tracker — single-file flat-JSON store with
-
- Strict super-user scoping:
isSuperAdmin()honors onlyaccess.api.super(no fallback toadmin.super); operators can grant API authority without admin-classic implications SetupControllerwrites a minimal admin-next-native account (site.login+api.superonly), with race guards and explicit avatar/2FA reset to prevent flex-stored ghost dataissueTokenPair()lifted toAbstractApiControllerso setup, login, refresh, and 2FA share one token-shape source- Pages list / dashboard stats no longer skip the home page — the virtual pages-root is now distinguished by
$page->exists()instead of byroute() === '/' - Dashboard
popularityendpoint reads fromPopularityStore(handles legacy import transparently)
- Strict super-user scoping:
-
- Pages list and dashboard
pages.totalundercounted by 1 (the home page was being filtered out)
- Pages list and dashboard
- [new]
- Add intial user funtionality
- Add
ai.superpermissions - Add missing vendor library
- [improved]
- Default
enabledtotruesince the plugin is not installed by default and admin2 requires it
- Default
- [new]
- Initial beta release