This release is a release candidate of an upcoming 3.1 version of OroCommerce. In this release we focused on application stability and security.
We have added variables for all order totals so the order confirmation email may now include all the data displayed to the customer during checkout. Variables may also display totals in different currencies, allowing the customer to see their order details in checkout currency if it differs from the base currency.
OroCommerce may now connect to websocket server via SSL/TLS connection and pass SSL connect options if necessary. To enable this connection, use the following parameters in the application configuration:
websocket_backend_transportdefines the transport to be used for connection. This option may be set to any registered transport returned by
[stream_get_transports](http://php.net/manual/en/function.stream-get-transports.php); the default value is
websocket_backend_ssl_optionsspecifies the SSL context options that will be passed when establishing the connection.
These configuration options are not exposed on the UI and should be set during the installation or changed in
Connection origin check
To further improve the security of websocket connection and eliminate Cross-Site WebSocket Hijacking (CSWSH) attacks, Origin headers will be checked against the list of allowed origins after the websocket connection is established. This feature utilizes the existing OriginCheck functionality of GoS WebSocket bundle.
New Case-Insensitive Email Addresses configuration option allows the system configurator to restrict user email addresses acceptable for registration of both customer users and back-office users. When this option is turned on, all different capitalizations of a same email (e.g. email@example.com and JohnDoe@example.com) will be treated as the same address so only one of them could be used to register a user. This option is off by default, as prescribed by RFC 5321 2.4.
- JSON API is now the default REST API sandbox
- API filters are now enabled by default for one-to-many relations
- We created developer documentation for API filters
- We added data flow diagrams to API action documentation to clarify the use of API processors in customizations
- Checkout performance was improved significantly
- ACL security model is now extendable with custom data access rules
- New ACL rule restricts visitors from accessing checkouts (
frontend-checkouts-grid) that do not belong to them
Due to deprecations of Elasticsearch 6 the following changes were introduced:
- Fulltext search will match words only from the beginning of the word – e.g.
Foldable Wheelchairwill be found by
wheel, but not by
- In case of multiple words,
ANDstrategy will be used in the admin panel search