A small feature release: 

  • Collections now have access to a 'Gallery' template option, which displays child objects as a thumbnail grid below the description. This allows you to use collections to generate an 'article + gallery' pattern for (say) events or travel articles, or can be used as an alternative display format for publications catalogues etc.

A small feature release and polish. The shiny new things are:

  • CSS grid themes: Several new themes are available based on native CSS grid, which removes Bootstrap as a dependency. This makes them both simpler and more lightweight. They are also more refined and precise in terms of spacing and layout. The new themes are Tide (teal), Sand and Sea (blue), Kelp (olive-amber), Canyon (rust stained) and Pond (green). The themes feature a 'night mode' toggle and use image source sets to ensure that thumbnails are crisp when displayed at different resolutions or on high resolution screens.
  • Block template overrides: Copy the internal block templates from modules into the relevant theme/blocks directory and customise them however you like, (eg. copy yourmodule/Block/some-template.html to themes/yourtheme/blocks/some-template.html). The versions internal to the modules provide safe defaults if theme-specific versions are not available.
  • Pagination control has been extracted from the PHP code and placed in a html template.

A small update to simplify / reduce friction during installation:

  • Change index.php to route from request path only, independent of scheme and host. This avoids the need to manually configure when deploying behind reverse proxy that handles TLS termination.

A minor update that provides a performance boost, file structure reorganisation and security hardening:

  • Optimise database performance: Indexes have been added, which accelerate queries, improve resilience under load, and further reduce the already small hardware requirements of Tuskfish. The indexes are primarily of benefit to sites with large content loads.
  • Modularity has been improved so that new modules can be dropped in or ripped out without modifying other code, which will simplify future development.
  • The SMTP password is now encrypted at rest.

A minor feature and security hardening release:

  • Add SMTP support via PHPMailer.
  • Add TFISH_EMAIL_URL constant to config.php.
  • Proactive security hardening pass based on sweep by Claude Opus 4.6.

A minor patch to fix a bug in collection pagination.

A minor maintenance release to harden the WebAuthn service class.

A minor patch:

Tighten access-control-origin header, close open redirects, improve validation and add resource limits to JS.

Tuskfish CMS now supports login with Windows Hello, Touch ID, Face ID, iOS and Android devices, and hardware security keys like the Yubikey. This is implemented as a second factor after password check for two-factor authentication (2FA) login security.

Users can register and revoke their 2FA credentials by visiting Preferences => Two-Factor Authentication in the Admin panel. Registration of a credential only takes a few seconds. Once a credential is registered, two-factor login becomes mandatory, so it is a good idea to register more than one device to avoid lock out. Users can revert to simple password login by revoking all their 2FA credentials.

Technically this is an implementation of the FIDO 2 / WebAuthn standards. Users register passkeys from platform authenticators (Hello, Touch ID etc) or hardware security keys (CTAP2 authenticators). Credentials are public-key based and origin-bound; no shared secrets are stored.

Minor bugfixes:

Reverted cache writes to avoid use of remove(), as this function is normally disabled in php.ini; tidied cached file names (prevent param separator being used on first param); fixed bug in gallery logic that prevented dynamic changes in columns to suit display width.