Release Notes
Pre-release
This release is a beta developer preview of an upcoming 3.1 version of OroCommerce. In this release we focused on application stability and security.
Email templates
We have added variables for all order totals so the order confirmation email may now include all the data displayed to the customer during checkout. Variables may also display totals in different currencies, allowing the customer to see their order details in checkout currency if it differs from the base currency.
Websocket security
SSL/TLS connections
OroCommerce may now connect to websocket server via SSL/TLS connection and pass SSL connect options if necessary. To enable this connection, use the following parameters in the application configuration:
- `websocket_backend_transport` defines the transport to be used for connection. This option may be set to any registered transport returned by [stream_get_transports](http://php.net/manual/en/function.stream-get-transports.php); the default value is `tcp`.
- `websocket_backend_ssl_options` specifies the SSL context options that will be passed when establishing the connection.
These configuration options are not exposed on the UI and should be set during the installation or changed in the `config/parameters.yml` file.
Connection origin check
To further improve the security of websocket connection and eliminate Cross-Site WebSocket Hijacking (CSWSH) attacks, Origin headers will be checked against the list of allowed origins after the websocket connection is established. This feature utilizes the existing OriginCheck functionality of GoS WebSocket bundle.
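The kind of check described above, as an added PHP example (not OroCommerce or GoS WebSocket bundle code): it validates a handshake Origin header against an allowlist and shows why the comparison must be an exact host match. The function name `isOriginAllowed`, the host-only allowlist format and the sample hosts are assumptions made for the illustration.

```php
<?php
// Added illustration; not OroCommerce or GoS WebSocket bundle code.
// isOriginAllowed() and the hosts below are hypothetical.

/**
 * Returns true only when the Origin header names an http(s) origin whose
 * host exactly matches an entry in the allowlist.
 */
function isOriginAllowed(?string $originHeader, array $allowedHosts): bool
{
    // A missing or opaque ("null") origin cannot be tied to a trusted page.
    if ($originHeader === null || $originHeader === '' || $originHeader === 'null') {
        return false;
    }

    $parts = parse_url($originHeader);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // An origin is scheme://host[:port] only; reject anything carrying
    // credentials, a path, a query or a fragment.
    if (array_diff(array_keys($parts), ['scheme', 'host', 'port'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Exact, case-insensitive host comparison. Substring or suffix matching
    // would accept lookalikes such as "shop.example.com.other.test".
    $host = strtolower($parts['host']);
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed sample Origin values, not taken from any real deployment.
$allowed = ['shop.example.com', 'admin.example.com'];
$samples = [
    'https://shop.example.com',               // exact match
    'https://SHOP.example.com:8443',          // case and port differ, host matches
    'https://shop.example.com.other.test',    // allowed host used as a prefix
    'https://notshop.example.com',            // allowed host used as a suffix
    'null',                                   // opaque origin
    null,                                     // header absent
];
foreach ($samples as $origin) {
    $verdict = isOriginAllowed($origin, $allowed) ? 'accept' : 'reject';
    printf("%-42s %s\n", var_export($origin, true), $verdict);
}
```

Only the first two samples are accepted; the remaining four are rejected.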
Administration
The new Case-Insensitive Email Addresses configuration option allows the system configurator to restrict user email addresses acceptable for registration of both customer users and back-office users. When this option is turned on, all different capitalizations of the same email (e.g. [email protected] and [email protected]) will be treated as the same address, so only one of them can be used to register a user. This option is off by default, as prescribed by RFC 5321 2.4.
API
- JSON API is now the default REST API sandbox
- API filters are now enabled by default for one-to-many relations
- We created developer documentation for API filters
- We added data flow diagrams to API action documentation to clarify the use of API processors in customizations
Other improvements
- Checkout performance was improved significantly
- ACL security model is now extendable with custom data access rules
- New ACL rule restricts visitors from accessing checkouts (`frontend-checkouts-grid`) that do not belong to them
Known issues
Due to deprecations of Elasticsearch 6 the following changes were introduced:
- Fulltext search will match words only from the beginning of the word – e.g. `Foldable Wheelchair` will be found by `wheel`, but not by `eel`
- In case of multiple words, `AND` strategy will be used in the admin panel search