Strapi Release: 3.0.0-alpha.7.2

TL;DR

Strapi v3.0.0-alpha.7.2 introduces major new features including the User & Permissions plugin and Email plugin, requiring login for admin access. The administration panel is now detached from the project, moving away from the monolithic architecture. Framework enhancements improve installation and startup times, while the new middleware lifecycle method and plugin model support expand developer capabilities.

Highlight of the Release

• Introduction of User & Permissions plugin for role-based access control
• New Email plugin for sending emails from the application
• Authentication required for admin dashboard access
• Detached administration panel architecture
• New beforeInitialize lifecycle method for middlewares
• Support for plugin-specific models
• Significant performance improvements in installation and startup times

Migration Guide

For existing Strapi alpha users:

1. Authentication Required:

   • The admin panel now requires authentication
   • You'll need to register an admin user on first access

2. Administration Architecture:

   • The admin panel is now detached from your project
   • Update your development workflow to account for this change

3. Plugin Models:

   • If you were directly accessing models, update your code to use the new plugin model system
   • Use the appropriate queries for plugin models

4. Middleware Changes:

   • If you've created custom middlewares, consider implementing the new beforeInitialize lifecycle method
   • Review middleware configurations as the default handling has changed

5. Update Commands:

   # Update your global strapi installation
   npm install [email protected] -g
   
   # In your project directory
   strapi update
   

6. Configuration Files:

   • The plugins.json file has been removed
   • A new roles.json file is used for the permissions system

7. Content Manager Integration:

   • The Content Manager now supports plugin models
   • Actions can be redirected to plugin controllers

Upgrade Recommendations

Upgrade Priority: High

This release introduces significant new features and architectural changes that improve security, performance, and developer experience. The addition of the User & Permissions plugin and authentication requirements for the admin panel are major security enhancements that make this upgrade highly recommended.

For Development Environments:

• Upgrade immediately to benefit from the new features and architecture
• Test your custom code with the new plugin model system
• Explore the new User & Permissions plugin to implement proper access control

For Production Environments:

• Plan a careful upgrade as this version introduces architectural changes
• Test thoroughly in a staging environment before deploying
• Be prepared to set up authentication for admin users
• Review any custom middleware implementations

Note: As this is still an alpha release (v3.0.0-alpha.7.2), it's recommended to use it in development environments and non-critical production systems while testing for any issues.

Bug Fixes

• Fixed Windows issue related to symlinks created during installation
• Fixed login verification process
• Resolved issue preventing server start when no locales are present
• Fixed plugin email dependencies
• Fixed npm scripts
• Fixed user-permissions homepage notification bug
• Fixed content-type-builder typo
• Fixed admin translation typo on keys
• Fixed login error handling
• Fixed default connection for mongoose
• Fixed initialization of role permissions when starting app for the first time
• Fixed request helper header addition
• Fixed search input behavior and design
• Fixed issue with deleting users associated with a role
• Fixed email reset password 404 error
• Fixed user update with encrypted password
• Fixed plugin loading order in Firefox and Safari
• Fixed refresh functionality in administration page
• Fixed Content Manager related bugs
• Fixed password and token exposure in fetchable data

New Features

User & Permissions Plugin

The new User & Permissions plugin provides comprehensive role-based access control for your Strapi application. Features include:

• User management with role assignment
• Role creation, editing, and deletion
• Granular permission settings for routes and actions
• Policy enforcement for API endpoints
• User authentication with JWT
• Password reset functionality

Email Plugin

A new Email plugin allows sending emails directly from your Strapi application:

• Email template support
• Integration with the authentication flow
• Password reset email functionality

Authentication for Admin Dashboard

• Login and registration required to access the admin panel
• JWT-based authentication
• Password validation with length requirements

Detached Administration Panel

• Admin panel now separated from the core project
• Removes the old monolithic architecture
• Improves maintainability and separation of concerns

Plugin Model Support

• Plugins can now define their own models
• Models can be accessed through the Content Manager
• Supports both Mongoose and Bookshelf

New Middleware Lifecycle Method

• Added beforeInitialize lifecycle method for middlewares
• Allows executing code before middleware initialization

REPL Console Command

• Added a new strapi console command
• Provides a REPL interface for interacting with your Strapi application

Security Updates

• Protected User Data: Removed password and authentication token from fetchable user data to prevent sensitive information exposure.

• JWT Encryption: Added UUID generation for JWT encryption to enhance security.

• Admin User Protection: Prevented searching for admin users through the regular user search functionality.

• Authentication Policy: Implemented proper authentication policy injection for secure access control.

• Password Validation: Added password length validation to authentication pages.

• Custom Error Responses: Implemented custom error responses for authentication failures.

• 401 Responses: Now sending 401 status codes when actions are not enabled for a user's role.

Performance Improvements

• Reduced Installation Time: Removed unnecessary dependencies, making the installation process faster and more efficient.

• Faster Project Generation: Optimized the project generation process, reducing the time needed to create new Strapi projects.

• Improved Plugin Loading: Enhanced the plugin loading mechanism, with special fixes for Firefox and Safari browsers.

• Optimized i18n Functions: Refactored internationalization functions for better performance.

• Relative Path Usage: Now using relative paths instead of absolute paths to generate the manifest.json reference file, improving cross-platform compatibility and performance.

• Require Cache Clearing: The framework now clears the require cache before loading configurations, preventing stale configuration data.

• Delayed Admin Load: Admin panel loading is now delayed to improve initial startup time.

Impact Summary

This release represents a significant evolution in Strapi's architecture and security model. The introduction of the User & Permissions plugin transforms Strapi into a more secure and flexible CMS by implementing proper authentication and role-based access control. The detached administration panel marks an important architectural shift away from the monolithic design, improving maintainability and setting the foundation for future enhancements.

The new Email plugin adds essential functionality for user communication, particularly for authentication flows like password resets. Performance improvements in installation and startup times enhance the developer experience, while the new middleware lifecycle method and plugin model support provide developers with more powerful extension capabilities.

For existing users, this update requires adapting to the new authentication requirements and architecture changes, but the benefits in security, flexibility, and performance make this a worthwhile upgrade. The comprehensive role-based access control system is particularly valuable for projects requiring different permission levels for various user types.

Overall, this release moves Strapi closer to a production-ready headless CMS with enterprise-grade security features while maintaining its developer-friendly approach.

Full Release Notes