Bagisto releases

:sparkles: Features

• #10832 - Added a "Sales By Coupon" report to the admin sales reporting dashboard, with a coupon-code badge linking to the corresponding cart rule edit page and a drill-down "View Details" listing showing each order that used a coupon (order ID linking to the order detail, coupon code linking to the cart rule).

:bug: Bug Fixings

• Fixed wrong "From" and "To" dates on the admin Bookings data grid and calendar view caused by the Carbon 3 timezone behavior change in the Laravel 12 upgrade. Carbon::createFromTimestamp() now returns UTC by default instead of the app timezone, so the booking timestamps are explicitly converted via ->timezone(config('app.timezone')) in BookingDataGrid and BookingController.

• Optimized cart rule evaluation to reduce repeated database lookups during cart total calculation, improving cart and checkout performance.

• Refined the admin cart-rule create/edit pages with a clearer Coupon section, a context-aware Actions card, and a dedicated Generated Coupons datagrid with a modal-based bulk-code generator.

• Refined the storefront cart and onepage checkout summaries with + / − indicators, a collapsed dual tax-mode display, an expandable Discount breakdown, and a modernized applied-coupon pill.

• #8738 - Added column sorting on every reporting list page (Sales / Customers / Products) with sort direction indicators in the column header, fixing the previously non-functional click target.

:bug: Bug Fixings

All booking product bug fixes from the 2.3 branch into 2.4. Key highlights:

• Added admin-side order creation support for booking products across appointment, event, rental, default, and table sub-types.
• Fixed booking slot overlap detection and corrected the calendar window generation for appointment bookings.
• Fixed display pricing for rental and event sub-types with a "starting from" price on listings and corrected strike-through pricing.
• Hardened cart handling for booking items (quantity updates, missing-ticket guards, inverted rental range checks).
• Fixed booking product import by updating the data-transfer sample files and correcting the importer for booking attributes.

:bug: Bug Fixings

• Added Booking product support to the DataTransfer (import) package. Booking products can now be imported via CSV/XLS/XLSX/XML using a new booking_options column that follows the existing pipe/key=value convention (same pattern as bundle_options / configurable_variants). The column encodes the product-level config, type-specific config, and slot or ticket records in pipe-separated sections. All five booking subtypes are supported: default (one/many), appointment, event (with tickets + translations), rental (daily/hourly), and table. Updated the sample product files in all four formats with one example per booking subtype.

• #11258 - Fixed user enumeration vulnerability (CWE-204) in the customer resend-verification endpoint where a missing null-check leaked email existence via differential HTTP responses. Added rate limiting on the route.

• #11273 - Reworked the Sales → Booking → Calendar event detail modal to focus on booking information. Removed the ordered amount (Price), added the product name, and now reuses the same booking attributes (From/Till, Location, Ticket, Number of Bookings, etc.) that are shown in the cart and order views — rendered in the same logical order (When → Where → What → How many). The underlying booking query no longer pulls the grand total and now joins order_items.additional and the localized product name.

• #10695 - Booking product availability is now visually indicated on the date picker. Weekdays with no slots configured, dates outside the available_from/available_to window, and dates blocked by prevent_scheduling_before are now grayed out in the calendar, so customers no longer have to click each date to check availability. Applies to default, appointment, table, and rental booking types.

• #11263 - Fixed the Cancel Order option ignoring the booking allow_cancellation flag. The flag is now snapshotted on the bookings record at order placement time, so later product edits never affect placed orders. For mixed orders, cancelling now skips only the non-cancellable booking items and cancels the rest — the Cancel button remains available as long as the order has at least one cancellable item. Amber informational banners explain this behaviour on both admin and customer order views, and a separate banner on the product view warns customers before checkout.

• #11262 - Fixed booking products allowing checkout beyond available quantity. The compareOptions comparator for booking products now matches on booking slot/date/renting-type so repeated additions of the same slot merge into a single cart item, correctly triggering the out-of-stock validation.

• #11261 - Fixed the Reorder button being visible in admin and customer order views for booking products that are out of stock. The Booking type now implements a proper isSaleable() check based on booking quantity, event ticket stock, and the product's availability window. Booking items are also skipped during reorder with an info message, since their original slot data is typically expired.

• #11260 - Fixed event booking showing the "sold out" toast when the requested quantity exceeded the available stock. A dedicated exceeds_available message is now shown with the remaining ticket count when stock is still available.

• #11259 - Fixed the "Start time must be less than end time" toast appearing for valid multi-day slots (e.g., Saturday to Sunday) on default booking products. Time comparison now runs only for same-day slots, and the frontend overlap check handles cross-week ranges correctly.

• #11251 - Fixed a system crash when viewing refund details after refunding a table booking product. The Booking product type was marked as composite, causing the refund view to look for child items that do not exist.

• #11250 - Fixed a system crash when viewing refund details after refunding an appointment booking product, caused by the same composite product misconfiguration.

• #11240 - Updated the event booking product page to display the combined ticket price (base product price + ticket type price) so customers can see the actual amount payable per ticket.

• #11239 - Fixed incorrect slot selection time and date displayed in the cart, customer orders, and admin section for default booking products. Timestamps are now converted using the configured application timezone to match the slot selected by the customer.

• #11238 - Fixed incorrect slot duration and time visibility in the cart, customer orders, and admin section by casting slot timestamps to integer and applying consistent timezone conversion across all booking attribute formatters.

• #11236 - Fixed an issue with incorrect slot visibility on the product page for table booking products when the selected weekday or date was out of range.

• #11235 - Fixed an issue causing incorrect slot visibility based on selected day and date in appointment booking.

• #11234 - Fixed product categories being silently cleared when saving the product while viewing a channel whose root category differs from another channel's. The edit form now preserves categories outside the current channel's tree via hidden inputs so sync() no longer drops them.

• #11232 - Fixed guest limit and booking slot details not being visible in the cart for table booking products. The cart attributes now include charged-per type (per table/per guest) and guest limit when applicable.

• #11230 - Fixed irrelevant slot time displayed in the cart for hourly rental bookings by casting timestamps to integer and applying timezone conversion consistently.

• #10902 - Updated appointment booking products to display only available time slots.

• #10739 - Fixed booking information not being displayed properly on the product view page when the booking information was edited on the product edit page. Null guards were added so storefront views do not fail when slot relations are missing.

• #10738 - Fixed the "Slots Time Duration" functionality not working correctly for the "One Booking for Many Days" default booking configuration. Overlapping multi-day slot ranges are now matched against the selected day of week and cross-day slots are no longer silently dropped by the backend overlap validator.

• #10708 - Fixed event booking cart allowing quantity to exceed the ticket limit. A max-value constraint was added to the quantity changer based on the ticket's available quantity.

• #10697 - Fixed incorrect alert message being shown when a rental product was unavailable. Type-specific error messages are now returned for rental, event, and other booking types.

• #10696 - Fixed the end date not being displayed for "One Booking for Many Days" booking products on the storefront. Multi-day slot labels now include the day and date along with the time.

• #10683 - Fixed duplicate slot timing being shown for the same day on booking products. The slot calculation helper now deduplicates slots by timestamp and performs sorting once after slot generation completes.

:bug: Bug Fixings

• Added support for Romanian language.

• Fixed product 404 when locale-specific URL keys differ across locales by adding cross-locale fallback in product slug resolution and locale-aware URL rewrite redirects.

• Upgraded image search to support AI-powered analysis via Laravel AI SDK (MagicAI), with TensorFlow.js as the default fallback. Configurable under Magic AI > Storefront Features > AI Image Search.

• Added Base URL configuration field for Ollama provider in Magic AI settings.

• Fixed RMA rules issues where inactive rules were still selectable on the product create/edit form, and where the "Create" modal would update the last-edited rule after an edit modal had been opened.

• #11220 - Fixed SQL injection in DataGrid sort column and unauthenticated path traversal via ImageCache.

• #11212 - Fixed TypeError in Carbon when RESPONSE_CACHE_ENABLED is enabled.

• #11013 - Fixed an issue where the order date range filter accepted a single date input and returned no results.

:bug: Bug Fixings

• Added support for Romanian language.

• Fixed product 404 when locale-specific URL keys differ across locales by adding cross-locale fallback in product slug resolution and locale-aware URL rewrite redirects.

• Fixed tax categories being undeletable once any tax rate was assigned or any historical order referenced them. Removed the misleading guard against tax rate assignments (the pivot table already cascades) and changed the cart_items.tax_category_id and order_items.tax_category_id foreign keys to nullOnDelete, so live carts and historical orders no longer block deletion and their denormalized tax amounts remain intact.

• Fixed an issue where <img> tags were stripped from theme static content on save after the recent HTML sanitization hardening. Images inserted from the static-content editor now include an empty src="" alongside data-src, so they satisfy HTMLPurifier's required-attribute check while still being lazy-loaded by lazysizes.

• Fixed the customer GDPR data request form on the storefront not returning a JSON response for AJAX submissions, causing the success state to fail in the frontend.

• Fixed customer datagrid export failing because the computed revenue column was being evaluated per-row during export. The column is now marked as non-exportable.

• Fixed the error message shown when deleting a customer with pending orders. The previous translation key showed an unhelpful "Orders is Pending"; replaced with a dedicated delete-pending-order-error key and a clearer message across all locales.

• #11225 - Fixed incorrect translation key for coupon usage limit exceeded message.

• #10967 - Fixed shipment options not showing when adding VAT ID with unsupported country during checkout.

• #10846 - Fixed wishlist quantity not updating when moving the same product from cart to wishlist.

• #11223 - Fixed explode() null deprecation in AppServiceProvider when APP_DEBUG_ALLOWED_IPS is unset.

:sparkles: Features

• 10792 - Added Cache Management in Admin Configuration panel.

:bug: Bug Fixings

• Fixed an issue where the price slider was not displaying on the layered navigation.

• Fixed an issue where static content was pointing to demo categories and giving 404 errors when installed without sample products.

• #11207 - Performed a major update and cleanup of Polish translations across both Admin and Shop sections.

:bug: Bug Fixings

• Fixed a critical race condition vulnerability in coupon usage during concurrent checkout, where two simultaneous orders could both redeem a single-use coupon. Coupon validation and usage consumption are now atomic using row-level locking inside the order creation transaction.

• Fixed an issue with Elasticsearch search for grouped products.

• #11204 - Fixed a Chrome browser display issue caused by v-pre handling related to SSTI protection.

• #11196 - Fixed an issue where Vue.js @click directives were not working on mobile Chrome on the order detail page.

• #10378 - Added Elasticsearch index prefix support to avoid index conflicts when multiple Bagisto instances share the same Elasticsearch cluster.

:sparkles: New Features

• [Laravel 12 Upgrade] Upgraded framework to Laravel 12 with comprehensive modernization:

  • Fixed Carbon date/time type strictness issues (int/float parameters, non-null timezones).
  • Modernized all legacy PHP date functions (strtotime(), date(), date_default_timezone_set()) to Carbon equivalents.
  • Implemented timezone fallback logic using config('app.timezone') for channel-based operations.
  • Updated PDF response headers to match Laravel 12 format (Content-Disposition).
  • Enhanced date handling methods in Core helper with proper Carbon integration.

• Implemented two-factor authentication (2FA) for admin users to enhance account security.

• Migrated from Google reCAPTCHA v2 to Google reCAPTCHA Enterprise for enhanced bot protection.

• Added Stripe payment gateway integration with secure checkout session.

• Added Razorpay payment gateway integration with drop-in UI checkout experience.

• Added PayU payment gateway integration with redirect-based checkout flow.

• Upgraded PayPal SDK from abandoned v1 to modern v2 with improved reliability and security. Refactored PayPal integration to use controller-based transaction handling and modernized IPN processing with Laravel HTTP client.

• Added comprehensive Return Merchandise Authorization (RMA) system with complete order return management.

• Integrated Laravel AI SDK for Magic AI, refactoring the provider and model layer into per-provider enums with a unified AiProvider entry point and updated AI model configurations.

• Added fresh demo products during the installation process with updated translations.

• Added Pest and Playwright test cases.

• #11126 - Added SMTP configuration support from the admin panel.

:spiral_notepad: Changes

• Removed shetabit/visitor package and all visitor tracking functionality including dashboard visitors widget, products with most visits reporting, customers traffic reporting, and purchase funnel visitor metrics.

:bug: Bug Fixes

• Included all bug fix updates from version 2.3.

• Optimized RMA-related queries and introduced a return period column in the order items table.

• Fixed issues with language switching in the installation wizard and corrected PHP configuration texts.

• Fixed automatic application URL detection and automatic timezone selection during installation.

• Fixed backend validation and VeeValidate error handling to ensure proper integration with Laravel backend validation in the installer package.

• #11100 - Fixed an issue where updating the return window rule affected previously placed orders.

:page_facing_up: Documentation

• Updated the upgrade guide (UPGRADE.md) with breaking changes from v2.3 including Laravel 12, reCAPTCHA Enterprise, PayPal SDK upgrade, visitor tracking removal, and Magic AI SDK migration.

:notebook: Changes

• Removed shetabit/visitor package and all visitor tracking functionality including dashboard visitors widget, products with most visits reporting, customers traffic reporting, and purchase funnel visitor metrics.

• Updated the upgrade guide (UPGRADE.md) with breaking changes from v2.3 including Laravel 12, reCAPTCHA Enterprise, PayPal SDK upgrade, visitor tracking removal, and Magic AI SDK migration.

• Rewrote AGENTS.md with accurate codebase documentation covering architecture, conventions, commands, and development guidelines.

:spiral_notepad: Changes

• Included bug fix updates from version 2.3.

:sparkles: Enhancements

• Added Exchange Rates core configuration with scheduled auto-update, API key management (Fixer & ExchangeRate-API), and date_format vee-validate rules.

:bug: Bug Fixings

• #11187 - Fixed an issue causing an "Undefined array key 'resolver'" error.

• #11176 - Fixed an issue where the extra price for image/file customizable options was not applied in the cart and checkout for simple products.

• #11107 - Fixed an issue with the SEO URL preview.

• #10964 - Fixed an issue where the search query was not populated in the search box on the customer end.

• #10250 - Added support email configuration through the core configuration settings.

:sparkles: Enhancements

• Enhanced the Laravel AI SDK integration for Magic AI and improved the related configuration sections.

• Updated all outdated AI models and image model configurations.

:bug: Bug Fixings

• Fixed an issue where wishlist items were being fetched for all customers when performing "Move to Cart" or deleting wishlist items.

:sparkles: Features

• Integrated Laravel AI SDK for Magic AI, refactoring the provider and model layer into per-provider enums with a unified AiProvider entry point.

• #11126 [feature] - Added SMTP configuration support from the admin panel.

:bug: Bug Fixings

• Merged all bug fixes and improvements from version 2.3.

• Added pest and playwright testcases.

:bug: Bug Fixings

• Fixed catalog rule condition validation where boolean value 0 was being incorrectly treated as empty and causing the condition to fail.

• #11034 - Fixed an issue where the createOrderIfNotThenRetry method caused an infinite loop by adding a configurable max retry attempts limit.

• #10876 - Fixed an issue where customers were unable to resubscribe to the newsletter after unsubscribing or after an admin changed their subscription status from True to False.

• #10854 - Fixed an issue where incomplete product data was exported in CSV, XLS, and XLSX formats.

• #10828 - Fixed an issue in the customer order view where the parent SKU was being displayed instead of the variant SKU for configurable products.

• #10827 - Fixed an issue where customers from one channel could see orders from another channel. Now customers are bound to a specific channel at registration and login, ensuring orders are channel-specific.

:bug: Bug Fixings

• Fixed admin redirect logic after login to properly handle single-level permissions by redirecting to the first accessible child route.

• #11030 - Added management support for shop footer copyright content in the admin panel.

• #10960 - Fixed an issue where, in certain scenarios, adding a bundle product with a quantity greater than 1 calculated the cart subtotal for only a single quantity, resulting in incorrect pricing.

• #10929 - Added redirect URI configuration support for social authentication login.

• #10831 - Fixed COD appearing for downloadable products in mixed cart.

• #9879 - Fixed an issue where invoice email attachments were not being sent correctly.

:bug: Bug Fixings

• Updated the translations for all the dummy products.

• Optimized RMA-related queries and introduced a return period column in the order items table.

• Fixed issues with language switching in the installation wizard and corrected PHP configuration texts.

• Fixed automatic application URL detection and automatic timezone selection during installation.

• Fixed backend validation and VeeValidate error handling to ensure proper integration with Laravel backend validation in the installer package.

• #11100 - Fixed an issue where updating the return window rule affected previously placed orders.

:sparkles: Whats New?

• [Laravel 12 Upgrade] Upgraded framework to Laravel 12 with comprehensive modernization:

  • Fixed Carbon date/time type strictness issues (int/float parameters, non-null timezones).
  • Modernized all legacy PHP date functions (strtotime(), date(), date_default_timezone_set()) to Carbon equivalents.
  • Implemented timezone fallback logic using config('app.timezone') for channel-based operations.
  • Updated PDF response headers to match Laravel 12 format (Content-Disposition).
  • Enhanced date handling methods in Core helper with proper Carbon integration.

• Implemented two-factor authentication (2FA) for admin users to enhance account security.

• Migrated from Google reCAPTCHA v2 to Google reCAPTCHA Enterprise for enhanced bot protection.

• Added Stripe payment gateway integration with secure checkout session.

• Added Razorpay payment gateway integration with drop-in UI checkout experience.

• Added PayU payment gateway integration with redirect-based checkout flow.

• Upgraded PayPal SDK from abandoned v1 to modern v2 with improved reliability and security. Refactored PayPal integration to use controller-based transaction handling and modernized IPN processing with Laravel HTTP client.

• Added comprehensive Return Merchandise Authorization (RMA) system with complete order return management.

• Added fresh demo products during the installation process.

:bug: Bug Fixings

• Security updates.

• Enhanced form validation by implementing auto-scroll to the first error field, with support for regular inputs, array fields (categories, channels), nested fields, and TinyMCE editors. Added fallback flash messages when error fields cannot be located or scrolled to.

• #11080 - Fixed a currency display issue in invoices when the channel currency differed from the admin panel currency.

:pencil2: Changes

• Fixed a security issue in the installer endpoints.

• Fixed a security issue in the customer order reorder functionality.

• Fixed a Server-Side Template Injection (SSTI) vulnerability in the first and last name fields that could be exploited by low-privileged users.

• Refined the Blade tracer to track only view files, ensuring accurate view-level tracing.

• Fixed SSTI vulnerability in type parameter handling — user input is now properly sanitized/validated to prevent server-side template injection.

• Sanitized product review attachments to prevent stored XSS.

• Sanitized CMS html_content during create and update operations to prevent stored XSS vulnerabilities.

• Added validation for external URLs in downloadable product samples to block access to private and reserved IP ranges.

:bug: Bug Fixings

• #11058 - Fixed the speculation issue and resolved the revoke endpoint issue.

• #11053 - Fixed an issue where the custom field price was not converted according to the exchange rate on the product view page.

• #11051 - Fixed a redirection issue that occurred when a product had insufficient quantity.

• #11028 - Fixed an issue where horizontal scrolling caused misalignment of fixed-position elements (Cart/Profile buttons) on the search page.

• #10975 - Fixed validation to ensure the source and target currencies are different when creating exchange rates.

:bug: Bug Fixings

• Meta tag, comment and header added for Bagisto.

• #11035 - Fixed an issue where an exception occurred when saving a CMS page without selecting a channel.

• #11014 - Fixed the wishlist icon issue on the product view page caused by Full Page Cache (FPC).

• #11011 - Added missing translation for the Customer Group delete response message.

• #11010 - Fixed the CAPTCHA configuration issue that allowed saving settings without the site key or secret key.

• #10985 - Fixed an issue in CustomerGroupPrice where deleting any group discount incorrectly removed the last discount entry instead of the selected one.

• #10899 - Fixed a validation error that occurred while importing CSV files in Data Transfer.

• #10866 - Fixed the issue where filterable options on the theme page were not appearing.

:sparkles: Improvements

• Improved octane compatibility.

• Added the missing captcha on the checkout login page.

• Refined TinyMCE editor integration and applied related security fixes.

• Applied security fixes to product attributes, including short description, long description, and other TinyMCE-enabled fields.

• Fixed an issue where the description was not updating correctly during channel updates.

• Implemented security fixes for the DataGrid export feature.

:bug: Bug Fixings

• #10971 - Fixed an issue where updating a field without changing the image caused the image to break or not display correctly.

• #10898 - Added an asterisk (*) to indicate all required fields in configurable product variants.

:sparkles: Features

• Improved full application perfomance and web vital score.

• Implemented did you mean functionality.

• Added the capability to run the dev command from the customized theme package without needing to run the publishers repeatedly.

• #10834 - Refined the admin pages and made approximately 95% of them responsive.

:bug: Bug Fixings

• Fixed the database prefix validation issue in both the GUI and CLI installers.

• Resolved translation issues for the ca and id locales across the Admin, Shop, and Installer packages.

• #10955 - Fixed cancel order issue in mobile device.

• #10953 - Fixed bundle product issue when having one simple product in cart.

• #10952 - Fixed move to cart bundle product issue when having one simple product in cart.

• #10937 - Customer profile photo removed when saving profile without changes.

• #10923 - Admin -> URL Rewrite DataGrid does not match the ACL permission.

• #10912 - ACL for create invoice is not correct.

• #10903 - Fixed elasticsearch issue for Hindi, Chinese and Portugues locale.

• #10897 - Fixed missing success message when admin approving the review.

• #10893 - Fixed email verification issue.

• #10883 - Fixed broken artisan commands.

• #10847 - Fixed attribute family issue where new attribute group is not getting saved.

• #10840 - Fixed flash message issue which is caused due to FPC.

• #10838 - Fixed the cart issue.

• #10836 - Fixed the date of birth issue.

• #10755 - Fixed review api issue by setting generic message for customer facing end.

• #10711 - Show validation error in cart rule coupons when entering wrong input.

• #10701 - Fixed inventories group attribute condition error.

• #10694 - Closed time slot should show all the time slots except the mentioned one.

• #10693 - Fixed issue where multiple bookings created for back-to-back days showed all bookings starting on the first day, even if they started later.

• #10692 - Show all time slots in default booking type (one booking for many days).

• #10686 - Prevent customer from updating the quantity of appointment booking type.

• #10684 - Show validation error when entering wrong time slot.

• #10682 - Show correct alert message when entering wrong date in the "available to" column of booking product.

:bug: Bug Fixings

• Added a method in the Installer class to prompt for a GitHub star once the installation is completed.

• Fixed the blank search issue that was causing all products to be fetched.

• Handled the storage URL directly within the DataGrid class instead of the view.

• Optimized the anonymous file by removing unnecessary currency code, and cleaned up the Maintenance Mode class by removing the unused Database Manager code.

• #10819 - Fixed the issue related to maintenance mode.

• #10782 - Resolved an issue where the "Bundle Items" section was not visible while creating a Bundle Product in the French locale (APP_LOCALE=fr). This was caused by unescaped apostrophes in translatable strings breaking JavaScript during rendering.

Full Changelog: https://github.com/bagisto/bagisto/compare/v2.3.5...v2.3.6

:bug: Bug Fixings

• Added a method in the Installer class to prompt for a GitHub star once the installation is completed.

• Fixed the blank search issue that was causing all products to be fetched.

• Handled the storage URL directly within the DataGrid class instead of the view.

• Optimized the anonymous file by removing unnecessary currency code, and cleaned up the Maintenance Mode class by removing the unused Database Manager code.

• #10782 - Resolved an issue where the "Bundle Items" section was not visible while creating a Bundle Product in the French locale (APP_LOCALE=fr). This was caused by unescaped apostrophes in translatable strings breaking JavaScript during rendering.

Full Changelog: https://github.com/bagisto/bagisto/compare/v2.2.9...v2.2.10

:sparkles: Enhancement

• Added support for the Indonesian language.

:bug: Bug Fixings

• Fixed an issue in the installer where old values were being retained, causing the first attempt to fail. The installation now completes successfully on the first attempt.

• Added missing event dispatches to ensure proper event flow and handling.

• Added backend validation for image uploads in the image search feature.

• #10802 - Removed default address handling from the repository and moved it to the controllers to prevent side effects across customer addresses in the admin panel, shop front, and checkout pages.

:bug: Bug Fixings

• Fixed an issue in the installer where old values were being retained, causing the first attempt to fail. The installation now completes successfully on the first attempt.

• Added missing event dispatches to ensure proper event flow and handling.

• Added backend validation for image uploads in the image search feature.

• #10802 - Removed default address handling from the repository and moved it to the controllers to prevent side effects across customer addresses in the admin panel, shop front, and checkout pages.