Release announcements, helpful tips, and community discussion


Cerb (8.2.10) is a maintenance update released on February 26, 2018. It includes 19 minor features and fixes from community feedback covering the 8.2 update. You can follow these instructions to upgrade.

  • [Cards/Groups/Links] On group cards, the ‘Links’ section is now available for viewing and managing record links.

  • [Dashboards/Charts] Fixed an issue with dashboard chart widgets. In some cases, a metric like “avg by month” could calculate improperly.

  • [Profiles/Workers/Responsibilities] Worker bucket responsibilities can now be managed by administrators from worker profiles. This is much more efficient than having to visit edit responsibilities for every group the worker is a member of.

  • [Responsibilities/Usability] When setting bucket responsibilities from worker or group profiles, the labels for worker, bucket, and group are now clickable and open cards.

  • [Platform/Developers/Plugins] Fixed an issue where extensions in the plugin.xml manifest file didn’t always automatically register themselves with the classloader.

  • [UI/Usability/Log] In the worker menu, the ‘activity log’ link now opens a search popup rather than changing the current page.

  • [Portals/Templates] Fixed an issue in portals when editing custom templates in the Support Center. The template cache wasn’t being cleared in some situations.

  • [Profiles/Custom Fields] Fixed a display issue on profiles when including a custom fieldset with an empty list or multi-checkbox field.

  • [Workspaces/Pages] Fixed an issue that prevented customizations on the workspace pages worklist from being saved.

  • [Platform/Developers] When using DevblocksPlatform::sanitizeArray(), the boolean type now properly considers the string "false" as false.

  • [Workspaces/Subtotals] Fixed an issue with subtotals on worklists. In rare situations, a record type used the field name label, which conflicted with an alias in subtotals. Subtotals now use explicit field names for grouping to avoid this.

  • [Worklists/UI] On worklists, the toolbar icons now have a neutral text shadow color. Previously, this was bluish like the default header color, which could clash with the recent feature to customize worklist colors.

  • [Security/Attachments] Fixed an obscure XSS issue where arbitrary Javascript inside of an SVG attachment could be executed if the worker used the optional ‘Open in browser’ action from the pulldown menu. These files are now displayed as plaintext. By default (as before), the attachment will download without causing issues.

  • [Security] Fixed a potential XSS issue in the owner picker on worklist filters. [#595]

  • [Login/Recover/UX] In the login process, an account recovery code will only be sent once per 30 minutes to prevent abuse. Previously, this form sent a new confirmation code by email for every request.

  • [Records/Validation/URLs] In records, added a new validator for URL-based fields. This ensures that a string begins with 'http(s):// and is properly formatted.

  • [Security/XSS/Orgs] Fixed an issue in organization records where Javascript could be entered into the ‘website’ field. This is now properly validated as a URL. [#598]

  • [Security/Logins] When a worker login attempt fails to authenticate, an event is now recorded in the activity log. This can be used to trigger bot behaviors, build security dashboards, prevent brute force attempts, etc.

  • [Security/Logins] When a worker fails to authenticate multiple times in a row within a short period of time, their account will automatically be locked from further longin attempts for a short time. This mitigates brute force login attempts. [#599]