Skip to content

Release Notes

Releases use the following numbering system: {major}.{minor}.{incremental}

  • major: Major refactoring or rewrite - make sure you read and test very carefully!
  • minor: Breaking change in some circumstances, or a new feature. Read carefully and make sure you understand the impact of the change.
  • incremental: A "safe" change / improvement. Should always be safe to upgrade.

  • [BC]: Items marked with [BC] indicate a breaking change that will require updates to your code if you are using that code in your extension.

1.5.9 (2023-04-12)

  • Fix #28 Fix firewall event triggers.
  • Fix #31 Make compatible with all versions of symfony.

1.5.8 (2023-01-12)

  • !14 Add composer.json for easier inclusion in projects.
  • Fix setting context when generating CSRF token.

1.5.7 (2022-12-09)

  • #25 Add hook that triggers when firewall blocks an IP address.
  • #26 Add a firewall event for formprotection violations.

1.5.6 (2022-11-17)

  • Save CSRF token context to session if available.

1.5.5 (2022-11-16)

  • Add Stripe authorize listener (used to authorize Stripe API events).

1.5.4 (2022-11-14)

  • Fix CSRF timeout too soon.
  • !10 Add session id to CSRF.

1.5.3 (2022-11-13)

  • Fix 500 error on sites with translation enabled
  • Use secure_cache_timeout_minutes instead of custom setting for CSRF token lifetome

1.5.2 (2022-11-12)

  • #23 Add event for logging declined cards, stricter fraud settings


  • Improve documentation.
  • Improve return values from Job.firewall_cleanup.


  • Don't use IP address to generate/validate CSRF tokens (the IP address may change during a client session, particularly on mobile networks).


  • Implement IP address block list and IPv4 wildcards for block/safelist (eg. 192.168.*).
  • Trigger firewall via civi.invoke.auth event. hook_civicrm_config can run too early and cause classloader issues - should fix #18.


  • Convert Firewall to use non-static methods and provide a "reason" string on failure.
  • Fix #17 Compatibility with Symfony 4+.


  • Fix #16 Error: Class 'Civi\Firewall\Firewall' not found in...


  • Add settings page at Administer->System Settings->Firewall.
  • Improve method for retrieving client IP address (handle CiviCRM behind reverse proxy).
  • Implement IP address safe list.


  • Fix permissions issue on 5.28 when running cleanup job.
  • Regenerate autogenerated code for compatibility with newer CiviCRM versions.


  • Fix #15 Firewall breaks drush cache:rebuild on Drupal 8.


  • Fix #12 Make sure that the caller (API4) always has permission to write an entry to the firewall log table.


  • Add Firewall.Getcsrf and Firewall.Getcsrfisvalid APIv3 functions.
  • Change the way we generate/validate CSRF tokens so they do not rely on session (or any) storage:

Previously this was stored in the user session but this causes problems if you request more than one token in the same session (eg. by opening multiple payment pages in different browser tabs).

  • Fix parameters for API3 Job.firewall_cleanup.
  • Don't log changes to civicrm_firewall_ipaddress table.


  • Regenerate DAO (Data Access Object) files to support changes in CiviCRM 5.27+.


  • Don't specify ROW_FORMAT=DYNAMIC when installing (leave it to CiviCRM/database to decide).


  • Fix #5 Api4 related error with Firewall: Cleanup job

0.2 / 1.0

  • Specify database Engine=InnoDB and Row format = DYNAMIC to resolve installation issues on some database servers.


  • Initial Release