Open Source realtime backend in 1 file
To update the prebuilt executable you can run
./pocketbase update
.
To update the prebuilt executable you can run
./pocketbase update
.
Fixed '~' auto wildcard wrapping when the param has escaped %
character (#4704).
Other minor UI improvements (added aria-expanded=true/false
to the dropdown triggers, added contrasting border around the default mail template btn style, etc.).
Updated Go deps and bumped the min Go version in the GitHub release action to Go 1.22.2 since it comes with some net/http
security and bug fixes.
To update the prebuilt executable you can run
./pocketbase update
.
Replaced the default s3blob
driver with a trimmed vendored version to reduce the binary size with ~10MB.
It can be further reduced with another ~10MB once we replace entirely the aws-sdk-go-v2
dependency but I stumbled on some edge cases related to the headers signing and for now is on hold.
Other minor improvements (updated GitLab OAuth2 provider logo #4650, normalized error messages, updated npm dependencies, etc.).
To update the prebuilt executable you can run
./pocketbase update
.
role
, aria-label
, aria-hidden
attributes to some of the elements in attempt to better assist screen readers.To update the prebuilt executable you can run
./pocketbase update
.
Minor test helpers fixes (#4600):
OnTerminate
hook on TestApp.Cleanup()
.tests.NewTestApp()
.Added more elaborate warning message when restoring a backup explaining how the operation works.
Skip irregular files (symbolic links, sockets, etc.) when restoring a backup zip from the Admin UI or calling archive.Extract(src, dst)
because they come with too many edge cases and ambiguities.
This was initially reported as security issue (thanks Harvey Spec) but in the PocketBase context it is not something that can be exploited without an admin intervention and since the general expectations are that the PocketBase admins can do anything and they are the one who manage their server, this should be treated with the same diligence when using scp
/rsync
/rclone
/etc. with untrusted file sources.
It is not possible (or at least I'm not aware how to do that easily) to perform virus/malicious content scanning on the uploaded backup archive files and some caution is always required when using the Admin UI or running shell commands, hence the backup-restore warning text.
Or in other words, if someone sends you a file and tells you to upload it to your server (either as backup zip or manually via scp) obviously you shouldn't do that unless you really trust them.
PocketBase is like any other regular application that you run on your server and there is no builtin "sandbox" for what the PocketBase process can execute. This is left to the developers to restrict on application or OS level depending on their needs. If you are self-hosting PocketBase you usually don't have to do that, but if you are offering PocketBase as a service and allow strangers to run their own PocketBase instances on your server then you'll need to implement the isolation mechanisms on your own.
To update the prebuilt executable you can run
./pocketbase update
.
Removed conflicting styles causing the detailed codeblock log data preview to not visualize properly (#4505).
Minor JSVM improvements:
$filesystem.fileFromUrl(url, optSecTimeout)
helper.FormData
interface and added support for sending multipart/form-data
requests with $http.send()
(#4544).To update the prebuilt executable you can run
./pocketbase update
.
Fixed the z-index of the current admin dropdown on Safari (#4492).
Fixed OnAfterApiError
debug log nil
error reference (#4498).
Added the field name as part of the @request.data.someRelField.*
join to handle the case when a collection has 2 or more relation fields pointing to the same place (#4500).
Updated Go deps and bumped the min Go version in the GitHub release action to Go 1.22.1 since it comes with some security fixes.
To update the prebuilt executable you can run
./pocketbase update
.
nullifyMisingField
resolver option to the query.To update the prebuilt executable you can run
./pocketbase update
.
To update the prebuilt executable you can run
./pocketbase update
.
Added Planning Center OAuth2 provider (#4393; thanks @alxjsn).
Admin UI improvements:
Added support for back/indirect relation filter
/sort
(single and multiple).
The syntax to reference back relation fields is yourCollection_via_yourRelField.*
.
⚠️ To avoid excessive joins, the nested relations resolver is now limited to max 6 level depth (the same as expand
).
Note that in the future there will be also more advanced and granular options to specify a subset of the fields that are filterable/sortable.
Added support for multiple back/indirect relation expand
and updated the keys to use the _via_
reference syntax (yourCollection_via_yourRelField
).
To minimize the breaking changes, the old parenthesis reference syntax (yourCollection(yourRelField)
) will still continue to work but it is soft-deprecated and there will be a console log reminding you to change it to the new one.
⚠️ Collections and fields are no longer allowed to have _via_
in their name to avoid collisions with the back/indirect relation reference syntax.
Added jsvm.Config.OnInit
optional config function to allow registering custom Go bindings to the JSVM.
Added @request.context
rule field that can be used to apply a different set of constraints based on the API rule execution context.
For example, to disallow user creation by an OAuth2 auth, you could set for the users Create API rule @request.context != "oauth2"
.
The currently supported @request.context
values are:
default
realtime
protectedFile
oauth2
Adjusted the cron.Start()
to start the ticker at the 00
second of the cron interval (#4394).
Note that the cron format has only minute granularity and there is still no guarantee that the scheduled job will be always executed at the 00
second.
Fixed auto backups cron not reloading properly after app settings change (#4431).
Upgraded to aws-sdk-go-v2
and added special handling for GCS to workaround the previous GCS headers signature issue that we had with v2.
This should also fix the SVG/JSON zero response when using Cloudflare R2 (#4287, #2068, #2952).
⚠️ If you are using S3 for uploaded files or backups, please verify that you have a green check in the Admin UI for your S3 configuration (I've tested the new version with GCS, MinIO, Cloudflare R2 and Wasabi).
Added :each
modifier support for file
and relation
type fields (previously it was supported only for select
type fields).
Other minor improvements (updated the ghupdate
plugin to use the configured executable name when printing to the console, fixed the error reporting of admin update/delete
commands, etc.).