A minor patch:
Tighten access-control-origin header, close open redirects, improve validation and add resource limits to JS.
]]>Tuskfish CMS now supports login with Windows Hello, Touch ID, Face ID, iOS and Android devices, and hardware security keys like the Yubikey. This is implemented as a second factor after password check for two-factor authentication (2FA) login security.
Users can register and revoke their 2FA credentials by visiting Preferences => Two-Factor Authentication in the Admin panel. Registration of a credential only takes a few seconds. Once a credential is registered, two-factor login becomes mandatory, so it is a good idea to register more than one device to avoid lock out. Users can revert to simple password login by revoking all their 2FA credentials.
Technically this is an implementation of the FIDO 2 / WebAuthn standards. Users register passkeys from platform authenticators (Hello, Touch ID etc) or hardware security keys (CTAP2 authenticators). Credentials are public-key based and origin-bound; no shared secrets are stored.
]]>Minor bugfixes:
Reverted cache writes to avoid use of remove(), as this function is normally disabled in php.ini; tidied cached file names (prevent param separator being used on first param); fixed bug in gallery logic that prevented dynamic changes in columns to suit display width.
]]>Minor cosmetic improvements and bugfixes: Changed radio button controls to coloured toggle switches; removed deprecated / redundant curl_close() calls; corrected some type initialisation and return values errors; and fixed bug making custom RSS feeds carry generic site title/description.
Tuskfish V2.2 brings a lot of improvements, including a group permissions system to control access to routes and individual content items, fourteen new colourful themes, and a new default theme preference for flipping the look and fee. of your site. All content types can now be set as 'static' with a new 'in feed' toggle switch, there is optional support for better thumbnail generation and colour space support with ImageMagick 6 available. The entire codebase has been reviewed with AI assistance for bugs, security issues, and compliance with PHP 8.4/8.5, Bootstrap 5 and HTML5. Core libraries have been updated. Note: I pushed a minor bugfix update so the current version is 2.2.1.
]]>Tuskfish 2.1 is a feature release that adds an extensible system for creating and managing blocks (the equivalent of 'widgets' in Wordpress or 'modules' in Joomla). Three block types ship by default: A Spotlight block for highlighting a particular piece of content, and 'Recent Content' block that lists the last X pieces of content filtered by tag and type, and custom HTML blocks. The code base has been updated to use recent language features. The minimum PHP version is now 8.3.
]]>I was tempted to call this the "2025 update" but since I usually take leave in December and spend most of it tinkering, quite likely I'll do some of this before new year or at least by the end of January. The next Tuskfish CMS release will be version 2.1. Core functionality will remain unchanged, but I will add support for blocks, and if I can sort out a couple of issues, native multilanguage. Not a crappy hacked up multilanguage, but one that is baked into the core and seamless. I'll be making use of some of the more recent language features in PHP, which will raise the minimum version required to PHP 8.3. Please note that the contemporary versions of PHP are now V8.3 and V8.4, with V8.2 now end of life.
]]>Tuskfish 2.0.8 is an incremental update with a bunch of small fixes and refinements. New features include an alternate compact template option for collections that displays child content as a list, support for a 3rd Yubikey hardware token, and extension of html toggling of content online status extended to admin search results. There are several improvements to the video templates as well: They are now responsive, and alternate selectable templates are available for common aspect ratios including 16:9, 4:3, 21:9 and 1:1.
]]>