Version 1.26.0

In this version, we have added the ability to use REST request variables in headers. This feature increases the flexibility of the system and extends the opportunities for the creation of scripts. Another important introduction is the ability to connect single-node and distributed instances to external databases.

We have also improved control over master data by adding business roles and the ability to assign them to employees: you can now record in the system the additional business roles of employees that are not included in the official organizational structure. This lets you reflect the real business structure of a company in the SimpleOne system when employees perform specific roles within business processes in addition to their official job positions.

We have created a new portal widget, Image Carousel, where you can add banners. When a banner is clicked, a link specified for the currently displayed image is opened in a new tab. The new functionality is available for both desktop and mobile versions of the portal.

Additionally, we have made a number of system changes aimed at improving the system security and overall performance: we have implemented the Sentinel component for Redis to store tokens and user sessions without interruptions, and updated the versions of HAProxy and several libraries used in the microservices.

New features


REST request variables in headers

We have added the ability to use variables in REST requests. You can create variables and use them in REST requests for dynamic substitution of data. For this purpose, we have created a new REST Request Variable (sys_rest_request_variable) table, available in the navigator under REST API Client → Variables.

The data included in the variables can be encrypted to provide security, or be stored openly, depending on the selected option. The variables can be used in almost any part of a REST request, including:

  • URL (endpoint, path parameters, query parameters)
  • headers
  • body

This feature simplifies the configuration of integrations and the automation of processes. It also increases the flexibility of the API by allowing the use of dynamic data without writing code.

Read more in the documentation.

Connection to external databases

We have implemented the ability to connect single-node and distributed instances to external databases. The implementation of this functionality makes it possible for instance owners to administer the databases on their own, which increases the system security and stability.

Detailed information about configuring the connection to external databases has been added to the operational documentation.

Widget for the displaying of banners on the portal

We have created a new Image Carousel widget that you can use to add banners on the portal.

The banner records are stored in a new Carousel Image (carousel_image) table. For each banner, you need to add images for mobile and desktop portal versions and specify a link to be opened in a new tab when the banner is clicked.

Users can switch banners with the side buttons and the buttons at the bottom of the banners, drag the banners in the desktop version and swipe them in the mobile version. An administrator can specify whether the banners should switch automatically.

By default, the widget is not added to the portal. To add it, follow the instructions in the documentation.

Employee business roles

You can now add business roles – the markers assigned to employees. Such a marker suggests certain responsibilities and authorities. A business role can align with an employee's job title, but it may also differ from it when an employee is responsible for tasks beyond the responsibilities typically expected in their position. Defining business roles in a company's business structure makes business processes clearer and more straightforward. Another advantage of business roles is their flexible configuration: they are not as strictly defined in the company's business structure as job positions.

For this, we have added two new tables:

  • Business Role (org_role) – the list of business roles existing in the system.
  • Employee Business Role (org_role_employee) – the business roles assigned to employees.

A new Employee Business Roles related list has been added to the Employee (employee) form. It contains all business roles assigned to the employee. The Employee Business Roles related list has been added to the Company (org_company) form. There, you can see all employees of the company and the business roles assigned to them.

Read more in the documentation.

Improvements


The use of Redis Sentinel for authorization

To create a failover storage for authentication tokens, we have integrated the Sentinel component with two Redis nodes for the distributed architecture. This keeps user sessions uninterrupted if one of the storages fails.

Update of HAProxy version

We have updated HAProxy to version 3.03, which has eliminated a set of vulnerabilities and increased the overall system performance.

Fixes


DEF0020690: The indications with the Changes to conditions worked incorrectly with business rules. The system treated the launch of a business rule as an update of the record which led to errors. For instance, an indication could move into a wrong state when a business rule was launched. This problem is solved, and the launch of business rules does not trigger the Changes to condition of the indications.

DEF0019713: The input fields of an Activity feed added with the activityFeed Simple tag were inactive if the form contained an element added with the rem Simple tag. Now, the input fields remain active in such a case.

DEF0019433: After the update of PHP to version 8.2, delays appeared in the receiving of incoming emails: when a large number of emails was sent, they came once a minute or even less often. After the fix, the emails started coming more often, approximately once every ten seconds.

DEF0019049, DEF0019042, DEF0019041: The Monolith-mediator, Dot-walking, Delay-queue microservices utilized vulnerable versions of the x/net and grpc libraries. We have updated them to the versions in which the vulnerabilities are fixed.

DEF0017775: The Static User Information SA and Static Task Information SA widgets read and ran JavaScript injections in record fields (for instance, in the username) when the page was updated, because the widget client scripts used the vulnerable Element.innerHTML property. The same problem occurred if an incoming email record contained a JavaScript injection: it was run when a user returned to the list interface from the record form, at a record preview, and when the Field info context action was used. We have replaced the methods used in the client scripts of these widgets, so such situations no longer occur.

Additionally, we have created a new method of the SimpleWidgets class – sanitizevalue(). This method lets you safely receive data without running injections. Use it to wrap potentially dangerous values when the s_widget.addTemplate() method cannot be used, so that injections are not run. Read more in the documentation.
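The flaw class behind DEF0017775, as an added example that is not SimpleOne's code: a record field concatenated into markup (the pattern that makes Element.innerHTML dangerous) next to a renderer that escapes every interpolated value. All function names, the safeHtml tag and the sample record are hypothetical and constructed for illustration; this is not the implementation of sanitizevalue().

```javascript
// Added example: hypothetical names, not SimpleOne's widget code.

// Characters that let a value break out of text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // null/undefined render as an empty string instead of the text "null".
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are markup written by the developer,
// every interpolated value is treated as untrusted data and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Vulnerable pattern: record fields concatenated into markup. Assigning this
// string to element.innerHTML makes the browser parse the fields as HTML.
function renderUserCardUnsafe(record) {
  return '<div class="user" title="' + record.title + '">' + record.username + '</div>';
}

// Hardened pattern: same markup, but field values can only ever become text.
function renderUserCardSafe(record) {
  return safeHtml`<div class="user" title="${record.title}">${record.username}</div>`;
}

// Regression check: compare the number of tag openers in the output with the
// number produced by an empty record. Any difference came from a field value.
function introducesMarkup(rendered, baseline) {
  const count = (s) => (s.match(/<[a-zA-Z/]/g) || []).length;
  return count(rendered) !== count(baseline);
}

// Constructed sample record: the username carries markup with an event handler.
const sampleRecord = {
  username: 'Alice <img src=x onerror=alert(1)>',
  title: 'R&D "lead"',
};
const EMPTY = { username: '', title: '' };

console.log(renderUserCardSafe(sampleRecord));
console.log('unsafe adds markup:', introducesMarkup(renderUserCardUnsafe(sampleRecord), renderUserCardUnsafe(EMPTY)));
console.log('safe adds markup:', introducesMarkup(renderUserCardSafe(sampleRecord), renderUserCardSafe(EMPTY)));
```

In browser code, assigning a field value to textContent instead of innerHTML gives the same result without an escaping step.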

DEF0017662: A user with no roles could create a record in the Activity feed with the create-thread method and receive the entire history of the Activity feed without having access to it. We have fixed this vulnerability: now, when the method is used, the system verifies the user's access level to ensure they have access to the record whose form contains the Activity feed, and to the fields of the Activity feed records (username, avatar).