-
Notifications
You must be signed in to change notification settings - Fork 35
/
CHANGES
1837 lines (1573 loc) · 80.4 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Version 1.17.1 (June 2024)
Upgrade Instructions
If using docker, rebuild the allura image and restart containers.
Security Fix
* [#8563] CVE 2024-38379 authenticated XSS possible for neighborhood admins
Breaking Changes
* [#8556] remove has_access(..)() syntax. Custom extensions using this syntax will need to remove the second ()
For Developers
* remove #allura irc mentions
* delete unused jinja file with invalid syntax
* replace tabs with spaces in jinja html files
* add jinja linter to pre-commit
Version 1.17.0 (June 2024)
Upgrade Instructions
Run: `paster ensure_index development.ini` in Allura dir
To install updated dependencies, run:
pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
If using docker, rebuild the allura image and restart containers.
To enable OAuth 2 with an existing .ini file, add: auth.oauth2.enabled = true
To switch to the new session cookie handling:
- add `session.jwt_secret_keys` to your .ini file, with a value generated by `python -c 'import secrets; print(secrets.token_hex());'`
- `session.type = cookie` is no longer used
- optionally `session.read_original_format = true` and rename `session.validate_key` to `session.original_format_validate_key` for backwards compatibility. Remove after a transition period
- optionally `session.write_original_format = true` if it takes a while to deploy all your code to multiple hosts/procs. Then remove once all processes have new code.
Critical Security Fix
* [#8561] CVE 2024-36471 DNS rebinding during imports
Breaking Changes
* [#8556] deprecate has_access(..)() syntax. Custom extensions using this syntax will need to remove the second ()
Major Changes
* [#7272] Support for OAuth 2.0
Security Improvements
* [#8526] improved session cookie handling security
* [#8536] improve |safe and Markup usage
* improve JS syntax and escaping
* [#8555] check blocked users better
* Python Package Upgrades
SEO
* [#8527] discussion app display thread subject in header
Code Repositories
* [#8529] support unicode in repo branch names
Wiki
* [#8540] fix wiki page 'recent' sort
Tickets
* [#8559] tickets API: better type handling
* fix username hover on ticket search results
* ticket's app titles should display current summary content
General
* [#8533] switch python email 'policy' for better line length handling
* [#8537] a few JS performance improvements
* [#8558] user email changes not getting into solr
* keep flash messages more visible
* Hide activitystream entries whose corresponding object has been deleted
* fully delete history snapshots when deleting artifacts (incl remove from solr)
* in password reset, also try lowercasing the email to see if that matches
Admin
* support overlapping admin urls, if a tool is installed with "groups" mount point
* make active notifications easier to see in the list
Performance
* use $regex instead of re.compile in mongo queries, so it uses indexes properly. Maybe fixed in current mongo versions https://jira.mongodb.org/browse/SERVER-26991
* add user_id index to oauth collections
For Developers
* [#8528] improve allura.command_init
* [#8532] [#8539] improve ruff checks
* [#8534] set up github codeql
* [#8538] Slight tweak to timeline helper methods
* code cleanup using autopep8
* Ignore .vscode settings folder
* make it easier to change order of sidebar items w/ the AdminExtension
* make ldap_conn() be a context manager, so unbind_s can be run automatically
* add conftest.py that mocks out tg context
* restore c.project.notifications_disabled after a task (can matter in tests)
* remove some old six.PY3 checks
* update RAT config to work with 0.16
* better --profile behavior for scripts, add option for outputfile
* remove i18n, only was used a tiny bit in templates
Version 1.16.0 (November 2023)
Upgrade Instructions
To install updated dependencies, run:
pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
If switching to a new version of Python, you will need to make a completely new python virtual environment,
and run `pip install ...` in it, and then use it to run Allura.
If using docker, rebuild the allura image and restart containers.
Critical Security Fix
* [#8525] CVE-2023-46851 import mechanisms allow local file access
Major Changes
* [#8519] Drop support for Python 3.7. Python 3.8 through Python 3.11 are officially supported.
SEO
* [#8521] Do not index empty ticket pages
General
* package upgrades
* specify formats supported for screenshots (BMP or GIF could work too, but not recommended)
* replace deprecated "docker-compose" cmd with "docker compose"
* fix solr 413 request too big for big batches
For Developers
* minor improvements to release script
* update build status icon on readme
* ignore warnings from inside other pkgs, fix a few warnings
* [#8524] update node version
* [#8523] github api improvements
Version 1.15.0 (September 2023)
Upgrade Instructions
To install updated dependencies, run:
pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
Run: `paster ensure_index development.ini` in Allura dir
If switching to a new version of Python, you will need to make a completely new python virtual environment,
and run `pip install ...` in it, and then use it to run Allura.
If using docker, rebuild the allura image and restart containers.
Major New Features
* added support for Python 3.8 through 3.11
* introduced Content-Security-Policy headers
Security
* Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
* better defaults for CSP to avoid warnings when developing
* [#8470] Add CSP Headers
* [#8479] CSP Headers Add Support For script-src
* [#8510] Add HTTP Header Add Permissions-Policy
* [#8511] Add HTTP Header Referrer-Policy
* [#8504] CSP Headers Add Support For script-src-attr
SEO
* noindex,follow for ticket milestone pages
* h1 title improvement for wiki sections browse pages and browse labels
* Make canonical tag on activities pages overridable
* [#8492] Update noindex Logic for User Profiles
* [#8464] Add noindex, follow on List Tools
* [#8469] Add Missing Canonical Tag
* [#8477] More Canonical Urls
Performance
* chunked_find: avoid redundant query at end
* performance optimizations related to anonymous()
* speedup: private_project for anonymous
* [#8497] ForgeMarkdown speedup
Tickets
* fix error on feed url for non-existant ticket
* remove ticket history records when uninstalling a ticket tool
Wikis
* fix failing trac wiki tests that were previously unused and apparently wrong
* [#8471] check for comments when setting wiki noindex
General
* Move GA snippet down slightly
* added noindex meta tag to new tickets page
* use error template for 410 Gone statuses too
* ignore a pure reformatting change
* add @ to url autolink pattern
* avoid unhandled error on bad input to /nf/markdown_to_html
* improve artifact_feed.author_link index by including field it is sorted on
* add indexes to Post for update_stats() queries
* make oauth api_key unique, to match child class that has it unique
* add --rm to single-use docker-compose commands, so container is cleaned up after
* remove .travis.yml since ASF isn't using travis any more; we could make a GitHub action instead
* Escape colons in the registration_ip field for IPv6 addresses
* Add the r prefix to escape sequence for search fields
* set c.project during add_artifacts task, like c.app already has been
* Make sure filenames are interpreted as utf8
* when a password reset link doesn't work, make the error more obvious and don't show them a login form since that's confusing
* task command: add another filter option for days
* fix weird HTTPError issue; details at https://github.com/agronholm/exceptiongroup/issues/39
* further fix for latin1 in etag headers
* [#8508] Generate unique id for screenshots
* [#8484] Add Support For Fediverse Addresses
* [#8489] support python 3.8
* [#8483] Markdown: image target URL fails when reaches 100 chars + FIX(?)
* [#8486] Git should look for 'main' branch
* [#8475] Return 404 on "Awaiting Moderation" Threads
* [#8473] use jinja's tojson instead of h.escape_json
* [#8487] Enable Analytics In Debug Mode
* [#8481] Commit Activity More Context
* [#8463] Commit Statuses For Repositories
* [#8467] support defopt with ScriptTasks
* [#8498] PEP8 Cleanup
* [#8482] saved comments (memorable) race condition
* [#8488] Incorrect name of web docker image in compose files
* [#8493] Make tracking snippet more self-contained
* [#8472] Project Activity Delete Issue
* [#8496] Trove Category Skip Limit for Admins
* [#8499] Update Deprecated Method Form Validation
For Developers
* Fix phone.attempts_limit check, if user had surpassed it already
* autopep8 -i --max-line-length 9999 on many files
* type hint for chunked_find
* change [pep8] to [pycodestyle]
* first substantial test file mostly passing under pytest
* [#8455] Convert from nosetests to pytest
* All tests in ./Allura collecting, and test_auth completely passing
* pytest: ignore other package's namespace warnings
* update deprecated html unescape function
* upgrade regex-as-re-globally for py3.11 issue
* fixes for Python 3.10 & 3.11
* run pyupgrade (targeting 3.7 still)
* Fix getiterator() deprecated in Python 3.9
* restore scripts/ApacheAccessHandler.py to py2 compatible
* with recent versions of pip but no wheel pkg, "pip install -e .." needs setuptools, so --no-index is a problem. Remove that, and update folder paths to be clearly folders to ensure they don't get installed from PyPI
* pytest: short (normal) tracebacks
* fix "reindex" cmd help string
* Update copyright year
* fix rebuild-all.bash SVN replacement to match updated format
* Add a helper method to TroveCategory to find by fullpath(s)
* [#8500] upgrade TurboGears
* [#8501] remove twemoji
* [#8502] Replace pyflake with ruff
* [#8490] Fix Failing Parallel Tests
* [#8461] replace python-oauth2 with oauthlib
* [#8494] Python Package Upgrades
* [#8476] Upgrade Underscore Library
* [#8491] JS Libraries Tablesorter and Sylvester
* [#8495] fix DeprecationWarnings
* [#6556] Error on undefined template vars, during development
* [#8505] python 3.11 - jenkins setup
* [#8513] Jenkins Buikd Docker Error
Version 1.14.0 (September 2022)
Upgrade Instructions
To install updated dependencies, run:
pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
Run: `./rebuild-all.bash` to get new ForgeFiles app available
Run: `paster ensure_index development.ini` in Allura dir
If switching from Python 3.6 to 3.7, you will need to make a completely new python virtual environment,
and run `pip install ...` in it, and then use it to run Allura.
If using docker, rebuild the allura image and restart containers.
Breaking Changes
* [#8413] [#8390] drop support for Python 2.7 and 3.6. Only Python 3.7 is supported in this release.
* [#8399] In an effort to update the Docker startup steps to make them as
easy as possible and compatible across as many OS's as possible, the default
allura-data location has been moved from `/allura-data` to `./allura-data`.
This will likely break existing Docker deployments. To fix your deployment,
Either set the LOCAL_SHARED_DATA_ROOT env variable to /allura-data or change
the value in the local `.env` file (or move your /allura-data to
./allura-data).
* Remove the `force_ssl.logged_in` config option. It is recommended to use https for
all visitors, whether logged in or not.
* [#8438] gravatar integration is disabled by default, for privacy reasons. If you wish to enable it, add
`use_gravatar = true` to your .ini file
Major New Features
* [#8368] new Files App
Security
* [#8414] Added a new validator to restrict private/internal ips from being submitted in import forms
* Many package upgrades
General
* [#8388] consolidate markdown_syntax and search_help pages
* [#8402] Remove PreChecked Checkboxes
* [#8424] Better Error Handling For Wiki And Discussion Pages
* [#8404] SMTP maximum allowed line length
* [#8430] improve SMTP retry logic
* [#8401] Project Icon URL Param Issue
* [#8454] Prevent Anonymous Github Imports
* [#8403] Github Importer Enhancements
* page and limit url params are now being included in threaded comments links
* underscores in user's mentions parse correctly
* Remove gittip_button macro; gittip is defunct
* Avoid occasional errors in cached_convert logging
* Prevent discussion stats endpoint from 500ing if hit without parameters
Code Repositories
* [#5593] Create backlink from ticket when commit message contains ticket link
* [#8060] Commit overview and diff changes are a bit messed up
* [#8431] handle dir/file/symlink changes better
* [#8432] diffs - add max file size
* [#8450] API to list repos
* Lower SVN import retry count significantly; block imports from plugins.svn.wordpress.org since it has millions of revisions
Wikis
* [#8246] Set Home dialog validation fix
* [#8459] Wiki Tool Installation Optional
Tickets
* [#8434] Tickets Tool Search Better Error Handling
* [#8457] Tickets Tool Actions Bug
Admin & Accounts
* [#8393] Password recovery - resend verification mail for pending users
* [#8391] Unsubscribe from a project when a user is removed from Admin group
* [#8448] Oauth Authorize Screen Visual Update
* [#8451] [#8458] record more admin actions in audit log
* [#8405] added last_access field to save the last access date for OAuth tokens
* Only activate+enable users exactly when needed
* Make "enter" do the natural thing when adding an email to an account
* Added checkbox option that sends message replies to users active email address
* Ensure audit log email is the same as what was actually used
* Show multifactor setup key in addition to QR code
* various TaskCommand improvements triggered by expansions to purge command
* add filter by age of task to TaskCommands
SEO
* [#8418] SEO - omit certain empty apps/tools from sitemap
* [#8420] Add "nofollow" to Markdown Syntax
* [#8421] SEO - omit certain empty apps/tools from sitemap - pt2
* [#8423] Wiki Page Versions Improvement
* [#8429] Add noindex,follow to Authorization Redirects
* [#8435] Robots Tag For Wiki History Pages
* [#8437] Do Not Index Empty Blog and Discussion Forums
* [#8439] Tool Search Add noindex, follow
* [#8440] Add Canonical Link To Project Activity
* [#8441] Project Members Page Better Title and H1
* [#8442] Code Repos Links Should nofollow
* [#8443] Project Activity And User Profile Link Add nofollow
* [#8444] Add Canonical Link For Tool Sections
* [#8446] Link Directly To User Profiles
* [#8462] 301 to default tool instead of 404 under projects
* [#8417] Added nofollow to generated links for RSS and Atom feeds
* Better detection of empty wiki pages
* noindex, follow on discussion stats page
* added noindex, follow header tag to project search
* On forums, use a 404 page instead of redirecting to a "deleted" page
* added missing trailing slash on stats link
* rel=nofollow on diff link, lots of them and not very useful content for search indexing
* 301 instead of 302 for http/https redirects
* Avoid extra redirect for /p/foo => /p/foo/ since the latter will do its own redir anyway
* Preserve exact URL in pagination helper
Performance
* [#4359] Reduce duplicate queries in threaded discussion display
* [#8409] Speed up anonymous user handling
* [#8410] Markdown performance mitigation
* [#8416] Use regex library instead of re
* [#8422] optimize more discussion thread queries
* [#8447] restrict thread pre-caching to not be so greedy
* update timermiddleware with perf improvement
* post_widget.html has_access() cleanup:
* make some markdown macros cacheable
* Disable ming validation measurement since there can be a lot; fix requests Timer
* Add post/forum_post index
For Developers
* [#8364] empty ProjectRole cleanup
* [#8389] CC-BY 4.0 and SIL Open Font License review & clarification
* [#8392] Allow further downstream customization of SiteNotifications
* [#8399] Broken Docker Setup Guide and Config + werkzeug upgrade
* [#8411] Inline Defaults for *.yml Files
* [#8415] Remove py2/3 bridging code
* [#8427] Fix tests to work with latest git
* [#8449] [#8452] [#8453] jQuery Upgrade
* init Memorable.items sooner, should fix error when sf_markitup.js calls Memorable.add before Memorable.initialize ran (due to jquery upgrade)
* [#8460] allow sending already-formatted message
* [#8412] added new method default_redirect
* fix sphinx documentation issues
* make "c" a template global too
* Fix sticky notifications
* install docs: update Docker/IP wording
* Remove node-sass npm dep
* remove some "with context" from template imports
* has_access() works with == not just is/bool checks
* Add generic require_method helper, alongside require_post
* Create a .git-blame-ignore-revs file
* create .asf.yaml
* New Relic: keep original transaction name if 500 error page is used
* Allow memoize_cleanup to work with dicts or objects
* Change ldap to simple_bind_s (does same thing, lets mockldap be used in tests)
* Fix LdapUserPreferencesProvider.get_pref return. Support multi-valued ldap prefs
* Adds method to fetch multiple troves by their IDs
* Add block to permit customization of user message notices
* Include the incoming mail task id in logging
* Have a field to track user registration date, not just rely on _id
* switch from npm install -> npm ci
* Log more details about image failures
* updated the flash message if the picture upload raises an exception
* Use default correctly in User.get_tool_data
* HIBP better exception handling inside function and added basic test
* Convert document/collection mapping to be like other MappedClass types
* Special property hinting
* Add type hints for all mapped classes' query attrs
* Remove old unused OldProjectRole class
* Handle historical activities with null icon_url value
* Configuration improvement to global tooltips
* fixing icon cache issues by updating the activitystream icon_url with the value from default_avatar_image
* Remove invalid sourceMappingURL setting
* Remove ancient IE css & html conditionals
* Remove pb.transformie.min.js and jquery.browser shim
* renamed model field and added a datetime field
* added two new model fields to store additional email information
* Remove some tool_data.sfx.userid mentions (not part Allura itself)
* Let really_unicode() preserve Markup types. Probably faster in most cases too
* Fix SitemapEntry html attrs being skipped/clobbered in a few places
* Change the exec call used by paster script cmd, to preserve the filename (helps when running coverage.py on a paster script cmd)
* [#8394] upgrade pillow dependency
* [#8396] Upgrade requests. and more
* [#8397] upgrade more packages
* [#8400] Upgrade Ming and dependencies
* [#8408] Upgrade markdown
* [#8425] Upgrade Jinja to 3.1.1
* [#8428] upgrade pip & friends
* [#8445] Package Upgrades
* upgrade oauthlib
* Upgrade waitress
* new pypeline package which allows <summary> html tag
* Upgrade requests & urllib3 to latest
* remove sql-only twophase_transaction helper
* Update copyright year
Version 1.13.0 (May 2021)
This release supports Python 2.7, 3.6, and 3.7.
It is the last release planned to support Python 2.
Upgrade Instructions
To install updated dependencies, run:
pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
Run `./rebuild-all.bash` to get new ForgeFeedback app available
If switching from Python 2 to Python 3, we recommend upgrading to Allura 1.13.0 first
and then switch Python versions as a separate step. When switching Python versions, you
will need to make a completely new python virtual environment using Python 3, and run
`pip install ...` in it, and then use it to run Allura.
When running on Python 3, newer versions of Pygments and Pillow can be installed which
include security fixes within those packages. The versions specified in requirements.txt
are older versions so that Python 2 can still be supported.
If you have customizations or extensions for Allura, you will need to port that code to
Python 3.
.ini file changes:
If you have customized development.ini or docker-dev.ini for your own site, you will
need to remove all the stats references after the "Logging configuration" section.
Remove it from 2 `keys =` lists, and 1 `handlers =` list, and the whole [handler_stats]
subsection.
All `%` will need to be escaped as `%%`, for example in bulk_export_filename.
`%` in logging configurations at the bottom of the file is ok.
For python 3, comments on the same line like `foo = 123; comments` are no longer
allowed. For example, `override_root = task` needs to be its own line only.
New configuration options are available. If you have an existing .ini file, defaults
will be used automatically, or you can set your own values for: phone.attempts_limit,
scm.view.max_file_bytes, and scm.download.max_file_bytes
Major New Features
* Added ForgeFeedback app
* [#8260] textarea inputs work better on mobile devices, and use browser spellchecker
* [#7935] Forum importer for allura's own export format
* [#8339] Allow multiple site-wide notices to be active
Security
* email on primary changed, password recover, email verified
* email added/removed mail notifications
* [#8362] Fix cookie lacking secure attribute
* Publicize information disclosure security bugfix in 1.12.0 changes
General
* [#8337] Show more helpful errors when username is wrong format
* [#8383] avoid control chars in rss feeds
* Help fix messed up multifactor auth sessions
* Sort by shortlink newest first, in case there are multiple matches the first one will be used
* Strip leading or trailing dashes when suggesting project shortnames
* Handle [[embed]] errors specifically, instead of whole markdown text erroring
* Handle better invalid URLs like /_list/ with no path after
* added noindex tag to profiles with no activity and no projects
* Small tweaks to controls around user messaging
Tickets
* [#7712] Bulk edit with filter on errors
* fix truncated ticket titles by allowing overflow wrapping
Wiki
* remove displayname from wiki history/browse
* show user cards for wiki usernames
* canonical on wiki pages
* wiki pages with noindex are omitted from sitemap.xml
* confirm_btn_align fixed misaligned wiki confirm modal
Code Repositories
* Don't move the page around when selecting a specific line in a repo page
* Repo sidebar: no Browse Commits if repo is empty; add Browse Files for SVN
* improve repo navbar SEO by 302->301
* [#8357] SVN: fixes for %s in filenames
* [#8350] non-unicode filenames in hg
Admin
* [#8372] Misc site admin improvements
* [#4069] Restrict ACLs that make projects private
* [#8370] User admin page should drop trailing slash
* Avoid error if a user blocked by permissions no longer exists
* Refactor some trove admin bits, add some test coverage
* Nicer formatting of user audit log details (make message bold)
* Site admin: only show pwd reset related buttons if user is enabled
* Allow long audit log messages to wrap
* Add more functionality to the add_user_to_group.py script
* Tooltip for youtube url, set type=url
* allow incomplete URLs without http:// to be entered in browser
* Remove byte size validator on project description (just validate string length)
* Add permit_legacy flag to NeighborhoodProjectShortNameValidator in case a site has older names to allow during URL checks
* Prevent private projects by disallowing access to 'permissions' page
Performance:
* [#8381] Max file sizes for displaying/downloading from repo
* [#8360] Misc performance improvements, icon CDN support
* [#8359] stopforumspam performance improvement
* [#8343] Improve image thumbnail compression
* [#8341] Fix slowness on large diffs
* [#8342] LastCommit & git log follow improvements
* Github import rate-limit retry improvement
* Put a general network socket timeout around RSS feed fetching (default otherwise is no timeout)
Deployment & Configuration:
* [#8348] Support mongo 3.6 - 4.2. To upgrade Mongo, you must follow mongo upgrade instructions (see ticket for links)
* Add better gunicorn cmd example to docker-compose-prod.yml
* [#8384] Enforce login throughout phone verification process
* Set a limit for phone verification attempts
* Update favicon.ico and use it in docker; avoids 404 which disrupts session esp. multifactor login
* Skip spam checks on metadata comments (ticket diff) and imported comments (often ip/ua/referrer/author info is not available)
* Work around virtualenv 20 issue causing our entry points to not be found
* renamed topic/categories jabber,audio/conversion,video/conversion
For Developers
* Update copyright year
* [#8347] Get all dependencies py3-compatible
* [#8354] Replace dependencies that aren't py3 compatible
* Many python package upgrades
* [#8363] Upgrade ming & pymongo
* [#8333] support newer mercurial if Forgehg is used
* Many python 3 related changes
* [#8340] Increase test coverage
* upgraded SimpleMDE to EasyMDE
* [#8380] API to create projects
* [#8386] review licenses of python dependencies
* [#8373] Misc code style fixes
* [#8345] event tasks can start too soon
* [#3938] Stats logging should not go to the "console" handler; remove it
* Make my_projects_by_role_name always return a list, even when logged out
* Misc: avoid errors when invalid page param
* Misc: avoid errors when sort param doesn't have a direction part
* misc: avoid filter=foo erroring
* Misc: check apache config file as part of docker build
* Handle json (raw data not form encoded) posts better
* Reformatted code so it matches pep8 guidelines
* ago_in_past helpers.ago returns 'in ...' if date is in future
* Send project_menu_updated events from a few other places that can change the menu
* Handle oauth scope checks better when no access granted at all yet
* Fix patch_middleware_config context manager error handling
* Avoid test error if git config from user/system has push.default set to 'nothing'
* remove old Makefile
* travis: fix pip cmd; enable py3 testing
* A bit more logging before phone validation
* Youtube oembed via https now; handle more status codes and errors better
* pep8/pycodestyle cleanup
* store project icon file hash
* shorter tracebacks on error debug pages
* Switch web debugger from Backlash (fork of werkzeug) to current werkzeug
* added new app.sitemap_xml() that is used when generating sitemap.xml
* Add logging if an index task unexpectedly has "dirty" objects to save back to mongo
* Fix latest pyflakes violations
* oauth_begin() to check scopes on an existing token
Version 1.12.0 (October 2019)
Upgrade Instructions
Run: `pip install -r requirements.txt` to install updated dependencies
If you wish to opt-in existing users to username notification emails, run:
`paste script your-ini-file.ini allura/scripts/set_default_user_notifications.py`
Username mentions and profile page changes:
* [#8284] Implement the notification email sender
* [#8285] Add a preference area for user mentions notifications
* [#8323] Trigger notification task per each artifact creation/modification and add tests
* [#8324] documentation for user mentions feature
* [#8330] Nicer user-project urls (for underscores) and titles
Security
* [#8335] Generic search doesn't do permission checks
Performance
* [#8332] Fix slowness on some large files in code repos
* [#8334] Python-ombed has no timeout by default
* [#8313] Make saved search cache expiry configurable, disable-able
Admin
* [#8318] Admin option to generate password reset link
* [#8331] Remove export controls settings
For Developers
* [#8314] @memoize on methods should still allow garbage collection
* [#8321] Unhandled error in Antispam class
* [#8320] Upgrade various packages
* [#8325] Upgrade more packages
* Update docs to match git/httpd config from [12f1d6]
* Publicize XSS vulnerability in 1.11.1 changes
Version 1.11.1 (July 2019)
Upgrade Instructions
Run: `pip install -r requirements.txt` to install updated dependencies
If using docker, run: `docker-compose up -d --no-deps --build http`
New Features
* [#8283] Add infotip for user mentions
Bug Fixes:
* [#8315] XSS vulnerability when adding another user to a project
* [#8312] Flash message regression due to TG upgrade
* [#8317] Docker image for git/http not working for pushes
* [#8316] Award/accolades error if project is removed
* [#8299] More precise markdown @username regex
For Developers
* Improve .ini notes about static caching in production
* [#8300] Update to py3-compatible Pypeline pkg
* [#8311] Split up and organize requirements.txt
* Publicize security fix in 1.11.0 changes
Version 1.11.0 (June 2019)
New Features
* [#5461] Option to subscribe to forums and other types of threads, when posting
* [#8253] Adding reaction support for comments
* [#8263] Indicate current reaction of comment
* [#8274] Add optional HaveIBeenPwned checks for password changes
* [#8281] Enable user mentions in markdown editor
* [#8282] Implement autocomplete list to selected users for mentioning
Upgrade Instructions
Run: `pip install -r requirements.txt` to install updated dependencies
Run: `python setup.py develop` in the `Allura` subdirectory
Recommended: `pip uninstall -y WebFlash WebError Pylons Tempita simplejson Routes` to remove old dependencies
Recommended, after upgrade is complete: in mongo, run `db.repo_commitrun.drop()` to free up storage space
To enable haveibeenpwned.com password checks:
Add to your .ini file the `auth.hibp_password_check` and following settings from `development.ini` and set to true.
Run: `paste script your-ini-file.ini allura/scripts/backfill_previous_login_details.py`
Security
* [#8303] CVE-2019-10085 Apache Allura XSS vulnerability in ticket user dropdown selector
Code Repositories
* [#6440] incorrect diff encoding (original in ru_RU.UTF-8)
* [#8264] AssertionError from git branch lock file
* Clear localStorage of merge request descriptions after successful create or edit
Discussion Forums
* [#8237] Moving discussion thread breaks attachments
General
* [#8261] Embed youtube videos without cookies
* [#8269] External link redirects should be 302 instead of 301
* [#8270] External link tool: rel=nofollow, omit from sitemap
* Track menu mount_point explicitly, fixes [#8270] regression of unconfigurable external links
* [#8289] Parse error in allura.tasks.mail_tasks.route_email
* Fix project-wide search with unicode terms
* Use correct vars in flash error message, when trying to send too many messages
* For fields like username/email/password fields, set some autocomplete/capitalize hints
Admin
* [#8302] Screenshot caption inputs not clickable in chrome
* [#8256] Drag-to-reorder on touch screens
* [#8280] Faster spam controls in discussions
Performance
* [#8271] Remove CommitRun usage
* [#8272] Really big artifact_feed queries
* [#8298] Use jinja caching settings for EW core widgets
* Lazy load /tree controller (self._commit.tree can run compute_tree_new and svn info2 for example), and run .ls() only once
For Developers
* [#8081] Subscriptions page should have the issues' Title column - migration script bugfixes
* [#8093] Developing Mobile Web View
* [#8222] TestForumMessageHandling fails occasionally
* [#8259] Update docker & docs for newer Ubuntu LTS
* [#8265] Update spam filter plugins
* [#8268] Make TroveCategory shortname unique per trove type
* [#8273] Upgrade TurboGears and WebOb partially
* [#8276] Turbogears 2.3.2 upgrade followup fixes
* [#8277] UnicodeDecodeErrors with weird url params
* [#8278] Track previous login details
* [#8279] Additional login security checks
* [#8286] Upgrade TG/etc more, remove pylons etc
* [#8287] Backfill all previous_login_details - NEEDS SCRIPT
* [#8288] Remove genshi templates, update EasyWidgets to py3-compatible
* [#8290] Move previous_login_details to a separate collection
* [#8291] Upgrade timermiddlware
* [#8295] error with latest EasyWidgets and debug=false
* [#8296] Regression on branches with "/" in name
* [#8301] Fix some issues with encoding in urls
* Release script: sort tags better (like 1.10 after 1.9)
* Avoid git directory clashes in tests
* Remove vagrant config
* Fix linter test when certain number of files are being linted, and files list is empty
* Upgrade colander and its dependencies
* Remove unused menus() function
* Update Node.js 4.x to 10.x
* Update our git repo URL
Version 1.10.0 (October 2018)
New Features
* [#8230] Make markdown checklists interactive
* [#6923] Support emoji shortcodes
* [#6299] Support attachments on blog posts and new forum topics
Upgrade Instructions
Run: `pip install -r requirements.txt` to install updated dependencies
Run: `paster script your-ini-file.ini ../scripts/migrations/034-update_subscriptions_ticket_and_mr_titles.py` in Allura dir
If you have your own .ini file (recommended), add `disable_entry_points.allura.theme.override = responsive` to it
Security
* [#8255] Escape html on wiki & blog diff views
Uploads & attachments
* [#2578] Handle BMP images
* [#6560] if same filename used, screenshot thumbnail not update
* [#8043] Animated gif attachment silently converted to static gif
* [#8238] Delete screenshot doesn't show any confirmation
* [#8239] Screenshots lightbox
* Add validation for screenshot file input
Accounts
* [#7459] Show password requirements on forms
* [#8244] Warn user if attempting to send messages when messaging is disabled
* [#8081] Subscriptions page should have the issues' Title column
* [#8233] Add "title" to envelope icon
Discussion Forums
* [#8232] DuplicateKeyError can happen on forum thread ids
* Make forums admin inline editing layout better
Admin
* [#8225] Component delete everything end up with 404
* [#8242] When deleting module and user at permissions page still gives 404
* [#8247] Project Categorization select and button are attached together
* [#8248] Module rename dialog accepts empty inputs
* Enforce a format for GA tracking id
* Fix _id var name (affects user searches where *anonymous/None is in results)
Code Repositories
* [#8231] Forking a repo doesn't keep the default branch
Wiki
* [#8246] Set Home dialog validation fix
Blog
* [#8249] Blog revert gives 405 Method Not Allowed
For Developers
* [#8093] Developing Mobile Web View
* [#8240] Personal Dashboard - Add dashboard docs
* [#8241] SMTP maximum allowed line length
* [#8243] Template extension point to wrap all content
* [#8245] Rename "row" and "column" classes
* Restore srcset support for img tags in HTML
* Upgrade paster packages to latest versions
* Allow more admin page customization via some div classes, and jinja block
* Santize more in paging_sanitizer() to avoid errors on invalid URL params
* Error handling around invalid pagination limits
Version 1.9.0 (September 2018)
New Features
* Personal Dashboard, showing your own tickets, merge requests, projects, etc
* [#8196] Save content before form submission
* [#8085] Add support for checkboxes to the markdown converter
Upgrade Instructions
Run `pip install -r requirements.txt` to install updated dependencies
Run: `paster ensure_index development.ini` in Allura dir
General
* [#8212] Github import error on deleted users
* [#8217] Content doesn't get saved when rate limit is hit
* Improve new external link dialog
* Fix scrollbar issue in "get link" dialog
* Add search help about specific fields, to blog, chat, discussion, wiki tools
* Audit log table fits better
* Make project status UI more prominent
* Better project import validation
Accounts
* [#8199] 2FA recovery codes file - line endings
* Don't list your own u/username project as going to be orphaned when disabling your account
* Only float profile project icon to left, avoid possible emoji img like in "Allura™"
Administration
* [#8186] Make antispam form post expiration configurable
* [#8197] Site admin searches match better
* [#8198] Ability to remove activity entries
* [#8210] Use different tmp dir for code snapshots
* [#8211] Use different tmp dir for project exports
Wiki
* [#1699] Fix incoming email for wiki pages with space in the title
* Show wiki edit link & login prompt, based on actual perms, not just whether user is logged in
Code Repositories
* [#6070] Make code snapshots based on directory
* [#8194] Persist the list of commits on Merge requests
* [#8200] Update GitPython to support git >= 2.15
* [#8201] Mask/hide email addresses in commit messages
* [#8214] Compute merge request commits in background
* Avoid calling _git.heads unnecessarily
Tickets
* [#6353] Pre-fill "private" using URL param
* [#8149] Bulk Delete for tickets
* [#8213] Nested replies don't update ticket timestamp
* [#8224] Ticket subscriptions orphaned when moving tickets
* Avoid error when closing a private ticket created by a deleted user
For Developers
* [#8195] More test coverage for rate limiting
* Use correct capitalization for solr "OR"
* Upgrade jinja to 2.10 and avoid bytecode versioning problems
* wrap export controls area on metadata admin page
* Don't generate SHA1 files any more, per ASF policy update
* Provide another master template block to hook in after the "block head" that many individual templates are using (without calling super)
* Support video_url field in project import
* Add a note to the debug section about how to do it with docker
* Make debug pages and post permalinks work correctly when behind a proxy (like docker)
* refreshrepo.py option to control creating activity, firing webhooks, etc
* Option in refreshrepo.py to clean commits after certain date
* Publicize previous security fix in changelog
Version 1.8.1 (March 2018)
New Features
* [#8192] StopForumSpam filter and moderation+spam update
* [#8193] Allow rate-limiting of comments
General
* [#4841] Anonymous updates should be moderated
* [#8182] Improve category management screens
* [#8183] Browse Commits graph should support hi-dpi
* [#8184] Project Importer should include optional icon
* [#8185] Allow additional domain patterns for inbound email
* [#8187] Make forum thread subjects editable
* [#8191] Remove html-only mailing options
* Adds convenience property for Neighborhood shortname
* Fix visual style on a modal cancel button
* Add tool_data field, use ProjectRegistrationProvider shortname validator, cleanup
* Ensure after a pwd reset, you can still log in. Test improvements.
Performance:
* [#8189] Fix slow forum listings
* [#8188] Config options for some scm limit params
Security:
* [#8190] HTTP response splitting vulnerability CVE-2018-1319
* Remove md5 from our release script, per latest ASF dist policy
* Publicize previous security fix in changelog
Version 1.8.0 (February 2018)
New Features
* Notify user of password changes, and more login audit logging
* [#7908] Docker setup for production environment
Upgrade Instructions
Run `pip install -r requirements.txt` to install updated dependencies
To subscribe merge request creators to their own merge requests, run:
paster script config-file.ini ../scripts/migrations/032-subscribe-merge-request-submitters.py
Bug Fixes & Minor Improvements
Security:
* [#8180] StaticFilesMiddleware allows directory traversal CVE-2018-1299
* [#8155] Record logins to audit log
* [#8156] Notify user of password changes
* [#8158] Add antispam measures to login page
* [#8159] Loosen ip requirements for antispam checks
General:
* [#6342] Errors in ForgeLinkPattern parsing
* [#8160] UnicodeEncodeError processing inbound email
* [#8169] Updating markdown cache should not affect last_updated
* [#8172] Markdown dialog shows same text repeatedly
* [#8176] Don't show related artifacts that user can't view
* Make Youtube embed work better with different CSS
* Allow a legacy icon (no original stored) to still be served when a larger width is requested
* If small icon requested, allow resizing down from old icons even if we don't have newer fullsize original
* Add a stylized search button to sidebar search boxes
* When reindexing, set c.app based on current artifact to avoid "Ambiguous link..."
* Make sure fontawesome never is downloaded twice, since we always provide it
* Upgrade to pygments 2.2 (includes faster HTML rendering for long lines)
Code Repositories:
* [#7896] Better plaintext mail for commit notifications
* [#8048] Better email subjects for merge request updates
* [#8157] Improvements to multiple commits in single notification
* [#8164] Merge requests should notify the submitter of changes HAS MIGRATION SCRIPT
* Handle repo's upstream fork being gone, rather than whole sidebar being blank
* Fix git merge requests to not update project last_updated when viewed.
* Show a root directory icon in the repo directory breadcrumbs too
* If a user can "write" to a MR but not "post" to it, still let them reject their MR
* Clarify a bit that a repo refresh is different than just refreshing the page
* Put the disabled attr on the merge button, not the icon within it
* Handle git 2.x output for last-commit detection
* Fix url encoding of diff urls
* Ensure markdown always gets unicode input (e.g. for rendering files from a repo)
* Fix encoding errors noticed in test.log when running tests with weird-chars.git repo
News:
* [#8167] errors when updating blog post, if feed item doesn't exist
Activity:
* [#8171] Changing your name should update your activity records
* [#8173] Empty activity pages have floating "1"
Wiki:
* [#8175] Better permission handling for non-existent wiki pages
Tickets:
* [#8177] Search bin counts include deleted items
* [#8178] Configurable invalidation delay for bin counts update
* Don't error on search_feed if ticket has unresolvable reporter
* Avoid errors on ticket search if filter=123 or =foo instead of json dict
Forum:
* Better labels & buttons for creating new forum
* Cache Thread.last_post, which avoids dupe queries when the prop is accessed frequently, e.g. in allura/templates/widgets/threads_table.html
* Include thread subject on spam check (for first post of forum threads)
Admin:
* [#8162] When purging a project, admin users missing audit log
* [#8174] Improve messaging around icon uploads
* Improve user skills interface:
* Allow subprojects within User-projects to be removed (since you can create them, after all)
* Fix positioning of Create project button
* Add username to admin user detail page title
* Provide convenience link on admin user detail page to remove all their projects
* Stronger delete tool messaging (since some people may use it while on an individual thread page)