Releases: fabiodalez-dev/Pinakes

Pinakes v0.4.1

10 Dec 22:56

Bug Fixes

  • Fix: Updater memory limit increased to 256MB for large updates
  • Fix: Added verbose logging for troubleshooting update issues
  • Fix: Connection diagnostics (DNS, SSL, cURL) on failure
  • Fix: DataTables default sorting (most recent first)
  • Fix: CSRF session expired page with local assets

Improvements

  • Improved update process reliability on shared hosting
  • Better error messages during update failures

📦 Full Changelog: v0.4.0...v0.4.1

Pinakes v0.4.0

08 Dec 19:49

What's New in v0.4.0

GDPR Privacy Consent Tracking

  • Privacy consent tracking with acceptance date and policy version
  • New user fields: privacy_accettata, data_accettazione_privacy, privacy_policy_version
  • Automatic backfill for existing active users

Persistent "Remember Me" Sessions

  • 30-day secure sessions with SHA256 token hashing
  • Multi-device support
  • Automatic cleanup via maintenance cron
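The storage pattern these bullets describe, as an added example that is not Pinakes code: the browser holds a random token, the server keeps only its SHA-256 hash with a 30-day expiry, and each device gets its own row. The `RememberStore` class and its in-memory array are hypothetical stand-ins for a database table.

```php
<?php
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600; // 30 days, per the release note

/** Hypothetical in-memory stand-in for a token table keyed by SHA-256(token). */
final class RememberStore
{
    /** @var array<string, array{user: int, device: string, expires: int}> */
    private array $rows = [];

    /** Issue a token for one device; only its hash is kept server-side. */
    public function issue(int $user, string $device, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] =
            ['user' => $user, 'device' => $device, 'expires' => $now + REMEMBER_TTL];
        return $token; // sent to the browser as the cookie value, never stored
    }

    /** Resolve a presented cookie value to a user id, or null if unknown/expired. */
    public function verify(string $token, int $now): ?int
    {
        $hash = hash('sha256', $token); // lookup by hash: a leaked table holds no usable cookies
        $row = $this->rows[$hash] ?? null;
        if ($row === null || $row['expires'] <= $now) {
            unset($this->rows[$hash]); // expired tokens are dropped on sight
            return null;
        }
        return $row['user'];
    }

    /** What the maintenance cron would run: delete expired rows, return the count. */
    public function cleanup(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn(array $r): bool => $r['expires'] > $now);
        return $before - count($this->rows);
    }
}

// Constructed scenario: one user, two devices, then the 30 days elapse.
$store  = new RememberStore();
$now    = 1700000000;
$laptop = $store->issue(7, 'laptop', $now);
$phone  = $store->issue(7, 'phone', $now); // independent row, so logout can be per device
var_dump($store->verify($laptop, $now + 3600));             // still inside the window
var_dump($store->verify($phone, $now + REMEMBER_TTL + 1));  // past expiry
var_dump($store->cleanup($now + REMEMBER_TTL + 1));         // sweeps what is left
```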

MARC-8 Text Normalization (Fixed)

  • Comprehensive removal of MARC-8 control characters (NSB/NSE U+0088-U+009F)
  • Unicode-aware patterns with /u flag for proper UTF-8 handling
  • Normalization of ALL text fields including title, subtitle, series/collana, authors, publisher, etc.
  • Whitespace normalization in all scraping sources (SBN, SRU, Google Books, Open Library)

Dynamic Calendar Generation

  • ICS calendar files now generated dynamically on request
  • URL: /calendar/events.ics (no longer requires static file)

Plugin Auto-Registration

  • Bundled plugins automatically registered in database after update
  • Fixes issue where plugin folders existed but weren't active

Updater Improvements

  • Preserves storage/calendar and storage/tmp during updates
  • Prevents deletion of user-generated files

Loan Return UX Improvements

  • Smart default status (defaults to 'Returned on time')
  • Clear labels distinguishing return types
  • Form persistence on validation errors

Download & Install

Download pinakes-v0.4.0.zip and verify:

shasum -a 256 -c pinakes-v0.4.0.zip.sha256

Updating from v0.3.0

Use Admin → Updates - the auto-updater handles everything automatically.

Fresh Install

Extract the archive and run the installer at your domain root.

Pinakes v0.3.0

06 Dec 13:31

What's New in v0.3.0

Completely Redesigned Dewey Classification System

The Dewey Decimal Classification system has been completely rewritten. Data is no longer stored in the database but loaded from JSON files, enabling more flexible and collaborative management.

Key features:

  • Automatic import from SBN: When querying books via the SBN API (Italian National Library Service), if the record contains a Dewey classification it is automatically imported
  • Dewey Editor Plugin: A dedicated plugin for visual classification management — tree view, manual code addition per language (IT/EN), inline name editing, search, and delete functionality
  • JSON Import/Export: Classification files can be exported and imported, enabling collaborative sharing between Pinakes installations
  • Multi-language support: Separate JSON files for Italian and English with automatic locale detection

Built-in Auto-Updater

Starting from this version, Pinakes includes an integrated update system. Administrators can check, download, and install new versions directly from the control panel.

Note: Since this is the first version with the updater, v0.3.0 must be installed manually. Future releases can be updated automatically from the admin interface.

Features: Requirements check, automatic database backup, secure download from GitHub Releases, application file backup for rollback, file installation respecting protected paths (.env, uploads, storage), orphan file cleanup, automatic database migrations, OpCache reset.

Database Backup System

New comprehensive backup management:

  • Automatic pre-update backup
  • Manual on-demand backup from admin panel
  • Backup list with creation date and size
  • Download backups for disaster recovery
  • Delete old backups to free disk space

Author Normalization

Intelligent system to prevent duplicate authors:

  • Automatic format conversion: "Levi, Primo" and "Primo Levi" are recognized as the same author
  • Source normalization during SBN import
  • Fuzzy matching finds existing authors regardless of name format

Author/Publisher Merge

New feature to unify duplicate records:

  • Bulk selection of authors or publishers to merge
  • Automatic reassignment of all books to the primary record
  • Deletion of duplicate records

Database Changes

This version includes database migrations. The updater will automatically:

  • Rename column classificazione_dowey → classificazione_dewey (typo fix)
  • Remove table classificazione (data now in JSON files)
  • Add table migrations for tracking applied migrations
  • Add table update_logs for update history

Breaking Changes

v0.3.0 is NOT compatible with previous versions without manual migration.

If upgrading from v0.2.x or earlier:

# 1. BACKUP YOUR DATABASE FIRST!
mysqldump -u USER -p DATABASE > backup_before_0.3.0.sql

# 2. Run the migration
mysql -u USER -p DATABASE < installer/database/migrations/migrate_0.3.0.sql

# 3. Then replace the application files

For new installations: No action needed — the installer handles everything automatically.

Upgrade Notes

  • Backup your database before updating (done automatically by updater)
  • Clear browser cache after update
  • If using opcache, restart PHP-FPM
  • Future updates can be performed automatically from Admin → Updates

Full Changelog

v0.2.0...v0.3.0

Pinakes v0.2.1

03 Dec 17:33

v0.2.1 - Patch Release

Minor version bump and maintenance release.

See v0.2.0 for the main feature set.

Pinakes v0.2.0 - Catalogue Mode + Reservation Pickup + ICS Calendar

29 Nov 17:55

New Features

Catalogue Mode

New browse-only mode for libraries that do not need circulation:

  • Toggle in Settings → Advanced
  • Configurable during installation
  • Automatically hides the loans/reservations UI

Reservation Pickup Confirmation

Improved workflow for the physical pickup of books:

  • Reservations create loans in "pending" status
  • Admin confirms pickup via a dedicated button
  • Loan origin tracking (reservation vs manual)

ICS Calendar Export

  • Export of single loans or batches
  • Compatible with Google Calendar, Apple Calendar, Outlook
  • Subscribable URL with automatic updates

Improved Dashboard

  • Interactive FullCalendar calendar
  • Events color-coded by status
  • New "Pickups to Confirm" and "Manual Requests" cards

Security Improvements

  • XSS prevention in filters and calendar
  • Race condition fix in reservation handling
  • CSV injection sanitization in export

Bug Fixes

  • Email notification retry fix
  • Calendar date fix
  • Catalogue page padding fix
  • Numerous UI/UX fixes

📖 Full documentation: See the README for installation and configuration instructions.

v0.1.6 - Email Verification Fix & UI Improvements

24 Nov 22:25

Fixes

Registration Email

  • Fixed critical bug: the token_verifica_email field was not selected by the database query
  • Email verification links are now correctly included in registration emails
  • Universal route support: both /verify-email and /verifica-email work regardless of the installed language
  • Correct locale in emails: emails are sent in the installation language (it_IT) instead of English
  • All service emails (registration, activation, password reset, admin invitations) now use the installation locale

Universal Routes

Implemented support for multiple routes for all critical services:

  • /verify-email + /verifica-email (email verification)
  • /login + /accedi (login)
  • /reset-password + /reimposta-password (password reset)
  • /forgot-password + /password-dimenticata (password recovery)

Emails always use the English routes, which work in all languages.

Environment Variables

  • Fixed an issue with getenv() failing on some production servers
  • Implemented the $_ENV['VAR'] ?? getenv('VAR') fallback in all critical files:
    • NotificationService
    • EmailService
    • HtmlHelper
    • ReservationManager
    • PasswordController

UX and Security

  • Logged-in user redirect: already authenticated users can no longer access the registration page
  • User profile: added display of the membership card expiry date and improved margin (5rem)
  • Redesigned dashboard: modern design aligned with wishlist/catalogue, uses CSS theme variables
  • Profile dropdown menu: added a dropdown menu in the header with links to Dashboard, Profile and Logout
  • All UI strings translated (it_IT/en_US)

Assets and UI

  • Star-rating: fixed 404 errors for the CSS/JS files on review pages
  • Copied star-rating.js assets from node_modules to public/assets/star-rating/dist/
  • Added a .gitignore exception to include the required files
  • Plugin modal: changed overflow-hidden to overflow-auto to allow scrolling
  • Console errors: removed the "Failed to fetch" error from the console for loadQuickStats
  • Book description: text color changed to black (#000000) to improve readability

Impact

Registration emails now work correctly on all servers, with working verification links in any format and content in the correct language. Modern, consistent UI across all user pages, with improved navigation and all assets served correctly.


Full Changelog: v0.1.5...v0.1.6

v0.1.5 - Security Audit & i18n Improvements

24 Nov 12:08

🎯 Summary

Security audit and bug fixes for v0.1.5 release. This release includes comprehensive security verification, i18n improvements, and UX enhancements.

🔐 Security Audit Results

Completed comprehensive security audit across all critical components:

✅ LibriController - 5/5 Stars

  • SSRF Protection: DNS rebinding prevention with IP validation
  • DoS Prevention: Three-tier file size validation (HEAD request + streaming + final check)
  • Path Traversal Protection: realpath() boundary checks with whitelist validation
  • File Locking: Atomic operations with LOCK_EX
  • Domain Whitelist: External image downloads restricted to trusted domains
  • SVG Upload Prevention: JavaScript injection protection

✅ HtmlHelper + EmailService + NotificationService - 5/5 Stars

  • Host Header Injection Prevention: APP_CANONICAL_URL takes precedence over HTTP_HOST
  • Hostname Validation: RFC 1123 compliant regex with whitelist for localhost
  • Port Handling: Proper default port detection (80/443)
  • Email Links Security: Always use canonical URL for verification/password reset links
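One way the four checks above fit together, as an added example that is not the project's HtmlHelper code: a configured canonical URL always wins, and the Host header is used as a fallback only after hostname and port validation. The function names, the one-dot requirement and the `localhost` allow-list entry are assumptions; `$canonical` stands for the value of APP_CANONICAL_URL.

```php
<?php
declare(strict_types=1);

/** RFC 1123 labels (1-63 alphanumerics or hyphens, no edge hyphen), 253 chars max. */
function isValidHostname(string $host): bool
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // Assumption: require at least one dot, so single-label names such as
    // "localhost" are accepted only through the explicit allow-list below.
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')+\z/i', $host) === 1;
}

/** Base URL for generated links; $server stands in for $_SERVER. Null means "refuse". */
function baseUrl(?string $canonical, array $server): ?string
{
    // 1. A configured canonical URL wins: the request cannot influence it.
    if ($canonical !== null && $canonical !== '') {
        return rtrim($canonical, '/');
    }
    // 2. Fallback: use the Host header only if it parses as host[:port].
    $raw = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (preg_match('/^([^:]+)(?::(\d{1,5}))?\z/', $raw, $m) !== 1) {
        return null;
    }
    $host = $m[1];
    $port = isset($m[2]) ? (int) $m[2] : null;
    if ($host !== 'localhost' && !isValidHostname($host)) {
        return null;
    }
    if ($port !== null && ($port < 1 || $port > 65535)) {
        return null;
    }
    $https   = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $default = $https ? 443 : 80;
    // Drop the port when it is the scheme default, so links stay stable.
    $suffix = ($port === null || $port === $default) ? '' : ':' . $port;
    return ($https ? 'https' : 'http') . '://' . $host . $suffix;
}

// Constructed requests; the hostnames are placeholders.
var_dump(baseUrl('https://library.example/', ['HTTP_HOST' => 'attacker.example'])); // canonical set
var_dump(baseUrl(null, ['HTTP_HOST' => 'library.example:443', 'HTTPS' => 'on']));   // default port
var_dump(baseUrl(null, ['HTTP_HOST' => 'localhost:8080']));                         // dev allow-list
var_dump(baseUrl(null, ['HTTP_HOST' => 'x"><script>']));                            // rejected
```

The patterns end in `\z` rather than `$` because PCRE's `$` also matches before a trailing newline, which would let a host value ending in "\n" pass validation.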

✅ MaintenanceController & Installer - 5/5 Stars

  • CSRF Protection: Token validation on all endpoints
  • Input Validation: Type whitelist + URL format validation
  • Atomic File Writes: file_put_contents() with LOCK_EX
  • Error Handling: Proper exception messages with i18n

✅ View Templates - 5/5 Stars

  • No Code Injection: All nested PHP tags fixed
  • Proper i18n: Server-side translation in JavaScript contexts

Overall Security Rating: ⭐⭐⭐⭐⭐ (5/5 - Excellent)


🐛 Bug Fixes

i18n Fixes (18 total)

  1. Nested PHP tags in placeholders (11 fixes)

    • crea_editore.php: 9 placeholders fixed
    • crea_autore.php: 2 placeholders fixed
    • Pattern: <?= '<?= __("text") ?>' ?> → <?= __("text") ?>
  2. ReferenceError in confirmation dialogs (3 fixes)

    • crea_editore.php line 196
    • crea_autore.php lines 175, 199
    • Pattern: __('text') → '<?= addslashes(__("text")) ?>'
  3. Biography placeholder with $1 (1 fix)

    • crea_autore.php line 97
    • Fixed "Enter $1" → proper description text

UX Fixes (3 total)

  1. Digital Library CSS 404 error (2 fixes)

    • First fix: Added file_exists() check before loading plugin CSS
    • Second fix: Aligned file_exists() path with actual serving location
    • Prevents console errors when CSS not present
  2. Console logging documentation

    • Documented that fetch/XHR logs in Chrome console are normal browser behavior
    • Stats refresh every 5 minutes for real-time updates
    • Can be filtered in DevTools Console panel (deselect "Fetch/XHR")

📝 Configuration Updates

.env.example

  • Added APP_CANONICAL_URL documentation with examples
  • Clarified development vs production settings
  • Added email link security notes (verification, password reset use canonical URL)

CLAUDE.md

  • Updated with canonical URL redirect behavior documentation
  • Explained API exemption from redirects (for SRU/Z39.50 interoperability)
  • Added security best practices for .env operations

🧪 Testing

All changes have been tested on:

  • ✅ Publisher creation form (/admin/editori/crea)
  • ✅ Author creation form (/admin/autori/crea)
  • ✅ Confirmation dialogs (SweetAlert2)
  • ✅ Form placeholders (translated correctly)
  • ✅ Console output (clean, no errors)
  • ✅ CSS loading (no 404 errors)
  • ✅ Plugin asset serving (correct path resolution)

📊 Impact

  • Security: No vulnerabilities found ✅
  • i18n Coverage: +18 fixes bringing total to ~30/491 (6%)
  • UX: Cleaner console, proper placeholders, correct asset loading
  • Documentation: Comprehensive security audit report in fix.md

🔗 Related Pull Requests

  • #12 - Security audit and fixes