4.86v

1. Notable changes since 4.85v
   - Performance statistics dashboard widgets: added new `dep_performance` and `op_performance` dashboard widgets that display real-time aggregated statistics for departments and operators respectively; widgets support configurable columns (chats received, chats answered, wait time, first/average response time, thumbs up/down, online/offline time) with configurable position and update intervals; new settings UI under Statistics for both department and operator performance configuration.
   - Performance stats cron aggregator: new cron job (`cron/stats/performance`) aggregates department and operator performance data into the new `lh_abstract_performance` table; supports forced regeneration via `-p force`; configurable update interval and day range; cron respects sql_mode and local timezone settings.
   - New `Performance` and `PerformanceWidgets` models: `Performance` model stores/retrieves serialized performance snapshots; `PerformanceWidgets` provides formatted data for dashboard sync, including per-department and per-operator stats with access-control filtering.
   - Security and authentication hardening: improved password verification logic in REST API validator; added constant-time response delay in forgot-password flow to mitigate timing attacks; updated hashing methods for login and password update flows; implemented expired hash cleanup (deleteExpiredHashes) called from setRemindHash, remindpassword, and forgotpassword modules; removed LDAP authentication components; updated autologin with nonce support and improved hash validation; masked error messages for users without access to unhidden emails in send and reply APIs.
   - Bot and event system: enhanced chat variable update handling and event dispatching; ignored default trigger message when a trigger is started manually; added support for invisible arguments in bot triggers; added event dispatch for transfer-to-human action; added event argument for custom is-online status checks.
   - Editor and operator UI: added switch-editor option in active chat tab and a new permission for operators to toggle between new and old editors; added icons and colors to the transfer window; increased subject modal window width; fixed form loading scroll event; avoided null being displayed before a chat starts.
   - Export and reports: enhanced export functionality with ChatML support and UI improvements; fixed compatibility with non-strict sql_mode for certain reports.
   - Bug fixes: fixed matching rule search; minor fixes including string conversion and typo corrections.
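The forgot-password and remind-hash entries above describe three related checks: a response that takes the same minimum time whether or not the address exists, remind hashes that expire and are purged before a new one is issued, and a comparison that does not leak where a presented token diverges from the stored one. The following is an added example written for this page, not Live Helper Chat's own code; the in-memory arrays stand in for the user table and the mailer, and the 250 ms floor, the one-hour lifetime, and the class and method names are assumptions.

```php
<?php
// Added example, not Live Helper Chat code: the pattern behind the 4.86
// forgot-password hardening. In-memory arrays stand in for the user table and
// the mailer; the 250 ms floor and the 1 h hash lifetime are assumed values.
declare(strict_types=1);

final class RemindHashStore
{
    /** @var array<string, array{hash: string, expires: int}> one outstanding hash per user */
    private array $rows = [];

    public function __construct(private int $ttlSeconds = 3600) {}

    /** Purge hashes whose lifetime has passed; run before issuing or checking one. */
    public function deleteExpiredHashes(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn (array $r): bool => $r['expires'] > $now);
        return $before - count($this->rows);
    }

    /** Issue a fresh token for $user; only its SHA-256 is stored, so a DB leak yields no usable token. */
    public function setRemindHash(string $user, int $now): string
    {
        $this->deleteExpiredHashes($now);
        $token = bin2hex(random_bytes(32));                   // 256 bits from the CSPRNG
        $this->rows[$user] = ['hash' => hash('sha256', $token), 'expires' => $now + $this->ttlSeconds];
        return $token;
    }

    /** Single-use check; the missing-row path does the same comparison work as a mismatch. */
    public function verifyRemindHash(string $user, string $token, int $now): bool
    {
        $this->deleteExpiredHashes($now);
        $presented = hash('sha256', $token);
        $stored    = $this->rows[$user]['hash'] ?? str_repeat('0', 64);
        $match     = hash_equals($stored, $presented);         // constant-time compare
        if (!isset($this->rows[$user]) || !$match) {
            return false;
        }
        unset($this->rows[$user]);                             // a token is good for exactly one reset
        return true;
    }
}

final class ForgotPasswordFlow
{
    /** @var list<array{to: string, token: string}> stand-in for the outgoing mail queue */
    public array $outbox = [];

    public function __construct(
        private RemindHashStore $store,
        private array $emailToUser,                            // e-mail => username, stands in for the user table
        private float $minResponseMs = 250.0,
    ) {}

    /**
     * Same message and a response padded to at least $minResponseMs whether or not
     * the address exists, so neither the body nor the timing reveals valid accounts.
     */
    public function request(string $email, int $now): array
    {
        $start = hrtime(true);
        if (isset($this->emailToUser[$email])) {
            $token = $this->store->setRemindHash($this->emailToUser[$email], $now);
            $this->outbox[] = ['to' => $email, 'token' => $token];
        }
        $this->padToMinimum($start);
        return [
            'message'    => 'If that address is registered, a reset link has been sent.',
            'elapsed_ms' => (hrtime(true) - $start) / 1e6,
        ];
    }

    private function padToMinimum(int $startNs): void
    {
        $remaining = (int) ($this->minResponseMs * 1e6) - (hrtime(true) - $startNs);
        if ($remaining > 0) {
            usleep((int) ($remaining / 1000));
        }
    }
}

// --- constructed demo -------------------------------------------------------
$store = new RemindHashStore(ttlSeconds: 3600);
$flow  = new ForgotPasswordFlow($store, ['alice@example.com' => 'alice']);
$now   = time();
foreach (['alice@example.com', 'nobody@example.com'] as $email) {
    $r = $flow->request($email, $now);
    printf("%-20s %s (%.0f ms)\n", $email, $r['message'], $r['elapsed_ms']);
}
$token = $flow->outbox[0]['token'];
var_dump($store->verifyRemindHash('alice', strrev($token), $now));   // wrong token
var_dump($store->verifyRemindHash('alice', $token, $now));           // right token, consumes it
var_dump($store->verifyRemindHash('alice', $token, $now));           // already used
$token = $store->setRemindHash('alice', $now);
var_dump($store->verifyRemindHash('alice', $token, $now + 3601));    // purged as expired before the check
```

The padding only hides the database and mail work while that work stays under the floor, so the floor has to be chosen above the slowest legitimate path; it is a minimum, not constant time in the cryptographic sense, and it does not replace rate limiting on the endpoint.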

2. Summary
   - This release introduces a new real-time performance dashboard with configurable department and operator widgets backed by a cron aggregator and a dedicated `lh_abstract_performance` table.
   - Security is hardened across authentication flows: stronger hashing, timing-safe responses, expired hash cleanup, autologin nonce support, and LDAP removal.
   - Operator productivity is improved with a switchable editor, richer transfer UI, and expanded bot/event capabilities. Export and report compatibility are also addressed.

execute doc/update_db/update_352.sql for update

4.85v

1. Notable changes since 4.84v
   - Security and access control: tightened chat operation permissions by requiring proper read/write access checks; additional permission hardening was applied across related flows.
   - CSP and policy handling: completed CSP parser integration and follow-up fixes, including policy exposure hardening and parser/library alignment.
   - Voice messaging and widget UX: improved voice-message flow and UX, updated voice app behavior, kept cursor focus on desktop, and added a widget-theme option to disable voice messages.
   - Translation workflow: improved automatic translation reliability, added DeepL model/formality options, enhanced metadata/error handling, and refined start/stop and old-message translation flows.
   - Analytics and timing metrics: improved chat duration/response-time calculations, participant timing accounting, and operator duration output in reports.
   - REST API and diagnostics: added optional custom REST API messages, improved exception visibility/traceback details, and enabled direct log viewing from back office.
   - Invitations and online-hours logic: enhanced invitation alias/profile handling and improved overlapping online-hours period calculations.
   - UI/translations/dependencies: updated translations, refreshed JS dependencies (including html-react-parser migration), and applied multiple package/security updates.
   - Misc fixes: delivered issue-specific fixes and regressions cleanup (including #2378, #2379, #2382), plus release workflow updates.

2. Summary
   - This release focuses on security hardening, CSP maturity, and operator productivity, while also improving voice messaging UX and translation automation quality.
   - It also improves chat/mail timing metrics and diagnostics, with additional stability updates across UI, dependencies, and release automation.

No new DB migration script required for this release.

4.84v

1. Notable changes since 4.83v
   - REST API and bot workflow: improved REST API trigger execution and request body handling with attachment support; added skipped-body debug preview; enhanced chat locking behavior for streaming and chunked responses while preserving typing indicators.
   - Widget and UI: expanded widget theme customization options (including color controls), applied theme colors to offline form, improved message delivery indicator styling, fixed height adjustments and zoom/icon interaction issues, and added support for custom nick from admin themes.
   - Notifications and operator workflow: added assignment notification preferences (assigned pending chats vs all pending chats), quick action for auto-assignment, and persistent disabling of mobile notifications.
   - Chat filters and analytics: added participant filters to chat search, improved filters and restored pagination behavior, added participant-aware export enhancements, and introduced average chat duration by agent/participant.
   - File validation and security hardening: expanded MIME type handling for common file types and strengthened uploaded file verification (including file preview upload flow).
   - Translation and UX polish: improved translation error handling and transaction flow, added operator notice for active chat translation state, and updated translations across modules.
   - Core/codebase maintenance: added new tables and schema updates, improved error/log reporting and timing diagnostics (render and DB connection timing), and modernized PHP code style in core files.

2. Summary
   - This release focuses on reliability and operator experience: stronger REST API/bot handling, better widget customization and messaging UX, richer notification controls, and improved chat search/export analytics.
   - It also includes security-oriented file validation improvements, translation workflow refinements, and core maintenance updates for better observability and long-term stability.

execute doc/update_db/update_351.sql for update

4.83v

1. Notable changes since 4.82v
   - Chat list sorting: added sort options for highest and lowest message count in chat lists; a validation warning is shown when sorting by message count unless the search is restricted to a date range of 31 days or less.
   - Webhooks: debug mode support added to `processEvent` in both chat and mail conversation continuous webhook classes; new validation conditions `notempty` and `in_list`; improved error handling and logging; webhook form updated with chat ID testing and improved button styling; test pattern module enhanced with webhook ID validation.
   - Dropdown: "Select all" and "Unselect all" buttons added to multi-select dropdowns across the back-office; dropdown plugin and render helper updated accordingly.
   - Subject filter: subject filter conditions added to the chat list search panel and mail conversation search panel; department user logic enhanced.
   - Widget: bumped to version 272; improved `screenAttributesUpdate` height/width calculations for better responsiveness across screen sizes; wrapper now passes its version to the API; fixed proper termination in wrapper source.
   - Canned messages: fixed auto-uppercase breaking text input in the new rich-text editor (LHCEditor).
   - REST API: fixed authentication validator regression.
   - Chat core: added support for dashes in chat handling logic.
   - Templates: minor fixes in chat lists template and survey fill-widget template.

2. Summary
   - This release improves chat list usability with message count sorting, strengthens webhook debugging with debug mode and new validation conditions, and enhances multi-select dropdowns with select-all/unselect-all controls.
   - Widget responsiveness and wrapper version reporting are improved; canned message auto-uppercase and REST API auth issues are resolved.

execute doc/update_db/update_350.sql for update

4.82v

1. Notable changes since 4.81v
   - Security/file handling: enhanced MIME type validation across file download endpoints (`downloadfile.php`, `inlinedownload.php`, REST API `file.php`); MIME type constants added in mail conversation parser; all operator/visitor upload paths are validated to resolve inside the `var` folder; resolved security issues L01, L02, L04, L05, L06, L11, L13.
   - Widget: added expand mode with configurable width/height ratios and new `shrink_text`/`expand_text` UI fields; widget communication updated to include user session prefill variables in sent messages; fixed `reloadWidget` function; updated wrapper version.
   - Chat search/statistics: added message count filters (operators, visitors, bots) to search panel and statistics tabs; added total messages count input field; added search by message ID range.
   - Chat tab visibility: operators can toggle chat tab visibility (show/hide chat tabs) via quick actions in user settings.
   - User settings: added auto-accept chats option and alert preference for transferred chats.
   - Variables/prefill: support for passing custom back-office vars as `lhc_var` variables; encrypted prefilled variables are always applied; a variable is only set when its replacement value is non-empty; proactive invitations now update vars when custom vars are passed.
   - Theme/translations: widget theme `translate` method accepts user context; REST API modules (`checkchatstatus`, `getinvitation`, `initchat`, `onlinesettings`, `settings`) use user context for theme translations; multilanguage support for custom fields; `fetchByVid` includes caching option.
   - Canned messages: refactored retrieval with `getCannedMessages` method; added `auto_send` filter and `ignore_subjects` parameter.
   - Extensions: support for extensions to contribute custom side-menu items.
   - Configuration: folder/directory write-permission checks added to the configuration page with per-directory success/error indicators.
   - Bot: support for background workers in REST API bot action; improved bot detection filtering.
   - Message history: loading previous messages now uses all messages when the page limit is not reached, so every chat message is safely included.
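The file-handling entries for 4.82 (MIME validation on the download endpoints and upload paths confined to `var`) and 4.84 (strengthened verification of uploaded files) both come down to two checks: derive the type from the bytes rather than from the client's Content-Type, and resolve every requested path before comparing it against the allowed root. The following is an added example for this page, not Live Helper Chat's own code; the allowlist, the `storage/` subdirectory, and the class and method names are assumptions.

```php
<?php
// Added example, not Live Helper Chat code. Two checks behind the 4.82/4.84
// file-handling entries: sniff the MIME type from content and confine every
// requested path to var/. The allowlist and directory layout are assumptions.
declare(strict_types=1);

final class UploadGuard
{
    /** extension => MIME types finfo may report for it (assumed allowlist) */
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
        'txt'  => ['text/plain'],
    ];

    private string $varDir;

    public function __construct(string $varDir)
    {
        $real = realpath($varDir);
        if ($real === false) {
            throw new RuntimeException("var dir does not exist: $varDir");
        }
        $this->varDir = $real;
    }

    /** MIME type sniffed from the bytes; the browser-supplied type is deliberately never consulted. */
    public static function detectMime(string $path): string
    {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        return $mime === false ? 'application/octet-stream' : $mime;
    }

    /** Accept only when the extension is allowlisted and the sniffed type is one listed for it. */
    public function isAcceptableUpload(string $tmpPath, string $clientName): bool
    {
        $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            return false;
        }
        return in_array(self::detectMime($tmpPath), self::ALLOWED[$ext], true);
    }

    /**
     * Resolve a user-supplied relative path and return its absolute form only if it
     * lies inside var/. realpath() collapses "..", "." and symlinks, so a prefix
     * check on its result is sound. Null means rejected or nonexistent.
     */
    public function resolveUnderVar(string $userPath): ?string
    {
        if (str_contains($userPath, "\0")) {
            return null;
        }
        $real = realpath($this->varDir . DIRECTORY_SEPARATOR . $userPath);
        if ($real === false) {
            return null;
        }
        return str_starts_with($real, $this->varDir . DIRECTORY_SEPARATOR) ? $real : null;
    }
}

// --- constructed demo: a scratch tree with var/ and a file just outside it ---
$root = sys_get_temp_dir() . '/lhc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/var/storage", 0700, true);
file_put_contents("$root/var/storage/ok.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
file_put_contents("$root/var/storage/evil.png", '<!DOCTYPE html><script>alert(1)</script>'); // markup wearing a .png name
file_put_contents("$root/settings.ini.php", '; secrets live here');

$guard = new UploadGuard("$root/var");
var_dump($guard->isAcceptableUpload("$root/var/storage/ok.png", 'ok.png'));
var_dump($guard->isAcceptableUpload("$root/var/storage/evil.png", 'evil.png'));
var_dump($guard->resolveUnderVar('storage/ok.png'));
var_dump($guard->resolveUnderVar('../settings.ini.php'));
var_dump($guard->resolveUnderVar('storage/../../settings.ini.php'));
```

Two caveats a practitioner will hit: realpath() needs the target to exist, so for an upload destination resolve the parent directory this way and then append a server-generated file name rather than the client's; and on the download side send `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, since browser sniffing is exactly what turns a spoofed image into stored XSS.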

2. Summary
   - This release strengthens file handling security with MIME type validation, file path checks, and resolves multiple L-series security issues.
   - Operator UX improvements include widget expand mode, chat tab visibility toggles, and richer user settings (auto-accept, transfer alerts).
   - Search and statistics gain new message count filters; extensions gain custom side-menu support; theme translations now respect user context.

3. Contributors

- L01: SSRF via incoming webhook image download (CWE-918)
- L06: Mass assignment in REST API file PUT leading to arbitrary file read (CWE-915, CWE-22)
- L11: Stored XSS via Content-Type spoofing in file upload (CWE-79, CWE-345)
- L13: Unsafe deserialization in configuration loader (CWE-502)

Vulnerability Researcher: Pedro J. Núñez-Cacho Fuentes (https://blogs.tunelko.com)
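The L01 entry (SSRF via incoming webhook image download) is the one of the four where the fix is a pre-flight policy rather than a parser change: only http(s), only a host that resolves to a public address, and a fetch pinned to the address that passed the check so that the DNS answer cannot change between check and connect. The following is an added example for this page, not Live Helper Chat's own code; the class name, the size cap, and the sample URLs are assumptions, and the demo exercises only literal addresses so it runs offline.

```php
<?php
// Added example, not Live Helper Chat code: a pre-flight policy for the kind of
// server-side fetch behind the L01 entry. Class name, size cap and sample URLs
// are assumptions; only literal-IP cases are exercised so the demo runs offline.
declare(strict_types=1);

final class OutboundUrlPolicy
{
    private const MAX_BYTES = 5 * 1024 * 1024;   // assumed cap for an image download

    /** True only for globally routable unicast addresses (v4 or v6). */
    public static function isPublicIp(string $ip): bool
    {
        return filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
    }

    /** Returns ['host','ip','port'] for the connection to make, or a string saying why the URL was rejected. */
    public static function check(string $url): array|string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'])) {
            return 'unparseable URL';
        }
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return "scheme '$scheme' not allowed";             // file://, gopher://, dict:// ...
        }
        if (!isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
            return 'missing host or embedded credentials';
        }
        $host = strtolower(trim($parts['host'], '[]'));        // [::1] -> ::1
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        // Literal address: vet it directly.
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return self::isPublicIp($host)
                ? ['host' => $host, 'ip' => $host, 'port' => $port]
                : "address $host is not public";
        }
        // Numeric forms filter_var does not accept (2130706433, 0x7f000001, 127.1, 0177.0.0.1): refuse outright.
        $labels  = explode('.', $host);
        $numeric = array_filter($labels, fn (string $l): bool => (bool) preg_match('/^(0x[0-9a-f]+|[0-9]+)$/i', $l));
        if (count($numeric) === count($labels)) {
            return "numeric host form '$host' rejected";
        }
        // Resolve once, vet every answer, and pin the fetch to the first vetted one.
        $answers = [];
        foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $answers[] = $rec['ip'] ?? $rec['ipv6'] ?? null;
        }
        $answers = array_values(array_filter($answers));
        if ($answers === []) {
            return "host '$host' does not resolve";            // also the fail-closed result for /etc/hosts-only names
        }
        foreach ($answers as $ip) {
            if (!self::isPublicIp($ip)) {
                return "host '$host' resolves to non-public $ip";
            }
        }
        return ['host' => $host, 'ip' => $answers[0], 'port' => $port];
    }

    /** Fetch with redirects off and host:port pinned to the vetted IP, so a rebinding answer is never used. */
    public static function fetch(string $url): string|false
    {
        $target = self::check($url);
        if (is_string($target)) {
            throw new InvalidArgumentException($target);
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,                  // a 302 to http://169.254.169.254/ must not be followed
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 15,
            CURLOPT_MAXFILESIZE    => self::MAX_BYTES,
            CURLOPT_RESOLVE        => ["{$target['host']}:{$target['port']}:{$target['ip']}"],
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        return $body;
    }
}

// --- constructed demo: literal addresses only, no network needed ---
foreach ([
    'http://198.51.100.7/avatar.png',
    'http://127.0.0.1/admin',
    'http://[::1]/admin',
    'http://169.254.169.254/latest/meta-data/',
    'http://2130706433/',
    'http://user:pw@10.0.0.5/',
    'file:///etc/passwd',
    'gopher://localhost:6379/_FLUSHALL',
] as $url) {
    $r = OutboundUrlPolicy::check($url);
    printf("%-44s %s\n", $url, is_array($r) ? "OK -> {$r['ip']}:{$r['port']}" : "REJECT: $r");
}
```

Redirects are the usual way around a check like this, which is why fetch() disables them; if the application must follow a redirect, run check() again on every Location and re-pin. dns_get_record() queries DNS directly, so names that exist only in /etc/hosts or through search domains are rejected as unresolvable, which is the safe direction for an image download.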

execute doc/update_db/update_349.sql for update
