Merge pull request #12017 from firefly-iii/release-1774238341

🤖 Automatically merge the PR into the develop branch.

.github/pull_request_template.md

@@ -6,6 +6,8 @@
 2. If your PR is more than 25 lines, talk to me FIRST.
 3. If you fix spelling or code comments, talk to me FIRST.
 
+This is to prevent AI bots, low-effort PRs and spam. Sorry about that.
+
 Wanna talk to me? Open a GitHub Issue, Discussion, or email me: james@firefly-iii.org
 
 👀 Please ensure you have taken a look at the contribution guidelines:
@@ -17,7 +19,9 @@ Remember that your PR may be CLOSED:
 2. If you open a PR on the main branch, your PR will be CLOSED.
 3. If you only fix a spelling error or code comment, your PR will be CLOSED.
 
-Thanks again, and happy developing!
+Again, this is to prevent AI bots, low-effort PRs and spam. I apologize for the harsh tone.
+
+But if you made it this far thanks again for contributing, and happy developing!
 
 -->
 
@@ -48,3 +52,6 @@ I used AI assistance for:
 <!--
 Thanks for contributing!
 -->
+
+@JC5
+

THANKS.md

@@ -4,6 +4,7 @@ Over time, many people have contributed to Firefly III. Their efforts are not al
 Please find below all the people who contributed to the Firefly III code. Their names are mentioned in the year of their first contribution.
 
 ## 2026
+- Joe Longendyke
 - Daniel Holøien
 - Matthew Grove
 - Cinnamon Pyro

app/Api/V1/Controllers/Models/TransactionCurrency/DestroyController.php

@@ -28,9 +28,7 @@ use FireflyIII\Api\V1\Controllers\Controller;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Models\TransactionCurrency;
 use FireflyIII\Repositories\Currency\CurrencyRepositoryInterface;
-use FireflyIII\Repositories\User\UserRepositoryInterface;
 use FireflyIII\Support\Facades\Preferences;
-use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
@@ -41,7 +39,6 @@ use Illuminate\Validation\ValidationException;
 final class DestroyController extends Controller
 {
     private CurrencyRepositoryInterface $repository;
-    private UserRepositoryInterface $userRepository;
 
     /**
      * CurrencyRepository constructor.
@@ -50,8 +47,7 @@ final class DestroyController extends Controller
     {
         parent::__construct();
         $this->middleware(function ($request, $next) {
-            $this->repository     = app(CurrencyRepositoryInterface::class);
-            $this->userRepository = app(UserRepositoryInterface::class);
+            $this->repository = app(CurrencyRepositoryInterface::class);
             $this->repository->setUser(auth()->user());
 
             return $next($request);
@@ -69,15 +65,8 @@ final class DestroyController extends Controller
      */
     public function destroy(TransactionCurrency $currency): JsonResponse
     {
-        /** @var User $admin */
-        $admin = auth()->user();
         $rules = ['currency_code' => 'required'];
 
-        if (!$this->userRepository->hasRole($admin, 'owner')) {
-            // access denied:
-            $messages = ['currency_code' => '200005: You need the "owner" role to do this.'];
-            Validator::make([], $rules, $messages)->validate();
-        }
         if ($this->repository->currencyInUse($currency)) {
             $messages = ['currency_code' => '200006: Currency in use.'];
             Validator::make([], $rules, $messages)->validate();

app/Api/V1/Controllers/Models/TransactionCurrency/UpdateController.php

@@ -35,7 +35,6 @@ use FireflyIII\Support\Http\Api\TransactionFilter;
 use FireflyIII\Transformers\CurrencyTransformer;
 use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
-use Illuminate\Support\Facades\Log;
 use League\Fractal\Resource\Item;
 
 /**
@@ -154,7 +153,6 @@ final class UpdateController extends Controller
     public function update(UpdateRequest $request, TransactionCurrency $currency): JsonResponse
     {
         $data        = $request->getAll();
-        Log::debug(__METHOD__, $data);
 
         /** @var User $user */
         $user        = auth()->user();

app/Api/V1/Controllers/Models/TransactionLinkType/DestroyController.php

@@ -32,7 +32,6 @@ use FireflyIII\Support\Facades\Preferences;
 use FireflyIII\Support\Http\Api\TransactionFilter;
 use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
-use Illuminate\Support\Facades\Log;
 
 /**
  * Class DestroyController
@@ -72,11 +71,6 @@ final class DestroyController extends Controller
         if (false === $linkType->editable) {
             throw new FireflyException('200020: Link type cannot be changed.');
         }
-        if (false === auth()->user()->hasRole('owner')) {
-            Log::channel('audit')->warning('Non-owner user tries to delete a link type.');
-
-            return response()->json([], 401);
-        }
 
         $this->repository->destroy($linkType);
         Preferences::mark();

app/Api/V1/Controllers/Models/TransactionLinkType/StoreController.php

@@ -27,12 +27,10 @@ namespace FireflyIII\Api\V1\Controllers\Models\TransactionLinkType;
 use FireflyIII\Api\V1\Controllers\Controller;
 use FireflyIII\Api\V1\Requests\Models\TransactionLinkType\StoreRequest;
 use FireflyIII\Repositories\LinkType\LinkTypeRepositoryInterface;
-use FireflyIII\Repositories\User\UserRepositoryInterface;
 use FireflyIII\Support\Http\Api\TransactionFilter;
 use FireflyIII\Transformers\LinkTypeTransformer;
 use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
-use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 use League\Fractal\Resource\Item;
 
@@ -44,7 +42,6 @@ final class StoreController extends Controller
     use TransactionFilter;
 
     private LinkTypeRepositoryInterface $repository;
-    private UserRepositoryInterface $userRepository;
 
     /**
      * LinkTypeController constructor.
@@ -54,9 +51,8 @@ final class StoreController extends Controller
         parent::__construct();
         $this->middleware(function ($request, $next) {
             /** @var User $user */
-            $user                 = auth()->user();
-            $this->repository     = app(LinkTypeRepositoryInterface::class);
-            $this->userRepository = app(UserRepositoryInterface::class);
+            $user             = auth()->user();
+            $this->repository = app(LinkTypeRepositoryInterface::class);
             $this->repository->setUser($user);
 
             return $next($request);
@@ -73,15 +69,6 @@ final class StoreController extends Controller
      */
     public function store(StoreRequest $request): JsonResponse
     {
-        /** @var User $admin */
-        $admin       = auth()->user();
-        $rules       = ['name' => 'required'];
-
-        if (!$this->userRepository->hasRole($admin, 'owner')) {
-            // access denied:
-            $messages = ['name' => '200005: You need the "owner" role to do this.'];
-            Validator::make([], $rules, $messages)->validate();
-        }
         $data        = $request->getAll();
         // if currency ID is 0, find the currency by the code:
         $linkType    = $this->repository->store($data);

app/Api/V1/Controllers/Models/TransactionLinkType/UpdateController.php

@@ -29,12 +29,10 @@ use FireflyIII\Api\V1\Requests\Models\TransactionLinkType\UpdateRequest;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Models\LinkType;
 use FireflyIII\Repositories\LinkType\LinkTypeRepositoryInterface;
-use FireflyIII\Repositories\User\UserRepositoryInterface;
 use FireflyIII\Support\Http\Api\TransactionFilter;
 use FireflyIII\Transformers\LinkTypeTransformer;
 use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
-use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 use League\Fractal\Resource\Item;
 
@@ -46,7 +44,6 @@ final class UpdateController extends Controller
     use TransactionFilter;
 
     private LinkTypeRepositoryInterface $repository;
-    private UserRepositoryInterface $userRepository;
 
     /**
      * LinkTypeController constructor.
@@ -56,9 +53,8 @@ final class UpdateController extends Controller
         parent::__construct();
         $this->middleware(function ($request, $next) {
             /** @var User $user */
-            $user                 = auth()->user();
-            $this->repository     = app(LinkTypeRepositoryInterface::class);
-            $this->userRepository = app(UserRepositoryInterface::class);
+            $user             = auth()->user();
+            $this->repository = app(LinkTypeRepositoryInterface::class);
             $this->repository->setUser($user);
 
             return $next($request);
@@ -80,15 +76,6 @@ final class UpdateController extends Controller
             throw new FireflyException('200020: Link type cannot be changed.');
         }
 
-        /** @var User $admin */
-        $admin       = auth()->user();
-        $rules       = ['name' => 'required'];
-
-        if (!$this->userRepository->hasRole($admin, 'owner')) {
-            $messages = ['name' => '200005: You need the "owner" role to do this.'];
-            Validator::make([], $rules, $messages)->validate();
-        }
-
         $data        = $request->getAll();
         $this->repository->update($linkType, $data);
         $manager     = $this->getManager();

app/Api/V1/Controllers/System/ConfigurationController.php

@@ -30,12 +30,10 @@ use FireflyIII\Enums\WebhookDelivery;
 use FireflyIII\Enums\WebhookResponse;
 use FireflyIII\Enums\WebhookTrigger;
 use FireflyIII\Exceptions\FireflyException;
-use FireflyIII\Repositories\User\UserRepositoryInterface;
 use FireflyIII\Support\Binder\EitherConfigKey;
 use FireflyIII\Support\Facades\FireflyConfig;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\Log;
-use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 
 /**
@@ -43,21 +41,6 @@ use Illuminate\Validation\ValidationException;
  */
 final class ConfigurationController extends Controller
 {
-    private UserRepositoryInterface $repository;
-
-    /**
-     * ConfigurationController constructor.
-     */
-    public function __construct()
-    {
-        parent::__construct();
-        $this->middleware(function ($request, $next) {
-            $this->repository = app(UserRepositoryInterface::class);
-
-            return $next($request);
-        });
-    }
-
     /**
      * This endpoint is documented at:
      * https://api-docs.firefly-iii.org/?urls.primaryName=2.0.0%20(v1)#/configuration/getConfiguration
@@ -142,11 +125,6 @@ final class ConfigurationController extends Controller
      */
     public function update(UpdateRequest $request, string $name): JsonResponse
     {
-        $rules     = ['value' => 'required'];
-        if (!$this->repository->hasRole(auth()->user(), 'owner')) {
-            $messages = ['value' => '200005: You need the "owner" role to do this.'];
-            Validator::make([], $rules, $messages)->validate();
-        }
         $data      = $request->getAll();
         $shortName = str_replace('configuration.', '', $name);
 

app/Api/V1/Controllers/System/UserController.php

@@ -74,13 +74,9 @@ final class UserController extends Controller
             return response()->json([], 500);
         }
 
-        if ($this->repository->hasRole($admin, 'owner')) {
-            $this->repository->destroy($user);
+        $this->repository->destroy($user);
 
-            return response()->json([], 204);
-        }
-
-        throw new FireflyException('200025: No access to function.');
+        return response()->json([], 204);
     }
 
     /**

app/Api/V1/Requests/Models/TransactionCurrency/UpdateRequest.php

@@ -28,6 +28,7 @@ use FireflyIII\Models\TransactionCurrency;
 use FireflyIII\Rules\IsBoolean;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
+use FireflyIII\User;
 use Illuminate\Foundation\Http\FormRequest;
 
 /**
@@ -45,15 +46,23 @@ class UpdateRequest extends FormRequest
      */
     public function getAll(): array
     {
-        // return nothing that isn't explicitly in the array:
-        $fields = [
-            'name'           => ['name', 'convertString'],
-            'code'           => ['code', 'convertString'],
-            'symbol'         => ['symbol', 'convertString'],
-            'decimal_places' => ['decimal_places', 'convertInteger'],
-            'default'        => ['default', 'boolean'],
-            'enabled'        => ['enabled', 'boolean'],
+        /** @var User $user */
+        $user    = auth()->user();
+        $isAdmin = $user->hasRole('owner');
+
+        $fields  = [
+            'enabled' => ['enabled', 'boolean'],
         ];
+        if ($isAdmin) {
+            $fields = [
+                'name'           => ['name', 'convertString'],
+                'code'           => ['code', 'convertString'],
+                'symbol'         => ['symbol', 'convertString'],
+                'decimal_places' => ['decimal_places', 'convertInteger'],
+                'default'        => ['default', 'boolean'],
+                'enabled'        => ['enabled', 'boolean'],
+            ];
+        }
 
         return $this->getAllData($fields);
     }

app/Exceptions/Handler.php

@@ -251,7 +251,7 @@ class Handler extends ExceptionHandler
             'method'       => request()->method(),
             'headers'      => $headers,
             // @mago-expect lint:no-request-all
-            'post'         => 'POST' === request()->method() ? json_encode(request()->all()) : '',
+            'post'         => 'PUT' === request()->method() || 'POST' === request()->method() ? json_encode(request()->all()) : '',
         ];
 
         // create job that will mail.

app/Helpers/Collector/GroupCollector.php

@@ -75,8 +75,6 @@ class GroupCollector implements GroupCollectorInterface
         $this->userGroup            = null;
         $this->limit                = null;
         $this->page                 = null;
-        $this->startRow             = null;
-        $this->endRow               = null;
 
         $this->hasAccountInfo       = false;
         $this->hasCatInformation    = false;
@@ -443,9 +441,15 @@ class GroupCollector implements GroupCollectorInterface
             $this->query->orWhereIn('transaction_journals.transaction_group_id', $groupIds);
         }
         $result      = $this->query->get($this->fields);
+        $this->total = $result->count();
+        // if no post-filters are present, it can be sliced and returned.
+        if (0 === count($this->sorting) && 0 === count($this->postFilters) && null !== $this->limit && null !== $this->page) {
+            $offset = ($this->page - 1) * $this->limit;
+            $result = $result->slice($offset, $this->limit);
+        }
+
         // $this->dumpQueryInLogs();
-        // Log::debug(sprintf('Count of result is %d', $result->count()));
-        // now to parse this into an array.
+        // now to parse the rest into an array.
         $collection  = $this->parseArray($result);
 
         // filter the array using all available post filters:
@@ -454,19 +458,12 @@ class GroupCollector implements GroupCollectorInterface
         // sort the collection, if sort instructions are present.
         $collection  = $this->sortCollection($collection);
 
-        // count it and continue:
-        $this->total = $collection->count();
-
         // now filter the array according to the page and the limit (if necessary)
-        if (null !== $this->limit && null !== $this->page) {
+        if (count($this->postFilters) > 0 && null !== $this->limit && null !== $this->page) {
             $offset = ($this->page - 1) * $this->limit;
 
             return $collection->slice($offset, $this->limit);
         }
-        // OR filter the array according to the start and end row variable
-        if (null !== $this->startRow && null !== $this->endRow) {
-            return $collection->slice($this->startRow, $this->endRow);
-        }
 
         return $collection;
     }
@@ -477,17 +474,11 @@ class GroupCollector implements GroupCollectorInterface
     public function getPaginatedGroups(): LengthAwarePaginator
     {
         Log::debug('Now in getPaginatedGroups()');
-        $set   = $this->getGroups();
+        $limit = $this->limit ?? 1;
         if (0 === $this->limit) {
             $this->setLimit(50);
         }
-        if (null !== $this->startRow && null !== $this->endRow) {
-            /** @var int $total */
-            $total = $this->endRow - $this->startRow;
-
-            return new LengthAwarePaginator($set, $this->total, $total, 1);
-        }
-        $limit = $this->limit ?? 1;
+        $set   = $this->getGroups();
 
         return new LengthAwarePaginator($set, $this->total, $limit, $this->page);
     }
@@ -519,13 +510,6 @@ class GroupCollector implements GroupCollectorInterface
         return $this;
     }
 
-    public function setEndRow(int $endRow): self
-    {
-        $this->endRow = $endRow;
-
-        return $this;
-    }
-
     public function setExpandGroupSearch(bool $expandGroupSearch): GroupCollectorInterface
     {
         $this->expandGroupSearch = $expandGroupSearch;
@@ -636,13 +620,6 @@ class GroupCollector implements GroupCollectorInterface
         return $this;
     }
 
-    public function setStartRow(int $startRow): self
-    {
-        $this->startRow = $startRow;
-
-        return $this;
-    }
-
     /**
      * Limit the search to one specific transaction group.
      */
@@ -692,6 +669,10 @@ class GroupCollector implements GroupCollectorInterface
     #[Override]
     public function sortCollection(Collection $collection): Collection
     {
+        if (0 === count($this->sorting)) {
+            return $collection;
+        }
+
         /**
          * @var string $field
          * @var string $direction

app/Helpers/Collector/GroupCollectorInterface.php

@@ -469,11 +469,6 @@ interface GroupCollectorInterface
      */
     public function setEnd(Carbon $end): self;
 
-    /**
-     * Set the page to get.
-     */
-    public function setEndRow(int $endRow): self;
-
     public function setExpandGroupSearch(bool $expandGroupSearch): self;
 
     /**
@@ -573,11 +568,6 @@ interface GroupCollectorInterface
      */
     public function setStart(Carbon $start): self;
 
-    /**
-     * Set the page to get.
-     */
-    public function setStartRow(int $startRow): self;
-
     /**
      * Limit results to a specific tag.
      */

app/Http/Controllers/Admin/NotificationController.php

@@ -132,7 +132,7 @@ final class NotificationController extends Controller
             return redirect(route('settings.notification.index'));
         }
 
-        $all              = $request->only(['channel']);
+        $all              = $request->only(['test_submit']);
         $channel          = $all['test_submit'] ?? '';
 
         switch ($channel) {

app/Http/Controllers/Auth/RegisterController.php

@@ -83,7 +83,7 @@ final class RegisterController extends Controller
             throw new FireflyException('Registration is currently not available :(');
         }
 
-        $this->validator($request->only(['email', 'password']))->validate();
+        $this->validator($request->only(['email', 'password', 'password_confirmation']))->validate();
         $user              = $this->createUser($request->only(['email', 'password']));
         Log::info(sprintf('Registered new user %s', $user->email));
         $owner             = new OwnerNotifiable();

app/Http/Middleware/IsAdminApi.php

@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * IsAdmin.php
+ * Copyright (c) 2019 james@firefly-iii.org
+ *
+ * This file is part of Firefly III (https://github.com/firefly-iii).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+declare(strict_types=1);
+
+namespace FireflyIII\Http\Middleware;
+
+use Closure;
+use FireflyIII\Repositories\User\UserRepositoryInterface;
+use FireflyIII\User;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Class IsAdmin.
+ */
+class IsAdminApi
+{
+    /**
+     * Handle an incoming request. Must be admin.
+     *
+     * @param null|string $guard
+     *
+     * @return mixed
+     *
+     * @throws AuthorizationException
+     */
+    public function handle(Request $request, Closure $next, $guard = null)
+    {
+        if (Auth::guard($guard)->guest()) {
+            if ($request->ajax()) {
+                return response('Unauthorized.', 401);
+            }
+
+            return response()->redirectTo(route('login'));
+        }
+
+        /** @var User $user */
+        $user       = auth()->user();
+
+        /** @var UserRepositoryInterface $repository */
+        $repository = app(UserRepositoryInterface::class);
+        if (!$repository->hasRole($user, 'owner')) {
+            Log::error(sprintf('Cannot access %s?%s.', $request->url(), $request->getQueryString()));
+
+            throw new AuthorizationException();
+        }
+
+        return $next($request);
+    }
+}

app/Services/Internal/Recalculate/PrimaryAmountRecalculationService.php

@@ -202,7 +202,7 @@ class PrimaryAmountRecalculationService
 
         /** @var Account $account */
         foreach ($set as $account) {
-            $currencyId = (int) $account->accountMeta()->where('name', 'currency_id')->first()->data;
+            $currencyId = (int) $account->accountMeta()->where('name', 'currency_id')->first()?->data;
             if ($groupCurrency->id === $currencyId) {
                 Log::debug(sprintf('Account "%s" is in group currency %s. Skip.', $account->name, $groupCurrency->code));
 

app/Services/Internal/Update/JournalUpdateService.php

@@ -774,8 +774,8 @@ class JournalUpdateService
                     $this->transactionJournal,
                     'update_foreign_amount',
                     [
-                        'currency_symbol' => $oldForeignCurrency->symbol,
-                        'decimal_places'  => $oldForeignCurrency->decimal_places,
+                        'currency_symbol' => $oldForeignCurrency?->symbol,
+                        'decimal_places'  => $oldForeignCurrency?->decimal_places,
                         'amount'          => $originalSourceAmount,
                     ],
                     [

app/Support/Binder/Date.php

@@ -70,7 +70,7 @@ class Date implements BinderInterface
         try {
             $result = new Carbon($value);
         } catch (InvalidDateException|InvalidFormatException $e) {
-            $message = sprintf('Could not parse date "%s" for user #%d: %s', $value, auth()->user()->id, $e->getMessage());
+            $message = sprintf('Could not parse date "%s" for user #%d: %s', $value, (int) auth()->user()?->id, $e->getMessage());
             Log::error($message);
 
             throw new NotFoundHttpException('Could not parse value', $e);

bootstrap/app.php

@@ -29,6 +29,7 @@ use FireflyIII\Http\Middleware\EncryptCookies;
 use FireflyIII\Http\Middleware\Installer;
 use FireflyIII\Http\Middleware\InterestingMessage;
 use FireflyIII\Http\Middleware\IsAdmin;
+use FireflyIII\Http\Middleware\IsAdminApi;
 use FireflyIII\Http\Middleware\Range;
 use FireflyIII\Http\Middleware\RedirectIfAuthenticated;
 use FireflyIII\Http\Middleware\SecureHeaders;
@@ -157,7 +158,7 @@ $app = Application::configure(basePath: dirname(__DIR__))
                       // This middleware is added to ensure that the user is not only logged in and
                       // authenticated (with MFA and everything), but also admin.
                       $middleware->appendToGroup('api-admin', [
-                          IsAdmin::class,
+                          IsAdminApi::class,
                       ]);
                       $middleware->appendToGroup('admin', [
                           IsAdmin::class,

changelog.md

@@ -3,9 +3,28 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## v6.5.9 - 2026-03-23
+
+<!-- summary: Bug fixes mainly, but also updated dependencies and new wording in the instructions you see when you open a PR. -->
+
+### Fixed
+- [Issue 12004](https://github.com/firefly-iii/firefly-iii/issues/12004) (Test notification buttons always generate an error) reported by @IDevJoe
+- [Issue 12014](https://github.com/firefly-iii/firefly-iii/issues/12014) (Converting a transaction to a transfer and setting the destination account to one with a different currency breaks the audit log) reported by @avee87
+
+# Changed
+- [Issue 12000](https://github.com/firefly-iii/firefly-iii/issues/12000) (Improved transaction pagination for large data sets) reported by @christiaanderidder
+
+## v6.5.8 - 2026-03-22
+
+<!-- summary: This release fixes a regression bug in user registration. -->
+
+### Fixed
+
+- [Issue 11995](https://github.com/firefly-iii/firefly-iii/issues/11995) (User registration breaks on password validation) reported by @mikaelhm
+
 ## v6.5.7 - 2026-03-21
 
-<!-- summary: There is a new security policy for AI-generated security advisories and of course, interesting and annoying bugs fixed. -->
+<!-- summary: There is a new security policy for AI-generated security advisories and of course, some interesting but annoying bugs fixed. -->
 
 ### Fixed
 

config/firefly.php

@@ -78,8 +78,8 @@ return [
         'running_balance_column' => (bool)envDefaultWhenEmpty(env('USE_RUNNING_BALANCE'), true), // this is only the default value, is not used.
         // see cer.php for exchange rates feature flag.
     ],
-    'version'                              => 'develop/2026-03-20',
-    'build_time'                           => 1774047487,
+    'version'                              => 'develop/2026-03-23',
+    'build_time'                           => 1774238153,
     'api_version'                          => '2.1.0', // field is no longer used.
     'db_version'                           => 28, // field is no longer used.
 

resources/assets/v2/package.json

@@ -9,10 +9,10 @@
     },
     "devDependencies": {
         "axios": "^1",
-        "laravel-vite-plugin": "^2",
+        "laravel-vite-plugin": "^3",
         "patch-package": "^8",
         "sass": "^1",
-        "vite": "^7",
+        "vite": "^8",
         "vite-plugin-manifest-sri": "^0.2.0"
     },
     "dependencies": {

resources/assets/v2/src/support/renderers/GenericObjectRenderer.js

@@ -20,6 +20,14 @@
 
 export default class GenericObjectRenderer {
     renderUrl(url, title, text) {
-        return `<a href="${url}" title="${title}">${text}</a>`;
+        return `<a href="${url}" title="${this.escapeHtml(title)}">${this.escapeHtml(text)}</a>`;
     }
+    escapeHtml(unsafe) {
+        return unsafe
+            .replaceAll("&", "&amp;")
+            .replaceAll("<", "&lt;")
+            .replaceAll(">", "&gt;")
+            .replaceAll('"', "&quot;")
+            .replaceAll("'", "&#039;");
+    };
 }

routes/api.php

@@ -347,7 +347,6 @@ Route::group(
         'namespace'  => 'FireflyIII\Api\V1\Controllers\Models\UserGroup',
         'prefix'     => 'v1/user-groups',
         'as'         => 'api.v1.user-groups.',
-        'middleware' => ['api-admin'],
     ],
     static function (): void {
         Route::get('', ['uses' => 'IndexController@index', 'as' => 'index']);
@@ -636,6 +635,7 @@ Route::group(
     ],
     static function (): void {
         Route::get('', ['uses' => 'ShowController@index', 'as' => 'index']);
+        Route::put('{currency_code?}', ['uses' => 'UpdateController@update', 'as' => 'update']);
         Route::get('primary', ['uses' => 'ShowController@showPrimary', 'as' => 'show.primary']);
         Route::get('default', ['uses' => 'ShowController@showPrimary', 'as' => 'show.default']);
         Route::get('{currency_code}', ['uses' => 'ShowController@show', 'as' => 'show']);
@@ -655,7 +655,7 @@ Route::group(
     }
 );
 
-// transaction currency API routes that require admin rights:
+// Transaction currency API routes that require admin rights:
 Route::group(
     [
         'namespace'  => 'FireflyIII\Api\V1\Controllers\Models\TransactionCurrency',
@@ -664,9 +664,8 @@ Route::group(
         'middleware' => ['api-admin'],
     ],
     static function (): void {
-        Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
-        Route::put('{currency_code?}', ['uses' => 'UpdateController@update', 'as' => 'update']);
         Route::delete('{currency_code}', ['uses' => 'DestroyController@destroy', 'as' => 'delete']);
+        Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
     }
 );
 
@@ -696,11 +695,23 @@ Route::group(
     ],
     static function (): void {
         Route::get('', ['uses' => 'ShowController@index', 'as' => 'index']);
-        Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
         Route::get('{linkType}', ['uses' => 'ShowController@show', 'as' => 'show']);
+        Route::get('{linkType}/transactions', ['uses' => 'ListController@transactions', 'as' => 'transactions']);
+    }
+);
+
+// Transaction Link Type API routes that need admin rights.
+Route::group(
+    [
+        'namespace'  => 'FireflyIII\Api\V1\Controllers\Models\TransactionLinkType',
+        'prefix'     => 'v1/link-types',
+        'as'         => 'api.v1.link-types.',
+        'middleware' => ['api-admin'],
+    ],
+    static function (): void {
+        Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
         Route::put('{linkType}', ['uses' => 'UpdateController@update', 'as' => 'update']);
         Route::delete('{linkType}', ['uses' => 'DestroyController@destroy', 'as' => 'delete']);
-        Route::get('{linkType}/transactions', ['uses' => 'ListController@transactions', 'as' => 'transactions']);
     }
 );
 
@@ -740,10 +751,23 @@ Route::group(
     ],
     static function (): void {
         Route::get('', ['uses' => 'ConfigurationController@index', 'as' => 'index']);
-        Route::put('{dynamicConfigKey}', ['uses' => 'ConfigurationController@update', 'as' => 'update']);
         Route::get('{eitherConfigKey}', ['uses' => 'ConfigurationController@show', 'as' => 'show']);
     }
 );
+
+// Configuration API routes that need admin rights
+Route::group(
+    [
+        'namespace'  => 'FireflyIII\Api\V1\Controllers\System',
+        'prefix'     => 'v1/configuration',
+        'as'         => 'api.v1.configuration.',
+        'middleware' => ['api-admin'],
+    ],
+    static function (): void {
+        Route::put('{dynamicConfigKey}', ['uses' => 'ConfigurationController@update', 'as' => 'update']);
+    }
+);
+
 // Users API routes:
 Route::group(
     [