Application Scope
Development progress & changelog
- Current Version: 3.5.0
- Releases: 35
- Total Changes: 82
- Major Updates: 38
- Days Active: 415
| Version | Change | Category | Impact | Date |
|---|---|---|---|---|
| 3.5.0 | **Two-Factor Authentication Admin Controls.** Admin settings to enable/disable 2FA site-wide and require 2FA for admin accounts. Includes live adoption stats showing users and admins with 2FA enabled. | Security | Major | Feb 16, 2026 |
| 3.4.4 | **Web Scraper Protection.** robots.txt is dynamically generated to block scrapers from resource and download folders. Admin toggle to enable/disable scraper protection. | Security | Minor | Feb 14, 2026 |
| 3.2.0 | **Admin GET Action Protection.** All destructive GET-based admin actions (delete/toggle for announcements, ads, resources, paths, lessons, classrooms, API keys) now require a CSRF token and cast IDs to integer to prevent injection. | Security | Minor | Feb 8, 2026 |
| 3.2.0 | **Learning API Input Hardening.** All 7 input handlers in api/learn.php now use InputSanitizer: enrollment, lesson completion, bookmarks, and path import. Slug validation, score range enforcement, and lesson content sanitization added. | Security | Minor | Feb 8, 2026 |
| 3.2.0 | **Classroom API Input Hardening.** All 12 input handlers in api/classroom.php now use InputSanitizer: class creation, assignments, discussions, grading, rubrics, bulk import, and moderation. Array type checks added for nested inputs. | Security | Minor | Feb 8, 2026 |
| 3.2.0 | **Input Sanitization Library.** New InputSanitizer class with 10 methods: text, richText, positiveInt, float, enum, email, url, slug, csvList, and json. Strips dangerous HTML (scripts, iframes, event handlers, JS URIs) while preserving safe formatting tags. | Security | Major | Feb 8, 2026 |
| 3.2.0 | **CSRF Protection on Admin Panel.** All admin POST forms (settings, announcements, ads, resources, learning paths, lessons) now include CSRF tokens. All destructive GET actions (delete, toggle) require a valid token parameter. Uses Auth::generateCsrfToken/verifyCsrfToken with 2-hour expiry. | Security | Major | Feb 8, 2026 |
| 3.2.0 | **Admin Auth Hardening.** Replaced hardcoded admin credentials with the Auth system. The admin panel now requires login via the users table with role-based access control: only admin and superadmin roles are permitted. Includes full Auth features: rate limiting, account lockout, and session management. | Security | Major | Feb 8, 2026 |
| 3.1.0 | **API Rate Limiting.** RateLimiter and ApiMiddleware classes enforce per-key hourly rate limits with X-RateLimit headers and 429 responses. | Security | Major | Feb 8, 2026 |
| 2.8.0 | **API Key Registration: Login Required.** API key requests now require authenticated users. The form pre-fills name and email from the user profile. Non-logged-in users see a login prompt. | Security | Minor | Feb 8, 2026 |
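The 3.2.0 entries above describe destructive GET admin actions that require a CSRF token with a 2-hour expiry and cast the target ID to integer. The following is an added example of that pattern, not the project's own Auth code; the function names, the session array layout and the demo values are assumptions.

```php
<?php
// Added example, not the project's own code: a CSRF-checked destructive GET
// admin action with the ID cast to int, as the 3.2.0 entries describe.
// Function names, the $session layout and the demo values are assumptions.
declare(strict_types=1);

const CSRF_TTL_SECONDS = 2 * 60 * 60; // 2-hour token expiry

// Issue a token for this session, or reuse it while it is still fresh.
function generateCsrfToken(array &$session, int $now): string
{
    $fresh = isset($session['csrf'])
        && ($now - $session['csrf']['issued']) < CSRF_TTL_SECONDS;
    if (!$fresh) {
        $session['csrf'] = ['token' => bin2hex(random_bytes(32)), 'issued' => $now];
    }
    return $session['csrf']['token'];
}

// Constant-time comparison plus expiry; anything missing or stale fails closed.
function verifyCsrfToken(array $session, mixed $candidate, int $now): bool
{
    if (!is_string($candidate) || !isset($session['csrf'])) {
        return false;
    }
    if (($now - $session['csrf']['issued']) >= CSRF_TTL_SECONDS) {
        return false;
    }
    return hash_equals($session['csrf']['token'], $candidate);
}

// Handler for ?action=delete&id=...&token=... : returns the validated ID to
// delete, or null to reject. The caller binds $id in a prepared statement.
function resolveDeleteRequest(array $session, array $get, int $now): ?int
{
    if (!verifyCsrfToken($session, $get['token'] ?? null, $now)) {
        return null;
    }
    $id = (int) ($get['id'] ?? 0); // non-numeric or trailing junk never reaches SQL
    return $id > 0 ? $id : null;
}

// Constructed demo: a valid request, a forged token, and an expired token.
$session = [];
$t0 = time();
$token = generateCsrfToken($session, $t0);
var_dump(resolveDeleteRequest($session, ['id' => '42', 'token' => $token], $t0));
var_dump(resolveDeleteRequest($session, ['id' => '42', 'token' => 'forged'], $t0));
var_dump(resolveDeleteRequest($session, ['id' => '42', 'token' => $token], $t0 + CSRF_TTL_SECONDS + 1));
```

Only the first call yields an ID; the forged and expired tokens are rejected before any database access, and a rejected request is a useful signal to log for the audit trail.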