For the impatient, grab the update here: https://getk2.org/downloads/?f=K2_v2.6.7.zip
If you are on Joomla! 1.5, grab the zip file from the link above and install it on top of your existing K2 version. If you are on Joomla! 2.5 or 3.x, go to the Joomla! update manager, purge the update cache, re-check and you'll see the new release available to instantly update. If you are on Joomla! 1.6 or 1.7 then World War Z has already happened. Just kidding, but make sure you upgrade to Joomla! 2.5 or 3.x now!
So what's changed or been updated in this new release in more detail?
First of all, we fixed a minor VEL report as stated here: http://vel.joomla.org/vel-blog/623-k2-2-6-6.html
To clarify the matter, elFinder, a JavaScript file manager that we use for the K2 Media Manager, uses a thumbnails folder to create the previews of images you see in the backend. This thumbnail folder was set to '777' file permissions and was flagged by the VEL team. They were right of course to flag K2 for that and it was our fault that we hadn't seen this before in elFinder's code. The truth is however that this is not an important bug for 2 reasons: a) the thumbnails folder is hidden by default as it's prefixed with a dot (.tmb), so it's essentially impossible for any public user to browse to that folder and upload a nasty file there and b) since we've excluded user intervention with (a), let's also exclude remote intervention as well. You see, even if a folder is marked with '777' permissions, in order for one to put something into that folder, they must already be present on the same server as you (aka on a shared hosting plan) and have shell access (or some other method) to "write" a malicious file into your account. So the chances are very minimal.
That being said, you must always use 755 as the right permissions for your site folders and 644 for your site files. The .tmb folder from K2 may be hard to find, but your web root isn't ;)
So, to move on and fix things up, install K2 v2.6.7 and then also grab and install the free "Admin Tools" from https://www.akeebabackup.com/download/admintools.html and use its "repair permissions" feature to set the aforementioned correct file/folder permissions on .tmb and your entire Joomla! site as well. Or if you wanna do it the manual way, just delete ".tmb" (should be inside your "images/" folder or where you've set your Joomla! media manager path to look into by default). elFinder via the K2 Media Manager will simply recreate the .tmb folder with the proper permissions. You should of course use FTP to do that as the folder is not visible via Joomla! as I already mentioned.
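If you have shell access rather than FTP, the same check and repair can be scripted. The following is an added example, not part of K2, elFinder or Admin Tools: it lists world-writable entries (dot-folders such as .tmb included) and applies the 755/644 targets mentioned above. The function names and the sample tree are constructed for illustration, and the site path you pass in is your own.

```shell
#!/bin/sh
# Added example: audit and repair permissions under a Joomla! site root.
# Targets from the post: 755 for folders, 644 for files.

# Print every world-writable file or folder under $1.
# find descends into dot-folders, so a hidden .tmb is not missed.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Count entries whose mode is not exactly 755 (folders) or 644 (files).
count_nonstandard() {
    find "$1" \( -type d ! -perm 0755 -o -type f ! -perm 0644 \) -print \
        | wc -l | tr -d ' '
}

# Apply 755 to folders and 644 to files; symlinks are left untouched.
repair_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample site that mimics the reported state:
# images/.tmb at 777 containing one thumbnail at 666.
make_sample_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/images/.tmb"
    : > "$site/images/.tmb/thumb.png"
    : > "$site/index.php"
    chmod 755 "$site" "$site/images"
    chmod 777 "$site/images/.tmb"
    chmod 666 "$site/images/.tmb/thumb.png"
    chmod 644 "$site/index.php"
    printf '%s\n' "$site"
}

# When given a path, report first and repair only if asked to.
if [ -n "${1:-}" ]; then
    list_world_writable "$1"
    if [ "${2:-}" = "--repair" ]; then
        repair_perms "$1"
    fi
fi
```

Run it with the site root as the first argument to get the report, and add --repair as the second argument to apply the changes.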
Now, on to the shiny new features!
We have added a new ACL option called "allow editing of already published items" for frontend editing. This essentially allows "trusted" users to republish their existing K2 items without the need of a moderator's approval.
jQuery has also been updated to support the latest 1.10.x release (in the 1.x branch - support for 2.x will not be added yet).
We have extended K2's anti-spam tools by integrating Akismet in the comments system. The cool thing is you can now even combine reCaptcha with Akismet for the best possible spam protection. You'll require an API key to have Akismet work on your site, which you can get from http://akismet.com.
When you install K2 on a new site, you'll also notice that both reCaptcha and Akismet are enabled (under the "Comments" tab in K2's parameters) even for registered users (when the related API keys are inserted). This is to prevent spammers from signing up to an "open" site (aka without user signup moderation) and posting spam comments in K2's commenting system, just because reCaptcha gets disabled for registered users. Yes, this is what's been plaguing K2 sites for some time now, because user registration is open by default in Joomla! and likewise, reCaptcha was disabled by default when users were logging in. So we have changed the default behaviour of this option and by default both reCaptcha and Akismet will be turned on even for registered users. You'll see a dramatic decrease of spam posts if you enable this option on existing K2 sites. Of course, if you want your users to avoid the reCaptcha challenge (which can be a bit annoying for legitimate users), you can still use Akismet, which is fully transparent (runs in the background every time a comment is posted).
There are no K2 template override changes between versions 2.6.5, 2.6.6 and 2.6.7.
For a full list of changes (big or small), grab a Caipirinha, sit back and check out the long list posted on our SVN server: http://code.google.com/p/getk2/source/list
If you notice a bug, please take a moment to report it here: http://code.google.com/p/getk2/issues/list - we check this very often ;)
Enjoy!