HST Code and Configuration Updates
The method HstRequestContext#isCmsRequest was deprecated in 13.2, is still deprecated in 14.0, and has been removed in 14.7. It has been replaced with HstRequestContext#isChannelManagerPreviewRequest, which provides the same functionality: identifying whether or not a request has an Experience Manager preview context. The name of the old method has been inaccurate since the introduction of the HST platform in 13.0; the new method has a more descriptive name.
If your implementation project contains any calls to HstRequestContext#isCmsRequest, it is recommended to replace them with HstRequestContext#isChannelManagerPreviewRequest when upgrading to 14.0.
In Java code, look for code like this:
And update it like this:
In Freemarker (or JSP) templates, look for code like this:
And replace it like this:
See Detect Preview or Experience Manager Request Context for more information.
Retrieving Authenticated User Info
How to retrieve information about an authenticated user has changed, depending on your use case. Before version 14, every JCR Session was allowed to read its own JCR user node stored below /hippo:configuration/hippo:users, as well as the groups (below /hippo:configuration/hippo:groups) the user was a member of. End projects could therefore use direct JCR read access to retrieve information such as the first and last name of an authenticated user. Since version 14, the JCR Session of a regular (not admin or system) user is no longer allowed to read its own user and group nodes, so this logic needs to be updated. How to retrieve user info is documented at Get Authenticated User, which should be enough to understand how to rewrite your code if needed.
Default Sitewriter User More Restricted
The sitewriter is an HST user from the sitewriter session pool. Its purpose is to be allowed to read and write specific JCR nodes, for example nodes below /formdata or below /polldata. Before version 14, the sitewriter by default had read access to folders below /content. This is no longer the case, so some code relying on the sitewriter might no longer function properly. Instead of granting the sitewriter read access on folders, the preferred approach is to rewrite the code so that it does not rely on the sitewriter having read access on folders, for example by using the hst config user or another user that has read access on folders by default.
Custom Experience Manager / Relevance REST endpoints Require Annotation
If you have added an extra endpoint to the Experience Manager REST endpoints or an extra Relevance REST endpoint, by default the methods of those REST endpoints can no longer be invoked. A method may only be invoked if it is annotated
- with javax.annotation.security.PermitAll, or
- with org.hippoecm.hst.pagecomposer.jaxrs.api.annotation.PrivilegesAllowed, and the user has the required privilege on the JCR node that is checked.
The annotation PermitAll means that anybody can invoke the method (provided they are already authenticated in the CMS). PrivilegesAllowed requires the user to have the right privilege on a certain JCR node. PrivilegesAllowed takes a String argument for the required privilege and optionally an absPath argument for the JCR node to test against. If no absPath is present, implicit logic determines which JCR node to test against, for example the JCR node of the HST configuration currently being edited. For the Experience (Channel) Manager REST endpoints we differentiate between the using
and for Relevance end points we differentiate between
- @PrivilegesAllowed(value = "hippo:targeting-editor", absPath = "/targetting:targeting/some/path")
- @PrivilegesAllowed(value = "hippo:targeting-viewer", absPath = "/targetting:targeting/some/path")
If you have custom REST endpoints that are hooked into the Channel Manager or Relevance (which, by the way, we do not formally support since it is not part of our public API), you will need to add at least PermitAll or PrivilegesAllowed with the right privilege to make them available.
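As an added example (not code from the Bloomreach documentation or product), a custom Relevance REST endpoint annotated so that its methods remain invocable in version 14. The class name, resource paths and method bodies are hypothetical; the privilege names and the absPath are the ones listed above.

```java
import javax.annotation.security.PermitAll;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.hippoecm.hst.pagecomposer.jaxrs.api.annotation.PrivilegesAllowed;

// Hypothetical custom Relevance endpoint; the class and paths are assumptions.
@Path("/custom-targeting/")
public class CustomTargetingResource {

    // Read-only health check: any user already authenticated in the CMS may call it.
    @GET
    @Path("/status")
    @Produces(MediaType.APPLICATION_JSON)
    @PermitAll
    public Response status() {
        return Response.ok("{\"status\":\"ok\"}").build();
    }

    // Reading targeting data: caller needs the viewer privilege on the given node.
    @GET
    @Path("/data")
    @Produces(MediaType.APPLICATION_JSON)
    @PrivilegesAllowed(value = "hippo:targeting-viewer", absPath = "/targetting:targeting/some/path")
    public Response read() {
        return Response.ok("{\"data\":[]}").build();
    }

    // Modifying targeting data: caller needs the editor privilege on the given node.
    @PUT
    @Path("/data")
    @PrivilegesAllowed(value = "hippo:targeting-editor", absPath = "/targetting:targeting/some/path")
    public Response update(String body) {
        return Response.noContent().build();
    }

    // No annotation at all: in version 14 this method is no longer invocable.
    // Annotate it with PermitAll or PrivilegesAllowed, or remove it.
    @GET
    @Path("/unannotated")
    public Response unannotated() {
        return Response.ok().build();
    }
}
```

Pick the least permissive annotation that fits each method: PermitAll only for operations that every authenticated CMS user may perform, and PrivilegesAllowed with the viewer or editor privilege for anything that reads or changes targeting data.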