This improvement provides the ability to search for submissoins using a POST. Using a GET can be problematic in some implementations where customers have complex, lengthy search query parameters that make the URL too long. This functionality allows for a POST request to a new endpoint called .../submission-search with a body such as {"q": "..."}
This feature provides the ability to adjust the amount of time an attachment link is valid for. In order to configure the file link expiration time for attachments in Kinetic Request CE, the com.kineticdata.core.fileLinkExpirationInSeconds java property may be set. This is typically either done with Tomcat startup arguments, or by adding an entry to the conf/catalina.properties configuration file that looks like: com.kineticdata.core.fileLinkExpirationInSeconds=30
KP-3022
Bugs Fixed
Summary
Description
Issue Number(s)
Addresses XSS issue in default bundle
This feature Address XSS security issue with default bundle login.jsp
Remove support for bridged resource GET requests to prevent potential CSRF attacks
This issue removes the ability to retrieve a bridged resource using a GET request as some bridge adapters now support creating or updating records. This feature may cause backwards compatibility issues with javascript libraries that use bridges to retrieve data. They will need to be updated to do a PUT vs a GET request.
KP-3022
Remove ability to inject HTML in page element bindings
This feature sanitizes field values that are used within form HTML elements to prevent XSS attacks.
Checkbox fields with invalid options being cleared on save
KCORE-2756 (released in CE 2.4.0) caused an unintended behavior making checkbox fields that were set with invalid options to be cleared when a form was rendered in the UI and then saved. At times, its common to set checkbox questions using workflow or the API to store an array of values, even if those values aren't valid options. This issue ensures that values that were set into a checkbox field via the API don't get cleared out when a form is saved.
KCORE-2897
Form date field localization bug
Form date fields were not respecting the users preferred locale.
KCORE-2882
Translations error with subforms
Fixes an error that happens when subforms are leveraging translations.
KCORE-2837
Datastore pagination bug
Fixes issue with pagination when searching for datastore submissions using a query.
Searching and pagination has been added to the User, Team, Form, Datastore Form, Kapp and Space endpoints. Previously, the API would return a list of ALL records which could cause performance issues when thousands records were returned. Queries can now be constructed using KQL (Kinetic Query Language) to search for records in these models and return paginated responses. See the in-app API documentation for usage details.
KCORE-2593
Form Overwrite Protection
The application now provides functionality for protecting against accidental form overwrites when multiple developers are working on the same form wihtin the Form builder.
KCORE-2746, KCORE-2747
Improved Functionality
Summary
Description
Issue Number(s)
Ability to set expiration of password reset tokens
Improves password reset functionality by allowing Space Admins to pass an exipration information when generating a token. Previously password reset tokens were only valid for 24 hours.
KCORE-2794
Ability to set sesion cookie max age
Adds the ability to set client session cookie max age via a cookieMaxAge environment variable
KCORE-2726
Bugs Fixed
Summary
Description
Issue Number(s)
Unrecognized Locales
Locales that are not recognized by the system caused errors. The issue walks all accepted locales and uses the application's default (English) if none are found
KCORE-2796
Bug when clearning checkbox values
Fixes a bug that existed when clearing checkbox question values on a Kinetic form.
KCORE-2756
Login Bug in Base Bundle
Fixed a with the Login Button in the enbedded base bundle that wasn't respecting installations that use subdomains for tenant routes.
Kinetic Request CE now supports the ability to translate content in forms and bundles. Leveraging this new functionality will require some changes to your bundle, however if you're using the standard Kinetic Bundle, you'll get this functionality automatically with an upgrade.
KCORE-2215
Team and User Security Policies
Security Policies can now be defined for who can create and update Users and Teams. Previously, only space admins were able to create or update Teams and Users.
KCORE-2498
Space Default and User Locale/Timezone Setting
We've added the ability to specify a Default Timezone and Locale for a space, and also the ability to let a user specify their own Timezone and Locale. This info is particularly helpful when sending email notifications within workflow.
KCORE-2527
Improved Functionality
Summary
Description
Issue Number(s)
Form Update Webhooks
When a form is updated, the Created At /Updated At Dates are now passed as part of the webhook body. This enables administrators to implement form auditing solutions using workflow.
KCORE-2282
Parent / Child Relationships
Removed the ability to delete a submission if it has a child to reduce errors caused when updating a submissions with a missing parent.
Improved the error message when updating a submission that has a parent that is missing for existing submission data.
KCORE-2377, KCORE-2380
Form Builder Display Conditions
Added Form 'form(review)' bindings to page display condition menu which enables form builders to conditionally display an element if a form is in "Review Mode" or not.
KCORE-2401
Missing Security Policy Error Message
Improved the error message raised when a security policy references a missing definition. This is particularly helpful when importing a form from another system that is referencing a Security Policy that doesn't exist. The new error message contains that name of the form that is missing the security policy along with the name of the referenced Security Policy Definition.
KCORE-2408
JS Helper Method for working with Subforms
Implement method for cleaning the Kinetic.form object when working with subforms
KCORE-2472
Deleting Datastore Records
Unable to delete datastore records unless a user is a space admin
KCORE-2490
Bugs Fixed
Summary
Description
Issue Number(s)
Single Page App Login Issue
SPA spaces render the embedded base bundle login when attempting to open a kapp/form/submission that doesn't exist
KCORE-2272
System Console Bundle Path
System console should not require that a bundle path be set
KCORE-2273
Creating Categories with Attributes
When creating a category, an error is returned when trying to set an attribute using attributesMap
KCORE-2283
Datastore Form Attributes
DatastoreFormAttributes can be created with no name via the API
KCORE-2284
Creating Teams with Attributes
Unable to add attributes to a team when creating the team
KCORE-2285
Incorrect Redirects
Some redirects improperly include /:spaceSlug prefix regardless of whether the request has a space subdomain
KCORE-2305
Admin Console Broken Link
Datastore Form Builder - View submissions link does not take you to submissions
KCORE-2340
CE Webhook Secret Encryption
CE Webhook Configuration - Secret should be encrypted / not visible to end users
KCORE-2344
Updating Submission Parent via API
Unable to remove Submission parent / origin via PUT passing null as value.
KCORE-2369
Searching on indexes that aren't built
Datastore Submission search allows searching on indexes that aren't built
KCORE-2400
currentPage Property when using PATCH api
PATCH Submission endpoint isn't respecting the currentPage property
KCORE-2402
Review submission redirect issue
Review approval links do not properly redirect when a context is present
KCORE-2413
Space oAuth Client Secret Encryption
The space.oauthClient.clientSecret should be encrypted / not included to end users
KCORE-2417
Datastore Submission Index issue with Checkboxes
IndexOutOfBoundsException when creating datastore submissions with overlapping checkbox fields
KCORE-2451
Logging issue with Datastore Webhooks
Webhooks log 'Unexpected parent type: Datastore Submission' when handling Datastore related webhooks
In order to address clickjacking attacks, a management interface that allows administrators to configure trusted frame domains was implemented within the Administration Consoles.
KCORE-14
Addressed CSRF Vulnerabilities
In order to address Cross-Site Request Forgery (CSRF) attacks, the application implemented the [synchronizer token pattern][15]. Previously CSRF attacks were expected to be mitigated by the web proxy / load balancer [_verifying standard headers.][16]_
KCORE-1932
Implemented CORS Management
In order to address cross origin attacks, a management interface that allows administrators to configure trusted resource domains was implemented within the Administration Consoles
KCORE-1983
Implemented Subdomain Support
In order to address request forgery attacks between spaces on a single instance of Kinetic Request CE, the application now supports the ability to user separate subdomains for each space. This is configured on your load balancer or web proxy by adding the "X-Kinetic-Subdomain" header.
KCORE-2221
Improved Functionality
Summary
Description
Issue Number(s)
Implemented ability to specify that an HTTP request should return a 401 if the requester is not authenticated.
Kinetic Request CE bundles often retrieve lists of Forms or Submissions on behalf of the user. If the user's session times out, those calls would return only the records available to a "public" user (which are typically different than the records available to an authenticated user). By passing a "X-Kinetic-AuthAssumed" header with the AJAX request, the developer can instruct the application to return a 401 response (which can then be handled by displaying of a login model) rather than the incomplete results.
KCORE-1759
Bugs Fixed
Summary
Description
Issue Number(s)
Default Bundle contained a hard coded reference to the 'kinetic' web application context.
The bundle that ships with the Kinetic Request CE application (commonly referred to as the "Base" bundle) included a hard coded reference to the "kinetic" web application context. This would have caused an error for customers leveraging subdomains for tenant spaces.
KCORE-2228
Incorrect results being returned for some Datastore Submission searches
Datastore submission searches were incorrectly omitting results when a compound index specified a greater than (or equal to) expression without a less than (or equal to) expression.
Also, the Datastore Submission indexes that included a checkbox question as part of the index definition were not properly being updated when the checkbox value changed.
KCORE-2269,KCORE-2279
The '?debugjs' URL parameter was not being respected in SPA mode
The '?debugjs' URL parameter is used during development to prevent the Kinetic Request CE application from minifying the JS/CSS code returned from the server (for easier debugging). This URL parameter was not being respected when a space was configured with the "Single Page App" display type..
Resolved bug where improper authorization was granted in spaces that were configured as a Single Page App.
Display authorization was being ignored when displaying embedded forms/submissions when the space is configured as a Single Page App.
This bug was introduced in Version 2.1.0 and was would have only been an issue if the Single Page App feature (part of 2.1.0) was being leveraged.
KCORE-2205
Resolved bug with spaces configured as a Single Page App where the location field under Space Settings looked empty even though it was set.
When a space is configured as a Single Page App, a "Location" field is presented to users under Space > Settings. This bug resolved an issue where the location field looked empty even though it was populated.
KCORE-2206
Resolved a bug that form developers experienced when using the Firefox browser to add choices to a checkbox/radio button question.
If using the Firefox Browser to add choice options to a checkbox or radio button field, an additional "empty" choice was being added. This fix resolves that bug for Firefox Users.
v2.1.0 (2018-04-16)
Download
[Download Links Removed] There is a known security vulnerability in the 2.1.0 release for customers leveraging the Single Page App feature. Customers should upgrade to 2.1.1.
New Features!
Summary
Description
Issue Number(s)
Implements Datastore as a component of the CE Platform.
Implements Datastore as a component of the CE Platform, allowing Datastore forms to define and build up referential data that can be effectively leveraged. Datastore forms can store hundreds of thousands to millions of records and still perform searches quickly and effectively on any field or combination of fields by allowing administrators to not only define the form, but the indexes on those forms. For more information on Datastore, click here.
KCORE-1755
Add ability to compare current (previous) and updated values for update webhooks
Adds the ability to access both the current (previous) and updated values in the update webhooks, which means both the old and new values are available to the receiving system (eg. task tree).
KCORE-2069
Adds support for single page app bundles by adding a new space Display Type.
The necessary files for the CE server part of a REACT bundle (webpack) now ships with the application, and a single page app are more easily specified with a Display Type on the space.
KCORE-1921
Improved Functionality
Summary
Description
Issue Number(s)
Implements ability to return only specific attributes or values via the API using the ?includes parameter.
Previously, either all or no attributes could be returned via the API. This update implements the ability to return only specific attributes or values via the API using the ?includes parameter. Ex. ?includes=attributes[my-attribute-name]
KCORE-1798
Improved Stability of Submission Indexing/Searching
This addressed many sub-issues, including adding the ability to check and rebuild submission indexes, the ability to do blue/green submission indexing, WriteTimeoutException handling for Submissions, and a number of changes to support datastore form indexing.
KCORE-1912
Adds Origin and Parent GUID submission properties to the CE Console Forms > Submissions > (guid)
When viewing the submission in the CE console, the Origin and Parent GUIDs are shown.
KCORE-1950
Java 9 without configuration
This addresses an issue in CE caused by changes to what is included (and not) in the default path in Java 9. This allows use of Java 9 without having to update the path.
KCORE-2007
Introduces use of an attribute map when using the CE API to interact with attributes.
Improved ability to set specific attributes by providing an attribute map when updating a CE object via the API. Also implements the ability to return attributes as a map instead of an array by specifying ?includes=attributesMap instead of ?includes=attributes. Note this can also be used to get a specific attribute with a map using ?includes=attributesMap[ATTRIBUTE NAME]
KCORE-2025
Exposes the form type to the front end via the form object (K('form')) and the K.config.ready selector.
The form type property is now available to the form object with the call: K('form').type(). It is also available to K.config.ready.
KCORE-2028
Update the K.load js method to pass a status code to the error callback
The error callback on K.load (calling subforms) is called for any error not 401, 403, or 404 (these have different callbacks). This enhancement passes the status code to the callback to allow for conditional handling if desired.
KCORE-2104
Don't fire the User Updated webhook on auto.update (when using an identity provider) because nothing has actually changed.
When authenticating to CE using an identity provider, if the auto.update setting was set to true, the user record was being updated even if no changes were made to the user. This was causing User Updated Webhooks to be triggered even though nothing changed. This enhancement cleans that up and prevents the webhook from firing in this particular nothing-changed scenario.
KCORE-2192
Bugs Fixed
Summary
Description
Issue Number(s)
Page navigation to the "first" page should not require a reference page
When setting what page a submission is on via the API, developers previously needed to pass the name of the page. This was inconvenient and wasn't needed.
KCORE-1810
Fix regression with LDAP groups not being applied when using LDAP authenticator
When using the LDAP authenticator, the individual who logs in should have their LDAP groups added to their UserDetails to be able to be used by the system, including by KSL for security rules. This was lost in a previous release and is restored in this release.
Added the ability to restore deleted forms via the Rest API (this functionality is not available within the CE Consoles as of this release)
KCORE-777
Implemented ability to calculate and pass displayable pages to client-side code
KCORE-1906
Added ability to use form('review') in server-side expression evaluation
KCORE-1896
Application Stability Improvements
-
Implement ability to fix false-positive submission indexes
KCORE-1913
Implement ability to do blue/green submission indexing
KCORE-1904
Implement ability to rebuild the system submissions index
KCORE-1916
Implement ability to check the system submissions index
KCORE-1917
Implement 'include=values.raw' in order to provide visibility into malformed or orphaned submission values
KCORE-1937
Secuirty Improvements
-
Fixed XSS vulnerability in application error pages
KCORE-1979
Bugs Fixed
Description
Issue Number(s)
Automated false-positive index entry repair sometimes removes the wrong index entry
KCORE-2031
When searching, an empty string should be treated the same as null
KCORE-2032
Updated K.field().setOptions.() method to trigger change events when invoked via custom js
KCORE-1462
Fixed issue where the javascript method K.field().options() does not bind change events after being used to set options on checkbox/radio's
KCORE-1813
Rendering activity charts can cause the web browser to become unresponsive if there is a lot of submission data
KCORE-1885
Updated K('form').previousPage() to respect the action.stop function when invoked via custom js
KCORE-1903
Updated application submission logic to return an empty array for checkbox/attachment fields with no values instead of null to be consistent with other fields
KCORE-1907
Changed application logic to not set Field Default value if the submission has not been submitted
KCORE-1909
Incorrect cassandra consistency levels are sometimes applied (introducing the possibility of inconsistent data in extreme edge cases)
KCORE-1918
NullPointerException raised by API when a submission has a malformed attachment value
KCORE-1919
Fixed issue where custom tag libraries (app-taglib.tld, bundle-taglib.tld, and json-taglib.tld) failed validation when enabled on the web server
KCORE-1931
Changes for KCORE-1586 introduces bug where bridged resources on submitted pages do not work properly
Ability to map LDAP/SAML attributes to user attributes automatically when users authenticate.
KCORE-1254
Added the bundle.identity() method for use within javascript to get the current users username.
KCORE-1665
Implemented Structured Logging which ensures that a log file is a preset, consistent, and in a machine readable format.
KCORE-1677
Updated webhook calls to send webhook event meta data (Type of Event, Event Action & Timestamp)
KCORE-1757
Added Profile Attributes as variables throughout the form builder for use in setting defaults, and in bridged resources.
KCORE-1764
Added ability to restrict users that are able to login to the system and space consoles by IP Address/IP Range
KCORE-1786
IN-APP DOCUMENTATION UPDATES
- Authentication Documentation * Submission Activity Rest API - Page Navigation Rest API - Me Rest API - Updated user settings documentation when creating/updating a space user
-
Bugs Fixed
Description
Issue Number(s)
Fixed issue where users that had access to a submission, but didn't have access to submit the form could not access bridged resources.
KCORE-1586
Fixed issue where users that had access to a submission, but didn't have access to submit the form could not access the submissions files.
KCORE-1691
Fixed error with submission searching which sometimes returns 'Attempting to fill ... strand' errors.
