Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Disable Submit Button On-Click | This bug fix prevents the double submission of forms when the submit button is accidentally "double clicked" | KP-4581 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Ability to search submissions via POST | This improvement provides the ability to search for submissions using a POST. Using a GET can be problematic in some implementations where customers have complex, lengthy search query parameters that make the URL too long. This functionality allows for a POST request to a new endpoint called .../submission-search with a body such as {"q": "..."} | KP-4089 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Configurable attachment link expiration | This feature provides the ability to adjust the amount of time an attachment link is valid for. To configure the file link expiration time for attachments in Kinetic Request CE, set the com.kineticdata.core.fileLinkExpirationInSeconds Java property. This is typically done either with Tomcat startup arguments or by adding an entry to the conf/catalina.properties configuration file that looks like: com.kineticdata.core.fileLinkExpirationInSeconds=30 | KP-3022 |
| Summary | Description | Issue Number(s) |
|---|
| Addresses XSS issue in default bundle | This fix addresses an XSS security issue in the default bundle's login.jsp. | KP-3911 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Remove support for bridged resource GET requests to prevent potential CSRF attacks | This issue removes the ability to retrieve a bridged resource using a GET request as some bridge adapters now support creating or updating records. This feature may cause backwards compatibility issues with javascript libraries that use bridges to retrieve data. They will need to be updated to do a PUT vs a GET request. | KP-3022 |
| Remove ability to inject HTML in page element bindings | This feature sanitizes field values that are used within form HTML elements to prevent XSS attacks. | KP-3029 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Checkbox fields with invalid options being cleared on save | KCORE-2756 (released in CE 2.4.0) caused an unintended behavior where checkbox fields that were set with invalid options were cleared when a form was rendered in the UI and then saved. At times, it's common to set checkbox questions using workflow or the API to store an array of values, even if those values aren't valid options. This issue ensures that values that were set into a checkbox field via the API don't get cleared out when a form is saved. | KCORE-2897 |
| Form date field localization bug | Form date fields were not respecting the user's preferred locale. | KCORE-2882 |
| Translations error with subforms | Fixes an error that happens when subforms are leveraging translations. | KCORE-2837 |
| Datastore pagination bug | Fixes issue with pagination when searching for datastore submissions using a query. | KCORE-2819 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Searching and Pagination | Searching and pagination have been added to the User, Team, Form, Datastore Form, Kapp and Space endpoints. Previously, the API would return a list of ALL records, which could cause performance issues when thousands of records were returned. Queries can now be constructed using KQL (Kinetic Query Language) to search for records in these models and return paginated responses. See the in-app API documentation for usage details. | KCORE-2593 |
| Form Overwrite Protection | The application now provides functionality for protecting against accidental form overwrites when multiple developers are working on the same form within the Form builder. | KCORE-2746, KCORE-2747 |
| Summary | Description | Issue Number(s) |
|---|
| Ability to set expiration of password reset tokens | Improves password reset functionality by allowing Space Admins to pass expiration information when generating a token. Previously password reset tokens were only valid for 24 hours. | KCORE-2794 |
| Ability to set session cookie max age | Adds the ability to set the client session cookie max age via a cookieMaxAge environment variable | KCORE-2726 |
| Summary | Description | Issue Number(s) |
|---|
| Unrecognized Locales | Locales that are not recognized by the system caused errors. The issue walks all accepted locales and uses the application's default (English) if none are found | KCORE-2796 |
| Bug when clearing checkbox values | Fixes a bug that existed when clearing checkbox question values on a Kinetic form. | KCORE-2756 |
| Login Bug in Base Bundle | Fixed a bug with the Login Button in the embedded base bundle that wasn't respecting installations that use subdomains for tenant routes. | KCORE-2795 |
Web Application Download (MD5 | SHA1 | SHA256)
Cassandra Schema (MD5 | SHA1 | SHA256)
| Summary | Description | Issue Number(s) |
|---|
| Translations | Kinetic Request CE now supports the ability to translate content in forms and bundles. Leveraging this new functionality will require some changes to your bundle, however if you're using the standard Kinetic Bundle, you'll get this functionality automatically with an upgrade. | KCORE-2215 |
| Team and User Security Policies | Security Policies can now be defined for who can create and update Users and Teams. Previously, only space admins were able to create or update Teams and Users. | KCORE-2498 |
| Space Default and User Locale/Timezone Setting | We've added the ability to specify a Default Timezone and Locale for a space, and also the ability to let a user specify their own Timezone and Locale. This info is particularly helpful when sending email notifications within workflow. | KCORE-2527 |
| Summary | Description | Issue Number(s) |
|---|
| Form Update Webhooks | When a form is updated, the Created At / Updated At dates are now passed as part of the webhook body. This enables administrators to implement form auditing solutions using workflow. | KCORE-2282 |
| Parent / Child Relationships | Removed the ability to delete a submission if it has a child to reduce errors caused when updating a submission with a missing parent. Improved the error message when updating a submission that has a parent that is missing for existing submission data. | KCORE-2377, KCORE-2380 |
| Form Builder Display Conditions | Added Form 'form(review)' bindings to page display condition menu which enables form builders to conditionally display an element if a form is in "Review Mode" or not. | KCORE-2401 |
| Missing Security Policy Error Message | Improved the error message raised when a security policy references a missing definition. This is particularly helpful when importing a form from another system that is referencing a Security Policy that doesn't exist. The new error message contains the name of the form that is missing the security policy along with the name of the referenced Security Policy Definition. | KCORE-2408 |
| JS Helper Method for working with Subforms | Implement method for cleaning the Kinetic.form object when working with subforms | KCORE-2472 |
| Deleting Datastore Records | Unable to delete datastore records unless a user is a space admin | KCORE-2490 |
| Summary | Description | Issue Number(s) |
|---|
| Single Page App Login Issue | SPA spaces render the embedded base bundle login when attempting to open a kapp/form/submission that doesn't exist | KCORE-2272 |
| System Console Bundle Path | System console should not require that a bundle path be set | KCORE-2273 |
| Creating Categories with Attributes | When creating a category, an error is returned when trying to set an attribute using attributesMap | KCORE-2283 |
| Datastore Form Attributes | DatastoreFormAttributes can be created with no name via the API | KCORE-2284 |
| Creating Teams with Attributes | Unable to add attributes to a team when creating the team | KCORE-2285 |
| Incorrect Redirects | Some redirects improperly include /:spaceSlug prefix regardless of whether the request has a space subdomain | KCORE-2305 |
| Admin Console Broken Link | Datastore Form Builder - View submissions link does not take you to submissions | KCORE-2340 |
| CE Webhook Secret Encryption | CE Webhook Configuration - Secret should be encrypted / not visible to end users | KCORE-2344 |
| Updating Submission Parent via API | Unable to remove Submission parent / origin via PUT passing null as value. | KCORE-2369 |
| Searching on indexes that aren't built | Datastore Submission search allows searching on indexes that aren't built | KCORE-2400 |
| currentPage Property when using PATCH api | PATCH Submission endpoint isn't respecting the currentPage property | KCORE-2402 |
| Review submission redirect issue | Review approval links do not properly redirect when a context is present | KCORE-2413 |
| Space OAuth Client Secret Encryption | The space.oauthClient.clientSecret should be encrypted / not exposed to end users | KCORE-2417 |
| Datastore Submission Index issue with Checkboxes | IndexOutOfBoundsException when creating datastore submissions with overlapping checkbox fields | KCORE-2451 |
| Logging issue with Datastore Webhooks | Webhooks log 'Unexpected parent type: Datastore Submission' when handling Datastore related webhooks | KCORE-2466 |
| Summary | Description | Issue Number(s) |
|---|
| Implemented Frame Policy Management | In order to address clickjacking attacks, a management interface that allows administrators to configure trusted frame domains was implemented within the Administration Consoles. | KCORE-14 |
| Addressed CSRF Vulnerabilities | In order to address Cross-Site Request Forgery (CSRF) attacks, the application implemented the [15]. Previously CSRF attacks were expected to be mitigated by the web proxy / load balancer [16]_ | KCORE-1932 |
| Implemented CORS Management | In order to address cross origin attacks, a management interface that allows administrators to configure trusted resource domains was implemented within the Administration Consoles | KCORE-1983 |
| Implemented Subdomain Support | In order to address request forgery attacks between spaces on a single instance of Kinetic Request CE, the application now supports the ability to use separate subdomains for each space. This is configured on your load balancer or web proxy by adding the "X-Kinetic-Subdomain" header. | KCORE-2221 |
| Summary | Description | Issue Number(s) |
|---|
| Implemented ability to specify that an HTTP request should return a 401 if the requester is not authenticated. | Kinetic Request CE bundles often retrieve lists of Forms or Submissions on behalf of the user. If the user's session times out, those calls would return only the records available to a "public" user (which are typically different from the records available to an authenticated user). By passing an "X-Kinetic-AuthAssumed" header with the AJAX request, the developer can instruct the application to return a 401 response (which can then be handled by displaying a login modal) rather than the incomplete results. | KCORE-1759 |
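
The behaviour described for KCORE-1759, as an added example that is not part of the release notes or the product's own code: a constructed stand-in server and a client wrapper show how an expired session silently degrades to "public" results without the header and becomes an explicit 401 with it. Only the header name comes from the release note; the header value, the request path, the sample records and all function names are assumptions.

```javascript
// Added example: simulates the KCORE-1759 behaviour described above.
// Assumptions: the header value "true", the path, the record list, and all
// function names are hypothetical; only the header name is from the notes.
const AUTH_ASSUMED_HEADER = 'X-Kinetic-AuthAssumed';

// Constructed sample data: one record visible to everyone, two that
// require an authenticated session.
const SAMPLE_SUBMISSIONS = [
  { id: 'sub-1', form: 'public-feedback', visibility: 'public' },
  { id: 'sub-2', form: 'laptop-request', visibility: 'authenticated' },
  { id: 'sub-3', form: 'access-request', visibility: 'authenticated' },
];

// HTTP header names are case-insensitive, so compare in lower case.
function hasHeader(headers, name) {
  return Object.keys(headers || {}).some(
    (key) => key.toLowerCase() === name.toLowerCase()
  );
}

// Stand-in for the server: an expired session is treated as a public user
// unless the caller declared that it assumes authentication.
function simulatedServer(request, session, now) {
  const authenticated = Boolean(session) && session.expiresAt > now;
  if (!authenticated && hasHeader(request.headers, AUTH_ASSUMED_HEADER)) {
    return { status: 401, body: null };
  }
  const body = SAMPLE_SUBMISSIONS.filter(
    (s) => authenticated || s.visibility === 'public'
  );
  return { status: 200, body };
}

// Client side: attach the header to calls made on behalf of a logged-in user.
function withAuthAssumed(request) {
  return {
    ...request,
    headers: { ...(request.headers || {}), [AUTH_ASSUMED_HEADER]: 'true' },
  };
}

// Client side: turn a 401 into an explicit "show login" signal instead of
// rendering whatever list came back.
function interpret(response, onLoginRequired) {
  if (response.status === 401) {
    onLoginRequired();
    return { complete: false, records: [] };
  }
  return { complete: true, records: response.body };
}

// Runs the same request against a live and an expired session, with and
// without the header, and reports what the bundle would render.
function compareSessionTimeout() {
  const now = 1000;
  const live = { user: 'alice', expiresAt: 2000 };
  const expired = { user: 'alice', expiresAt: 500 };
  const request = { method: 'GET', path: '/submissions', headers: {} };
  let loginPrompts = 0;
  const prompt = () => { loginPrompts += 1; };
  const run = (req, session) =>
    interpret(simulatedServer(req, session, now), prompt);
  return {
    liveSession: run(withAuthAssumed(request), live).records.length,
    expiredWithoutHeader: run(request, expired).records.length,
    expiredWithHeader: run(withAuthAssumed(request), expired).complete,
    loginPrompts,
  };
}

console.log(compareSessionTimeout());
```

The case to watch for in a bundle is `expiredWithoutHeader`: the call succeeds with a 200 and a shorter list, so nothing in the UI indicates that the session has ended.
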
| Summary | Description | Issue Number(s) |
|---|
| Default Bundle contained a hard coded reference to the 'kinetic' web application context. | The bundle that ships with the Kinetic Request CE application (commonly referred to as the "Base" bundle) included a hard coded reference to the "kinetic" web application context. This would have caused an error for customers leveraging subdomains for tenant spaces. | KCORE-2228 |
| Incorrect results being returned for some Datastore Submission searches | Datastore submission searches were incorrectly omitting results when a compound index specified a greater than (or equal to) expression without a less than (or equal to) expression. Also, the Datastore Submission indexes that included a checkbox question as part of the index definition were not properly being updated when the checkbox value changed. | KCORE-2269, KCORE-2279 |
| The '?debugjs' URL parameter was not being respected in SPA mode | The '?debugjs' URL parameter is used during development to prevent the Kinetic Request CE application from minifying the JS/CSS code returned from the server (for easier debugging). This URL parameter was not being respected when a space was configured with the "Single Page App" display type. | KCORE-2275 |
| Summary | Description | Issue Number(s) |
|---|
| Resolved bug where improper authorization was granted in spaces that were configured as a Single Page App. | Display authorization was being ignored when displaying embedded forms/submissions when the space is configured as a Single Page App. This bug was introduced in Version 2.1.0 and would only have been an issue if the Single Page App feature (part of 2.1.0) was being leveraged. | KCORE-2205 |
| Resolved bug with spaces configured as a Single Page App where the location field under Space Settings looked empty even though it was set. | When a space is configured as a Single Page App, a "Location" field is presented to users under Space > Settings. This bug resolved an issue where the location field looked empty even though it was populated. | KCORE-2206 |
| Resolved a bug that form developers experienced when using the Firefox browser to add choices to a checkbox/radio button question. | If using the Firefox Browser to add choice options to a checkbox or radio button field, an additional "empty" choice was being added. This fix resolves that bug for Firefox Users. | KCORE-2212 |
[Download Links Removed] There is a known security vulnerability in the 2.1.0 release for customers leveraging the Single Page App feature. Customers should upgrade to 2.1.1.
| Summary | Description | Issue Number(s) |
|---|
| Implements Datastore as a component of the CE Platform. | Implements Datastore as a component of the CE Platform, allowing Datastore forms to define and build up referential data that can be effectively leveraged. Datastore forms can store hundreds of thousands to millions of records and still perform searches quickly and effectively on any field or combination of fields by allowing administrators to not only define the form, but the indexes on those forms. For more information on Datastore, click here. | KCORE-1755 |
| Add ability to compare current (previous) and updated values for update webhooks | Adds the ability to access both the current (previous) and updated values in the update webhooks, which means both the old and new values are available to the receiving system (eg. task tree). | KCORE-2069 |
| Adds support for single page app bundles by adding a new space Display Type. | The necessary files for the CE server part of a React bundle (webpack) now ship with the application, and a single page app is more easily specified with a Display Type on the space. | KCORE-1921 |
| Summary | Description | Issue Number(s) |
|---|
| Implements ability to return only specific attributes or values via the API using the ?includes parameter. | Previously, either all or no attributes could be returned via the API. This update implements the ability to return only specific attributes or values via the API using the ?includes parameter. Ex. ?includes=attributes[my-attribute-name] | KCORE-1798 |
| Improved Stability of Submission Indexing/Searching | This addressed many sub-issues, including adding the ability to check and rebuild submission indexes, the ability to do blue/green submission indexing, WriteTimeoutException handling for Submissions, and a number of changes to support datastore form indexing. | KCORE-1912 |
| Adds Origin and Parent GUID submission properties to the CE Console Forms > Submissions > (guid) | When viewing the submission in the CE console, the Origin and Parent GUIDs are shown.  | KCORE-1950 |
| Java 9 without configuration | This addresses an issue in CE caused by changes to what is included (and not) in the default path in Java 9. This allows use of Java 9 without having to update the path. | KCORE-2007 |
| Introduces use of an attribute map when using the CE API to interact with attributes. | Improved ability to set specific attributes by providing an attribute map when updating a CE object via the API. Also implements the ability to return attributes as a map instead of an array by specifying ?includes=attributesMap instead of ?includes=attributes. Note this can also be used to get a specific attribute with a map using ?includes=attributesMap[ATTRIBUTE NAME] | KCORE-2025 |
| Exposes the form type to the front end via the form object (K('form')) and the K.config.ready selector. | The form type property is now available to the form object with the call: K('form').type(). It is also available to K.config.ready. | KCORE-2028 |
| Update the K.load js method to pass a status code to the error callback | The error callback on K.load (calling subforms) is called for any error not 401, 403, or 404 (these have different callbacks). This enhancement passes the status code to the callback to allow for conditional handling if desired. | KCORE-2104 |
| Don't fire the User Updated webhook on auto.update (when using an identity provider) because nothing has actually changed. | When authenticating to CE using an identity provider, if the auto.update setting was set to true, the user record was being updated even if no changes were made to the user. This was causing User Updated Webhooks to be triggered even though nothing changed. This enhancement cleans that up and prevents the webhook from firing in this particular nothing-changed scenario. | KCORE-2192 |
| Summary | Description | Issue Number(s) |
|---|
| Page navigation to the "first" page should not require a reference page | When setting what page a submission is on via the API, developers previously needed to pass the name of the page. This was inconvenient and wasn't needed. | KCORE-1810 |
| Fix regression with LDAP groups not being applied when using LDAP authenticator | When using the LDAP authenticator, the individual who logs in should have their LDAP groups added to their UserDetails to be able to be used by the system, including by KSL for security rules. This was lost in a previous release and is restored in this release. | KCORE-2094 |
| Description | Issue Number(s) |
|---|
| Automated false-positive index entry repair sometimes removes the wrong index entry | KCORE-2031 |
| When searching, an empty string should be treated the same as null | KCORE-2032 |
| Description | Issue Number(s) |
|---|
| Added the ability to restore deleted forms via the Rest API (this functionality is not available within the CE Consoles as of this release) | KCORE-777 |
| Implemented ability to calculate and pass displayable pages to client-side code | KCORE-1906 |
| Added ability to use form('review') in server-side expression evaluation | KCORE-1896 |
| Application Stability Improvements | - |
| Implement ability to fix false-positive submission indexes | KCORE-1913 |
| Implement ability to do blue/green submission indexing | KCORE-1904 |
| Implement ability to rebuild the system submissions index | KCORE-1916 |
| Implement ability to check the system submissions index | KCORE-1917 |
| Implement 'include=values.raw' in order to provide visibility into malformed or orphaned submission values | KCORE-1937 |
| Security Improvements | - |
| Fixed XSS vulnerability in application error pages | KCORE-1979 |
| Description | Issue Number(s) |
|---|
| Automated false-positive index entry repair sometimes removes the wrong index entry | KCORE-2031 |
| When searching, an empty string should be treated the same as null | KCORE-2032 |
| Updated K.field().setOptions() method to trigger change events when invoked via custom js | KCORE-1462 |
| Fixed issue where the JavaScript method K.field().options() does not bind change events after being used to set options on checkboxes/radios | KCORE-1813 |
| Rendering activity charts can cause the web browser to become unresponsive if there is a lot of submission data | KCORE-1885 |
| Updated K('form').previousPage() to respect the action.stop function when invoked via custom js | KCORE-1903 |
| Updated application submission logic to return an empty array for checkbox/attachment fields with no values instead of null to be consistent with other fields | KCORE-1907 |
| Changed application logic to not set Field Default value if the submission has not been submitted | KCORE-1909 |
| Incorrect Cassandra consistency levels are sometimes applied (introducing the possibility of inconsistent data in extreme edge cases) | KCORE-1918 |
| NullPointerException raised by API when a submission has a malformed attachment value | KCORE-1919 |
| Fixed issue where custom tag libraries (app-taglib.tld, bundle-taglib.tld, and json-taglib.tld) failed validation when enabled on the web server | KCORE-1931 |
| Changes for KCORE-1586 introduced a bug where bridged resources on submitted pages do not work properly | KCORE-2012 |
| Description | Issue Number(s) |
|---|
| Ability to map LDAP/SAML attributes to user attributes automatically when users authenticate. | KCORE-1254 |
| Added the bundle.identity() method for use within JavaScript to get the current user's username. | KCORE-1665 |
| Implemented Structured Logging, which ensures that log files are in a preset, consistent, machine-readable format. | KCORE-1677 |
| Updated webhook calls to send webhook event meta data (Type of Event, Event Action & Timestamp) | KCORE-1757 |
| Added Profile Attributes as variables throughout the form builder for use in setting defaults, and in bridged resources. | KCORE-1764 |
| Added ability to restrict users that are able to login to the system and space consoles by IP Address/IP Range | KCORE-1786 |
| In-App Documentation Updates: Authentication Documentation; Submission Activity Rest API; Page Navigation Rest API; Me Rest API; updated user settings documentation when creating/updating a space user | - |
| Description | Issue Number(s) |
|---|
| Fixed issue where users that had access to a submission, but didn't have access to submit the form could not access bridged resources. | KCORE-1586 |
| Fixed issue where users that had access to a submission, but didn't have access to submit the form could not access the submissions files. | KCORE-1691 |
| Fixed error with submission searching which sometimes returns 'Attempting to fill ... strand' errors. | KCORE-1827 |
| Description | Issue Number(s) |
|---|
| Error callback options for K.load function. Documentation available in application: kinetic/your-space-slug/app/dev/docs/js/guides/subforms | KCORE-1650 |
| Description | Issue Number(s) |
|---|
| Ability to delete submissions associated to (soft) deleted forms | KCORE-1731 |
| Ability to modify or delete submissions with malformed values | KCORE-1732 |
| SAML IDP metadata file is not loaded from %DATA_DIR%/config | KCORE-1734 |
| Description | Issue Number(s) |
|---|
| Implement teams | KCORE-1530 |
| Implement OAuth provider functionality | KCORE-1569 |
| Implement submission handle | KCORE-1572 |
| Implement submission activities | KCORE-1587 |
| Implement submission support access | KCORE-1593 |
| Description | Issue Number(s) |
|---|
| Improve performance for submitting forms with a large number of fields | KCORE-1524 |
| Limit ability to change a space slug to only the system administrator account | KCORE-1554 |
| Add ability to reference optional fields/attributes/etc when evaluating expressions | KCORE-1594 |
| When displaying a submission to a user that has 'Submission Access' but not 'Submission Modification' privileges, automatically render in review mode | KCORE-1595 |
| Description | Issue Number(s) |
|---|
| Attachment fields should fire change events | KCORE-975 |
| Checkbox fields should not require an array when setting a single default value | KCORE-1083 |
| Enter does not work as expected when creating list choices | KCORE-1190 |
| Renaming a security policy definition breaks references to the definition | KCORE-1418 |
| Webhook body content encodes some UTF-8 characters as '?' | KCORE-1525 |
| Date and Date/Time fields values show up in Chinese for some users | KCORE-1526 |
| Renaming a user profile attribute breaks references to the definition | KCORE-1552 |
| Submission searching should be case insensitive | KCORE-1556 |
| Cloning a form should not copy the Created By information | KCORE-1584 |
| Login and Reset Password redirects are not encoding username | KCORE-1620 |
| Dropping a file onto an attachment field sets the value for all attachments on the page | KCORE-1643 |
| Sharing a name between a field and section causes client-side error | KCORE-1647 |