-
Notifications
You must be signed in to change notification settings - Fork 5
/
CHANGES.TXT
3521 lines (3195 loc) · 168 KB
/
CHANGES.TXT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Please read ``doc/upgrading.txt`` to see how to bring you Roundup version
up to date with changes listed in this file. This may require schema
and template changes not listed here.
Each entry has the developer who committed the change in brackets.
Entries without name were done by Richard Jones.
**IMPORTANT** The v1.5.x releases of Roundup were the last to support
Python v2.5 and v2.6. Starting with the v1.6 releases of Roundup
v2.7.2 is required to run newer releases of Roundup.
2019-??-?? 1.6.1
Features:
- doc updates. Link rot fixed and some grammar changes.
'Provisional User' config example fixed. Issue tracker is
now https. (John Rouillard)
Fixed:
- issue2550994: avoid breakage caused by use of backports of Python 3
configparser module to Python 2. (Joseph Myers)
- issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used - separators rather than _. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier, reviewed/applied John Rouillard.)
- issue2551035 - fix XSS issue in wsgi and cgi when handing url not
found/404. Reported by hannob at
https://github.com/python/bugs.python.org/issues/34, issue opened by
JulienPalard.
- issue2551029: Jinja2 template install error. Remove config.ini
from templates to make sure that roundup-admin install writes a new
default config.ini based on configuration.py.
- issue2551029: Jinja2 template install error. Handle issue with
template's config.ini not getting updated. Provide an alternate
file: config_ini.ini for required config settings that are merged
into the default values producing an up to date config.ini on
install.
2018-07-13 1.6.0
Features:
- issue2550894: migrate test suite and run_test.py to py.test (John Kristensen)
- issue2550880: Ability to choose password store scheme and SSHA
support. Discussion on devel list is tending in favor of this patch.
Embedded test works, my manual test with a SSHA password
assigned to a user allowed the user to log in. Ran the test suite
and the tests that were not skipped passed. (applied by John Rouillard)
- New Link/Multilink property attribute 'msg_header_property', can be
used to configure additional headers in outgoing emails. See
documentation in ``doc/customizing.txt``. (Ralf Schlatterbeck)
- Allow multiple file uploads: If the html template specifies
multiple="multiple" for a file upload the user can attach multiple
files and the form parser now handles this. (Ralf Schlatterbeck)
- issue2550886: Add support for an integer type to join the existing
number type. This can be used for properties used for ordering,
counts etc. where a decimal point isn't needed. Developed by
Anthony (antmail). Doc updates written by John Rouillard. (applied
by John Rouillard)
- Updated html/_generic.404.html to use the page template. So 404
errors now include the left hand menu, a proper page title and
body content. Note added to doc/upgrading.txt on how to add it to
deployed trackers. (John Rouillard)
- issue2109308 - Allow subject of nosy messages be changed from reactor
Adds a subject parameter to nosymessage function. Patch initally
generated by Frank Niessink. Tests, adaptation by John Rouillard.
- issue2550683 Allow indexargs_form filter variable exclusion.
Patch generated by Bruce Tulloch (bruce). Applied and docstring for
indexargs_form updated by John Rouillard. Patch description is:
This is required to allow indexargs_form to be used in conjunction with
other form variables which *replace* some filterspec parameters.
One must exclude all variables from the indexargs_form call which are to
be replaced with values that are derived from other form input elements,
otherwise they will clash with the "hidden" input elements generated by
indexargs_form itself.
For example:
<tal:block replace="structure python:request.indexargs_form(
sort=0,group=0,filter=0,columns=0,
exclude=['type','status','assignedto'])"/>
where the variables type, status and assignedto are supplied via other
form input elements. Without the new exclude argument to indexargs_form,
all hidden input elements otherwise generated by this call would need to
be manually added to the template code. Further, given that the template
may not know what other variables may be defined, it may not even be
possible to code this without some python helpers.
[ rouilj I think this is an example usecase. Possible assignedto
users need to have a specific role. Create TAL that
filters the users to the select few. Defines a select list for
assignedto. Use exclude=['assignedto'] to prevent the
indexargs_form from generating a confliciting assignedto field
which lists all users regardless of the role.]
- allow user to recover account password using an entry in the
Alternate E-mail addresses list. See:
http://psf.upfronthosting.co.za/roundup/meta/issue564
for description. Merge request at:
https://sourceforge.net/p/roundup/code/merge-requests/1/
Patch supplied by kinggreedy. Applied/tested by John Rouillard
- issue2550636, issue2550909: Added support for Whoosh indexer.
Also adds new config.ini setting called indexer to select
indexer. See ``doc/upgrading.txt`` for details. Initial patch
done by David Wolever. Patch modified, docs added and committed
by John Rouillard.
- issue2550803: Replying to NOSY mail goes to the tracker through
reply-to, not original message author.
Created new [tracker] replyto_address config.ini option to allow:
1) setting reply-to header to the tracker
2) setting reply-to header to the address of the author
of the change
3) setting it to a fixed address (like [email protected])
Done by John Rouillard from proposal by Peter Funk (pefu)
in discussion with Tom Ekberg (tekberg). See doc/upgrading.txt.
- issue1714899: Feature Request: Optional Change Note. Added a new
quiet=True/False option for all property types. When quiet=True
changes to the property will not be displayed in the::
confirmation banner (shown in green) when a change is made
property change section of change note (nosy emails)
web history display for an item.
Note that this may confuse users if used on a property that is
meant to be changed by a user. It is most useful on administrative
properties that are changed by an auditor as part of a user
generated change. Original patch by Daniel Diniz (ajaksu2)
discussed also at:
http://psf.upfronthosting.co.za/roundup/meta/issue249
Support for setting quiet when calling the class specifiers:
E.G. prop=String(quiet=True) rather than::
prop=String()
prop.quiet=True
support for anydb backend, added tests, doc updates, support for
ignoring quiet setting using showall=True in call to history()
function in templates by (John Rouillard). (Note implementation
changed while implementing fix for issue2550864. Filtering of
quiet properties pushed down to the hyperdb.py::Class::history
function. This fixes a small bug in the implementation that caused
a limiting the templating history call to display fewer than the
the requested number of items if some were quiet.)
- issue2550767: Add newitemcopy.py detector to notify users of new
items. Added to detectors directory and a README.txt generated to
describe the purpose of the directory. It also says the detectors
are provided on an as-is basis and may not work. Detector by W.
Trevor King (wking), rest by John Rouillard.
- issue934009: Have New Issues Submitted By Email *Not* Change Body!
The mailgw config options: keep_quoted_text and leave_body_unchanged
can now have a new values: new. If set to new, keep_quoted_text acts
like yes if the message is starting a new issue. Otherise it strips
quoted text. This allows somebody to start a new issue by forwarding
a threaded email (with multiple quoted parts) into roundup and
keeping all the quoted parts. If leave_body_unchanged is set to
new, even the signature on the email that starts a new issue will be
preserved.
- New cgi action restore (RestoreAction) which reverses the effects of
the retire action. Created while implementing fix for
issue2550831. Requires restore permission in the schema. See
upgrading.txt for migrating to 1.6.0 for details. (John Rouillard)
- issue2550751: Email Header Issue. Noel Garces requested the ability
to suppress email headers like "x-roundup-issue-files". With Ralf's
addition of the Link/Multilink property attribute
'msg_header_property' we can do this easily. Setting the
'msg_header_property' to the empty string '' (not to None) will
suppress the header for that property. (John Rouillard)
- issue2550891: Allow subdir in template value. Anthony (antmail)
requested the ability to put templates into subdirectories. So
the issue class can accept @template=issues/item to get the
html/issues/issue.item.html template. See ``doc/upgrading.txt``.
- issue1842687: Keywords: After creating, stay in "Create New" mode.
Change to classic tracker template to provide a check box (checked
by default) that keeps the user on the "Add new keyword" page after
submitting a new keyword. Usually after submission, you will see the
the page for the new keyword to allow you to change the name of the
keyword. (John Rouillard)
- issue2550757 - internal restructuring to allow admin.py to be tested
more easily. W. Trevor King (wking)/ John Rouillard.
- When storing user-defined queries we now store the template with the
query if the template name is different from 'index'. This allows
stored queries for templates different from the default 'index'
template. (Ralf Schlatterbeck)
- Number properties now have an optional attribute use_double to request
double precision float as the storage type for this property. (Ralf
Schlatterbeck)
- issue2550796: Calendar and Classhelp selection tools don't cause
onchange event to be triggered.
Using the helper popups for modifying lists of users, lists of
issues, dates etc.. now trigger the change event on the form's
field. This allows onchange javascript to trigger to highlight
changes, recalculate other form values etc. See ``upgrading.txt``
for details on applying these changes to your tracker. (John Rouillard)
- menu template function has a new parameter "showdef". When set to a
string, the string is appended to the displayed option value. This
allows the user to reset the value for the menu (select) to the
original value. (John Rouillard)
- @template html url parameter can be set to "oktmpl|errortmpl". When
a form is submitted, if the form passes validation the oktmpl is
used for the resulting page. If the form fails submission the
errortmpl page is used to display the form. The errortmpl will
usually be the same template used to edit the form. See the section
on "Implementing Modal Editing Using @template" in
``customizing.txt``. (John Rouillard)
- New form of check function is permitted in permission definitions.
If the check function is defined as:
check(db, userid, itemid, **ctx)
the ctx variable will have:
ctx['property'] the name of the property being checked or None
ctx['classname'] the class that is being checked or None
ctx['permission'] the name of the permission (e.g. View, Edit)
At some future date the older 3 argument style check command will
be deprecated. See ``upgrading.txt`` for details.
- New property for permissions added to simplify the model. See
``customizing.txt`` and search for props_only and
set_props_only_default in the section 'Adding a new Permission'.
(John Rouillard)
- issue2550690 - Inadequate CSRF protection. Improvements in
Cross Site Request Forgery protection to check HTTP headers
and nonces. If the header/nonce is present, they are
validated. But if headers or nonces are missing access is
granted. The enforcement policy can be set in config.ini.
Requiring enforcement will need some changes to
templates. Support for protecting xmlrpc endpoint not well
tested. See ``upgrading.txt``. (John Rouillard)
- Added support for using the SameSite cookie option on the
session cookie. Default is lax, but there is a settable
option in config.ini file to change to strict or
suppress it entirely. See ``upgrading.txt``. (John Rouillard)
- Added a new roundup-admin command: updateconfig. Similar to
genconfig but it uses values from an existing config.ini
rather than default values. Use to update an existing
config.ini with new options and help text. (John Rouillard)
- issue2550864: Potential information leakage via journal/history
Hyperdb history function now only returns properties that the user
can View or Edit and links to objects the user can see. Can be
overridden by setting a parameter when calling the method.
Also restructured code that implemented issue1714899 moving it
from the templating class to the hyperdb. (John Rouillard)
- Improves diagnostics for mail processing: When using logging level = DEBUG,
bounces and bounce problems are logged. (Bernhard Reiter)
- In roundup-server, pass X-Forwarded-For and X-Forwarded-Proto
headers as the environment variables: HTTP_X-FORWARDED-FOR and
HTTP_X_FORWARDED_PROTO. If the user is running roundup server behind
a proxy, these headers allow the user to write extensions that can
figure out the original client ip and protocol. None of the core
roundup code uses these headers/env vars. These headers can be
spoofed by bad proxies etc. so you have been warned.
- issue2550799: provide basic support for handling html only emails
Emails missing text/plain parts but with text/html parts can be
converted into text. If this is done the email will no longer be
bounced back to the sender with an error. Enable by configuring the
convert_htmltotext option in your upgraded config.ini. (Initial
patch by Igor Ippolitov merged with changes by John Rouillard.)
- Add a 'retired' parameter to Class.filter to allow searching for
retired, non-retired or all (retired and non-retired) items similar
to the argument of the same name to Class.getnodeids. This is 'False'
by default (finding only non-retired items for backwards
compatibility) and can be set to None (for finding retired and
non-retired items) or True (for finding only retired items).
- Requires Python 2.7 now, indicated in version_check.py
and doc/installation.txt. (Bernhard Reiter)
- New -L flag to roundup-server to send http/https request logs
through the python logger module (using roundup.http). This allows
automatic log rotation. Without it, log file rotation requires restarting
the server. (John Rouillard)
- Part of issue2550960. Applied patch 0038 to upgrade documentation
code examples to support both python 2 and 3. (Joseph Myers)
- Release no longer includes binary windows installer. Pypi no longer
accepts it for upload.
Fixed:
- issue1615201: Optionally restore the original (version 0.6) mailgw
behaviour of ignoring a Resent-From:-header and using the real
From-header instead: new configuration option EMAIL_KEEP_REAL_FROM
(Peter Funk aka Pefu).
- issue2550717: Changed a couple of residual email references into
E-Mail in German translation (John Rouillard)
- issue2550669: Adding documentation for csv_field_size to the
customizing tracker section of doc/customizing.txt (John Rouillard)
- issue2550601: gsoc-2009 "bug" class doesn't have "patches" property
Added multilink to patches to the bug schema in the devel template.
(applied by John Rouillard)
- issue2550748: Crash when creating new issues with non-existing
multilink values (in classic template). Applied patch so it
now errors the same way as an update does. (applied by John Rouillard)
- issue2550757: one bug raised by issue fixed. Patch created by
W. Trevor King (wking) for documentation of mailgw applied by
John Rouillard.
- Fix processing of additional arguments to cgi method 'menu': This
would not work if more than one additional argument is used.
(Ralf Schlatterbeck)
- Update documentation of some existing property attributes (like
'do_journal' for Link/Multilink properties), this also adds missing
documentation for issue1444214. (Ralf Schlatterbeck)
- issue2550763 Strip whitespace from Multilink values after + or -.
(W. Trevor King) Test heavily modified by John Rouillard. (applied
by John Rouillard)
- issue2550907 Fix errors when creating documentation. Work done by
Peter Funk (pefu). (Applied by John Rouillard with small change
omitting obsolete security.txt.)
- issue2550826 Capture some exceptions from auditors/reactors and
raise a DetectorError instead. This allows failures like IOErrors
from the detectors (e.g. unable to access files) to be handled.
Previously an IOError just resulted in no output (premature end of
headers under apache). Problem diagnosed and initial patch created by
Tom Ekberg (tekberg). Further testing and patch change done by
John Rouillard.
- issue2550851 in installation doc removed directions for
installing additional codecs for Asian languages. They
they appear to be part of the standard python since at least 2.6.
Also the quoted url is obsolete. See ticket if you think you need
the codecs.
- issue2550823 improve mailgw logging for node creation errors.
Patch by r.david.murray (applied by John Rouillard).
- issue2550549 Postgres error on message templating
Exception gets thrown and not captured if nodeid is too large
on postgres. Added a check in rdbms_common layer that max nodeid
is < 2^31 -1. Large nodeid now return no such id error upstream.
Patch idea from: martin.v.loewis. (John Rouillard)
- issue2550723 Fix propagation of @pagesize
When @pagesize=0 is specified (indicating show all), the value of
pagesize is not propigated to the prev link. This patch fixes that.
Patch provided by John Kristensen. (Applied, light testing by John
Rouillard.)
- issue2550850 anypy/email_.py uses BSPACE which is not defined in python 2.7
Supplied a definition for BSPACE since it seems to not be defined
anywhere. Reported by Dennis Boone. (John Rouillard)
- Validate properties specified for sorting and grouping in index
views. Original patch from martin.v.loewis via:
https://hg.python.org/tracker/roundup/rev/439bd3060df2
Applied by John Rouillard with some modification to properly
identify if the bad property is a sort or grouping property. Tests
added.
- Validate Integer and Numeric type filter parameters rather than
passing output down to db level. Initial patch at:
http://hg.python.org/tracker/roundup/rev/98508a47c126 by
Martin.V.Loewis. Numeric test patch applied, Integer code and tests
developed by John Rouillard.
- issue1926124: fix crash in roundup_admin migrate option.
Patch submitted by Henry (henryl), modified value to False
since this produces the correct "No migration action required"
output from the migrate command.
- issue2161722: oudated docs (sic)
Fix old entry in FAQ, update roundup-server config docs and
example file from current roundup-server output. Update
some typos in .py files. John Rouillard.
- issue2550572: setting nosy=+foo on multiple issues gives them all
the same exact nosy list. Fixed a missing reinitialization that has
to occur every time though the loop in do_set. Manual tests work.
(John Rouillard)
- issue2550653: xapian search, stemming is not working
This is a partial fix for the issue. It does make stemming work
(so searching for silent will also return docs with silently in
them). However to do this we need to lowercase the text so the
porter stemmer will work. This means capitalization is not
preserved. Fix done by David Wolever (wolever). Committed and doc
updates John Rouillard.
- issue2550855: "show unassigned" link shows all open issues if not
logged in. This adds permission for the anonymous user to search
the users class. Without this the unassigned search can't see if
there is a user assigned to an issue, so it acts like all open
issues. Patch supplied by Stuart McGraw (smcgraw). For caveats
see ``upgrading.txt`` and the comments in the default templates.
(Docs created and applcation by John Rouillard)
- issue2550854: including new field in All text* search.
Fixed documentation in customizing.txt. The default for indexme on
String fileds is 'no' not 'yes'. So to get a new string field into
the full text/all text index you need to use String(indexme='yes').
Reported by Michael Belleville. (John Rouillard)
- issue2550853 - better error handling and cleanup on some postgres
tests by Stuart McGraw.
- issue2086536 - back_postgresql: fixing pg_command and prefering
psycopg2. Patch done by Philipp Gortan (mephinet). His patch
also improves handling of retryable errors. Applied and
edited by John Rouillard. Edits included removing support for
psycopg1. See:
https://sourceforge.net/p/roundup/mailman/message/32855027/
for rational for dropping it.
- issue2550831: Make the classic template query.edit page work.
Many fixes and improvements. See ``upgrading.txt`` for details.
Diagnosis and fix with patch by R David Murray. Support for
restoring retired but active queries, html layout changes and doc
by John Rouillard.
- issue2550785: Using login from search (or logout) fails. When
logging in from a search page or after a logout it fails with an
error. These failures have been fixed. The fix also keeps the user
on the same page they started from before the login. There are two
parts to this: 1) changes to the templates to properly define the
__came_from form element. See ``upgrading.txt``. 2) code changes
to the LoginAction code in roundup/cgi/actions.py. (John Rouillard)
- issue2550648 - partial fix for problem in this issue. Ezio Melotti
reported that the expression editor allowed the user to generate an
expression using retired values. To align the expression editor with
the simple dropdown search item, retired values are now removed from
the expression editor. (We have an open question as to whether this
is desirable.)
- issue2550743 - Reindex with MySQL Server failed. It looks like
indexing large documents may require increasing mysql's
max_allowed_packet setting. Documented the issue in doc/mysql.txt.
Possible solutions include: increasing value of MySQL parameter,
changing the full text search engine to whoosh or xapian. Problem
report by telsch. Analysis/doc by John Rouillard.
- issue2550882. Reported by Karl-Philipp Richter. Fixed
installation.txt documentation to include better directions on
starting roundup-server on different ports/ip addresses. Also
updated man page to include default use of localhost for -n and use
of -n 0.0.0.0 to bind to all addresses on the host. (John Rouillard)
- issue2550827, issue2550718. Doc additions so people know that a
python 32 bit installation may be required for windows. Additional
documentation on the requirement of pywin32 for running roundup as a
windows service. Also the windows installer must be run as
administrator and strong encouragement for installing the pytz
module added to ``doc/installation.txt``.
- issue2550776: imapServer.py problem. Fixed a missing initialization of the
logging level if no logging level option is supplied. (John Rouillard)
- issue2550839: Xapian, DatabaseLockError: Unable to get write lock on
db/text-index: already locked. Put in a retry loop that will attempt
to get the lock. Total delay approx 4.5 seconds. (John Rouillard)
- issue2550727: db.newid is broken with sqlite. Added proper transaction
lock around the sql code to get a new id. The the locking
that pysqlite attempts had to be defeated because it is broken.
Had to explicitly manage transactions with BEGIN IMMEDIATE and call
sql_commit. Note that this reduces performance in return for accuracy.
Problem reported by Matt Mackall (mpm) (John Rouillard).
- issue2550701: Path traversal from template names. This affects the
tal based template engines (zopetal, chameleon). If a directory
with a specific name is created in the html subdirectory, the
template name in the url can be used to get access to files outside
of the tracker html directory. This has been fixed by normalizing
the path and comparing to the normalized path for the html
directory. See ``doc/upgrading.txt``. (John Rouillard)
- Fix subject parsing in mail gateway. The previous parsing routine
would not ensure that arguments are at the end of the subject and when
subject_suffix_parsing was configured to be 'loose' it would truncate
the subject when encountering a double prefix, e.g.
Subject: [frobulated] [frobulatedagain] this part would be lost
(Ralf Schlatterbeck)
- issue2550795: @dispname query args in page.html search links
not valid html. Some queries with names that include spaces are not
properly url encoded/quoted. I.E. a space should be replaced with
%20. Fixes to allow a url_query method to be applied to
HTMLStringProperty to properly quote string values passed as part of
a url.
- issue2550755: exceptions.NotFound(msg) msg is not reported to user
in cgi. When an invalid column is specified return error code 400
rather than 404. Make error code 400 also return an error message to
the user. Reported by: Bernhard Reiter, analysis, fix by John Rouillard.
- issue1408570: Finally fix that form values are lost on edit
exceptions. This occured for example if editing an issue with the
classic template and setting 'superseder' to a non-existing issue
number. All changes to the form where the original field was non-empty
were lost. (Ralf Schlatterbeck)
- Fix submit_once Javascript function: This needs to return a boolean
value (not and integer like 0 or 1). And the work-around for an
ancient version of Internet Explorer would make it break for a recent
Firefox. The old version would show the popup but after clicking away
the alert it would load the page. The new version (tested with
Chromium and Firefox) doesn't load the page. (Ralf Schlatterbeck)
- Fix Traceback in backends/portalocker.py on windows due to missing
windll import, thanks to Heiko Stegmann for suggesting a first fix.
(Ralf Schlatterbeck)
- issue2550933 - Fix Traceback in cgi/templating.py when a string is
passed to PasswordHTMLProperty::plain. (John Rouillard)
- issue2550934 - templating.py-indexargs_form() returns id's as
space separated list not comma separated. This fixes the format of
the id url parameter when generated by indexargs_form. (John
Rouillard)
- issue2550932 - html_calendar produces templating errors for bad date
strings. Fixed to ignore bad date and highlight todays date in the
calendar popup.
- Query handling requires that query names for a user are unique.
Different users are allowed to use the same query name. Under some
circumstances a user could generate a second query with the same
name. The SearchAction function has been corrected to report this
error. Also the index.search.html template in the classic tracker
and corresponding templates in the other example trackers
has been modified to include:
<input type="hidden" name="@template" value="index|search"/>
so an error from SearchAction will display an error message and keep
the user on the search page so they can correct the error. See
``doc/upgrading.txt``. (John Rouillard)
- When a new named search is created, the index page that is displayed
doesn't show the name. This has been fixed by setting the @dispname
to the query's name. (John Rouillard)
- Passing args into indexargs_url(..,{'@queryname': request/dispname
or None, 'Title': 'some' }) where the value of the arg is None
will not add the arg to the url. In the example above @queryname
will only be in the url if dispname is set in the request.
(John Rouillard)
- The HTMLClass::properties() method produced a list of properties
that the user could not search. As a result these properties can not
be used for sorting or grouping index pages. This patch eliminates
the confusion that results from this mismatch by verifying that all
properties returned are searchable. (John Rouillard)
- Mutilinks can be displayed with their labelprop using the plain()
method, but they can not be looped over using tal:repeat if the user
doesn't have view access to the class the multilink represents. The
permissions check was changed to require that the user have View
access to the labelprop for the class rather than View access to the
class. (John Rouillard)
- issue2550937: fix crash by verifying that sendto is not null before
calling mailer.smtp_send. Discovered and patched by Trent Gamblin.
Applied by John Rouillard.
- removed old code from roundup-admin that implemented the obsolete
config (do_config) command. (John Rouillard)
- Modified configuration option static_files to be a space separated
list of directories to search for static files in the web interface.
If one of the elements is -, the search stops and the TEMPLATES
directory is not searched. See:
https://sourceforge.net/p/roundup/mailman/message/35773357/
subject is "showing template sources to all".
- issue2550945: OpenPGP: Extends newissuecopy.py to encrypt if configured.
(Bernhard Reiter)
- CSRF protection broke the retire function for query edit. Fix
javascript and make sure csrf tokens are provided in the right
places. (John Rouillard)
- query.item.html was missing checks to verify that a query should
be visible to the user. This is fixed and users can only view
queries that they own or that are not private. (John Rouillard)
- issue2550953: Patch: fix for context.is_view_ok check in jinja2 template
Form controls are displayed when anonymous views indexes but is
denied access. (patch by Anton Schur applied by John Rouillard)
- issue2550957: Duplicate emails (with patch).
Bcc and cc users passed to nosymessage are not properly recorded.
This results in duplicate emails. (patch by Trent Gamblin (trentgg)
applied by John Rouillard).
- issue2550954: History display breaks on removed properties
Now changes to removed properties, and link/unlink events from
non-existing properties or classes no longer trigger a traceback.
Concerning the visibility: We have a new config-item
obsolete_history_roles in the main section that defines which roles
may see removed properties. By default only role Admin is allowed to
see these.
- Fix issue2550955: Roundup commits although a Reject exception is raised
Fix the problem that changes are committed to the database (due to
commits to otk handling) even when a Reject exception occurs. The fix
implements separate database connections for otk/session handling and
normal database operation.
- Allow empty content property for file and message via xmlrpc
interface. This used to raise a traceback in the (sql) backend.
- Work around a limitation in python2.7 implementation of poplib (for
the pop3 protocol for fetching emails): It seems poplib applies a
line-length limit not just to the lines involving the pop3 protocol
but to any email content, too. This sometimes leads to tracebacks
whenever an email exceeding this limit is encountered. We "fix" this
by monkey-patching poplib with a larger line-limit. Thanks to Heiko
Stegmann for discovering this.
- Fix issue2550963: After refactoring one-time keys from the main
database we need to commit the password change in the password reset
mechanism separately. This used to be committed by the otk commit.
2016-01-11: 1.5.1
Pay attention:
If you have installed an intermediate version from our version control
system and have modified your tracker instance to escape OK and
error-messages in the HTML templates you need to revert this change.
If you're upgrading from a previous roundup release version
you should look into ``doc/upgrading.txt``. (Ralf Schlatterbeck)
Also note the default user permissions, see ``doc/upgrading.txt``.
Features:
- The example local_replace.py has been updated to show how to link to
modern revision systems using hex revision identifiers.
This extension is used to expand shortcuts in msgs. (Bernhard Reiter)
- Drop comment in user settings about numeric hour offsets instead of using
pytz timezone names. Due to DST these are wrong half of the year, it is
much better to use timezone names. (Thomas Arendsen Hein)
- issue2550793: Wrap messages with very long lines in the web interface.
(Thomas Arendsen Hein)
- New Link / Multilink option "try_id_parsing": Sometimes the key of a
class can be numeric -- in that case roundup will try to parse the
value as an ID when evaluating form values -- not as a key. Specifying
try_id_parsing='no' for these Link/Multilink will skip the ID step,
default is 'yes'. (Ralf Schlatterbeck)
- New configuration option 'isolation_level' in rdbms section. Currently
supported for Postgres and mysql, sets the transaction isolation level.
Wrong history entries for concurrent database updates observed in
issue2550806 can be prevented by setting this to 'repeatable read' if
you want to pay the performance penalty. We test this behaviour in the
regression tests for Postgres but not currently for mysql.
See http://www.postgresql.org/docs/9.1/static/transaction-iso.html
(Ralf Schlatterbeck)
- /xmlrpc endpoint now shows link to XML-RPC documentation if accessed
through browser, without text/xml Content-Type (anatoly techtonik)
- docs: New dedicated chapter for extensions in ``doc/customizing.txt``
(anatoly techtonik)
- Increase default height of classhelp windows from 400 to 600.
(Thomas Arendsen Hein)
- Date properties now can specify (on input) an explicit timezone suffix
(similar to RFC 2822), e.g. +0200 for CEST or -0500 for EST. This also
works in the XMLRPC interface. For examples see roundup.date.Date.
(Ralf Schlatterbeck)
- Add RejectRaw exception to allow unescaped HTML error messages to be
displayed to the user (thanks Ezio Melotti for the initial patch)
(John Kristensen)
- Add rel=nofollow to http and https url's in the body of messages.
This should reduce the value of a public roundup tracker to spammers.
References like issue20 or msg10 will hyperlink without
rel=nofollow so that robots can index them. Similar work was done
for the history display in roundup 1.5.0. (John Rouillard)
Fixed:
- issue2550869 Duplicate mail headers (Reply-To, Message-ID, In-Reply-To)
when sending out email. Reported with first fix by Mathias Behrle.
(Bernhard Reiter)
- issue2550830 An empty LinkHTMLProperty cannot be compared successfully.
Improves the query editing page. Reported and fixed by R David Murray
(Bernhard Reiter).
- Fix Release-date of 1.5.0 in this file (thanks to Bernhard for
discovery) (Ralf Schlatterbeck)
- Pythons cgi form code can return a TypeError, we now guard for this
condition. (Ralf Schlatterbeck)
- Small bug-fix in SQL backends: A query (e.g. in a html menu) with a
where-clause that always evaluates to false now will not raise a
traceback. (Ralf Schlatterbeck)
- Remove Python 2.3 compatibility code for i18n (anatoly techtonik)
- If documentation 'sphinx-build' tool is not found in system PATH,
'setup.py build_doc' command now tries to detect it from PYTHONPATH
(anatoly techtonik)
- Read version and release for generated documentation from
roundup/__init__.py. (Thomas Arendsen Hein)
- Do not throw an internal error if a .mo file can not be read
(Thomas Arendsen Hein)
- issue2550673 Make the "Make a copy" link work by fixing copy_url to properly
handle multilink properties. (John Rouillard)
- issue2550583, issue2550635 Do not limit results with Xapian indexer
(Thomas Arendsen Hein)
- Allow using plain() on unsaved dates in HTML forms
(Thomas Arendsen Hein)
- setup.py now installs static files of the HTML documentation (stylesheets,
images, etc.) (Thomas Arendsen Hein)
- executable .py scripts need "#!/usr/bin/env python", add this to demo.py,
remove exec bits from website/wiki/wiki/data/plugin/theme/roundup.py
(Thomas Arendsen Hein)
- issue2550822: Fix showing more than one additional property in class menu.
Report and fix by James Mack (Thomas Arendsen Hein)
- Fix String search with special SQL wildcard characters in LIKE/ILIKE
clause and add testcase (Ralf Schlatterbeck)
- Fix subtle bug when sorting by a Link that contains a Multilink from
which we also search for an attribute. In that case the LEFT OUTER
JOIN clause was missing in generated SQL. (Ralf Schlatterbeck)
- Fix another XSS issue2550817. Note that the code that triggers that
particular bug is no longer in roundup core. But the change to the
templates we suggest is a *lot* safer as it by default escapes the
error and ok messages now. Thanks to Thibault Fevry for the original
bug-report. (Ralf Schlatterbeck)
- issue2117897: Fixed two more places in date.py where seconds can be
rounded to 60.0 and causing exceptions. Change them to 59.999 as was
done in the fix for issue2550802. (Thomas Arendsen Hein)
- Fix batch.propchanged for transitive id properties (would result in a
backtrace when trying to group by property.id) (Ralf Schlatterbeck)
- Fix issue2550835, the test checks for date-range queries with an
interval that depends on the local time. Put the queried date a little
later to avoid a race condition where the queried interval doesn't
match the date because the clock has advanced. (Ralf Schlatterbeck)
- Apply german translation fixes from Debian team in issue2550761,
thanks to Kai Storbeck for taking the time to report these.
(Ralf Schlatterbeck)
- Fix issue2550843 Pass text of Unauthorised and Login exceptions instead
of the exception instance to avoid traceback with string operations.
(Thomas Arendsen Hein)
- Fix issue2550841 roundup-demo templates not found in virtualenv (John
Kristensen)
- Security: Default user permissions should not include all user
attributes. We now limit this to the username, realname and some
further attributes depending on the schema. Note that we no longer
include the email addresses, depending on your installation you may
want to further restrict this or add some attributes like ``address``
and ``alternate_addresses``. (Ralf Schlatterbeck)
- Correctly recreate the database directory when re-initialising a tracker
instance. (John Kristensen)
- In case of an error, date fields would lose the calendar help, fixed.
(Ralf Schlatterbeck)
- demo.py usage message improved: explains "nuke" now. (Bernhard Reiter)
- Fix issue2550735 Missing doc for xmlrpc schema. Thanks to Cedric Krier
for the patch. (anatoly techtonik)
- Fix two line-break accidents in devel and responsive milestone.item.html
(Thomas Arendsen Hein)
- Fix broken images in legacy spec.html and original_overview.html, and
restore web presence for "Roundup's Design Document" (anatoly techtonik)
- Template jinja2: Updated URL to point to http://www.roundup-tracker.org/,
fixed a typo. (Bernhard Reiter)
- Security: Add mime-type whitelist for attachmens that can be safely
rendered from Roundup without trigerring security bugs in browser
plugins, XSS issues and spam. The option ``allow_html_file`` didn't
provide protection for invalid content-type, in which case browser
tried to guess the best one. Thanks to Kay Hayen for reporting and
helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik)
- Documentation: configuration messages_to_author value "nosy" now documented
in chapter "customizing". (Bernhard Reiter)
- issue2550877 Failures in test_mailgw.py because of duplicated headers
and more precise comparision. Writing headers with the email module will use
continuation_ws = ' ' now for python 2.5 and 2.6. (Bernhard Reiter)
- issue2550870 migrate use of 'rfc822' module to the 'email' module
(Bernhard Reiter/John Kristensen)
- Doctests for roundup.date.Date are now really executable and don't
fail. Bug-Fixes in range properties, open intervals with 'to' didn't
always work. (Ralf Schlatterbeck)
- issue2550881 demo.py: Add pointer how to access demo from remote host.
Suggested by Karl-Philipp Richter. (Bernhard Reiter)
- issue2550884 roundup-mailgw --help text improved to explain the allowed
parameters better. Suggested by by Karl-Philipp Richter. (Bernhard Reiter)
- Fix form-parsing: If multiple new items are added to a multilink
property, the old version would create the new items but only link
one. (Ralf Schlatterbeck)
- issue2550892 (translation error of priority in locale de) Thanks
Martin Thomas Swaton for reporting. (Bernhard Reiter)
- Help-Window now gets focus, this prevents the case that help doesn't
work because an old help-window is below the main window.
(Ralf Schlatterbeck)
- issue2550811 20% fix: jinja2 template engine now has an example
how to use non-ascii unicode contents with a custom filter ('| u').
See updates on http://www.roundup-tracker.org/cgi-bin/moin.cgi/Jinja2
(Bernhard Reiter)
2013-07-06: 1.5.0
Features:
- issue2550775 Added rel=nofollow to links in the journal linking to
attachments to allow the admin to delete attachment spam and prevent
search engines from increasing the rankings. (John Rouillard)
- issue2550808 Enhanced the boolean field template function. Now by
default the labels generated can be clicked on and select the
corresponding radio button. Also can create a trivalued radiobutton
(yes/no/unknown) as well as customize the labels for the
yes/no/unknown radio buttons. (John Rouillard)
- issue2550807 enhance classhelp method with ability to set html
properties on the generated link. (John Rouillard)
- Support for tx_Source property on database handle. Can be used by
detectors to find out the source of a change in an auditor to block
changes arriving by unauthenticated mechanisms (e.g. plain email
where headers can be faked). The property db.tx_Source has the
following values:
* None - Default value set to None. May be valid if it's a script
that is created by the user. Otherwise it's an error and indicates
that some code path is not properly setting the tx_Source property.
* "cli" - this string value is set when using roundup-admin and
supplied scripts.
* "web" - this string value is set when using any web based
technique: html interface, xmlrpc ....
* "email" - this string value is set when using an unauthenticated
email based technique.
* "email-sig-openpgp" - this string value is set when email with a
valid pgp signature is used. (*NOTE* the testing for this mode
is incomplete. If you have a pgp infrastructure you should test
and verify that this is properly set.) (John Rouillard)
- Introducing Template Loader API (anatoly techtonik)
- Experimental support for Jinja2, try 'jinja2' for template_engine
in config (anatoly techtonik)
- A new jinja2 template based on Classic schema and using Twitter
bootstrap for responsive behaviour. Run as -
python demo.py -t jinja2 nuke (Pradip P Caulagi)
- roundup_admin.py and other scripts can now be run directly from the
sources dir as roundup\scripts\roundup_admin.py (anatoly techtonik)
- Renamed old Templates classes to Loader classes to clarify sources
for alternative templating engines, updated docs (anatoly techtonik)
- Template selection code is moved from Loader classes into cgi.client
limiting the responsibility of Loaders to compilation and rendering.
Internally, templating.find_template is replaced with
client.selectTemplate (anatoly techtonik)
- Increased generated password length to 12 symbols to slow down GPGPU
attacks (anatoly techtonik)
- Implement XMLRPC MultiCall (including test), see
http://docs.python.org/2/library/xmlrpclib.html#xmlrpclib.MultiCall
(Ralf Schlatterbeck)
Fixed:
- issue2550789: add documentation on how to initialise a tracker
without exposing the admin password.
- issue2550805: Postgres should search title attribute case insensitive
like sqlite. Reported and fixed by Tom Ekberg. (Bernhard Reiter)
- Removed some old left over "rlog" references in documentation and code.
Makes the debugging.txt advise for the database unit tests work again.
(Bernhard Reiter)
- Fixed OpenPGP support for modern versions of libgpgme. (Bernhard Reiter)
- Restored compatibility with old style trackers (anatoly techtonik)
- Make roundup play nice with setup tools (for using with virtualenv)
(Pradip Caulagi)
- [minor] Template responsive: make demo.py work out of the box with it,
by setting the static_files config.ini setting to "static".
Footer: link fixed and hardcoded last modified date removed. (Bernhard Reiter)
- demo.py print location of tracker home and fully erase its directory
when nuking (anatoly techtonik)
- demo.py changing hostname in config.ini actually changes the address
where demo.py listens. (John Rouillard)
- issue2550802: Fixed date so second fraction can't cause rounding to
60.000 when serialising. Report and fix by Erik Hanspers. (Bernhard Reiter)
- issue2550595: Allow migrating from roundup 0.x to 1.4 (Thomas Arendsen Hein)
- issue2550634: New German orthography corrections (Thomas Arendsen Hein)
2012-12-21: 1.4.21
Features:
- issue2550782: Added a new irker detector to send notifications on IRC
when an issue is created or messages are added. (Ezio Melotti)
- Beta version of responsive templates using devel schema
and Twitter Bootstrap for styling (Pradip Caulagi)
- pywin32 is no longer required to run on Windows (anatoly techtonik)
- Rewritten portalocker.py logic in ctypes for Windows (anatoly techtonik)
- Add an interface to register clearCache callbacks in roundupdb.
Sometimes complicated computations may require an application cache.
This application can now register a callback to clear the application
cache, because roundup knows better when to clear it (usually when a
transaction ends, either with rollback or with commit). The interface
for this is currently considered experimental. The current interface
is registerClearCacheCallback(self, method, param) where method is
called with param as the only parameter. (Ralf Schlatterbeck)
- Add a script to remove file-spam from a tracker, see
scripts/spam-remover. (Ralf Schlatterbeck)
Fixed:
- issue2550765: Don't show links in calendar that will fail.
Found and fixed by Cédric Krier. (Bernhard)
- issue2550765: use <meta name="robots" content="noindex, nofollow"> in the
_generic.calendar.html to prevent robots to follow all the links in the
calendar. (Ezio Melotti)
- "BaseException.with_traceback" is not available on Python 2, so use
"raise E, V, T" instead of "raise E(V).with_traceback(T)". This change was
originally introduced in 74476eaac38a. (Ezio Melotti)
- issue2550759: Trailing punctuation is no longer included when URLs are
converted to links. (Ezio Melotti)
- issue2550574: Restore sample detectors removed in roundup 1.4.9
(Thomas Arendsen Hein)
- Prevent AttributeError when removing all roles of a user
(Thomas Arendsen Hein)
- issue2550762 Minor Documentation fix in doc/developers.txt, thanks
to W. Trevor King. (Bernhard Reiter)
- issue2550766: Minor formatting issues in the docs for date properties,
thanks John Kristensen. (Bernhard Reiter)
- issue2550738: Fixes for various documentation typoes,
thanks Nathan Russell. (John Kristensen)
- issue2550756: Fix `oder' typo in mailer.Mailer.bounce_message docstring,
thanks W. Trevor King (John Kristensen)
- Fix basic authentication: instatiating the login action would fail if
the user is not set. We now first set the user to anonymous and then
try basic authentication if enabled. (Ralf Schlatterbeck)
- Fix xmlrpc permissions for lookup method: Allow if the key attribute
is either searchable or viewable, don't check id attribute (Ralf
Schlatterbeck)
- Fix installation documentation (section Prerequisites) to require at
least python 2.5, thanks to John P. Rouillard for discovering this.
(committed by Ralf Schlatterbeck)
- Fix version_check.py to require at least python 2.5 (anatoly techtonik)
- Fixing the download button re-activating the cheeseshop plugin in the
sphinx config. Thanks to Richard for the hint. (Bernhard Reiter)
- issue2550783 devel template's schema.py permissions referenced the
organization property for the user, but the property is called
organisation. Thanks to Pradip Caulagi. (committed by John Rouillard)
- issue2550749 - the xmlrpc interface is invoked on content type
and not url path. Sending any text/xml data to roundup results in
invoking the xml-rpc interface, but a REST or other interface could
also consume xml data and do something different. So require the use
of 'http(s)://.../xmlrpc' uri to trigger the xmlrpc interface.
(John Rouillard)
- issue2550774: Remove generating documentation with rst2html, and update the
README.txt with how to create the html docs using sphinx, thanks Kai Storbeck
(John Kristensen)
- issue2550774: Include doc/conf.py in the release tarball, so people can build
their own documentation in html, thanks Kai Storbeck (John Kristensen)
- issue2550774: Update website/www/Makefile to symlink COPYING.txt so "make"
works again, thanks Kai Storbeck (John Kristensen)
- issue2550760: Several improvements to the manpages
thanks Kai Storbeck & Bastian Kleineidam (John Kristensen)
2012-05-15: 1.4.20
Features:
- Experimental support for the new Chameleon templating engine.
We now have two configurable templating engines, the old Zope TAL
templates (called zopetal in the config) and the new Chameleon (called
chameleon in the config). A new config-option "template_engine" under
[main] can take these config-options, the default is zopetal.
Thanks to Cheer Xiao for the idea of making this configurable *and*
for the actual implementation! (Ralf)
WARNING: Chameleon support is highly experimental and *not* recommended for
production use. It has known performance issues and i18n is not yet
functioning. It's still under active development. Only use this feature if
you want to experiment with Chameleon and/or help with Roundup
developement. If you found a bug in Chameleon support, please report after
testing against latest Roundup source from the Mercurial repository.
- issue2550678: Allow pagesize=-1 which returns all results.
Suggested and implemented by John Kristensen.
Tested by Satchidanand Haridas. (Bernhard)
- Allow to turn off translation of generated html options in menu method
of LinkHTMLProperty and MultilinkHTMLProperty -- default is
translation as it used to be (Ralf)
- Sending of OpenPGP encrypted mail to all users or selected users (via
roles) is now working. (Ralf)
- Add config-option "nosy" to messages_to_author setting in [nosy]
section of config: This will send a message to the author only
in the case where the author is on the nosy-list (either added
earlier or via the add_author setting). Current config-options
for this setting will send / not send to author without considering
the nosy list. (Ralf)
Fixed:
- issue2550730: FAQ has broken link to Zope book. Reported and fixed by
John Rouillard.(Bernhard)
- issue2550728: remove buggy parentheses in TAL/DummyEngine.py.
Reported and fixed by Ralf Hemmecke. (Bernhard)
- issue2550715: IndexError when requesting non-existing file via http.
Reported and fixed by Cédric Krier. (Bernhard)
- issue2550712: exportcsvaction errors poorly when given invalid columns.
Reported by Will Kahn-Greene, fixed by Cédric Krier. (Bernhard)
- issue2550695: 'No sort or group' settings not retained when editing queries.
Reported and fixed by John Kristensen. Tested by Satchidanand Haridas.
(Bernhard)
- Fix matching of incoming email addresses to the alternate_addresses
field of a user -- this would match substrings, e.g. if the user has
[email protected] as an alternate email and an incoming mail
is addressed to [email protected] this would (wrongly) match. (Ralf)
- issue2550729: Fix password history display for anydbm backend, thanks
to Ralf Hemmecke for reporting. (Ralf)
- OpenPGP support is again working (pyme API has changed significantly) and
we now have a regression test. We now take care that bounce-messages
for incoming encrypted mails or mails where the policy dictates that
outgoing traffic should be encrypted is actually OpenPGP encrypted. (Ralf)
- Ignore confirm set() fields by themselves in the absence of non-"confirm"
values; otherwise a bare confirm field can be used to change the a
password. Reported by Cam Blackwood. (Ralf)
- Updated version of simplified Chinese message file by Cheer Xiao:
Corrected some mistakes, added a few more items and did some
formating. (Ralf)
- Fix xmlrpc URL parsing so that passwords may contain a ':' character
(Ralf)
- Be more tolerant when parsing RFC2047 encoded mail headers. Use
backported version of my proposed changes to
email.header.decode_header in http://bugs.python.org/issue1079
(Ralf)
- issue2550684 Fix XSS vulnerability when username contains HTML code,
thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
- issue2550711 Fix XSS vulnerability in @action parameter,
thanks to "om" for reporting. (Ralf)
- issue2550535 In some cases even when keep_quoted_text=yes is
configured we would strip quoted sections. This hit the python
bug-tracker especially for python interpreter examples with leading
'>>>' strings. The fix is slightly different compared to the proposal
as this broke keep_quoted_text=no in certain cases. We also fix a bug
where keep_quoted_text=no would drop the last line of a non-quoted
section if there wasn't an empty line between the next quotes. (Ralf)
- issue2431638 wrong registration link in bounce mail for non-registered
users reported *years* ago by anonymous (Ralf)
- Fix doc/upgrading.txt which produces errors with latest docutils about
wrong block structure. Fix .gitignore in doc directory. Thanks to
Cheer Xiao for the patches. (Ralf)
- Fix wrong execute permissions on some files, thanks to Cheer Xiao for
the patch. (Ralf)
- Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
for the patch. (Ralf)
- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
reporting. (Ralf)
- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
issue2550689, but is untested if this really works in browsers.
Thanks to Joseph Myers for reporting. (Ralf)
- Fix another XSS with the ok- and error message, see issue2550724. We
now escape messages when added to the list so we can decide whether to
escape a message individually for each message. The default is to
escape. Thanks to David Benjamin for the bug-report and to Ezio
Melotti for several proposed fixes. (Ralf)
2011-07-15: 1.4.19
Features:
- Xapian indexing improved: Slightly faster and slightly smaller database.
Closes issue2550687. Thanks to Olly Betts for the patch. (Bernhard Reiter)
- PostgreSQL backend minor improvement: database creation less likely to fail
for PostgreSQL versions >= 8.1 as the table "postgres" is used by default.
Closes issue2550543. Thanks to Kai Storbeck for the patch. (Bernhard Reiter)
- Allow HTMLRequest.batch to filter on other permissions than "View"
(e.g. on the new "Search" permission") by adding a "permission"
parameter. Thanks to Eli Collins for the patch. Closes issue2550699. (Ralf)
Fixed:
- Installation: Fixed an issue that prevented to use EasyInstall
and a Python egg. Thanks to Satchidanand Haridas for the patch and
John Kristensen for testing it. (Bernhard Reiter)
- The PostgreSQL backend quotes database names now for CREATE and DROP,
enabling more exotic tracker names. Closes issue2550497.
Thanks to Sebastian Harl for providing the patch. (Bernhard Reiter)
- Updated the url to point to www.roundup-tracker.org in two places in the
docs. (Bernhard Reiter)
- Do not depend on a CPython implementation detail anymore to make Roundup
more compatible with other Python implementations like PyPy.