Mercurial > p > roundup > code

annotate doc/upgrading.txt @ 8527:d4a43d9da8ef

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
chore(build): build(deps): bump anchore/scan-action from 7.3.1 to 7.3.2 pull #82
author John Rouillard <rouilj@ieee.org>
date Mon, 23 Feb 2026 20:16:55 -0500
parents 00aec15117c0
children 4184173d364f
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6586
24e2eeb2ed9a Add meta description to some doc pages.
John Rouillard <rouilj@ieee.org>
parents: 6464
diff changeset
1 .. meta::
6774
e7b4ad2c57ac landmarks, skiplink, remove bad attrs, autocomplete search
John Rouillard <rouilj@ieee.org>
parents: 6768
diff changeset
2 :description:
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3 Critical documentation for upgrading the Roundup Issue
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
4 Tracker. Actions that must be taken when upgrading from
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
5 one version to another are documented here.
6586
24e2eeb2ed9a Add meta description to some doc pages.
John Rouillard <rouilj@ieee.org>
parents: 6464
diff changeset
6
6168
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
7 .. index:: Upgrading
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
8
782
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9 ======================================
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 Upgrading to newer versions of Roundup
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 ======================================
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12
7296
c3b0fd62b0b8 Minor tweaks to upgrading general directions.
John Rouillard <rouilj@ieee.org>
parents: 7281
diff changeset
13 Please read each section carefully and edit the files in your tracker home
2016
2112962f5bb1 Update documentation for the client.py split and add an upgrade notice.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2003
diff changeset
14 accordingly. Note that there is information about upgrade procedures in the
6781
b3d4b25b4922 Add links some updates.
John Rouillard <rouilj@ieee.org>
parents: 6780
diff changeset
15 `administration guide`_ in the `Software Upgrade`_ section.
782
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16
7321
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
17 If a specific version transition isn't mentioned here (e.g. 0.6.7 to
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
18 0.6.8) then you don't need to do anything. If you're upgrading from
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
19 0.5.6 to 0.6.8 though, you'll need to apply the "0.5 to 0.6" and
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
20 "0.6.x to 0.6.3" steps.
2273
c77483d2cda4 merge from maint-0-7
Richard Jones <richard@users.sourceforge.net>
parents: 2263
diff changeset
21
7047
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
22 General steps:
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
23
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
24 1. Make note of your current Roundup version.
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
25 2. Take your Roundup installation offline (web, email,
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
26 cron scripts, roundup-admin etc.)
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
27 3. Backup your Roundup instance
7296
c3b0fd62b0b8 Minor tweaks to upgrading general directions.
John Rouillard <rouilj@ieee.org>
parents: 7281
diff changeset
28 4. Install the new version of Roundup (preferably in a new virtual
c3b0fd62b0b8 Minor tweaks to upgrading general directions.
John Rouillard <rouilj@ieee.org>
parents: 7281
diff changeset
29 environment)
7047
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
30 5. Make version specific changes as described below for
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
31 each version transition. If you are starting at 1.5.0
7296
c3b0fd62b0b8 Minor tweaks to upgrading general directions.
John Rouillard <rouilj@ieee.org>
parents: 7281
diff changeset
32 and installing to 2.3.0, you need to make the changes for **all**
7047
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
33 versions starting at 1.5 and ending at 2.3. E.G.
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
34 1.5.0 -> 1.5.1, 1.5.1 -> 1.6.0, ..., 2.1.0 -> 2.2.0,
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
35 2.2.0 -> 2.3.0.
8047
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
36 6. Run ``roundup-admin -i <tracker_home> migrate`` using
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
37 the newer version of Roundup for the instance you are
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
38 upgrading. This will update the database if it is
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
39 required.
7047
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
40 7. Bring your Roundup instance back online
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
41 8. Test
d3593cbb8e6f Add overview of upgrading steps. Also capitalize roundup.
John Rouillard <rouilj@ieee.org>
parents: 6941
diff changeset
42
8047
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
43 Repeat for each tracker instance.
a0876d16e299 doc: clarify basic upgrade instructions to target single instance
John Rouillard <rouilj@ieee.org>
parents: 8046
diff changeset
44
7321
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
45 .. note::
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
46 The v1.5.x releases of Roundup were the last to support
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
47 Python v2.5 and v2.6. Starting with the v1.6 releases of Roundup
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
48 Python version 2.7 that is newer than 2.7.2 is required to run
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
49 Roundup. Starting with Roundup version 2.0.0 we also support Python 3
8315
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
50 versions newer than 3.6. Roundup version 2.5 supports Python
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
51 3.7 and newer.
4901
fa268ea457db Add note about dropping support for Python v2.5
John Kristensen <john@jerrykan.com>
parents: 4890
diff changeset
52
7217
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
53 Recent release notes have the following labels:
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
54
8045
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
55 * **required** - Roundup will not work properly if these steps are not done
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
56 * **recommended** - Roundup will still work, but these steps can cause
7343
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
57 security or stability issues if not done.
8045
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
58 * **optional** - new features or changes to existing features you might
7343
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
59 want to use
8045
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
60 * **info** - important possibly visible changes in how things operate
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
61
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
62 If you use virtual environments for your installation, you
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
63 can run trackers with different versions of Roundup. So you
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
64 can have one tracker using version 2.2.0 and another tracker
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
65 using version 1.6.1. This allows you to upgrade trackers one
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
66 at a time rather than having to upgrade all your trackers at
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
67 once. Note that downgrading may require restoring your
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
68 database to an earlier version, so make sure you backed up
ab96dcb1beb4 doc: bold status/severity keywords in key; discuss virtual env install
John Rouillard <rouilj@ieee.org>
parents: 8030
diff changeset
69 your database.
7296
c3b0fd62b0b8 Minor tweaks to upgrading general directions.
John Rouillard <rouilj@ieee.org>
parents: 7281
diff changeset
70
7321
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
71 .. note::
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
72
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
73 This file only includes versions released in the last 10
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
74 years. If you are upgrading from an older version, start with the
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
75 changes in the `historical migration <upgrading-history.html>`_
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
76 document.
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
77
7438
116ea5ce06ab issue2551269: Add warning abut Python 2 support lifetime
John Rouillard <rouilj@ieee.org>
parents: 7400
diff changeset
78 .. admonition:: Python 2 Support
116ea5ce06ab issue2551269: Add warning abut Python 2 support lifetime
John Rouillard <rouilj@ieee.org>
parents: 7400
diff changeset
79
116ea5ce06ab issue2551269: Add warning abut Python 2 support lifetime
John Rouillard <rouilj@ieee.org>
parents: 7400
diff changeset
80 If you are running Roundup under Python 2, you should make plans to
8071
a4cb4e75d4e9 final changes for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 8064
diff changeset
81 switch to Python 3. Release 2.4.0 (Jul 2024) is the last release to
a4cb4e75d4e9 final changes for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 8064
diff changeset
82 officially support Python 2. The next non-patch release scheduled
a4cb4e75d4e9 final changes for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 8064
diff changeset
83 for 2025 will mark 5 years since Roundup supported Python 3.
7438
116ea5ce06ab issue2551269: Add warning abut Python 2 support lifetime
John Rouillard <rouilj@ieee.org>
parents: 7400
diff changeset
84
7452
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
85 .. admonition:: XHTML Support Deprecation Notice
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
86
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
87 If you are running a tracker where the ``html_version`` setting in
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
88 ``config.ini`` is ``xhtml``, you should plan to change your
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
89 templates to use html (HTML5). If you are affected by this, please
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
90 send email to the roundup-users mailing list (roundup-users at
8048
3ddc6a7d41de doc: 2.3.0 is the last version to support xhtml
John Rouillard <rouilj@ieee.org>
parents: 8047
diff changeset
91 lists.sourceforge.net). Version 2.3.0 is the last version to support
3ddc6a7d41de doc: 2.3.0 is the last version to support xhtml
John Rouillard <rouilj@ieee.org>
parents: 8047
diff changeset
92 XHTML.
7452
bed28b64c581 Add xhtml deprecation notice.
John Rouillard <rouilj@ieee.org>
parents: 7438
diff changeset
93
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
94 .. raw:: html
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
95
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
96 <details>
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
97 <summary>Contents:</summary>
4890
609edf9de0a5 docs: Remove one nesting level from ToC on subpages
anatoly techtonik <techtonik@gmail.com>
parents: 4880
diff changeset
98
782
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
99 .. contents::
4890
609edf9de0a5 docs: Remove one nesting level from ToC on subpages
anatoly techtonik <techtonik@gmail.com>
parents: 4880
diff changeset
100 :local:
782
6f6eb43d9d86 Moved the MIGRATION text in with the rest of the docco, fixed up for 0.4.2
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
102 .. raw:: html
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
103
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
104 </details>
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
105
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
106 .. index:: Upgrading; 2.5.0 to 2.6.0
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
107
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
108 Migrating from 2.5.0 to 2.6.0
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
109 =============================
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
110
8446
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
111 Default Logs Include Unique Request Identifier (info)
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
112 -----------------------------------------------------
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
113
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
114 The default logging format has been changed from::
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
115
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
116 %(asctime)s %(levelname)s %(message)s
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
117
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
118 to::
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
119
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
120 %(asctime)s %(trace_id)s %(levelname)s %(message)s
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
121
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
122 So logs now look like::
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
123
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
124 2025-08-20 03:25:00,308 f6RPbT2s70vvJ2jFb9BQNF DEBUG get user1 cached
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
125
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
126 which in the previous format would look like::
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
127
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
128 2025-08-20 03:25:00,308 DEBUG get user1 cached
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
129
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
130 The new format includes ``trace_id`` which is a thread and process
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
131 unique identifier for a single request. So you can link together all
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
132 of the log lines and determine where a slow down or other
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
133 problem occurred.
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
134
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
135 The logging format is now a ``config.ini`` parameter in the
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
136 ``logging`` section with the name ``format``. You can change it if you
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
137 would like the old logging format without having to create a logging
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
138 configuration file. See :ref:`rounduplogging` for details.
14c7c07b32d8 feature: add thread local trace_id and trace_reason to logging.
John Rouillard <rouilj@ieee.org>
parents: 8432
diff changeset
139
8510
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
140 Make Pagination Links Keep Search Name (optional)
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
141 -------------------------------------------------
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
142
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
143 When displaying a named search, index templates don't preserve
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
144 the name when using the pagination (Next/Prev) links. This is
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
145 fixed in the 2.6.0 templates for issues/bugs/tasks. To make the
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
146 change to your templates, look for the pagination links (look for
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
147 prev or previous case insensitive) in your tracker's html
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
148 subdirectory and change::
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
149
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
150 request.indexargs_url(request.classname,
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
151 {'@startwith':prev.first, '@pagesize':prev.size})"
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
152
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
153 to read::
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
154
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
155 request.indexargs_url(request.classname,
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
156 dict({'@dispname': request.dispname}
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
157 if request.dispname
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
158 else {},
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
159 **{'@startwith':prev.first, '@pagesize':prev.size}))"
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
160
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
161 This code will be embedded in templating markup that is not shown
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
162 above. The change above is for your previous/prev link. The
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
163 change for the next pagination link is similar with::
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
164
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
165 {'@startwith':next.first, '@pagesize':next.size}
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
166
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
167 replacing::
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
168
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
169 {'@startwith':prev.first, '@pagesize':prev.size}
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
170
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
171 in the example.
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
172
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
173 This moves the existing dictionary used to override the URL
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
174 arguments to the second argument inside a ``dict()`` call. It
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
175 also adds ``**`` before it. This change creates a new override
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
176 dictionary that includes an ``@dispname`` parameter if it is set
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
177 in the request. If ``@dispname`` is not set, the existing
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
178 dictionary contents are used.
00aec15117c0 bug: Issue2551393 - keep search name when paginating
John Rouillard <rouilj@ieee.org>
parents: 8478
diff changeset
179
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
180 Support authorized changes in your tracker (optional)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
181 -----------------------------------------------------
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
182
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
183 An auditor can require change verification with user's password.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
184
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
185 When changing sensitive information (e.g. passwords) it is
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
186 useful to ask for a validated authorization. This makes sure
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
187 that the user is present by typing their password.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
188
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
189 You can add this to your auditors using the example
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
190 :ref:`sensitive_changes`.
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
191
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
192 To use this, you must copy ``_generic.reauth.html`` into your
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
193 tracker's html subdirectory. See the classic template directory for a
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
194 copy. If you are using jinja2, see the jinja2 template directory.
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
195 Then you can raise a Reauth exception and have the proper page
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
196 displayed.
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
197
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
198 Also javascript *MUST* be turned on if this is used with a file
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
199 input. If JavaScript is not turned on, attached files are lost during
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
200 the reauth step. Information from other types of inputs (password,
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
201 date, text etc.) do not need JavaScript to work.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8371
diff changeset
202
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
203 See :ref:`Confirming the User` in the reference manual for details.
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
204
8423
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
205 Support for dictConfig Logging Configuration (optional)
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
206 -------------------------------------------------------
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
207
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
208 Roundup's basic log configuration via config.ini has always had the
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
209 ability to use an ini style logging configuration to set levels per
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
210 log channel, control output file rotation etc.
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
211
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
212 With Roundup 2.6 you can use a JSON like file to configure logging
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
213 using `dictConfig
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
214 <https://docs.python.org/3/library/logging.config.html#logging.config.dictConfig>`_. The
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
215 JSON file format as been enhanced to support comments that are
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
216 stripped before being processed by the logging system.
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
217
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
218 You can read about the details in the :ref:`admin manual <dictLogConfig>`.
94eed885e958 feat: add support for using dictConfig to configure logging.
John Rouillard <rouilj@ieee.org>
parents: 8412
diff changeset
219
8459
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
220 Fix user.item.html template producing invalid Javascript (optional)
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
221 -------------------------------------------------------------------
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
222
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
223 The html template ``page.html`` in the classic, devel, minimal, and
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
224 responsive tracker templates define a ``user_src_input`` macro. This
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
225 macro produces invalid javascript for the ``onblur`` event when used
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
226 by ``user.item.html``. The only effect from this bug is a javascript
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
227 error reported in the user's browser when the user does not have edit
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
228 permissions on the page. It doesn't have any user visible impact.
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
229
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
230 If you want to fix this, replace::
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
231
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
232 tal:attributes="onblur python:edit_ok and 'split_name(this)';
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
233
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
234 with::
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
235
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
236 tal:attributes="onblur python:'split_name(this)' if edit_ok else '';
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
237
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
238 in the ``html/page.html`` file in your tracker.
db435e272f26 fix: update updating.txt doc for user_src_input bug
John Rouillard <rouilj@ieee.org>
parents: 8446
diff changeset
239
8081
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
240 .. index:: Upgrading; 2.4.0 to 2.5.0
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
241
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
242 Migrating from 2.4.0 to 2.5.0
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
243 =============================
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
244
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
245 .. _CVE-2025-53865:
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
246
8359
d98cb4730a4a docs: relabel/label a couple of headers
John Rouillard <rouilj@ieee.org>
parents: 8357
diff changeset
247 XSS security issue with devel and responsive templates (recommended)
d98cb4730a4a docs: relabel/label a couple of headers
John Rouillard <rouilj@ieee.org>
parents: 8357
diff changeset
248 --------------------------------------------------------------------
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
249
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
250 There are actually two different issues under this heading.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
251
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
252 1. incorrect use of the ``structure`` keyword with
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
253 ``tal:content``
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
254 2. use of ``tal:replace`` on unsafe input
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
255
8371
7d1b50c02835 doc: link to security page for link to formal CVE report.
John Rouillard <rouilj@ieee.org>
parents: 8365
diff changeset
256 See the `security page for a link to CVE-2025-53865
7d1b50c02835 doc: link to security page for link to formal CVE report.
John Rouillard <rouilj@ieee.org>
parents: 8365
diff changeset
257 <security.html#cve-announcements>`_.
7d1b50c02835 doc: link to security page for link to formal CVE report.
John Rouillard <rouilj@ieee.org>
parents: 8365
diff changeset
258
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
259 In the discussion below, the :term:`html directory` means one or
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
260 more directories listed in the ``templates`` key of your
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
261 tracker's ``config.ini`` file.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
262
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
263 These directions can be used to solve the XSS security issue with
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
264 any version of Roundup. Even if you used a classic or minimal
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
265 template, you should check your trackers for these issues. The
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
266 classic template fixed most of these many years ago, but the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
267 updates were not made to the devel and responsive templates. No
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
268 report of similar issues with the jinja template has been seen.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
269
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
270 Incorrect use of structure in templates
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
271 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
272
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
273 The devel and responsive templates prior to Roundup 2.5 used this
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
274 construct::
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
275
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
276 tal:content="structure context/MUMBLE/plain"
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
277
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
278 Where ``MUMBLE`` is a property of your issues (e.g. title).
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
279
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
280 This construct allows a URL with a carefully crafted query
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
281 parameter to execute arbitrary JavaScript.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
282
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
283 You should check all your trackers. The classic template has not
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
284 used this construct since at least 2009, but your tracker's
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
285 templates may use the offending construct anyway.
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
286
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
287 This fix will apply if your tracker is based on the responsive or
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
288 devel template. Check the TEMPLATE-INFO.txt file in your tracker
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
289 home. The template name is the first component of the ``Name``
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
290 field. For example a Name like::
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
291
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
292 Name: responsive-bugtracker
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
293
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
294 Name: devel-bugtracker
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
295
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
296 shows that tracker is based on the responsive or devel templates.
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
297
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
298 .. _cve-2025-53865-fixed:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
299
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
300 To fix this, remove the ``structure`` declaration when it is used
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
301 with a plain representation. So fixing the code by replacing the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
302 example above with::
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
303
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
304 tal:content="context/MUMBLE/plain"
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
305
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
306 prevents the attack.
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
307
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
308 To check for this issue, search for ``structure`` followed by
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
309 ``/plain`` in all your html templates. If you are on a Linux/Unix
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
310 system you can search the html subdirectory of your tracker with
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
311 the following::
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
312
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
313 grep 'structure.*/plain' *.html
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
314
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
315 which should return any lines with issues.
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
316
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
317 .. warning::
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
318
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
319 Backup the files in the ``html`` subdirectory of your tracker
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
320 in case an edit goes wrong.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
321
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
322 As an example, you could fix this issue using the GNU sed
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
323 command::
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
324
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
325 sed -i.bak -e '/structure.*\/plain/s/structure.//' *.html
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
326
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
327 to edit the files in place and remove the structure keyword. It
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
328 will create a ``.bak`` file with the original contents of the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
329 file. If your templates were changed, this might still miss some
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
330 entries. If you are on windows, some text editors support search
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
331 and replace using a regular expression.
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
332
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
333 If the construct is split across lines::
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
334
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
335 tal:content="structure
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
336 context/MUMBLE/plain"
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
337
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
338 the commands above will miss the construct. So you should also
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
339 search the html files using ``grep /plain *.html`` and verify
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
340 that all of the ``context/MUMBLE/plain`` include ``tal:content``
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
341 as in the `fixed example above <#cve-2025-53865-fixed>`_. Any
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
342 lines that have ``context/MUMBLE/plain`` without ``tal:content=``
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
343 before it need to be manually verified/fixed.
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
344
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
345 The distributed devel and responsive templates do not split the
8365
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
346 construct across lines, but if you changed the files it may be
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
347 split.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
348
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
349 tal:replace used with unsafe input
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
350 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
351
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
352 The problem was caused by the following markup::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
353
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
354 <span tal:replace="context/MUMBLE" />
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
355
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
356 in the head of the ``bug.item.html``, ``task.item.html`` and
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
357 other files in the devel and responsive templates.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
358
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
359 This was fixed many years ago in the classic template's
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
360 ``index.item.html``. The classic template replaces the above
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
361 construct with::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
362
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
363 <tal:x tal:content="context/MUMBLE" />
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
364
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
365 ``tal:content`` explicitly escapes the result unless the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
366 ``structure`` directive is used. ``tal:replace`` expects the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
367 result to be safe and usable in an HTML context.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
368
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
369 TAL drops any tags that it doesn't know about from the output.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
370 ``<tal:x tal:content="..." />`` results in the value of the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
371 content expression without a surrounding html tag. (Effectively
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
372 replacing the construct.)
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
373
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
374 The following diff for ``bug.item.html`` in the devel template
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
375 shows the change to make things safe (remove lines starting with
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
376 ``-`` and add lines staring with ``+``)::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
377
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
378 <tal:block metal:use-macro="templates/page/macros/frame">
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
379 <title metal:fill-slot="head_title">
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
380 <tal:block condition="context/id" i18n:translate=""
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
381 - >Bug <span tal:replace="context/id" i18n:name="id"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
382 - />: <span tal:replace="context/title" i18n:name="title"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
383 - /> - <span tal:replace="config/TRACKER_NAME" i18n:name="tracker"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
384 + >Bug <tal:x tal:content="context/id" i18n:name="id"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
385 + />: <tal:x tal:content="context/title" i18n:name="title"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
386 + /> - <tal:x tal:content="config/TRACKER_NAME" i18n:name="tracker"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
387 /></tal:block>
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
388 <tal:block condition="not:context/id" i18n:translate=""
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
389 >New Bug report - <span tal:replace="config/TRACKER_NAME" i18n:name="tracker"
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
390
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
391 A similar change was applied in the following html files in the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
392 devel or responsive templates:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
393
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
394 .. rst-class:: multicol
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
395
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
396 * _generic.collision.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
397 * bug.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
398 * keyword.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
399 * milestone.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
400 * msg.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
401 * task.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
402 * user.item.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
403
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
404 Also ``page.html`` should be changed from::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
405
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
406 <p class="label"><b tal:replace="request/user/username">username</b></p>
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
407
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
408 to::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
409
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
410 <p class="label"><b tal:replace="python:request.user.username.plain(escape=1)">username</b></p>
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
411
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
412 The code audit found the ``tal:replace`` construct is used with
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
413 ``context/id`` and ``context/designator`` paths. The references
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
414 to these paths have been changed to use ``tal:x`` in the classic
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
415 template's ``msg.item.html`` file and the classic and minimal
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
416 template's ``_generic.collision.html`` file.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
417
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
418 These paths are critical to navigation in Roundup and are set
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
419 from the path part of the URL. Roundup's URL path validation
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
420 makes it unlikely that an attacker could exploit them. If you
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
421 wish you can change your templates or copy the corresponding
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
422 files from the template if you haven't made local changes.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
423
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
424 Also you may have used copies of these insecure templates
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
425 elsewhere in your tracker (e.g. to create a feature class). To
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
426 find other possible issues you can use the command::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
427
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
428 grep -r "tal:replace=" *.html
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
429
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
430 in your tracker's :term:`html directory`. Check each occurrence
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
431 and if needed, change it to the safer form. You should consider
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
432 any reference to ``context`` to be under the user's (attacker's)
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
433 control. Also ``db`` (excluding ``db/config``) and ``request``
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
434 references that use user supplied content
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
435 (e.g. ``request/user/username`` above) should be changed to
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
436 ``tal:x`` form
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
437
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
438 .. comment:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
439 As part of the analysis, the following command was used to find
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
440 potentially vulnerable stuff in the templates. Each grep -v was
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
441 removed to display items in that category and they were checked::
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
442
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
443 grep -r 'tal:replace' . | grep -v 'replace="batch' | \
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
444 grep -v 'replace="config' | grep -v 'replace="db/config' | \
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
445 grep -v 'replace="structure' | grep -v 'replace="python:' | \
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
446 grep -v 'replace="request/'
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
447
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
448
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
449 context/id, context/designator:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
450 assume safe if used in an class.item.html page as the page
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
451 wouldn't be shown if they weren't valid numbers/designators.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
452
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
453 Might not be ok referenced in a _generic fallback page though.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
454
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
455 config, db/config, batch, nothing:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
456 should be safe as they are not under user control
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
457
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
458 request/classname (python:request._classname), request/template:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
459 should be safe as they are needed to navigate to a display page,
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
460 so if they are invalid nothing will be displayed.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
461
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
462 utils, python:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
463 assume it's written correctly and is safe (could use some new
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
464 tests for the shipped utility functions). The intent of these
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
465 can be to deliver blocks of <script> or other html markup.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
466
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
467 db, request:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
468 might be dangerous when accessing user supplied values.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
469
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
470 request/user/username:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
471 Escape these. If the username is an XSS issue, an attacker could
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
472 use it to compromise a user.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
473
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
474 request/dispname:
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
475 should be quoted and is by the existing python: code.
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
476
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
477 Open question: why does there have to be an error generated by the
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
478 url @sort=1. Without invalid sort param, the exploit url doesn't
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
479 work and the context appears to use the database's title not the one
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
480 in the url. Also its not positional @sort=1 can appear anywhere in
4ac0bbb3e440 bug(security): CVE-2025-53865 - XSS bug
John Rouillard <rouilj@ieee.org>
parents: 8361
diff changeset
481 the url.
8357
abf1297e7a94 bug(security): fix XSS exploit in devel and responsive templates
John Rouillard <rouilj@ieee.org>
parents: 8355
diff changeset
482
8315
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
483 Deprecation Notices (required)
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
484 ------------------------------
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
485
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
486 * Support for SQLite version 2 has been removed in 2.5.0.
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
487 * Support for the `PySQLite <https://github.com/ghaering/pysqlite>`_
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
488 library has been removed in 2.5.0. Only the Python supplied
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
489 sqlite3 library is supported.
3f43db05aa11 docs: use bulleted list for deprecation; pydoc for shared dir
John Rouillard <rouilj@ieee.org>
parents: 8300
diff changeset
490 * Roundup 2.5.0 supports Python 3.7 or newer. (It is not tested
8355
226a4f391ae2 docs: fix typo
John Rouillard <rouilj@ieee.org>
parents: 8352
diff changeset
491 on Python 3.6. It may work but we don't support it.)
8081
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
492
8124
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
493 Update responsive template _generic.404.html and query.item.html (recommended)
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
494 ------------------------------------------------------------------------------
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
495
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
496 This only applies if your tracker is based on the responsive
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
497 template. Check the TEMPLATE-INFO.txt file in your tracker
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
498 home. The template name is the first component of the ``Name``
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
499 field. For example a Name like::
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
500
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
501 Name: responsive-bugtracker
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
502
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
503 is based on the responsive template. If the Name doesn't start with
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
504 ``responsive`` no changes are needed.
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
505
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
506 The ``_generic.404.html`` and ``query.item.html`` templates will crash
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
507 when displayed because a missing macro is called. Change::
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
508
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
509 <tal:block metal:use-macro="templates/page/macros/icing">
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
510
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
511 to::
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
512
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
513 <tal:block metal:use-macro="templates/page/macros/frame">
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
514
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
515 at the top of both files. The icing macro used in other tracker
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
516 templates was renamed to frame in this tracker template.
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
517
8218
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
518 Update userauditor.py detector (recommended)
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
519 --------------------------------------------
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
520
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
521 When using the REST interface, setting the address property of the
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
522 user to the same value it currently has resulted in an error.
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
523
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
524 If you have not changed your userauditor, you can copy one from any of
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
525 the supplied templates in the ``detectors/userauditor.py`` file. Use
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
526 ``roundup-admin templates`` to find a list of template directories.
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
527
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
528 If you have changed your userauditor from the stock version, apply the
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
529 following diff::
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
530
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
531 raise ValueError('Email address syntax is invalid
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
532 "%s"'%address)
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
533
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
534 check_main = db.user.stringFind(address=address)
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
535 + # allow user to set same address via rest
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
536 + if check_main:
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
537 + check_main = nodeid not in check_main
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
538 +
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
539 # make sure none of the alts are owned by anyone other than us (x!=nodeid)
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
540
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
541 add the lines marked with ``+`` in the file in the location after
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
542 check_main is assigned.
32aaf5dc562b fix(REST): issue2551383; improve errors for bad json, fix PUT docs
John Rouillard <rouilj@ieee.org>
parents: 8177
diff changeset
543
8239
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
544 Modify config.ini password_pbkdf2_default_rounds setting (recommended)
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
545 ----------------------------------------------------------------------
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
546
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
547 The method for hashing and storing passwords has been updated to use
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
548 PBKDF2 with SHA512 hash. This change was first introduced in Roundup
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
549 2.3 and is now the standard. If you previously added code in
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
550 interfaces.py for a `PBKDF2 upgrade`_ to enable PBKDF2S5, you can
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
551 remove that code now.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
552
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
553 SHA512 is a more secure hash, it requires fewer rounds to ensure
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
554 safety. The older PBKDF2-SHA1 needed around 2 million rounds.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
555
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
556 You should update the ``password_pbkdf2_default_rounds`` setting in
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
557 ``config.ini`` to 250000. This value is higher than the OWASP
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
558 recommendation of 210000 from three years ago. If you don’t make this
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
559 change, logins will be slow, especially for REST or XMLRPC calls.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
560
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
561 See `PBKDF2 upgrade`_ for details on how to test the algorithm's
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
562 speed. We do not recommend reverting to the older SHA1 PBKDF2. If you
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
563 have to do so due to a slow CPU, you can add the following to your
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
564 tracker's ``interfaces.py``::
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
565
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
566 from roundup.password import Password
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
567 ## Use PBDKF2 (PBKDF2-SHA1) as default hash for passwords.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
568 # That scheme is at the start of the deprecated_schemes list and ha
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
569 # to be removed.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
570 Password.default_scheme = Password.deprecated_schemes.pop(0)
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
571 # Add PBKDF2S5 (PBKDF2-SHA512) as a valid scheme. Passwords
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
572 # using it will be rehashed to use PBDKF2.
8361
fee1b89ae6c3 docs: fix example
John Rouillard <rouilj@ieee.org>
parents: 8360
diff changeset
573 Password.experimental_schemes.insert(0, "PBKDF2S5")
8239
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
574
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
575 If you proceed with this, you should set
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
576 ``password_pbkdf2_default_rounds`` to 2 million or more rounds to keep
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
577 your hashed password database secure in case it gets stolen.
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
578
8237
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
579 Defusedxml support improves XMLRPC security (optional)
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
580 ------------------------------------------------------
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
581
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
582 This release adds support for the defusedxml_ module. If it is
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
583 installed it will be automatically used. The default xmlrpc module in
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
584 the standard library has known issues when parsing crafted XML. It can
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
585 take a lot of CPU time and consume large amounts of memory with small
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
586 payloads.
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
587
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
588 When the XMLRPC endpoint is used without defusedxml, it will log a
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
589 warning to the log file. The log entry can be disabled by adding::
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
590
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
591
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
592 from roundup.cgi import client
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
593 client.WARN_FOR_MISSING_DEFUSEDXML = False
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
594
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
595 to the ``interfaces.py`` file in the tracker home. (Create the file if
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
596 it is missing.)
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
597
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
598 XMLRPC access is enabled by default in the classic and other trackers.
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
599 Upgrading to defusedxml is considered optional because the XMLRPC
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
600 endpoint can be disabled in the tracker's ``config.ini``. Also
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
601 ``Xmlrpc Access`` can be removed from the ``Users`` role by commenting
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
602 out a line in ``schema.py``.
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
603
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
604 If you have enabled the xmlrpc endpoint, you should install
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
605 defusedxml.
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
606
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
607 .. _defusedxml: https://pypi.org/project/defusedxml/
57325fea9982 issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents: 8236
diff changeset
608
8286
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
609 Enable use of native date inputs (optional)
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
610 -------------------------------------------
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
611
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
612 Roundup now can use native ``date`` or ``datetime-local`` inputs for
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
613 ``Date()`` properties. These inputs take the place of the text input and
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
614 calendar popup from earlier Roundup versions. Modern browsers come with
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
615 a built-in calendar for date selection, so the ``(cal)`` calendar link
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
616 is no longer needed. These native inputs show the date based on the
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
617 browser's locale and translate terms into the local language.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
618
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
619 Note that the date format is tied to the language setting in most
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
620 browsers, with some browsers you need special configurations to make the
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
621 browser use the operating system date format.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
622
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
623 By default the old input mechanism (using type=text inputs) is used.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
624 To enable native date input you need to set the config variable ::
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
625
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
626 use_browser_date_input = yes
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
627
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
628 in section ``[web]`` in the ``config.ini`` file.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
629
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
630 If native date input is used, simple uses of the ``field()`` method will
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
631 generate ``datetime-local`` inputs to allow selection of a date and time.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
632 Input fields for ``Date()`` properties will not have the ``(cal)`` link
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
633 anymore. If fields should only use a date (without time) you can specify
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
634 the parameter ``display_time=no`` in ``schema.py`` for a ``Date()``
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
635 property (the default is ``yes``). This will use ``date`` inputs in the
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
636 generated html to select a date only. If you need this only for a single
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
637 date, the ``field()`` method now has a boolean parameter
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
638 ``display_time`` (which by default is set to the ``display_time``
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
639 parameter of ``Date()``)
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
640
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
641 Complex uses using a ``format`` specification in ``field()`` will not be
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
642 upgraded and will operate like earlier Roundup versions. In addition the
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
643 ``format`` can now also be specified in the ``Date()`` constructor.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
644
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
645 To upgrade all date properties, there are five changes to make:
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
646
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
647 1. Configure ``use_browser_date_input = yes`` in section ``[web]`` in
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
648 ``config.ini``
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
649
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
650 2. Optionally add ``display_time = no`` in the schema for Date()
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
651 properties that should have no time displayed
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
652
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
653 3. Remove the format argument from field() calls on Date()
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
654 properties.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
655
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
656 4. Remove popcal() calls.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
657
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
658 5. Include datecopy.js in page.html.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
659
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
660 The ``display_time`` option
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
661 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
662
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
663 Both the ``Date()`` constructor and the ``field`` call take a
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
664 ``display_time`` option which by default is ``yes`` in the ``Date()``
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
665 constructor and ``True`` in ``field``. The ``display_time`` setting of
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
666 ``Date()`` is inherited by the html property, so it doesn't need to be
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
667 specified in each ``field()`` call for this property.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
668
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
669 When ``display_time`` is off, the date field does not include hours,
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
670 minutes or seconds.
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
671
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
672 Remove format argument
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
673 ~~~~~~~~~~~~~~~~~~~~~~
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
674
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
675 Speaking of arguments, avoid setting the date ``format`` if you want to
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
676 use native date inputs. If you include the `format` argument in the
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
677 `field` method, it should be removed.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
678
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
679 By default using a format argument will show the
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
680 popup calendar link. You can disable the link by setting
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
681 ``popcal=False`` in the field() call. If you have::
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
682
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
683 tal:content="structure python:context.duedate.field(
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
684 placeholder='YYYY-MM, format='%Y-%m')"
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
685
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
686 changing it to::
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
687
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
688 tal:content="structure python:context.duedate.field(
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
689 placeholder='YYYY-MM, format='%Y-%m',
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
690 popcal=False)"
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
691
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
692 will generate the input as in Roundup 2.4 or earlier without a
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
693 popcal link.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
694
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
695 Remove popcal
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
696 ~~~~~~~~~~~~~
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
697
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
698 if you have enabled date input types in the configuration and you
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
699 use the ``popcal()`` method directly in your templates, you
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
700 should remove them. The browser's native date selection calendar should
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
701 be used instead.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
702
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
703 Add copy/paste/edit on double-click using datecopy.js
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
704 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
705
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
706 When using date input types,
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
707 there is no way to copy/paste using a native ``datetime-local`` or
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
708 ``date`` input. With the ``datecopy.js`` file installed, double-clicking
8285
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
709 on the input turns it into a normal text input with the ability
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
710 to copy, paste, or manually edit the date.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
711
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
712 To set this up, take either ``datecopy.js`` or the smaller
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
713 version, ``datecopy.min.js``, from the ``html`` folder of the
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
714 classic tracker template. Put the file in the ``html`` folder of
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
715 your tracker home.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
716
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
717 After you install the datecopy file, you can add the script
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
718 directly to a page using::
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
719
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
720 <script tal:attributes="nonce request/client/client_nonce"
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
721 tal:content="structure python:utils.readfile('datecopy.min.js')">
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
722 </script>
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
723
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
724 or get the file in a separate download using a regular script
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
725 tag::
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
726
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
727 <script type="text/javascript" src="@@file/datecopy.js">
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
728 </script>
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
729
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
730 You can place these at the end of ``page.html`` just before the
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
731 close body ``</body>`` tag. This is the method used in the
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
732 classic template. This forces the file to be run for every page
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
733 even those that don't have any date inputs. However, it is cached
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
734 after the first download.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
735
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
736 Alternatively you can inline or link to it using a script tag
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
737 only on pages that will have a date input. For example
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
738 ``issue.item.html``.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
739
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
740 There is no support for activating text mode using the
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
741 keyboard. Tablet/touch support is mixed. Chrome supports
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
742 double-tap to activate text mode input. Firefox does not.
2bf0c4e7795e fix: issue2551390 - Replace text input/calendar popup with native date input
John Rouillard <rouilj@ieee.org>
parents: 8277
diff changeset
743
8346
107761be1e75 docs: issue2551398 document enabling native browser number/integer types
John Rouillard <rouilj@ieee.org>
parents: 8345
diff changeset
744 Enable native number inputs for Number() and Integer() (optional)
8286
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
745 -----------------------------------------------------------------
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
746
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
747 Roundup's ``field()`` method for properties of type ``Number()`` or
8346
107761be1e75 docs: issue2551398 document enabling native browser number/integer types
John Rouillard <rouilj@ieee.org>
parents: 8345
diff changeset
748 ``Integer()`` can use a native browser number input by default.
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
749
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
750 This is configurable for *all* ``Number()`` and ``Integer()`` properties
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
751 with the config option ``use_browser_number_input`` in section ``[web]``.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
752
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
753 You can use the old style text inputs for individual fields
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
754 by calling the field method with ``type="text"``.
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
755
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
756 Note that the ``Integer()`` type also uses ``step="1"`` by default to
8286
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
757 add a stepper control and try to constrain the input to
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
758 integers. This can be overridden by passing a new step
8300
b99e76e76496 Make native date and number elements configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8286
diff changeset
759 (e.g. ``step="50"``) to the ``field()`` method.
8286
6445e63bb423 feat(web) - Use native number type input for Number() and Integer().
John Rouillard <rouilj@ieee.org>
parents: 8285
diff changeset
760
8346
107761be1e75 docs: issue2551398 document enabling native browser number/integer types
John Rouillard <rouilj@ieee.org>
parents: 8345
diff changeset
761 This is an experiment and maybe changed based on feedback.
107761be1e75 docs: issue2551398 document enabling native browser number/integer types
John Rouillard <rouilj@ieee.org>
parents: 8345
diff changeset
762
8265
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
763 Change in REST response for invalid CORS requests (info)
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
764 --------------------------------------------------------
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
765
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
766 CORS_ preflight requests that are missing required headers can
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
767 now result in either a 403 or 400 error code. If you permit
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
768 anonymous users to access the REST interface, a 400 error may
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
769 still occur. Previously, only a 400 error was given. This change
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
770 is not expected to create issues since the client will recognize
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
771 both codes it as an error response, and the CORS request will
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
772 still fail.
35beff316883 fix(api): issue2551384. Verify REST authorization earlier
John Rouillard <rouilj@ieee.org>
parents: 8262
diff changeset
773
8168
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
774 More secure session cookie handling (info)
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
775 ------------------------------------------
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
776
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
777 This affects you if you are accessing a tracker via https. The name
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
778 for the cookie that you get when logging into the web interface has a
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
779 new name. When upgrading to Roundup 2.5 all users will have to to log
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
780 in again. The cookie now has a ``__Secure-`` prefix to prevent it
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
781 from being exposed/used over http.
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
782
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
783 If your tracker is using the unencrypted http protocol, nothing has
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
784 changed.
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
785
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
786 See
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
787 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes
3f0f4746dc7e issue2551370 - prefix session cookie with __Secure- over https
John Rouillard <rouilj@ieee.org>
parents: 8124
diff changeset
788 for details on this security measure.
8124
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
789
8177
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
790 Invalid accept header now prevents operation (info)
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
791 ---------------------------------------------------
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
792
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
793 In earlier versions, the rest interface checked for an incorrect
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
794 "Accept" header, "@apiver", or the ".json" mime type only after
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
795 processing the request. This would lead to a 406 error, but the
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
796 requested change would still be completed.
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
797
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
798 In this release, the validation of the output format and version
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
799 occurs before any database changes are made. Now, all errors related
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
800 to the data format (mime type, API version) will return 406 errors,
2967f37e73e4 refactor: issue2551289. invalid REST Accept header stops request
John Rouillard <rouilj@ieee.org>
parents: 8168
diff changeset
801 where some previously resulted in 400 errors.
8124
800c8dd75051 - issue2551074 - In "responsive" template: click on hide comment leads
John Rouillard <rouilj@ieee.org>
parents: 8111
diff changeset
802
8262
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
803 New method for registering templating utils (info)
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
804 --------------------------------------------------
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
805
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
806 If you are building a template utility function that needs access
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
807 to:
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
808
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
809 * the database
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
810 * the client instance
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
811 * the form the user submitted
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
812
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
813 you had to pass these objects from the template using the ``db``,
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
814 ``request.client`` or ``request.form`` arguments.
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
815
8352
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
816 A new method for registering a template utility has been added. If you
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
817 use the ``instance`` object's ``registerUtilMethod()`` to register a
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
818 utility function, you do not need to pass these arguments. The
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
819 function is called as a method and the first argument is a
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
820 TemplatingUtils (tu) instance from which the client object
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
821 (tu.client), the database (tu.client.db), form (tu.client.form),
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
822 request (tu.client.request), the translator for the current language
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
823 (tu._) and any functions (tu.X) you registered using
6ea309c6d17c docs: fix registerutilMethod docs, format for highlights.
John Rouillard <rouilj@ieee.org>
parents: 8346
diff changeset
824 ``registerUtil()`` are available.
8262
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
825
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
826 You can find an example in :ref:`dynamic_csp`.
2a7c3eeaf167 feat: add templating utils method dynamically; method to set http code
John Rouillard <rouilj@ieee.org>
parents: 8239
diff changeset
827
8478
ed4ef394d5d6 doc: initial attempt to document setup of pgp support for email.
John Rouillard <rouilj@ieee.org>
parents: 8459
diff changeset
828 .. _gpginstall:
ed4ef394d5d6 doc: initial attempt to document setup of pgp support for email.
John Rouillard <rouilj@ieee.org>
parents: 8459
diff changeset
829
8359
d98cb4730a4a docs: relabel/label a couple of headers
John Rouillard <rouilj@ieee.org>
parents: 8357
diff changeset
830 Directions for installing gpg (optional)
d98cb4730a4a docs: relabel/label a couple of headers
John Rouillard <rouilj@ieee.org>
parents: 8357
diff changeset
831 ----------------------------------------
8345
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
832
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
833 In this release a new version of the gpg module was needed for Ubuntu
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
834 24.04 and python 3.13. Paul Schwabauer produced a new version of the
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
835 gpg module. However it is only on the test instance of pypi. If you
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
836 run into issues installing gpg with pip, you can use::
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
837
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
838 pip install --index-url https://test.pypi.org/simple/ \
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
839 --extra-index-url https://pypi.org/simple gpg;
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
840
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
841 to installed version 2.0 of gpg from test.pypi.org obtaining it's
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
842 requirements from pypi.org.
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
843
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
844 When `issue2551368 <https://issues.roundup-tracker.org/issue2551368>`_
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
845 is closed, you should be able to use ``pip install gpg`` again.
35fab0db52f5 docs(install): document how to install gpg 2.0
John Rouillard <rouilj@ieee.org>
parents: 8315
diff changeset
846
8081
95f91b6f0386 issue2551343 - Remove support for PySQLite and sqlite v2.
John Rouillard <rouilj@ieee.org>
parents: 8071
diff changeset
847 .. index:: Upgrading; 2.3.0 to 2.4.0
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
848
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
849 Migrating from 2.3.0 to 2.4.0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
850 =============================
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
851
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
852 Update your ``config.ini`` (required)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
853 -------------------------------------
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
854
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
855 Upgrade tracker's config.ini file. Use::
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
856
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
857 roundup-admin -i /path/to/tracker updateconfig newconfig.ini
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
858
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
859 to generate a new ini file preserving all your settings.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
860 You can then merge any local comments from the tracker's
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
861 ``config.ini`` to ``newconfig.ini`` and replace
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
862 ``config.ini`` with ``newconfig.ini``.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
863
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
864 ``updateconfig`` will tell you if it is changing old default
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
865 values or if a value must be changed manually.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
866
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
867 This will insert the bad API login rate limiting settings.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
868
7964
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
869 Also if you have ``html_version`` set to ``xhtml``, you will get
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
870 an error.
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
871
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
872 .. _CVE-2024-39124:
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
873
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
874 Fix for CVE-2024-39124 in help/calendar popups (recommended)
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
875 ------------------------------------------------------------
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
876
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
877 Classhelper components accessed via URL using ``@template=help``,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
878 ``@template=calendar`` or other template frame in the classhelper
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
879 can run JavaScript embedded in the URL. If user clicks on a
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
880 malicious URL that:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
881
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
882 * arrives in an email,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
883 * is embedded in a note left on a ticket [#markdown-note]_,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
884 * left on some other web page
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
885
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
886 the JavaScript code will be executed. This vulnerability seems to
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
887 be limited to manually crafted URL's. It has not been generated
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
888 by using Roundup's mechanism for generating classhelper URLs.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
889
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
890 The files that need to be changed to fix this depend on the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
891 template used to create the tracker. Check the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
892 TEMPLATE-INFO.txt file in your tracker home. The template
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
893 name is the first component of the ``Name`` field. For
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
894 example trackers with Names like::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
895
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
896 Name: classic-bugtracker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
897
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
898 Name: devel-mytracker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
899
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
900 were derived from the ``classic`` and ``devel`` templates
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
901 respectively. If your tracker is derived from the jinja2
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
902 template, you may not be affected as it doesn't provide
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
903 classhelpers by default. If you aren't sure which tracker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
904 template was used to create your tracker home, check the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
905 ``html/help.html`` file for the word ``Javascript``. If your
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
906 help.html is missing the word ``Javascript``, follow the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
907 directions for the classic template.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
908
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
909 If you have not modified the original tracker html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
910 templates, you can copy replacement files from the new
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
911 templates supplied with release 2.4.0. If you install 2.4.0
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
912 in a `new virtual environment
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
913 <installation.html#standard-installation>`_, you can use the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
914 command ``roundup-admin templates`` to find the installation
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
915 path of the default templates.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
916
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
917 If your template was based on the classic template, replace the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
918 following files in your tracker:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
919
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
920 * html/_generic.calendar.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
921 * html/_generic.help-list.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
922 * html/_generic.help-submit.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
923 * html/_generic.help.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
924 * html/user.help-search.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
925 * html/user.help.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
926
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
927 If your template was based on the minimal template, replace the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
928 following files in your tracker:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
929
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
930 * html/_generic.calendar.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
931 * html/_generic.help.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
932
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
933 If your template was based on the responsive or devel templates,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
934 replace the following files in your tracker:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
935
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
936 * html/_generic.calendar.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
937 * html/_generic.help-submit.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
938 * html/help.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
939 * html/user.help-search.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
940 * html/user.help.html
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
941
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
942 As an example, assume Roundup's virtual environment is
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
943 ``/tools/roundup``. The classic tracker's default template will
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
944 be in ``/tools/roundup/share/roundup/templates/classic``.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
945 Copy
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
946 ``/tools/roundup/share/roundup/templates/classic/html/_generic.calendar.html``
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
947 to ``html/_generic.calendar.html`` in your tracker's home
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
948 directory. Repeat for every one of the files that needs to
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
949 be replaced.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
950
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
951 If you have made local changes to your popup/classhelper
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
952 files or have created new help templates based on the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
953 existing ones, don't copy the default files. Instead, follow
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
954 the directions below to modify each file as needed for your
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
955 template.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
956
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
957 In the examples below, your script tag may differ. For
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
958 example it could include::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
959
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
960 tal:attributes="nonce request/client/client_nonce"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
961
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
962 If it does, keep the differences. You want to make changes
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
963 to remove the structure option but keep the rest of the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
964 valid attributes.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
965
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
966 Most files have a small script that sets a few variables
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
967 from the settings in the URL. You should change::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
968
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
969 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
970 tal:content="structure string:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
971 // this is the name of the field in the original form that we're working on
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
972 form = window.opener.document.${request/form/form/value};
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
973 field = '${request/form/property/value}';">
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
974
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
975 to::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
976
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
977 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
978 tal:content="string:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
979 // this is the name of the field in the original form that we're working on
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
980 form = window.opener.document.${request/form/form/value};
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
981 field = '${request/form/property/value}';">
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
982
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
983 by removing the ``structure`` keyword from the tal:content
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
984 block. This will html escape the settings in the URL. This
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
985 neutralizes an attempt to execute JavaScript by manipulating
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
986 the URL. Most of the files use code similar to this.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
987
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
988 A few files have more extensive JavaScript embedded in the same
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
989 script tag. To handle this you should split it into two scripts
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
990 and encode the replaced strings. For example, change::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
991
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
992 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
993 tal:content="structure string:<!--
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
994 // this is the name of the field in the original form that we're working on
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
995 form = parent.opener.document.${request/form/form/value};
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
996 callingform=form
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
997 field = '${request/form/property/value}';
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
998 var listform = null
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
999 function listPresent() {
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1000 return document.frm_help.cb_listpresent.checked
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1001 [more code skipped]
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1002
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1003 to::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1004
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1005 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1006 tal:content="string:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1007 // this is the name of the field in the original form that we're working on
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1008 form = parent.opener.document.${request/form/form/value};
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1009 callingform=form
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1010 field = '${request/form/property/value}';">
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1011 </script>
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1012 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1013 tal:content="string:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1014 var listform = null
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1015 function listPresent() {
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1016 return document.frm_help.cb_listpresent.checked
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1017 [...]
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1018
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1019 modifying the original by:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1020
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1021 1. removing the ``structure`` keyword and the HTML comment
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1022 marker ``<!--``. This encodes the replaced strings.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1023 2. adding ``">`` at the end of the line that sets ``field`` closes
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1024 the script tag.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1025 3. adding::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1026
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1027 </script>
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1028 <script language="Javascript" type="text/javascript"
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1029 tal:content="string:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1030
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1031 after the line used in step 2, to ends the first script and
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1032 starts a new script.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1033
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1034 Just removing the ``structure`` directive is enough to fix the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1035 bug. Splitting the large script into two parts:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1036
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1037 1. one that has replaced strings with values taken from the URL
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1038 2. one that has no replaced strings
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1039
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1040 allows use of ``structure`` on the script with no replaced
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1041 strings should it be required for your tracker.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1042
8431
a6c41651f553 doc: reformat markdown-note footnote
John Rouillard <rouilj@ieee.org>
parents: 8423
diff changeset
1043 .. [#markdown-note] If you are using markdown formatting for your
a6c41651f553 doc: reformat markdown-note footnote
John Rouillard <rouilj@ieee.org>
parents: 8423
diff changeset
1044 tracker's notes, the user will see the markdown label rather than
a6c41651f553 doc: reformat markdown-note footnote
John Rouillard <rouilj@ieee.org>
parents: 8423
diff changeset
1045 the long (suspicious) URL. You may want to add something like::
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1046
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1047 a[href*=\@template]::after {
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1048 content: ' [' attr(href) ']';
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1049 }
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1050
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1051 to your css. This displays the URL inside square brackets if
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1052 the href has ``@template`` in it. It is placed after the link
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1053 label.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1054
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1055 Fix CVE in earlier versions of Roundup (recommended)
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1056 ----------------------------------------------------
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1057
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1058 If you are upgrading to version 2.4.0, you can skip this
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1059 section. These fixes are already present in 2.4.0.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1060
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1061 This section is for people who can not upgrade yet, and want
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1062 to fix the issues.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1063
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
1064 .. _CVE-2024-39125:
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1065
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1066 Referer value not escaped CVE-2024-39125
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1067 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1068
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1069 Malicious JavaScript inserted into a page can change the value of
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1070 the Referer header to include a script. If a link on that page
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1071 points to a Roundup tracker, that script will be executed. The
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1072 technique to change the header will result in a change of the URL
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1073 in the browser's address bar, but this is easily missed.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1074
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1075 Fix this by editing ``cgi/client.py``, and change::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1076
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1077 except (UsageError, Unauthorised) as msg:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1078 csrf_ok = False
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1079 self.form_wins = True
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1080 self._error_message = msg.args
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1081
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1082 to::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1083
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1084 except (UsageError, Unauthorised) as msg:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1085 csrf_ok = False
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1086 self.form_wins = True
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1087 self.add_error_message(' '.join(msg.args))
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1088
8277
b757cf509480 doc: typo fix.
John Rouillard <rouilj@ieee.org>
parents: 8265
diff changeset
1089 This escapes the Referer value and prevents it from being
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1090 executed.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1091
8064
d6b447de4f59 docs: set up for release documentation.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
1092 .. _CVE-2024-39126:
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1093
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1094 Stop JavaScript execution from attached files CVE-2024-39126
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1095 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1096
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1097 If an SVG, XML or PDF file that includes malicious JavaScript is
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1098 attached to an issue, downloading the file will cause the
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1099 JavaScript to run.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1100
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1101 In ``cgi/client.py`` add the Content-Security-Policy line
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1102 after the existing ``nosniff`` line so it looks like::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1103
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1104 # exception handlers.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1105 self.determine_language()
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1106 self.db.i18n = self.translator
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1107 self.setHeader("X-Content-Type-Options", "nosniff")
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1108 self.setHeader("Content-Security-Policy", "script-src 'none'")
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1109 self.serve_file(designator)
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1110
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1111 (the example is reindented for display).
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1112
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1113 This should prevent SVG and XML files with embedded scripts
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1114 from running.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1115
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1116 If your version of Roundup is old enough that the ``nosniff``
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1117 line is missing, search for ``serve_file(designator)`` and add
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1118 both setHeader lines.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1119
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1120 .. warning::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1121
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1122 If your users use older browsers that don't support Content
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1123 Security Policies (e.g. Internet Explorer), you must
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1124 remove ``text/xml`` and ``image/svg`` from
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1125 ``mime_type_allowlist`` as explained below for
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1126 ``application/pdf``.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1127
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1128 PDF files can also embed JavaScript. Many browsers include
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1129 PDF viewers that may not support disabling scripting. The
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1130 safest way to handle this is to force a download of the PDF
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1131 file and use a PDF viewer with scripting disabled. To force
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1132 downloading, look in ``cgi/client.py`` for
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1133 ``mime_type_allowlist`` and remove the line for
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1134 ``application/pdf``.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1135
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1136 Version 2.4.0 allows you to `modify the mime_type_allowlist
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1137 using interfaces.py
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1138 <admin_guide.html#controlling-browser-handling-of-attached-files>`_.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1139 This will allow you to enable in-browser reading of PDF
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1140 files when you upgrade to 2.4.0 if you wish.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1141
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1142 Note that a `Content Security Policy as documented in the admin
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1143 guide
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1144 <admin_guide.html#adding-a-web-content-security-policy-csp>`_ is
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1145 not applied it to a direct download. This requires adding an
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1146 explicit CSP header as above.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1147
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1148 .. comment: end of CVE include marker
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1149
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1150 XHTML no longer supported (required)
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1151 ------------------------------------
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1152
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1153 If your ``config.ini`` sets ``html_version`` to ``xhtml``,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1154 you need to change it to ``html``. Then you need to change
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8058
diff changeset
1155 your tracker's templates to html from xhtml.
7964
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1156
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1157 Note that the default Roundup templates use html4 so it is
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1158 unlikely that your templates are xhtml based. See
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1159 `issue2551323
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1160 <https://issues.roundup-tracker.org/issue2551323>`_ for
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1161 details on the deprecation of xhtml.
791b61ed11c9 issue2551323 - Remove XHTML support
John Rouillard <rouilj@ieee.org>
parents: 7961
diff changeset
1162
7860
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1163 Update MySQL character set/collations (required)
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1164 ------------------------------------------------
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1165
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1166 issue2551282_ and issue2551115_ discuss issues with MySQL's utf8
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1167 support. MySQL has variations on utf8 character support. This
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1168 version of Roundup expects to use utf8mb4 which is a version of
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1169 utf8 that covers all characters, not just the ones in the basic
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1170 multilingual plane. Previous versions of Roundup used latin1 or
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1171 utf8mb3 (also known as just utf8). Newer versions of MySQL are
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1172 supposed to make utf8mb4 and not utf8mb3 the default.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1173
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1174 To convert your database, you need to have MySQL 8.0.11 or newer
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1175 (April 2018) and a mysql client.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1176
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1177 .. warning::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1178
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1179 This conversion can damage your database. Back up your
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1180 database using mysqldump or other tools. Preferably on a quiet
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1181 database. Verify that your database can be restored (or at
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1182 least look up directions for restoring it). This is very
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1183 important.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1184
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1185 We suggest shutting down Roundup's interfaces:
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1186
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1187 * web
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1188 * email
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1189 * cron jobs that use Python or roundup-admin
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1190
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1191 then make your backup.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1192
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1193 Then connect to your mysql instance using ``mysql`` with the
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1194 information in ``config.ini``. If your tracker's ``config.ini``
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1195 includes::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1196
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1197 name = roundupdb
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1198 host = localhost
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1199 user = roundupuser
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1200 password = rounduppw
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1201
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1202 you would run some version of::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1203
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1204 mysql -u roundupuser --host localhost -p roundupdb
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1205
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1206 and supply ``rounduppw`` when prompted.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1207
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1208 With the Roundup database quiet, convert the character set for the
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1209 database and then for all the tables. To convert the tables you
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1210 need a list of them. To get this run::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1211
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1212 mysql -sN -u roundupuser --host localhost -p \
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1213 -e 'show tables;' roundupdb > /tmp/tracker.tables
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1214
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1215 The ``-sN`` removes line drawing characters and column headers
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1216 from the output. For each table ``<t>`` in the file, run::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1217
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1218 ALTER TABLE `<t>` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1219
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1220 You can automate this conversion using sed::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1221
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1222 sed -e 's/^/ALTER TABLE `/' \
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1223 -e 's/$/` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;/'\
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1224 /tmp/tracker.tables> /tmp/tracker.tables.sql
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1225
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1226 The backticks "`" are required as some of the table names became
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1227 MySQL reserved words during Roundup's lifetime.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1228
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1229 Inspect ``tracker.tables.sql`` to see if all the lines look
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1230 correct. If so then we can start the conversion.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1231
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1232 First convert the character set for the database by running::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1233
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1234 mysql -u roundupuser --host localhost -p roundupdb
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1235
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1236 Then at the ``mysql>`` prompt run::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1237
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1238 ALTER DATABASE roundupdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1239
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1240 you should see: ``Query OK, 1 row affected (0.01 sec)``.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1241
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1242 Now to modify all the tables run:
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1243
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1244 \. /tmp/tracker.tables.sql
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1245
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1246 You will see output similar to::
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1247
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1248 Query OK, 5 rows affected (0.01 sec)
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1249 Records: 5 Duplicates: 0 Warnings: 0
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1250
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1251 for each table. The rows/records will depend on the number of
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1252 entries in the table. This can take a while.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1253
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1254 Once you have successfully completed this, copy your tracker's
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1255 config.ini to a backup file. Edit ``config.ini`` to use the defaults:
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1256
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1257 * mysql_charset = utf8mb4
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1258 * mysql_collation = utf8mb4_unicode_ci
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1259 * mysql_binary_collation = utf8mb4_0900_bin
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1260
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1261 Also look for a ``~/.my.cnf`` for the roundup user and make sure
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1262 that the settings for character set (charset) are utf8mb4 compatible.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1263
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1264 To test, run ``roundup-admin -i tracker_home`` and display an
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1265 issue designator: e.g. ``display issue10``. Check that the text
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1266 fields are properly displayed (e.g. title). Start the web
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1267 interface and browse some issues. Again, check that the text
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1268 fields display correctly, that the history at the bottom of the
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1269 issues displays correctly and if you are using the default full
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1270 text search, make sure that that works.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1271
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1272 If this works, bring email cron jobs etc. back online.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1273
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1274 If this fails, take down the web interface, restore the database
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1275 from backup, restore the old config.ini. Then test again and
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1276 reach out to the mailing list for help.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1277
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1278 We can use assistance in getting these directions corrected or
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1279 enhanced. The core Roundup developers don't use MySQL for their
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1280 production workloads so we count on users to help us with this.
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1281
8030
6d1b62ffbb5d docs: add references for utf8 -> utf8mb4 conversion/issues for mysql
John Rouillard <rouilj@ieee.org>
parents: 7995
diff changeset
1282 References:
6d1b62ffbb5d docs: add references for utf8 -> utf8mb4 conversion/issues for mysql
John Rouillard <rouilj@ieee.org>
parents: 7995
diff changeset
1283
6d1b62ffbb5d docs: add references for utf8 -> utf8mb4 conversion/issues for mysql
John Rouillard <rouilj@ieee.org>
parents: 7995
diff changeset
1284 * https://mathiasbynens.be/notes/mysql-utf8mb4#utf8-to-utf8mb4
6d1b62ffbb5d docs: add references for utf8 -> utf8mb4 conversion/issues for mysql
John Rouillard <rouilj@ieee.org>
parents: 7995
diff changeset
1285 * https://adamhooper.medium.com/in-mysql-never-use-utf8-use-utf8mb4-11761243e434
6d1b62ffbb5d docs: add references for utf8 -> utf8mb4 conversion/issues for mysql
John Rouillard <rouilj@ieee.org>
parents: 7995
diff changeset
1286
7860
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1287 .. _issue2551282: https://issues.roundup-tracker.org/issue2551282
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1288 .. _issue2551115: https://issues.roundup-tracker.org/issue2551115
8b31893f5930 issue2551115/issue2551282 - utf8mb4 support in roundup
John Rouillard <rouilj@ieee.org>
parents: 7819
diff changeset
1289
8058
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1290 Disable spellcheck on all password fields (recommended)
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1291 -------------------------------------------------------
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1292
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1293 All tracker templates have been updated to disable spell checking on
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1294 password input fields. This can help prevent exposing the password to
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1295 an external server that provides spell checking for a browser. Since
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1296 passwords should not be real words in any language, spell checking
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1297 serves no purpose.
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1298
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1299 If you have modified your template with a "show password" option you
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1300 should disable spell check.
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1301
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1302 To implement this in your deployed trackers, add::
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1303
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1304 spellcheck="false"
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1305
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1306 to make your password inputs look like::
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1307
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1308 <input type="password" spellcheck="false" name=....>
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1309
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1310 The changed files in the classic/devel/responsive templates are:
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1311
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1312 .. code-block:: text
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1313
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1314 html/page.html
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1315 html/user.item.html
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1316
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1317 and in the jinja2 template the following files were changed:
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1318
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1319 .. code-block:: text
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1320
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1321 html/user.item.html
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1322 html/user.register.html
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1323 html/layout/navigation.html
0e382e97f0e3 fix: disable spellchecking for password fields
John Rouillard <rouilj@ieee.org>
parents: 8048
diff changeset
1324
7971
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1325 Add new classhelper to your templates (optional)
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1326 ------------------------------------------------
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1327
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1328 The classic classhelper invoked by the ``(list)`` link in your
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1329 issue.item.html template can be greatly improved by wrapping the
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1330 links with the new web-component based ``roundup-classhelper``.
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1331
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1332 The new classhelper:
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1333
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1334 * allows you to select items from multiple pages
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1335 * is usable with a content security policy
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1336 * is more easily styled
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1337
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1338 To deploy it, install the required files and wrap classhelp calls
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1339 in the new ``<roundup-classhelper>`` component. For example,
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1340 wrap::
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1341
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1342 <span tal:condition="context/is_edit_ok" tal:replace="structure
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1343 python:db.user.classhelp('username,realname,address',
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1344 property='nosy', width='600'" />
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1345
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1346 so it looks like::
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1347
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1348 <roundup-classhelper
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1349 data-search-with="username,phone,roles[]">
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1350
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1351 <span tal:condition="context/is_edit_ok" tal:replace="structure
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1352 python:db.user.classhelp('username,realname,address',
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1353 property='nosy', width='600')" />
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1354
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1355 </roundup-classhelper>
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1356
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1357 to allow the user to search by: username, phone number and use a
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1358 select/dropdown to search by role. Full details about the
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1359 attributes and installation instructions can be found in the
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1360 `classhelper documentation`_ in the admin guide.
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1361
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
1362
7819
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1363 Disable performance improvement for wsgi mode (optional)
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1364 --------------------------------------------------------
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1365
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1366 In Roundup version 2.2.0, an experimental feature was introduced to
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1367 enhance performance while operating in wsgi mode. Initially, this
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1368 feature was disabled. Over the past two years, it has been used at a
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1369 few sites without any reported problems.
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1370
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1371 As a result, the default setting now enables this performance
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1372 improvement, encouraging a wider adoption of the feature. In the
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1373 event that an undiscovered bug arises, it can still be disabled
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1374 if you experience problems. To disable it, modify your wsgi
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1375 startup script and add the feature_flags to the RequestDispatcher
8360
f6e58615a998 doc: put example in callout using ::
John Rouillard <rouilj@ieee.org>
parents: 8359
diff changeset
1376 as below::
7819
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1377
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1378 feature_flags = { "cache_tracker": False }
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1379 app = RequestDispatcher(tracker_home, feature_flags=feature_flags)
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1380
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1381 Then restart your wsgi instance. If you have to disable this
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1382 feature, send email to the roundup-users mailing list
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1383 (roundup-users at lists.sourceforge.net) so we can help you
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1384 diagnose the cause and fix it for everybody.
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1385
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1386 In the future, support for disabling this improvement will be removed.
7819
0fe2b9f6e19f issue2551212 - enable wsgi cache_tracker by default
John Rouillard <rouilj@ieee.org>
parents: 7801
diff changeset
1387
7686
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1388 Fix duplicate id for confirm password in user.item.html (optional)
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1389 ------------------------------------------------------------------
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1390
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1391 The TAL macro ``user_confirm_input`` at the end of ``html/page.html``
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1392 for all templates except ``jinja2`` sets the ``id`` of the ``Confirm
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1393 password`` input the same as the ``Login Password`` input. This
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1394 creates an HTML error. Two items must not have the same id.
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1395
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1396 However browsers ignore the error and things still work. If you were
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1397 to use css or javascript to target the ``password`` id, it would not
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1398 work as expected.
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1399
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1400 To fix this, change the line near the end of your tracker's
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1401 ``html/page.html`` from::
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1402
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1403 tal:attributes="id name; name string:@confirm@$name; readonly not:edit_ok" value="">
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1404
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1405 to::
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1406
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1407 tal:attributes="id string:confirm_$name; name string:@confirm@$name; readonly not:edit_ok" value="">
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1408
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1409 This will change the id to ``confirm_password``.
a27f30709d46 fix: duplicate password id generated for user.item.html
John Rouillard <rouilj@ieee.org>
parents: 7668
diff changeset
1410
7694
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1411 Merge changes from devel template task.index.html (optional)
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1412 ------------------------------------------------------------
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1413
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1414 The devel template's ``task.index.html`` has some fields that are not
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1415 defined in the schema. It looks like it was originally copied from the
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1416 ``bug.index.html``. If the task index is requested without specifying
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1417 the columns/fields, the template will crash trying to display
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1418 ``severity`` and other fields that don't exist in the task schema.
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1419
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1420 In normal use, the left hand menu for tasks always specifies valid
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1421 columns so you may not see this issue. However if you remove the
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1422 ``@columns`` query parameter, you can see the error.
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1423
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1424 The removed columns are: severity, versions, keywords, dependencies.
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1425
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1426 It is also missing the ``solves`` field which is added to match the
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1427 schema.
54eb12cd3be1 fix: make task index not crash.
John Rouillard <rouilj@ieee.org>
parents: 7686
diff changeset
1428
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1429 `You can see the diff in the Sourceforge web interface <https://sourceforge.net/p/roundup/code/ci/54eb12cd3be143b079809795dcb2f813f75a691c/tree/share/roundup/templates/devel/html/task.index.html?diff=c95870b2bbab822def6066498a4ef8634e76e0b3>`_.
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1430
7992
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1431 Make group headers span all columns (optional)
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1432 ----------------------------------------------
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1433
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1434 In a number of index pages a version of the following TAL command
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1435 appears::
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1436
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1437 <th tal:attributes="colspan python:len(request.columns)" class="group">
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1438
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1439 If the ``@columns`` parameter (aka request.columns) is not set,
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1440 all columns are shown. However the group header only spans the
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1441 first column. Changing this to read::
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1442
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1443 <th tal:attributes="colspan python:len(request.columns) or 100" class="group">
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1444
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1445 makes the group header span all the columns (if you have fewer
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1446 than 100 columns). All of the supplied templates hae been
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1447 upgraded with this change. `See issue 2551341 for details
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1448 <https://issues.roundup-tracker.org/issue2551341>`_.
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1449
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1450 Note the jinja2 template has the same issue, but the development
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1451 team hasn't devised a solution.
1e9c16b079fa fix: issue2551341 - if @columns missing from an index url, the group headers colspan property = 0
John Rouillard <rouilj@ieee.org>
parents: 7971
diff changeset
1452
7936
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1453 Use @current_user in Searches (optional)
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1454 ----------------------------------------
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1455
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1456 You can create queries like: "My issues" by searching the ``creator``
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1457 property of issues for your id number. Similarly you can search for
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1458 "Issues assigned to me" by searching on the ``assignedto`` property.
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1459
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1460 Queries in Roundup can be shared between users. However queries like
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1461 these can be shared. However for any user but they will only find
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1462 issues created by/assigned to the user who created the query.
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1463
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1464 This release allows you to search Links to the User class by
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1465 specifying ``@current_user``. This token searches for the currently
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1466 log in user. It makes searches like the above usable when shared.
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1467
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1468 This only works for properties that are a Link to the user
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1469 class. E.G. creator, actor, assignedto. It does not yet work for
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1470 MultiLink properties (like nosy).
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1471
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1472 As an example this can be deployed to the classic tracker's issue
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1473 search template (issue.search.html), by replacing::
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1474
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1475 <option metal:fill-slot="extra_options" i18n:translate=""
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1476 tal:attributes="value request/user/id">created by
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1477 me</option>
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1478
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1479 with::
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1480
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1481 <option metal:fill-slot="extra_options" value="@current_user"
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1482 tal:attributes="selected python:value == '@current_user'"
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1483 i18n:translate="">created by me</option>
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1484
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1485 There are three places where ``value request/user/id`` is used in the
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1486 classic template. Your template may have more.
7938
ce5a554b2f88 doc: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7936
diff changeset
1487
ce5a554b2f88 doc: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7936
diff changeset
1488 If you have a user with the exact username of `@current_user` they
ce5a554b2f88 doc: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7936
diff changeset
1489 should change it. `Details can be found in issue1525113
ce5a554b2f88 doc: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7936
diff changeset
1490 <https://issues.roundup-tracker.org/issue1525113>`_.
7936
a9b136565838 feat: issue1525113 - notation to filter by logged-in user
John Rouillard <rouilj@ieee.org>
parents: 7928
diff changeset
1491
7719
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1492 New PostgreSQL Settings (optional)
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1493 ----------------------------------
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1494
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1495 With this release, you can specify a Postgresql database schema
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1496 to use. By default Roundup creates a database when using
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1497 ``roundup-admin init``. Setting the rdbms ``name`` keyword to
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1498 ``roundup_database.roundup_schema`` will create and use the
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1499 ``roundup_schema`` in the pre-created ``roundup_database``. See
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1500 the `Roundup PostgreSQL documentation`_ for details on how to set
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
1501 up the roles.
7719
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1502
7723
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1503 Also there is a new configuration keyword in the rdbms
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1504 section of ``config.ini``. The ``service`` keyword allows
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1505 you to define the service name for Postgres that will be
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1506 looked up in the `Connection Service File`_. Any of the
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1507 methods of specifying the file including by using the
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1508 ``PGSERVICEFILE`` environment variable are supported.
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1509
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1510 This is similar to the existing support for MySQL
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1511 option/config files and groups.
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1512
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1513 If you use services, any settings for the same properties
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1514 (user, name, password ...) that are in the tracker's
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1515 ``config.ini`` will override the service settings. So you
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1516 want to leave the ``config.ini`` settings blank. E.G.::
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1517
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1518 [rdbms]
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1519 name =
7723
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1520 host =
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1521 port =
7723
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1522 user =
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1523 password =
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1524 service = roundup_roundup
7723
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1525
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1526 Setting ``service`` to ``roundup_roundup`` with
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1527 the following in the service file::
7719
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1528
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1529 [roundup_roundup]
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1530 host=127.0.0.1
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1531 port=5432
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1532 user=roundup
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1533 password=roundup
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1534 dbname=roundup
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1535
7723
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1536 would use the roundup database with the specified
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1537 credentials. It is possible to define a service that
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1538 connects to a specific schema using::
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1539
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1540 options=-c search_path=roundup_service_dev
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1541
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1542 Note that the first schema specified after ``search_path=``
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1543 is created and populated. The schema name
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1544 (``roundup_service_dev``) must be terminated by: a comma,
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1545 whitespace or end of line.
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1546
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1547 You can use the command ``psql "service=db_service_name"``
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1548 to verify the settings in the connection file. Inside of
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1549 ``psql`` you can verify the ``search_path`` using ``show
8147f6deac9f fix(db): Make using pg_service work again.
John Rouillard <rouilj@ieee.org>
parents: 7719
diff changeset
1550 search_path;``.
7719
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1551
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1552 .. _`Connection Service File`: https://www.postgresql.org/docs/current/libpq-pgservice.html
3071db43bfb6 feat: issue2550852 - support using a specified PostgreSQL db schema
John Rouillard <rouilj@ieee.org>
parents: 7711
diff changeset
1553
7749
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1554 Update for user.help-search.html (optional)
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1555 -------------------------------------------
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1556
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1557 There is a bug in the template used as a search helper for the user
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1558 fields (e.g. the nosy list). The ``properties`` url query argument was
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1559 ignored. You can not select the displayed fields using the
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1560 ``properties`` argument. This is fixed in 2.4.0. You can probably just
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1561 copy the ``user.help-search.html`` from the classic tracker template.
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1562
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1563 If you have modified that template, you can follow the analysis in
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1564 `issue2551320 <https://issues.roundup-tracker.org/issue2551320>`_
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1565 to fix your template.
79344ea780ea doc: add upgrading notes for user.help-search.html
John Rouillard <rouilj@ieee.org>
parents: 7724
diff changeset
1566
7928
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1567 Update for _generic.help.html (optional)
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1568 ----------------------------------------
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1569
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1570 Using the ``_generic.help.html`` template with ``classhelper()`` to
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1571 provide information on a property without selecting a property caused
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1572 an error when processing the template. Using the help template with
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1573 Link properties can provide description or other information that the
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1574 user can use to determine the right setting.
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1575
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1576 If your tracker is based on the minimal or classic tracker and you have
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1577 not changed the _generic.help.html file, you can copy it into place
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1578 from the template directory.
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1579
c05ea62b4c7a fix: issue2551347 - make _generic.help.html work without property settings
John Rouillard <rouilj@ieee.org>
parents: 7923
diff changeset
1580
7905
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1581 Fix static_files use of '-' directory (info)
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1582 --------------------------------------------
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1583
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1584 Use of the '-' directory in ``static_files`` config.ini setting now
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1585 works. So it will prevent access to the html directory when using
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1586 ``@@file/`` based url's.
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1587
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1588
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1589 Bad Login Rate Limiting and Locking (info)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1590 ------------------------------------------
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1591
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1592 Brute force logins have been rate limited in the HTML web interface
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1593 for a while. This was not the case with the API interfaces.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1594
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1595 This release introduces rate limiting for invalid REST or XMLRPC API
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1596 logins. As with the web interface, users who have hit the rate limit
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1597 have their accounts locked until after the recommended delay time has
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1598 passed. See `information on configuring the API rate limits`_ for
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1599 details.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1600
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1601 .. _`information on configuring the API rate limits`: rest.html#rate-limiting-api-failed-logins
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1602
7582
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1603 Removal of cgi.py from Python (info)
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1604 ------------------------------------
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1605
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1606 The ``cgi.py`` module will be `removed starting with Python 3.13
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1607 <https://peps.python.org/pep-0594/#cgi>`_. Roundup now `vendors a copy
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1608 <https://pypi.org/project/legacy-cgi/>`_ of ``cgi.py`` and makes it
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1609 and its storage objects available by importing from::
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1610
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1611 from roundup.anypy.cgi_ import cgi
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1612 from roundup.anypy.cgi_ import FieldStorage, MiniFieldStorage
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1613
7959
88239d4ac4ab doc: spelling fix.
John Rouillard <rouilj@ieee.org>
parents: 7938
diff changeset
1614 It is unlikely that you will care unless you have done some expert
7582
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1615 level Roundup customization. If you have, use one of the imports above
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1616 if you plan on running on Python 3.13 (expected in 2024) or newer.
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
1617
7668
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1618 Fixing PostgreSQL Out of Memory Errors when Importing Tracker (info)
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1619 --------------------------------------------------------------------
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1620
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1621 Importing a tracker into PostgreSQL can run out of memory with the
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1622 error::
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1623
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1624 psycopg2.errors.OutOfMemory: out of shared memory
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1625 HINT: You might need to increase max_locks_per_transaction.
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1626
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1627 before changing your PostgreSQL configuration, try changing the pragma
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1628 ``savepoint_limit`` to a lower value. By default it is set to
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1629 ``10000``. In some cases this may be too high. See the `administration
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1630 guide`_ for further details.
5b41018617f2 fix: out of memory error when importing under postgresql
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1631
7905
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1632 roundup-admin's History Command Produces Readable Output (info)
f47b186a2ad9 fix use of '-' directory in static files
John Rouillard <rouilj@ieee.org>
parents: 7860
diff changeset
1633 ---------------------------------------------------------------
7797
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1634
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1635 The history command of roundup-admin used to print the raw journal
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1636 data. In this release the default is to produce more human readable
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1637 data. The original output (not pretty printed as below) was::
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1638
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1639 [('1', <Date 2013-02-18.20:30:34.125>, '1', 'create', {}),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1640 ('1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1641 <Date 2013-02-19.21:24:20.391>,
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1642 '1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1643 'set',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1644 {'messages': (('+', ['3']),)}),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1645 ('1', <Date 2013-02-19.21:24:24.797>, '1', 'set', {'priority': '1'}),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1646 ('1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1647 <Date 2013-02-20.03:16:52.000>,
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1648 '1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1649 'link',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1650 ('issue', '2', 'dependson')),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1651 ('1', <Date 2013-02-21.20:51:40.750>, '1', 'link', ('issue', '2',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1652 'seealso')),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1653 ('1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1654 <Date 2013-02-22.05:33:08.875>,
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1655 '1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1656 'set',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1657 {'dependson': (('+', ['3']),), 'private': None, 'queue': None}),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1658 ('1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1659 <Date 2013-02-22.05:33:19.406>,
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1660 '1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1661 'set',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1662 {'dependson': (('+', ['2']),)}),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1663 ('1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1664 <Date 2013-02-27.03:24:42.844>,
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1665 '1',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1666 'unlink',
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1667 ('issue', '2', 'seealso')),
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1668 ...
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1669
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1670 Now it produces (Each entry is on one line, lines wrapped
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1671 and indented for display)::
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1672
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1673 admin(2013-02-18.20:30:34) create issue
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1674 admin(2013-02-19.21:24:20) set modified messages: added: msg3
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1675 admin(2013-02-19.21:24:24) set priority was critical(1)
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1676 admin(2013-02-20.03:16:52) link added issue2 to dependson
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1677 admin(2013-02-21.20:51:40) link added issue2 to seealso
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1678 admin(2013-02-22.05:33:08) set modified dependson: added: issue3;
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1679 private was None; queue was None
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1680 admin(2013-02-22.05:33:19) set modified dependson: added: issue2
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1681 admin(2013-02-27.03:24:42) unlink removed issue2 from seealso
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1682 ...
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1683
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1684
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1685 A few things to note: set operations can either assign a property or
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1686 report a modification of a multilink property. If an assignment
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1687 occurs, the value reported is the **old value** that was there before
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1688 the assignment. It is **not** the value that is assigned. In the
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1689 example above I don't know what the current value of priority is. All
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1690 I know it was set to critical when the issue was created.
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1691
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1692 Modifications to multilink properties work differently. I know that
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1693 ``msg3`` was present in the messages property after 2013-02-19 at
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1694 21:24:20 UTC.
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1695
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1696 The history command gets a new optional argument ``raw`` that produces
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1697 the old style output. The old style is (marginally) more useful for
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1698 script automation.
8bdf0484215c Summary: feat: roundup-admin history command has human interpretable output
John Rouillard <rouilj@ieee.org>
parents: 7793
diff changeset
1699
7921
e3975f679bf1 issue2551302 - Remove support for sqlite version 1 from back_sqlite.py
John Rouillard <rouilj@ieee.org>
parents: 7905
diff changeset
1700 Deprecation Notices (info)
e3975f679bf1 issue2551302 - Remove support for sqlite version 1 from back_sqlite.py
John Rouillard <rouilj@ieee.org>
parents: 7905
diff changeset
1701 --------------------------
e3975f679bf1 issue2551302 - Remove support for sqlite version 1 from back_sqlite.py
John Rouillard <rouilj@ieee.org>
parents: 7905
diff changeset
1702
e3975f679bf1 issue2551302 - Remove support for sqlite version 1 from back_sqlite.py
John Rouillard <rouilj@ieee.org>
parents: 7905
diff changeset
1703 Support for SQLite version 1 has been removed in 2.4.0.
e3975f679bf1 issue2551302 - Remove support for sqlite version 1 from back_sqlite.py
John Rouillard <rouilj@ieee.org>
parents: 7905
diff changeset
1704
8046
c53117e6775f doc: deprication sqlite2
John Rouillard <rouilj@ieee.org>
parents: 8045
diff changeset
1705 Support for SQLite version 2 will be removed in 2.5.0.
c53117e6775f doc: deprication sqlite2
John Rouillard <rouilj@ieee.org>
parents: 8045
diff changeset
1706
7923
29a666d8a70d issue2551285 - Remove StructuredText support
John Rouillard <rouilj@ieee.org>
parents: 7922
diff changeset
1707 Support for StructuredText has been removed in 2.4.0. Support for
29a666d8a70d issue2551285 - Remove StructuredText support
John Rouillard <rouilj@ieee.org>
parents: 7922
diff changeset
1708 reStructuredText remains.
29a666d8a70d issue2551285 - Remove StructuredText support
John Rouillard <rouilj@ieee.org>
parents: 7922
diff changeset
1709
7922
ded9f1c3f112 announce deprecation for PySQLite in 2.5.0
John Rouillard <rouilj@ieee.org>
parents: 7921
diff changeset
1710 Support for the `PySQLite <https://github.com/ghaering/pysqlite>`_
ded9f1c3f112 announce deprecation for PySQLite in 2.5.0
John Rouillard <rouilj@ieee.org>
parents: 7921
diff changeset
1711 library will be removed in 2.5.0. Only the Python supplied sqlite3
ded9f1c3f112 announce deprecation for PySQLite in 2.5.0
John Rouillard <rouilj@ieee.org>
parents: 7921
diff changeset
1712 library will be supported.
ded9f1c3f112 announce deprecation for PySQLite in 2.5.0
John Rouillard <rouilj@ieee.org>
parents: 7921
diff changeset
1713
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1714 .. index:: Upgrading; 2.2.0 to 2.3.0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7507
diff changeset
1715
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1716 Migrating from 2.2.0 to 2.3.0
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1717 =============================
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1718
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1719 Update your ``config.ini`` (required)
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1720 -------------------------------------
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1721
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1722 Upgrade tracker's config.ini file. Use::
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1723
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1724 roundup-admin -i /path/to/tracker updateconfig newconfig.ini
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1725
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1726 to generate a new ini file preserving all your settings.
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1727 You can then merge any local comments from the tracker's
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1728 ``config.ini`` to ``newconfig.ini`` and replace
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1729 ``config.ini`` with ``newconfig.ini``.
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1730
7203
12a3cd86668f auto update 'password_pbkdf2_default_rounds' "
John Rouillard <rouilj@ieee.org>
parents: 7166
diff changeset
1731 ``updateconfig`` will tell you if it is changing old default
12a3cd86668f auto update 'password_pbkdf2_default_rounds' "
John Rouillard <rouilj@ieee.org>
parents: 7166
diff changeset
1732 values or if a value must be changed manually.
12a3cd86668f auto update 'password_pbkdf2_default_rounds' "
John Rouillard <rouilj@ieee.org>
parents: 7166
diff changeset
1733
7132
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1734 Using the roundup-mailgw script (required)
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1735 ------------------------------------------
7064
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1736
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1737 In previous versions the roundup-mailgw script had a ``-C`` (or
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1738 ``--class``) option for specifying a class to be used with ``-S`` (or
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1739 ``--set``) option(s). In the latest version the ``-C`` option is gone,
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1740 the class for this option is specified as a prefix, e.g. instead of ::
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1741
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1742 roundup-mailgw -C issue -S issueprop=value
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1743
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1744 You now specify ::
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1745
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1746 roundup-mailgw -S issue.issueprop=value
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1747
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1748 If multiple values need to be set, this can be achieved with multiple
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1749 ``-S`` options or with delimiting multiple values with a semicolon (in
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1750 that case the string needs to be quoted because semicolon is a shell
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1751 special character)::
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1752
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1753 roundup-mailgw -S 'issue.issueprop1=value1;issueprop2=value2'
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1754 roundup-mailgw -S issue.issueprop1=value1 -S issue.issueprop2=value2
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1755
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1756 are equivalent. Note that the class is provided as a prefix for the
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1757 set-string, not for each property. The class can be omitted altogether
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1758 in which case it defaults to ``msg`` (this default existed in previous
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1759 versions).
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1760
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1761 If you do not use the ``-C`` (or ``--class``) option in your current
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1762 setup of mailgw you don't need to change anything.
3359dc1dabb0 Add OAuth authentication to the mailgw script
Ralf Schlatterbeck <rsc@runtux.com>
parents: 7047
diff changeset
1763
7132
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1764 Replace Create User permission for Anonymous with Register (required)
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1765 ---------------------------------------------------------------------
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1766
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1767 Check your trackers schema.py. If you have the following code::
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1768
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1769 db.security.addPermissionToRole('Anonymous', 'Create', 'user')
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1770
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1771 after the permission for Anonymous 'Email Access', change it to::
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1772
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1773 db.security.addPermissionToRole('Anonymous', 'Register', 'user')
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1774
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1775 The comment for Anonymous 'Email Access' may refer to Create. Change
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1776 it to refer to Register.
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1777
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1778 This will be an issue if you used the devel or responsive tracker
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1779 templates. If you used a classic, minimal or jinja2 template the
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1780 permission change (but not the comment change) should be done already.
c087ad45bf4d update Anonymous Create user to Register user permissions
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1781
6806
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1782 Rdbms version change from 7 to 8 (required)
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1783 -------------------------------------------
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1784
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1785 This release includes a change that requires updates to the
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1786 database schema.
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1787
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1788 Sessions and one time key (otks) tables in the Mysql and
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1789 PostgreSQL database use a numeric type that
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1790 truncates/rounds expiration timestamps. This results in
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1791 entries being purged early or late (depending on whether
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1792 it rounds up or down). The discrepancy is a couple of
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1793 days for Mysql or a couple of minutes for PostgreSQL.
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1794
6806
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1795 Session keys stay for a week or more and CSRF keys are
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1796 two weeks by default. As a result, this isn't usually a
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1797 visible issue. This migration updates the numeric types
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1798 to ones that supports more significant figures.
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1799
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1800 You should backup your instance and run the
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1801 ``roundup-admin -i <tracker_home> migrate``
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1802 command for all your trackers once you've
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1803 installed the latest code base.
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1804
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1805 Do this before you use the web, command-line or mail
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1806 interface and before any users access the tracker.
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1807
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1808 If successful, this command will respond with either
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1809 "Tracker updated" (if you've not previously run it on an
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1810 RDBMS backend) or "No migration action required" (if you
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1811 have run it, or have used another interface to the tracker,
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1812 or are using anydbm).
bdd28b244839 - issue2551223 - fix timestamp truncation in mysql and postgresql
John Rouillard <rouilj@ieee.org>
parents: 6804
diff changeset
1813
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1814 Session/OTK data storage for SQLite backend changed (required)
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1815 --------------------------------------------------------------
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1816
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1817 Roundup stores a lot of ephemeral data:
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1818
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1819 * login session tokens,
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1820 * rate limits
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1821 * password reset attempt tokens
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1822 * one time keys
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1823 * and anti CSRF keys.
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1824
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1825 These were stored using dbm style files while the main data
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1826 is stored in a SQLite db. Using both dbm and sqlite style
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1827 files is surprising and due to how we lock dbm files can be
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1828 a performance issue.
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1829
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1830 However you can continue to use the dbm files by setting the
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1831 ``backend`` option in the ``[sessiondb]`` section of
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1832 ``config.ini`` to ``anydbm``.
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1833
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1834 If you do not change the setting, two sqlite databases
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1835 called ``db-otk`` and ``db-session`` replace the dbm
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1836 databases. Once you make the change the old ``otks`` and
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1837 ``sessions`` dbm databases can be removed.
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1838
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1839 Note this replacement will require users to log in again and
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1840 refresh web pages to save data. It is best if people save
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1841 all their changes and log out of Roundup before the upgrade
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1842 is done to minimize confusion. Because the data is
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
1843 ephemeral, there is no plan to migrate this data to the new
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1844 SQLite databases. If you want to keep using the data set the
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1845 ``sessiondb`` ``backend`` option as described above.
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1846
7166
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1847 Update ``config.ini``'s ``password_pbkdf2_default_rounds`` (required)
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1848 ---------------------------------------------------------------------
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1849
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1850 Roundup hashes passwords using PBKDF2 with SHA1. In this release, you
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1851 can `upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended)`_. If you
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1852 upgrade, you want to set the default rounds according to the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1853 PBKDF2-SHA512 upgrading directions. Note that this algorithm is
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1854 expected to be the default in a future version of Roundup.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1855
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1856 If you don't want to upgrade, we recommend that you increase the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1857 default number of rounds from the original 10000. PBKDF2 has a
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1858 parameter that makes hashing a password more difficult to do. The
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1859 original 10000 value was set years ago. It has not been updated for
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1860 advancements in computing power.
7166
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1861
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1862 This release of Roundup changes the value to 2000000 (2
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1863 million). This exceeds the current `recommended setting of
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1864 1,300,000`_ for PBKDF2 when used with SHA1.
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1865
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1866 .. caution::
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1867
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1868 If you were using the old 10000 value, **it will be automatically
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1869 upgraded** to 2 million by using ``roundup-admin``'s
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1870 ``updateconfig``. If you were not using the old 10000 default, you
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1871 should update it manually.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1872
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1873 After the change users will still be able to log in using the older
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1874 10000 round hashed passwords. If ``migrate_passwords`` is set to
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1875 ``yes``, passwords will be automatically re-hashed using the new
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1876 higher value when the user logs in. If
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1877 ``password_pbkdf2_default_rounds`` is set to a lower value than was
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1878 used to hash a password, the password will not be rehashed so the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1879 higher value will be kept. The lower value will be used only if the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1880 password is changed using the web or command line.
7166
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1881
7209
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1882 Increasing the number of rounds will slow down re-hashing. That's the
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1883 whole point. Sadly it will also slow down logins. Usually the hash
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1884 takes under 1 second, but if you are using a slow chip (e.g. an ARM V6
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1885 at 700 bogo mips) it can take 30 seconds to compute the 2000000
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1886 rounds. The slowdown is linear. So what takes .001 seconds at 10000
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1887 rounds will take: ``2000000/10000 * .001 = 200 * .001`` seconds or 0.2
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1888 seconds.
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1889
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1890 You can see how long it will take by using the new ``roundup-admin``
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1891 ``perftest`` command. After you have finished migrating your database,
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1892 run::
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1893
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1894 roundup-admin -i <tracker_home> perftest password scheme=PBKDF2 rounds=10000
7209
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1895
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1896 and then::
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1897
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1898 roundup-admin -i <tracker_home> perftest password scheme=PBKDF2 rounds=2,000,000
7209
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1899
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1900 so see the difference. Output from this command looks like::
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1901
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1902 Hash time: 0.203151849s scheme: PBKDF2 rounds: 10000
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1903
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1904 If your testing reports a hash time above 0.5 seconds for 10000
7209
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1905 rounds, there may be another issue. See if executing::
7166
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1906
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1907 python3 -c 'from hashlib import pbkdf2_hmac'
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1908
7209
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1909 produces an error.
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1910
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1911 If you get an ImportError, you are using Roundup's fallback PBKDF2
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1912 implementation. It is much slower than the library version. As a
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1913 result re-encrypting the password (and logging in, which requires
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1914 calculating the encrypted password) will be very slow.
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1915
c1227f883177 Implement password hash testing using new roundup-admin perftest.
John Rouillard <rouilj@ieee.org>
parents: 7203
diff changeset
1916 You should find out how to make the import succeed. You may need to
7166
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1917 install an OS vendor package or some other library.
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1918
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1919 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
1549c7e74ef8 issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
John Rouillard <rouilj@ieee.org>
parents: 7155
diff changeset
1920
8239
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
1921 .. _PBKDF2 upgrade:
6bd11a73f2ed issue2551253. default hash is PBKDF2-SHA512.
John Rouillard <rouilj@ieee.org>
parents: 8237
diff changeset
1922
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1923 Upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended)
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1924 ---------------------------------------------------------------
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1925
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1926 We recommend that you upgrade to using PBKDF2-SHA512 for hashing your
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1927 passwords. This is a more secure method than the old PBKDF2 (with
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1928 SHA1). Because the algorithm is more secure, it uses a smaller value
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1929 for ``password_pbkdf2_default_rounds``. Setting
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1930 ``password_pbkdf2_default_rounds`` to ``250000`` exceeds the current
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1931 `recommended setting of 210,000`_ iterations for PBKDF2 when used with
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1932 SHA512.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1933
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1934 You can see how long this takes to calculate on your hardware using
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1935 ``roundup-admin``'s perftest command. For example::
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1936
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1937 roundup-admin -i <tracker_home> perftest password scheme=PBKDF2S5 rounds=250,000
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1938
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1939 produces::
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1940
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1941 Hash time: 0.161892945 seconds, scheme: PBKDF2S5, rounds: 250000
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1942
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1943 Any increase in the number of rounds will cause the password to
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1944 automatically be rehashed to the higher value the next time the user
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1945 logs in via the web interface. Changing the number of rounds to a
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1946 **lower** value will not trigger a rehash during login unless the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1947 scheme is also being changed. The lower number will be used only when
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1948 the password is explicitly changed using the web interface or the
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1949 command line (``roundup-admin`` for example).
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1950
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1951 Change the default hashing scheme by adding the following lines to
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1952 |the interfaces.py file|_ in your tracker home::
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1953
7711
0c855080794e doc: fix PBKDF2 SHA512 implementation example.
John Rouillard <rouilj@ieee.org>
parents: 7694
diff changeset
1954 from roundup.password import Password
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1955 ## Use PBDKF2S5 (PBKDF2-SHA512) for passwords. Re-hash old PBDFK2
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1956 # Force password with scheme PBKDF2 (SHA1) to get re-hashed
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1957 Password.deprecated_schemes.insert(0, Password.known_schemes[0])
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1958 # choose PBKDF2S5 as the scheme to use for rehashing.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1959 Password.default_scheme = Password.experimental_schemes[0]
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1960
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1961 You may need to create the ``interfaces.py`` file if it doesn't exist.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1962 In the future, when the default hash is changed to PBKDF2S5, upgrade
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1963 directions will include instructions to remove these lines and
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1964 the file ``interfaces.py`` if it becomes empty.
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1965
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1966 You can verify that PBKDF2S5 is used by default by running::
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1967
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1968 roundup-admin -i <tracker_home> perftest password rounds=250,000
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1969
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
1970 and verify that the scheme is PBKDF2S5.
7375
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1971
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1972 .. _the interfaces.py file:
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1973 reference.html#interfaces-py-hooking-into-the-core-of-roundup
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1974
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1975 .. |the interfaces.py file| replace:: the ``interfaces.py`` file
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1976
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1977 .. _recommended setting of 210,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
9bd7ed918121 issue2551253 - Modify password PBKDF2 method to use SHA512
John Rouillard <rouilj@ieee.org>
parents: 7354
diff changeset
1978
7217
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1979 jQuery updated with updates to user.help.html (recommended)
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1980 -----------------------------------------------------------
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1981
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1982 The devel and responsive templates shipped with an old version of
7275
c5d01886b27d fix mispelling.
John Rouillard <rouilj@ieee.org>
parents: 7217
diff changeset
1983 jQuery. According to automated tests, it may have a security issue. It
7217
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1984 has been updated to the current version: 3.6.3. If your tracker is
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1985 based on one of these templates (see the ``TEMPLATE-INFO.txt`` file in
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1986 your tracker), remove the old ``html/jquery.js`` file from your
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1987 tracker and copy the new ``jquery-3.6.3.js`` file from the template
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1988 directory to your tracker's ``html`` directory. Also copy in the new
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1989 ``user.help.html`` file. It now references the new ``jquery-3.6.3.js``
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1990 file.
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1991
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
1992
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1993 Session/OTK data storage using Redis (optional)
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1994 -----------------------------------------------
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
1995
6819
1319ab13f286 redis works with python 2.7 too.
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1996 You can store your ephemeral data in a Redis database. This
1319ab13f286 redis works with python 2.7 too.
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1997 provides significantly better performance for ephemeral data
1319ab13f286 redis works with python 2.7 too.
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1998 than SQLite or dbm files. See the section `Using Redis for
1319ab13f286 redis works with python 2.7 too.
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1999 Session Databases`_ in the `administration guide`_
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2000
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2001
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2002 .. _Using Redis for Session Databases:
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2003 admin_guide.html#using-redis-for-session-databases
6804
25d08e15e3b4 issue2551224 - Replace dbm db for sessions/otks when using sqlite
John Rouillard <rouilj@ieee.org>
parents: 6781
diff changeset
2004
6930
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2005 New SQLite databases created with WAL mode journaling (optional)
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2006 ----------------------------------------------------------------
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2007
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2008 By default, SQLite databases use a rollback journal when
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2009 writing an update. The rollback journal stores a copy of the
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2010 data from before the update. One downside of this is that
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2011 all reads have to be suspended while a write is
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2012 occurring. SQLite has an alternate way of insuring ACID
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2013 compliance by using a WAL (write ahead log) journal.
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2014
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2015 Version 2.3.0 of Roundup, creates new SQLite databases using
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2016 WAL journaling. With WAL, a writer does not block readers
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2017 and readers do not block writing an update. This keeps
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2018 Roundup accessible even under a heavy write load (e.g. when
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2019 bulk loading data or automated updates via REST).
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2020
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2021 If you want to convert your existing SQLite db to WAL mode:
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2022
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2023 1. check the current journal mode on your database
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2024 using::
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2025
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2026 sqlite3 <tracker_home>/db/db "pragma journal_mode;"
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2027
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2028 2. If it returns ``delete``, change it to WAL mode using::
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2029
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2030 sqlite3 <tracker_home>/db/db "pragma journal_mode=WAL;"
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2031
6930
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2032 3. verify by running the command in step 1 again and you
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2033 should get ``wal``.
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2034
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2035 If you are using SQLite for session and otk databases,
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2036 perform the same steps replacing ``db`` with ``db-session``
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2037 and ``db-otk``.
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2038
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2039 If you find WAL mode is not working for you, you can set the
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2040 journal method to a rollback journal (``delete`` mode) by
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2041 using step 2 and replacing ``wal`` with ``delete``. (Note:
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2042 SQLite supports other journaling modes, but only ``wal`` and
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2043 ``delete`` persist. Roundup doesn't set a journaling mode
7396
bb7752f6e1cd Clarify wording.
John Rouillard <rouilj@ieee.org>
parents: 7375
diff changeset
2044 when it opens the database, so journaling mode options such
bb7752f6e1cd Clarify wording.
John Rouillard <rouilj@ieee.org>
parents: 7375
diff changeset
2045 as ``truncate`` are not useful.)
6930
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2046
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2047 For details on WAL mode see `<https://www.sqlite.org/wal.html>`_
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2048 and `<https://www.sqlite.org/pragma.html#pragma_journal_mode>`_.
a96a239db0d9 Set all sqlite db's to WAL mode on creation
John Rouillard <rouilj@ieee.org>
parents: 6819
diff changeset
2049
7217
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
2050 Change in processing allowed_api_origins setting (info)
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
2051 -------------------------------------------------------
7155
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2052
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2053 In this release you can use both ``*`` (as the first origin) and
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2054 explicit origins in the ``allowed_api_origins`` setting in
7155
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2055 ``config.ini``. (Before it was only one or the other.)
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2056
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2057 You do not need to use ``*``. If you do, it allows any client
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2058 anonymous (unauthenticated) access to the Roundup tracker. This
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2059 is the same as browsing the tracker without logging in. If they
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2060 try to provide credentials, access to the data will be denied by
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2061 `CORS`_.
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2062
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2063 If you include explicit origins (e.g. \https://example.com),
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2064 users from those origins will not be blocked if they use
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2065 credentials to log in.
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2066
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2067 .. _CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
89a59e46b3af improve REST interface security
John Rouillard <rouilj@ieee.org>
parents: 7138
diff changeset
2068
7217
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
2069 Change in processing of In-Reply_to email header (info)
1f3418a3fd3e Add label explanation; Upgrade jquery in devel/responsive templates
John Rouillard <rouilj@ieee.org>
parents: 7209
diff changeset
2070 -------------------------------------------------------
6941
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2071
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2072 Messages received via email usually include a ``[issue23]``
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2073 designator in the subject line. This indicates what issue is
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2074 being updated. If the designator is missing, Roundup tries
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2075 to find the correct issue by using the in-reply-to email
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2076 header.
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2077
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2078 The former code appends the new message to the first issue
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2079 found with a message matching the in-reply-to
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2080 header. Usually a message is associated with only one
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2081 issue. However nothing in Roundup requires that.
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2082
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2083 In this release, the in-reply-to matching is disabled if
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2084 there are multiple issues with the same message. In this
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2085 case, subject matching is used to try to find the matching
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2086 issue.
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2087
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2088 If you don't have messages assigned to multiple issues you
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2089 will see no change. If you do have multi-linked messages
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2090 this will hopefully result in better message->issue
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2091 matching.
bd2c3b2010c3 issue2551232 - modify in-reply-to threading when multiple matches
John Rouillard <rouilj@ieee.org>
parents: 6930
diff changeset
2092
7400
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2093 Incremental/batch full test reindexing with roundup-admin (info)
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2094 ----------------------------------------------------------------
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2095
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2096 The ``reindex`` command in ``roundup-admin`` can reindex
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2097 a range of items. For example::
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2098
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2099 roundup-admin -i ... reindex issues:1-1000
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2100
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2101 will reindex only the first 1000 issues. This is useful since
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2102 reindexing can take a while and slow down the tracker. By running
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2103 it in batches you can control when the reindex runs rather than having
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2104 to wait for it to complete all the reindexing. See the man page or
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2105 `administration guide`_ for details.
d364ef1d66c2 doc batch reindex in upgrading file.
John Rouillard <rouilj@ieee.org>
parents: 7396
diff changeset
2106
6775
bc9728a17f76 Fix index markers.
John Rouillard <rouilj@ieee.org>
parents: 6774
diff changeset
2107 .. index:: Upgrading; 2.1.0 to 2.2.0
6248
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2108
6698
b56bd672ebbf formatting changes
John Rouillard <rouilj@ieee.org>
parents: 6688
diff changeset
2109 Migrating from 2.1.0 to 2.2.0
6458
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2110 =============================
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2111
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2112 Update your ``config.ini`` (required)
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2113 -------------------------------------
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2114
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2115 Upgrade tracker's config.ini file. Use::
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2116
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2117 roundup-admin -i /path/to/tracker updateconfig newconfig.ini
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2118
6814
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2119 to generate a new ini file preserving all your settings.
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2120 You can then merge any local comments from the tracker's
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2121 ``config.ini`` to ``newconfig.ini`` and replace
3f60a71b0812 Summary: Support selecion session/otk data store. Add redis as data store.
John Rouillard <rouilj@ieee.org>
parents: 6806
diff changeset
2122 ``config.ini`` with ``newconfig.ini``.
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2123
6590
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2124 Rdbms version change from 6 to 7 (required)
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2125 -------------------------------------------
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2126
6599
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2127 This release includes two changes that require updates to the database
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2128 schema:
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2129
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2130 1. The size of words included in the Roundup FTS indexers have been
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2131 increased from 25 to 50. This requires changes to the database
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2132 columns used by the native indexer. This also affect the whoosh
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2133 and xapian indexers.
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2134 2. Some databases that include native full-text search (native-fts
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2135 indexer) searching are now supported.
6590
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2136
6780
f1af67bf8fae doc change: roundup migrate and fts link.
John Rouillard <rouilj@ieee.org>
parents: 6775
diff changeset
2137 You should run the ``roundup-admin -i <tracker_home> migrate`` command
f1af67bf8fae doc change: roundup migrate and fts link.
John Rouillard <rouilj@ieee.org>
parents: 6775
diff changeset
2138 for all your trackers once you've installed the latest codebase.
6590
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2139
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2140 Do this before you use the web, command-line or mail interface
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2141 and before any users access the tracker.
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2142
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2143 If successful, this command will respond with either "Tracker
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2144 updated" (if you've not previously run it on an RDBMS backend) or
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2145 "No migration action required" (if you have run it, or have used
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2146 another interface to the tracker, or are using anydbm).
39308a49fdc3 Add required upgrade to rdbms version from 6 to 7.
John Rouillard <rouilj@ieee.org>
parents: 6589
diff changeset
2147
6780
f1af67bf8fae doc change: roundup migrate and fts link.
John Rouillard <rouilj@ieee.org>
parents: 6775
diff changeset
2148 See `below if you want to enable native-fts searching`_.
f1af67bf8fae doc change: roundup migrate and fts link.
John Rouillard <rouilj@ieee.org>
parents: 6775
diff changeset
2149
f1af67bf8fae doc change: roundup migrate and fts link.
John Rouillard <rouilj@ieee.org>
parents: 6775
diff changeset
2150 .. _below if you want to enable native-fts searching: \
6599
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2151 #enhanced-full-text-search-optional
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2152
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2153 The increase in indexed word length also affects whoosh and xapian
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2154 backends. You may want to run ``roundup-admin -i tracker_home
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2155 reindex`` if you want to index or search for longer words in your full
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2156 text searches. Re-indexing make take some time.
39189dd94f2c issue2551189 - increase size of words in full text index.
John Rouillard <rouilj@ieee.org>
parents: 6591
diff changeset
2157
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2158 Check new login_empty_passwords setting (required)
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2159 --------------------------------------------------
6684
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2160
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2161 In this version of Roundup, users with a blank password are not
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2162 allowed to login. Blank passwords have been allowed since 2002, but
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2163 2022 is a different time. If you have a use case that requires a user
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2164 to login without a password, set the ``login_empty_passwords`` setting
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2165 in the ``web`` section of ``config.ini`` to ``yes``. In
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2166 general this should be left at its default value of ``no``.
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2167
7724
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2168 Verify that SQLite supports FTS5 (required)
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2169 -------------------------------------------
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2170
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2171 If you use SQLite as your backend, it *must* support FTS5. See the
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2172 `FTS5 testing steps`_ for how to verify this.
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2173
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2174 .. _FTS5 testing steps: installation.html#fts5-testing
68c04cc8edf7 More doc upates for FTS5 requires for sqlite and roundup > 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 7723
diff changeset
2175
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2176 Check allowed_api_origins setting (optional)
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2177 --------------------------------------------
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2178
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2179 If you are using the REST or xmlrpc api's from an origin
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2180 that is different from your roundup tracker, you will need
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2181 to add your allowed origins to the allowed_api_origins in
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2182 your updated ``config.ini``. Upgrade your ``config.ini`` as
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2183 described above then read the documentation for the setting
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2184 in ``config.ini``.
6684
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6626
diff changeset
2185
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2186 Check compression settings (optional)
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2187 -------------------------------------
6458
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2188
6591
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2189 Read the `administration guide`_ section on `Configuring Compression`_.
6458
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2190
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2191 Upgrade your tracker's config.ini as described
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2192 above. Compare the old and new files and configure new
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2193 compression settings as you want. Then replace
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
2194 ``config.ini`` with the ``newconfig.ini`` file.
6458
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2195
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2196 Search added to user index page (optional)
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2197 ------------------------------------------
6464
28461636e249 issue1596345 - filtering user list (need user.search.hml)
John Rouillard <rouilj@ieee.org>
parents: 6458
diff changeset
2198
28461636e249 issue1596345 - filtering user list (need user.search.hml)
John Rouillard <rouilj@ieee.org>
parents: 6458
diff changeset
2199 A search form and count of number of hits has been added to the
28461636e249 issue1596345 - filtering user list (need user.search.hml)
John Rouillard <rouilj@ieee.org>
parents: 6458
diff changeset
2200 ``user.index.html`` template page in the classic template. You may
28461636e249 issue1596345 - filtering user list (need user.search.hml)
John Rouillard <rouilj@ieee.org>
parents: 6458
diff changeset
2201 want to merge the search form and footer into your template.
28461636e249 issue1596345 - filtering user list (need user.search.hml)
John Rouillard <rouilj@ieee.org>
parents: 6458
diff changeset
2202
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2203 Enhanced full-text search (optional)
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2204 ------------------------------------
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2205
6604
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2206 SQLite's `FTS5 full-text search engine`_ is available as is
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2207 `PostgreSQL's full text search`_. Both require a schema upgrade so you
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2208 should run::
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2209
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2210 roundup-admin -i tracker_home migrate
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2211
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2212 to create FTS specific tables before restarting the roundup-web or
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2213 email interfaces.
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2214
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2215 SQLite 3.9.0+ or PostgreSQL 11.0+ are required to use this feature.
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2216 When using SQLite, all full text search fields will allow searching
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2217 using the MATCH query format described at:
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2218 https://www.sqlite.org/fts5.html#full_text_query_syntax. When using
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2219 PostgreSQL either the websearch_to_tsquery or to_tsquery formats
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2220 described on
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2221 https://www.postgresql.org/docs/14/textsearch-controls.html#TEXTSEARCH-PARSING-QUERIES
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2222 can be used. The default is websearch. Prefixing the search with
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2223 ``ts:`` enables tsquery mode.
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2224
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2225 A list of words behaves almost the same as the default text search
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2226 (``native``). So the search string ``fts search`` will find all issues
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2227 that have both of those words (an AND search) in a text-field (like
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2228 title) or in a message (or file) attached to the issue.
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2229
6604
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2230 One thing to note is that native-fts searches do not ignore words
6613
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2231 longer than 50 characters or less than 2 characters. Also SQLite does
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2232 not filter out common words (i.e. there is no stopword list). So words
6604
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2233 like "and", "or", "then", "with" ... are included in the FTS5 search.
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2234
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2235 You must explicitly enable this search mechanism by changing the
6613
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2236 ``indexer`` setting in ``config.ini`` to ``native-fts``. Native-fts
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2237 must be explicitly chosen. This is different from Xapian or Whoosh
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2238 indexers, which are chosen if they are installed in the Python
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2239 environment. This prevents the existing native indexing from being
2eec7a500333 Doc updates for indexers.
John Rouillard <rouilj@ieee.org>
parents: 6604
diff changeset
2240 discarded if ``indexer`` is not set.
6591
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2241
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2242 Next re-index your data with ``roundup-admin -i tracker_home
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2243 reindex``. This can take a while depending on the size of the tracker.
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2244
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2245 You may want to update your ``config.ini`` by following the directions
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2246 above to get the latest documentation.
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2247
6604
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
2248 See the `administration guide notes on native-fts`_ for further details.
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
2249
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2250 Adding error reporting templates (optional)
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2251 -------------------------------------------
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2252
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2253 Currently some internal errors result in a bare html page with an
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2254 error message. The usual chrome supplied by page.html is not shown.
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2255 For example query language syntax errors for full text search methods
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2256 will display a bare HTML error page.
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2257
6591
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2258 If you add an ``_generic.400.html`` template to the html directory, you
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2259 can display the error inside of the layout provided by the ``page.html``
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2260 template. This can make fixing the error and navigation easier. You
6591
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2261 can use the ``_generic.404.html`` template to create a
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2262 ``_generic.400.html`` by modifying the title and body text. You can test
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
2263 the 400 template by appending ``@template=400`` to the url for the
6589
5ce396880899 Add error templates for 400 and label each item optional
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
2264 tracker.
6458
8f1b91756457 issue2551147 - Enable compression of http responses in roundup.
John Rouillard <rouilj@ieee.org>
parents: 6456
diff changeset
2265
6626
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2266 Change passwords using crypt module (optional)
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2267 ----------------------------------------------
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2268
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2269 The crypt module is being removed from the standard library. Any
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2270 stored password using crypt encoding will fail to verify once the
7343
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
2271 crypt module is removed (expected in Python 3.13 see `pep-0594
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
2272 <https://peps.python.org/pep-0594/>`_). Automatic migration of
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
2273 passwords (if enabled in config.ini) re-encrypts old passwords using
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
2274 something other than crypt if a user logs in using the web interface.
6626
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2275
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2276 You can find users with passwords still encrypted using crypt by
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2277 running::
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2278
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2279 roundup-admin -i <tracker_home> table password,id,username
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2280
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2281 Look for lines starting with ``{CRYPT}``. You can reset the user's
8432
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2282 password using [#history-pragma]_ ::
6626
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2283
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2284 roundup-admin -i <tracker_home>
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2285 roundup> set user16 password=somenewpassword
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2286
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2287 changing ``16`` to the id in the second column of the table output.
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2288 The example uses interactive mode (indicated by the ``roundup>``
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2289 prompt). This prevents the new password from showing up in the output
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2290 of ps or shell history. The new password will be encrypted using the
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2291 default encryption method (usually pbkdf2).
120b0bb05b6e issue2551191 - Module deprication PEP 594. crypt
John Rouillard <rouilj@ieee.org>
parents: 6613
diff changeset
2292
8432
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2293 .. [#history-pragma] If your version of roundup-admin provides history
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2294 support, you should add ``-P history_features=2`` to the command
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2295 line or run ``pragma history_features=2`` at the ``roundup>``
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2296 prompt. This will prevent the command line (and password) from being
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2297 saved to your history file (usually ``.roundup_admin_history`` in
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2298 your user's home directory. You can use ``roundup-admin -i
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2299 <tracker_home> pragma list`` to see if pragmas are supported.
7f7749d86da8 doc: add disable saving roundup-admin history file for password changes
John Rouillard <rouilj@ieee.org>
parents: 8431
diff changeset
2300
6747
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2301 Enable performance improvement for wsgi mode (optional)
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2302 -------------------------------------------------------
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2303
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2304 There is an experimental wsgi performance improvement mode that caches
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2305 the loaded roundup instance. This eliminates disk reads that are
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2306 incurred on each connection. In one report it improves speed by a
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2307 factor of 2 to 3 times. To enable this you should add a feature flag
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2308 to your Roundup wsgi wrapper (see the file
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2309 ``.../share/frontends/wsgi.py``) so it looks like::
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2310
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2311 feature_flags = { "cache_tracker": "" }
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2312 app = RequestDispatcher(tracker_home, feature_flags=feature_flags)
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2313
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2314 to enable this mode. Note that this is experimental and was added
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2315 during the 2.2.0 beta period, so it is enabled using a feature flag.
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2316 If you use this and it works for you please followup with an email to
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2317 the roundup-users at lists.sourceforge.net mailing list so we can
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2318 enable it by default in a future release.
d32d43e4a5ba wsgi can cache tracker instance enabled by feature flag.
John Rouillard <rouilj@ieee.org>
parents: 6698
diff changeset
2319
6753
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2320
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2321 Hide submit button during readonly use of _generic.item.html (optional)
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2322 -----------------------------------------------------------------------
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2323
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2324 The submit button in _generic.item.html always shows up even when the
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2325 user doesn't have edit perms. Change the ``context/submit`` html to
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2326 read::
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2327
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2328 <td colspan=3 tal:content="structure context/submit"
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2329 tal:condition="context/is_edit_ok">
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2330
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2331 in your TAL based templates. The ``jinja2`` based templates are
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2332 missing this file, but if you implemented one you want to surround the
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2333 jinja2 code with::
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2334
7343
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
2335 {% if context.is_edit_ok() %}
6753
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2336 <submit button code here>
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2337 {% endif %}
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2338
2bca9fcef70d Don't display submit button with readoly use of _generic.item.html
John Rouillard <rouilj@ieee.org>
parents: 6747
diff changeset
2339
6775
bc9728a17f76 Fix index markers.
John Rouillard <rouilj@ieee.org>
parents: 6774
diff changeset
2340 .. index:: Upgrading; 2.0.0 to 2.1.0
bc9728a17f76 Fix index markers.
John Rouillard <rouilj@ieee.org>
parents: 6774
diff changeset
2341
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2342 Migrating from 2.0.0 to 2.1.0
6248
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2343 =============================
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2344
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2345 Rdbms version change from 5 to 6 (required)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2346 -------------------------------------------
6434
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2347
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2348 To fix an issue with importing databases, the database has to be
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2349 upgraded for rdbms backends.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2350
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2351 You should run the ``roundup-admin migrate`` command for your
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2352 tracker once you've installed the latest codebase.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2353
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2354 Do this before you use the web, command-line or mail interface
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2355 and before any users access the tracker.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2356
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2357 If successful, this command will respond with either "Tracker
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2358 updated" (if you've not previously run it on an RDBMS backend) or
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2359 "No migration action required" (if you have run it, or have used
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2360 another interface to the tracker, or are using anydbm).
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2361
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2362 This only changes the schema for the mysql backend. It has no
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2363 effect other than upgrading the revision on other rdbms backends.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2364
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2365 On the mysql backend it creates the database index that makes
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2366 sure the key field for your class is unique.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2367
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2368 If your update/migration fails, you will see an::
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2369
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2370 IntegrityError: (1062, "Duplicate entry '0-NULL' for key '_user_key_retired_idx'")
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2371
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2372 it means you have two non-retired members of the class with the
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2373 same key field. E.G. two non-retired users with the same
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2374 username.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2375
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2376 Debug this using roundup-admin using the list command. For
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2377 example dump the user class by the key field ``username``::
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2378
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2379 $ roundup-admin -i <tracker_home> list user username
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2380 1: admin
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2381 2: anonymous
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2382 3: demo
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2383 4: agent
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2384 5: provisional
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2385 6: foo@example.com
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2386 7: dupe
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2387 8: dupe
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2388 ...
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2389
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2390 then search the usernames for duplicates. Once you have
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2391 identified the duplicate username (``dupe`` above), you should
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2392 retire the other active duplicates or change the username for the
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2393 duplicate. To retire ``7: dupe``, you run::
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2394
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2395 roundup-admin -i <tracker_home> retire user7
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2396
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2397 (use ``restore user7`` if you retired the wrong item). If you
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2398 want to rename the entry use::
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2399
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2400 roundup-admin -i <tracker_home> set user7 username=dupe1
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2401
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2402 Keep doing this until you have no more duplicates. Then run the
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2403 update/migrate again.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2404
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2405 If you have duplicate non-retired entries in your database,
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2406 please email roundup-users at lists.sourceforge.net. We are
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2407 interested in how many issues this has caused. Duplicate creation
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2408 should occur only when two or more mysql processes run in
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2409 parallel and both of them creating an item with the same key. So
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2410 this should be a rare event. The internal duplicate prevention
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2411 checks should work in other cases.
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2412
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2413 For the nerds: if you had a new installation that was created at
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2414 version 5, the uniqueness of a key was not enforced at the
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2415 database level. If you had a database that was at version 4 and
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2416 then upgraded to version 5 you have the uniqueness enforcing
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2417 constraint. Running migrate updates to schema version 6 and installs
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2418 the unique index constraint if it is missing.
6434
269f39e28d5c issue2551142 - Import of retired node ... unique constraint failure.
John Rouillard <rouilj@ieee.org>
parents: 6418
diff changeset
2419
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2420 Setuptools is now required to install (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2421 --------------------------------------------
6378
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2422
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2423 Roundup install now uses setuptools rather than distutils. You must
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2424 install setuptools. Use the version packgaged by your OS vendor. If
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2425 your OS vendor doesn't supply setuptools use ``pip install
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2426 setuptools``. (You may need pip3 rather than pip if using python3.)
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2427
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2428 Define Authentication Header (optional)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2429 ---------------------------------------
6436
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2430
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2431 The web server in front of roundup (apache, nginx) can perform user
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2432 authentication. It can pass the authenticated username to the backend
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2433 in a variable. By default roundup looks for the ``REMOTE_USER``
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2434 variable. This can be changed by setting the parameter
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2435 ``http_auth_header`` in the ``[web]`` section of the tracker's
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2436 ``config.ini`` file to a different value. The value is case sensitive.
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2437 If the value is unset (the default) the REMOTE_USER variable is used.
6436
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2438
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2439 If you are running roundup using ``roundup-server`` behind a proxy
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2440 that authenticates the user you need to configure ``roundup-server``
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2441 to pass the HTTP header with the authenticated username to the
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2442 tracker. By default ``roundup-server`` looks for the ``REMOTE_USER``
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2443 header for the authenticated user. You can copy an arbitrary header
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2444 variable to the tracker using the ``-I`` option to roundup-server (or
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2445 the equivalent option in the roundup-server config file).
6436
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2446
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2447 For example to use the ``uid_variable`` header, two configuration
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2448 changes are needed: First configure ``roundup-server`` to pass the
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2449 header to the tracker using::
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2450
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2451 roundup-server -I uid_variable ....
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2452
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2453 note that the header is passed exactly as supplied by the upstream
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2454 server. It is **not** prefixed with ``HTTP_`` like other headers since
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2455 you are explicitly allowing the header. Multiple comma separated
6436
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2456 headers can be passed to the ``-I`` option. These could be used in a
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2457 detector or other tracker extensions, but only one header can be used
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2458 by the tracker as an authentication header.
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2459
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2460 To make the tracker honor the new variable changing the tracker
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2461 ``config.ini`` to read::
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2462
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2463 [web]
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2464 ...
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2465 http_auth_header = uid_variable
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2466
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2467 At the time this is written, support is experimental. If you use it
1f2f7c0b8968 issue2550837 - New option for web auth (also http header passing)
John Rouillard <rouilj@ieee.org>
parents: 6434
diff changeset
2468 you should notify the roundup maintainers using the roundup-users
6456
cbc18a8bc61f Changes for release of version 2.1.0.
John Rouillard <rouilj@ieee.org>
parents: 6436
diff changeset
2469 at lists.sourceforge.net mailing list.
6378
b57c3d50505b issue2550899 Migrate setup.py to setuptools
John Rouillard <rouilj@ieee.org>
parents: 6333
diff changeset
2470
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2471 Classname Format Enforced (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2472 --------------------------------
6248
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2473
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2474 Check schema.py and look at all Class(), IssueClass(), FileClass()
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2475 calls. The second argument is the classname. All classnames must:
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2476
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2477 * start with an alphabetic character
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2478 * consist of alphanumerics and '_'
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2479 * not end with a digit
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2480
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2481 this was not enforced before. Using non-standard classnames could lead
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2482 to other issues.
2f53d41ae71f Upgrading directions from 2.0.0 - classname format requirements.
John Rouillard <rouilj@ieee.org>
parents: 6210
diff changeset
2483
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2484 jQuery updated with updates to user.help.html (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2485 -----------------------------------------------------------
6290
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2486
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2487 The devel and responsive templates shipped with an old version of
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2488 jQuery with some security issues. It has been updated to the current
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2489 version: 3.5.1. If your tracker is based on one of these templates
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2490 (see the ``TEMPLATE-INFO.txt`` file in your tracker), remove the old
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2491 ``html/jquery.js`` file from your tracker and copy the new
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2492 ``jquery-3.5.1.js`` file from the template directory to your tracker's
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2493 ``html`` directory. Also copy in the new ``user.help.html`` file. It now
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2494 references the new ``jquery-3.5.1.js`` file and also fixes a bug that
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2495 prevented applying the change from the helper to the field on the main
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2496 form.
944e4dfcc9b7 issue2551100 - out of date jquery fix security and user.help.html
John Rouillard <rouilj@ieee.org>
parents: 6265
diff changeset
2497
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2498 Roundup-admin security stops on incorrect properties (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2499 -----------------------------------------------------------
6393
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2500
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2501 The ``roundup-admin ... security`` command used to continue
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2502 running through the rest of the security roles after reporting a
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2503 property error. Now it stops after reporting the incorrect property.
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2504
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2505 If run non-interactively, it exits with status 1. It can now be
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2506 used in a startup script to detect permission errors.
51a1a9b0f567 - issue2551062: AddPermission doesn't validate property names.
John Rouillard <rouilj@ieee.org>
parents: 6378
diff changeset
2507
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2508 Futureproof devel and responsive timezone selection extension (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2509 ---------------------------------------------------------------------------
6418
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2510
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2511 The devel and responsive (derived from devel) templates use a select
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2512 control to list all available timezones when pytz is used. It
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2513 sanitizes the data using cgi.escape. Cgi.escape is deprecated and
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2514 removed in newer pythons. Change your ``extensions/timezone.py``
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2515 file by applying the following patch manually::
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2516
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2517
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2518 -import cgi
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2519 +try:
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2520 + from html import escape
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2521 +except ImportError:
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2522 + from cgi import escape
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2523
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2524 try:
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2525 import pytz
6418
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2526 @@ -25,7 +28,7 @@
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2527 s = ' '
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2528 if zone == value:
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2529 s = 'selected=selected '
6418
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2530 - z = cgi.escape(zone)
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2531 + z = escape(zone)
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2532
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2533 See https://issues.roundup-tracker.org/issue2551136 for more details.
559b3d8e03d7 issue2551136 - timezone extention crash on Python 3.8.
John Rouillard <rouilj@ieee.org>
parents: 6393
diff changeset
2534
6168
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
2535 .. index:: Upgrading; 1.6.x to 2.0.0
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
2536
5941
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2537 Migrating from 1.6.X to 2.0.0
5501
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2538 =============================
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2539
6174
5522c950a2e4 Add indexing for roundup-admin references.
John Rouillard <rouilj@ieee.org>
parents: 6170
diff changeset
2540 .. index:: roundup-admin; updateconfig subcommand
5522c950a2e4 Add indexing for roundup-admin references.
John Rouillard <rouilj@ieee.org>
parents: 6170
diff changeset
2541
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2542
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2543 Python 2 MYSQL users MUST READ (required)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2544 -----------------------------------------
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2545
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2546 To fix issues with encoding of data and text searching, roundup now
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2547 explicitly sets the database connection character set. Roundup prior
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2548 to 2.0 used the default character set which was not always utf-8. All
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2549 roundup data is manipulated in utf-8. This mismatch causes issues with
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2550 searches and result in corrupted data in the database if it was not
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2551 properly represented across the charset conversions.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2552
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2553 This issue exists when running roundup under python 2. Note that there
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2554 are more changes required for running roundup 2.0 if you choose to use
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2555 python3. See `Python 3 support`_.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2556
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2557 In an upgraded ``config.ini`` (see next section) the ``[rdbms]``
6333
bd84f43e1d13 Fixes to mysql 2.0 conversion doc issue2551115 Werner Hunger
John Rouillard <rouilj@ieee.org>
parents: 6290
diff changeset
2558 section has a key ``mysql_charset`` set by default to ``utf8mb4``.
bd84f43e1d13 Fixes to mysql 2.0 conversion doc issue2551115 Werner Hunger
John Rouillard <rouilj@ieee.org>
parents: 6290
diff changeset
2559
bd84f43e1d13 Fixes to mysql 2.0 conversion doc issue2551115 Werner Hunger
John Rouillard <rouilj@ieee.org>
parents: 6290
diff changeset
2560 It should be possible to change ``utf8mb4`` to any mysql charset. So
bd84f43e1d13 Fixes to mysql 2.0 conversion doc issue2551115 Werner Hunger
John Rouillard <rouilj@ieee.org>
parents: 6290
diff changeset
2561 if you know what charset is enabled (e.g. via a setting in ~roundup/.my.cnf,
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2562 or the default charset for the database) you can set it in
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2563 ``config.ini`` and not need to covert the database. However the
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2564 underlying issues with misconverted data and bad searches will still
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2565 exist if they did before.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2566
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2567 None of the roundup developers run mysql, so the exact steps to take
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2568 during the upgrade were tested with test and not production databases.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2569
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2570 **Before doing anything else:**
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2571
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2572 Backup the mysql database using mysql dump or other mysql
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2573 supported tool.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2574
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2575 Backup roundup using your current backup tool and take the roundup
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2576 instance offline.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2577
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2578 Then the following steps (similar to the conversion in needed for
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2579 Python 3) should work:
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2580
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2581 1. Export the tracker database
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2582 using your **current** 1.6 instance::
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2583
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2584 roundup-admin -i <trackerdir> exporttables <export_dir>
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2585
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2586 replacing tracker_dir and export_dir as appropriate.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2587
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2588 2. Import the exported database using the **new** 2.0 roundup::
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2589
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2590 roundup-admin -i <trackerdir> importtables <export_dir>
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2591
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2592 replacing tracker_dir and export_dir as appropriate.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2593
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2594 The imported data should overwrite the original data. Note it is
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2595 critically important that the ``exporttables`` be done with the *old
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2596 tracker* and the ``importtables`` be done with the *new tracker*. An
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2597 import/export cycle between roundup 1.6.0 and roundup 2.0 has been
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2598 done successfully. So the export format for 1.6 and 2.0 should be
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2599 compatible.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2600
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2601 Note that ``importtables`` is new in roundup-2.0, so you will not be
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2602 able to import the result of ``exporttables`` using any 1.x version of
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2603 roundup.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2604
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2605 Following the same sequence as above using ``export`` and ``import``
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2606 should also work, but it will export all the files and messages. This
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2607 will take longer but may be worth trying if the ``exporttables`` and
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2608 ``importtables`` method fails for some reason.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2609
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2610 Another way that should be faster, but is untested is to use mysql
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2611 dump to dump the database.
8111
394f72021dad docs: replace redirecting url's with target
John Rouillard <rouilj@ieee.org>
parents: 8081
diff changeset
2612 https://makandracards.com/makandra/595-dumping-importing-mysql-utf-8-safe-way
7793
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
2613 recommends:
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2614
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2615 Note that when your MySQL server is not set to UTF-8 you need to do
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2616 mysqldump --default-character-set=latin1 (!) to get a correctly
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2617 encoded dump. In that case you will also need to remove the SET
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2618 NAMES='latin1' comment at the top of the dump, so the target machine
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2619 won't change its UTF-8 charset when sourcing.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2620
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2621 Then import the dump. Removing ``SET NAMES`` should allow the import
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2622 to use UTF-8.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2623
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2624 Please report success or issues with this conversion to the
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
2625 roundup-users at lists.sourceforge.net mailing list.
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2626
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2627 As people report successful or unsuccessful conversions, we will update
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2628 the errata page at: https://wiki.roundup-tracker.org/ReleaseErrata.
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2629
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2630 Upgrade tracker's config.ini file (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2631 -----------------------------------------------
6210
13f5cbbcd4e6 Add directions for mysql conversion for python 2.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
2632
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2633 Once you have installed the new roundup, use::
5726
e199d0ae4a25 issue2551033: prevent reverse engineering hidden data by using etags
John Rouillard <rouilj@ieee.org>
parents: 5543
diff changeset
2634
5944
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2635 roundup-admin -i /path/to/tracker updateconfig newconfig.ini
5726
e199d0ae4a25 issue2551033: prevent reverse engineering hidden data by using etags
John Rouillard <rouilj@ieee.org>
parents: 5543
diff changeset
2636
e199d0ae4a25 issue2551033: prevent reverse engineering hidden data by using etags
John Rouillard <rouilj@ieee.org>
parents: 5543
diff changeset
2637 to generate a new ini file preserving all your settings. You can then
e199d0ae4a25 issue2551033: prevent reverse engineering hidden data by using etags
John Rouillard <rouilj@ieee.org>
parents: 5543
diff changeset
2638 merge any local comments from the tracker's ``config.ini`` into
5944
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2639 ``newconfig.ini``. Compare the old and new files and configure any new
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2640 settings as you want. Then replace ``config.ini`` with the
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2641 ``newconfig.ini`` file.
5941
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2642
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2643 .. _Python 3 support:
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2644
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2645 Python 3 support (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2646 -----------------------
5941
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2647
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2648 Many of the ``.html`` and ``.py`` files from Roundup that are copied
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2649 into tracker directories have changed for Python 3 support. If you
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2650 wish to move an existing tracker to Python 3, you need to merge in
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2651 those changes. Also you need to make sure that locally created python
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2652 code in the tracker is correct for Python 3.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2653
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2654 If your tracker uses the ``anydbm`` or ``mysql`` backends, you also
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2655 need to export the tracker contents using ``roundup-admin export``
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2656 running under Python 2, and them import them using ``roundup-admin
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2657 import`` running under Python 3. This is detailed in the documention
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2658 for migrating to a different backend. If using the ``sqlite`` backend,
5941
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2659 you do not need to export and import, but need to delete the
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2660 ``db/otks`` and ``db/sessions`` files when changing Python version.
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2661 If using the ``postgresql`` backend, you do not need to export and
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2662 import and no other special database-related steps are needed.
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2663
5967
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2664 If you use the whoosh indexer, you will need to reindex. It looks like
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2665 a database created with Python 2 leads to Unicode decode errors when
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2666 accessed by Python 3. Reindexing can take a while (see details below
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2667 look for "reindexing").
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2668
5944
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2669 Octal values in config.ini change from the Python 2 representation
5941
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2670 with a leading ``0`` (``022``). They now use a leading ``0o``
29d428927362 prep for 2.0.0alpha0 release.
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
2671 (``0o22``). Note that the ``0o`` format is properly handled under
5944
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2672 python 2. You can use the ``newconfig.ini`` generated using ``python3
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2673 roundup-admin -i ... updateconfig newconfig.ini`` if you want to go
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2674 back to using python 2. (Note going back to Python 2 will require
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2675 the same steps as moving from 2 to 3 except using Python 3 to perform
d7e6bcde5cbe Final touchups python -> Python, reconcile config file names.
John Rouillard <rouilj@ieee.org>
parents: 5941
diff changeset
2676 the export.)
5726
e199d0ae4a25 issue2551033: prevent reverse engineering hidden data by using etags
John Rouillard <rouilj@ieee.org>
parents: 5543
diff changeset
2677
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2678 Rate Limit New User Registration (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2679 ---------------------------------------
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2680
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2681 The new user registration form can be abused by bots to allow
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2682 automated registration for spamming. This can be limited by using the
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2683 new ``config.ini`` ``[web]`` option called
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2684 ``registration_delay``. The default is 4 and is the number of seconds
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2685 between the time the form was generated and the time the form is
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2686 processed.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2687
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2688 If you do not modify the ``user.register.html`` template in your
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2689 tracker's html directory, you *must* set this to 0. Otherwise you will
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2690 see the error:
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2691
7793
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
2692 .. code-block:: text
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
2693
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2694 Form is corrupted, missing: opaqueregister.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2695
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2696 If set to 0, the rate limit check is disabled.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2697
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2698 If you want to use this, you can change your ``user.register.html``
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2699 file to include::
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2700
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2701 <input type="hidden" name="opaqueregister" tal:attributes="value python: utils.timestamp()">
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2702
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2703 The hidden input field can be placed right after the form declaration
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2704 that starts with::
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2705
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2706 <form method="POST" onSubmit="return submit_once()"
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2707
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2708 If you have applied Erik Forsberg's tracker level patch to implement
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2709 (see: https://hg.python.org/tracker/python-dev/rev/83477f735132), you
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2710 can back the code out of the tracker. You must change the name of the
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2711 field in the html template to ``opaqueregistration`` from ``opaque``
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2712 in order to use the core code.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2713
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2714 PGP mail processing (required)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2715 ------------------------------
5501
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2716
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2717 Roundup now uses the ``gpg`` module instead of ``pyme`` to process PGP
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2718 mail. If you have PGP processing enabled, make sure the ``gpg``
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2719 module is installed.
dd242cd7a182 mention change from pyme to gpg module for PGP processing
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5332
diff changeset
2720
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2721 MySQL client module (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2722 ---------------------------------
5510
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2723
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2724 Although the ``MySQLdb`` module from
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2725 https://pypi.org/project/MySQL-python/ is still supported, it is
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2726 recommended to switch to the updated module from
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2727 https://pypi.org/project/mysqlclient/.
e2978ed3b550 update link to new mysqlclient module and recommend update in upgrading.txt
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5501
diff changeset
2728
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2729 XMLRPC Access Role (info/required)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2730 ----------------------------------
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2731
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2732 A new permission has been added to control access to the XMLRPC
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2733 endpoint. If the user doesn't have the new "Xmlrpc Access" permission,
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2734 they will not be able to log in using the /xmlrpc end point. To add
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2735 this new permission to the "User" role you should change your
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2736 tracker's schema.py and add::
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2737
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2738 db.security.addPermissionToRole('User', 'Xmlrpc Access')
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2739
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2740 This is usually included near where other permissions like "Web Access"
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2741 or "Email Access" are assigned.
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5756
diff changeset
2742
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2743 New values for db.tx_Source (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2744 ----------------------------------
5881
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2745
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2746 The database attribute tx_Source reports "xmlrpc" and "rest" when the
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2747 /xmlrpc and /rest web endpoints are used. Check all code (extensions,
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2748 detectors, lib) in trackers looking for tx_Source. If you have code
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2749 like::
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2750
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2751 if db.tx_Source == "web":
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2752
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2753 or::
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2754
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2755 if db.tx_Source in ['web', 'email-sig-openpgp', 'cli' ]:
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2756
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2757 you may need to change these to include matches to "rest" and
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2758 "xmlrpc". For example::
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2759
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2760 if db.tx_Source in [ "web", "rest", "xmlrpc" ]
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2761
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2762 or::
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2763
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2764 if db.tx_Source in ['web', 'rest', 'xmlrpc', 'email-sig-openpgp', 'cli' ]:
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2765
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2766
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2767 CSV export changes (info)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2768 -------------------------
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2769
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2770 The original Roundup CSV export function for indexes reported id
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2771 numbers for links. The wiki had a version that resolved the id's to
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2772 names, so it would report ``open`` rather than ``2`` or
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2773 ``user2;user3`` rather than ``[2,3]``.
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2774
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2775 Many people added the enhanced version to their extensions directory.
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2776
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2777 The enhanced version was made the default in roundup 2.0. If you want
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2778 to use the old version (that returns id's), you can replace references
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2779 to ``export_csv`` with ``export_csv_id`` in templates.
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2780
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2781 Both core csv export functions have been changed to force quoting of
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2782 all exported fields. To incorporate this change in any CSV export
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2783 extension you may have added, change references in your code from::
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2784
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2785 writer = csv.writer(wfile)
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2786
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2787 to::
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2788
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2789 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2790
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2791 this forces all (non-numeric) fields to be quoted and empty quotes to
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2792 be added for missing parameters.
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2793
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2794 This turns exported values that may look like formulas into strings so
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2795 some versions of Excel won't try to interpret them as a formula.
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6174
diff changeset
2796
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2797 Update userauditor.py to restrict usernames (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2798 ---------------------------------------------------------
5958
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2799
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2800 A username can be created with embedded commas and < and >
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5971
diff changeset
2801 characters. Even though the < and > are usually escaped when
5958
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2802 displayed, the embedded comma makes it difficult to edit lists of
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2803 users as they are comma separated.
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2804
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2805 If you have not modified your tracker's userauditor.py, you can just
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2806 copy the userauditor.py from the classic template into your tracker's
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2807 detectors directory. Otherwise merge the changes from the template
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2808 userauditor.py. https://issues.roundup-tracker.org/issue2550921 may be
5148e46dd314 issue2550921 - prevent usernames with characters ',' and '<', '>'
John Rouillard <rouilj@ieee.org>
parents: 5944
diff changeset
2809 helpful.
5881
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
2810
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2811 Consider reindexing if you use European languages (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2812 ---------------------------------------------------------------
5967
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2813
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2814 A couple of bugs dealing with incorrect indexing of European languages
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2815 (Russian and German were reported) have been fixed. Note reindexing
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2816 all your data may take a long time. See:
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2817 https://issues.roundup-tracker.org/issue1195739 and
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2818 https://issues.roundup-tracker.org/issue1344046 for a description of
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2819 the problem. If you determine that this a problem for your tracker,
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2820 you can use::
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2821
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2822 roundup-admin -i /path/to/tracker reindex
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2823
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2824 to rewrite your full text indexes. The tracker used for reindex timing
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2825 had 140MB of file/message data and 2500 issues with a slow 5400RPM
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2826 SATA drive. Using native indexing with sqlite took about 45
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2827 minutes. Using whoosh took about 2 hours. Using xapian took about 6
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2828 hours. All examples were with Python 2. Anecdotal evidence shows
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2829 Python 3 is faster, but YMMV.
9a980675105d Add reindex info to upgrading.doc
John Rouillard <rouilj@ieee.org>
parents: 5958
diff changeset
2830
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2831 Merge improvements in statusauditor.py (optional)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2832 -------------------------------------------------
5971
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2833
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2834 By default the detector statusauditor.py will change the status from
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2835 "unread" to "chatting" when a second message is added to an issue.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2836 The distributed classic and jinja templates implement this feature in
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2837 their copies of ``detectors/statusauditor.py``.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2838
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2839 This can be a problem. Consider a person sending email to create an
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2840 issue. Then the person sends a followup message to add some additional
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2841 information to the issue. The followup message will trigger the status
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2842 change from "unread" to "chatting". This is misleading since the
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2843 person is "chatting" with themselves.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2844
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2845 Statusauditor.py has been enhanced to prevent the status from changing
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2846 to "chatting" until a second user (person) adds a message. If you
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2847 want this functionality, you need to merge the distributed
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2848 statusauditor.py with your tracker's statusauditor.py. If you have not
7499
a072331c843b Change customizing to customising in all variants.
John Rouillard <rouilj@ieee.org>
parents: 7452
diff changeset
2849 customised your tracker's statusauditor.py, copy the one from the
5971
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2850 distibuted template. In addition to the python file, you also must
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2851 copy/merge the distributed ``detectors/config.ini`` into your
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2852 tracker's detectors directory. Most people can copy
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2853 ``detectors/config.ini`` from the distributed templates as they won't
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2854 have a ``detectors/config.ini`` file. (Note this is
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2855 ``detectors/config.ini`` do not confuse it with the main
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2856 ``config.ini`` file at the root of the tracker home.)
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2857
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2858 This enhancement is disabled by default. Enable it by changing the
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2859 value in ``detectors/config.ini`` from::
5971
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2860
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2861 chatting_requires_two_users = False
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2862
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2863 to::
5971
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2864
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2865 chatting_requires_two_users = True
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2866
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2867 (the values ``no`` and ``yes`` can also be used). Restart the tracker
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2868 to enable the change.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2869
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2870 If you don't do this quite right you will see one of two error
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2871 messages in the web interface when you try to update an issue with a
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2872 message::
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2873
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2874 Edit Error: Unsupported configuration option: Option
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2875 STATUSAUDITOR_CHATTING_REQUIRES_TWO_USERS not found in
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2876 detectors/config.ini.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2877 Contact tracker admin to fix.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2878
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2879 This happens if detectors/config.ini is not found or is missing the
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2880 ``chatting_requires_two_users`` option in the ``statusauditor``
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2881 section.
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2882
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2883 If you have an incorrect value (say you use ``T`` rather than
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2884 ``True``) you see a different error::
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2885
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2886 Edit Error: Invalid value for
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2887 DETECTOR::STATUSAUDITOR_CHATTING_REQUIRES_TWO_USERS: 'T'
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2888 Allowed values: yes, no
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2889
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2890 to fix this set the value to ``yes`` (True) or ``no`` (False).
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2891
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2892 Responsive template changes (optional)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2893 --------------------------------------
5990
0face8e45224 issue2551076 - responsive template, search links should ignore status
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
2894
0face8e45224 issue2551076 - responsive template, search links should ignore status
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
2895 There have been some changes to the responsive template. You can
5991
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2896 diff/merge these changes into your responsive template based tracker.
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2897
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2898 Jinja template changes (required)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2899 ---------------------------------
5991
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2900
6055
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2901 Auto escaping has been enabled in the jinja template engine, this
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2902 means it is no longer necessary to manually escape dynamic strings
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2903 with ``|e``, but strings that should not be escaped need to be marked
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2904 with ``|safe`` (e.g. ``{{ context.history()|u|safe }}``). Also, the i18n
6055
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2905 extension has been enabled and the template has been updated to use
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2906 the extension for translatable text instead of explicit ``i18n.gettext``
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2907 calls::
6055
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2908
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2909 {% trans %}List of issues{% endtrans %}
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2910
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2911 instead of::
6055
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2912
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2913 {{ i18n.gettext('List of issues')|u }}
5260c15d153f updated changes and upgrading doc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5994
diff changeset
2914
5991
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2915 The jinja template has been upgraded to use bootstrap 4.1.3 (from
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2916 2.2.2). You can diff/merge changes into your jinja template based
b0940ad50f43 issue2551075 Update jinja template to bootstrap 4.
John Rouillard <rouilj@ieee.org>
parents: 5990
diff changeset
2917 tracker.
5971
e5acd1843517 - issue2550926 - Original author adding a second message shouldn't set
John Rouillard <rouilj@ieee.org>
parents: 5967
diff changeset
2918
5994
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2919 Also search _generic.index.html, navigation.html and file.index.html
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2920 in the html directory of your tracker. Look for::
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2921
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2922 <input type="hidden" name="@action"
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2923
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2924 where the value is a jinja expression that calls i18n.gettext. Set the
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2925 value to the argument of the gettext call. E.G. replace::
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2926
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2927 <input type="hidden" name="@action" value="{{ i18n.gettext('editCSV')|u }}">
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2928
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2929 with::
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2930
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2931 <input type="hidden" name="@action" value="editCSV">
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2932
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2933 The action keywords should not be translated.
0e04fcdd1ff2 issue2551077-"jinja2" template: cannot login if German language used.
John Rouillard <rouilj@ieee.org>
parents: 5991
diff changeset
2934
6168
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
2935 .. index:: Upgrading; 1.5.1 to 1.6.0
de9d602c8ce6 more index entries and CHANGES.txt update for them.
John Rouillard <rouilj@ieee.org>
parents: 6128
diff changeset
2936
5041
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
2937 Migrating from 1.5.1 to 1.6.0
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
2938 =============================
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
2939
5304
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2940 Update tracker config file
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2941 --------------------------
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2942
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2943 After installing the new version of roundup, you should
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2944 update the ``config.ini`` file for your tracker. To do this:
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2945
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2946 1. backup your existing ``config.ini`` file
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2947 2. using the newly installed code, run::
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2948
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2949 roundup-admin -i /path/to/tracker updateconfig config.ini.new
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2950
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2951 to create the file config.ini.new. Replace
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2952 ``/path/to/tracker`` with the path to your tracker.
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
2953 3. replace your tracker's config.ini with config.ini.new
5304
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2954
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2955 Using updateconfig keeps all the settings from your
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2956 tracker's config.ini file and adds settings for all the new
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2957 options.
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2958
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2959 If you have added comments to your original config.ini file,
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2960 merge the added comments into the config.ini.new file. Then
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2961 replace your tracker's config.ini with config.ini.new.
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2962
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2963 Read the new config.ini and configure it to enable new
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2964 features. Details on using these features can be found in
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2965 this section.
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
2966
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
2967 Make sure that user can view labelprop on classes (required)
5267
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2968 ------------------------------------------------------------
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2969
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
2970 If you have View permissions that use ``properties=...``, make sure
7505
62409b4a3a52 Link labelprop to setlabelprop in reference
John Rouillard <rouilj@ieee.org>
parents: 7499
diff changeset
2971 that the `labelprop <reference.html#setlabelprop-property>`_ for the
62409b4a3a52 Link labelprop to setlabelprop in reference
John Rouillard <rouilj@ieee.org>
parents: 7499
diff changeset
2972 class is listed in the properties list.
5267
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2973
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2974 The first one of these that exists must must be in the list:
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2975
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2976 1. the property set by a call to setlabelprop for the class
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2977 2. the key of the class (as set by setkey())
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2978 3. the "name" property (if it exists)
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2979 4. the "title" property (if it exists)
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2980
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2981 if none of those apply, you must allow
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2982
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2983 * the "id" property
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2984
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2985 E.G. If your class does a setlabelprop("foo") you must include "foo"
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2986 in the properties list even if the class has name or title properties.
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2987
7506
38de0d748284 Fix reference for setlabelprop
John Rouillard <rouilj@ieee.org>
parents: 7505
diff changeset
2988 See: `reference.html setlabelprop
38de0d748284 Fix reference for setlabelprop
John Rouillard <rouilj@ieee.org>
parents: 7505
diff changeset
2989 <reference.html#setlabelprop-property>`_ for further details on the
38de0d748284 Fix reference for setlabelprop
John Rouillard <rouilj@ieee.org>
parents: 7505
diff changeset
2990 labelprop.
5267
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2991
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2992 If you don't do this, you will find that multilinks (and possibly
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2993 links) may not be displayed properly. E.G. templates that iterate over
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2994 a mutlilink field (with tal:repeat for example) may not show any
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2995 content.
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2996
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2997 See: https://sourceforge.net/p/roundup/mailman/message/35763294/
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2998 for the initial discussion of the issue.
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
2999
7343
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
3000 .. _cross site request forgery detection added:
955a4efe9cbc Typo fix in example; formatting fix for priorty labels
John Rouillard <rouilj@ieee.org>
parents: 7341
diff changeset
3001
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
3002 Cross Site Request Forgery Detection Added (recommended)
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
3003 --------------------------------------------------------
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3004
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3005 Roundup 1.6. supports a number of defenses against CSRF.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3006
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3007 Http header verification against the tracker's ``web``
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3008 setting in the ``[tracker]`` section of config.ini for the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3009 following headers:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3010
7344
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3011 1. Analyze the ``Referer`` HTTP header to make sure it
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3012 includes the web setting.
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3013 2. Analyze the ``Origin`` HTTP header to make sure the
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3014 schema://host matches the web setting.
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3015 3. Analyze the ``X-Forwarded-Host`` header set by a proxy
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3016 running in front of roundup to make sure it agrees with
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3017 the host part of the web setting.
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3018 4. Analyze the ``Host`` header to make sure it agrees with
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3019 the host part of the web setting. This is not done if
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3020 ``X-Forwarded-Host`` is set.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3021
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3022 By default roundup 1.6 does not require any specific header
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3023 to be present. However at least one of the headers above
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3024 *must* pass validation checks (usually ``Host`` or
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3025 ``Referer``) or the submission is rejected with an error.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3026 If any header fails validation, the submission is
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3027 rejected. (Note the user's form keeps all the data they
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3028 entered if it was rejected.)
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3029
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3030 Also the admin can include unique csrf tokens for all forms
5271
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3031 submitted using the POST method. (Delete and put methods are also
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3032 included, but not currently used by roundup.) The csrf
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3033 token (nonce) is tied to the user's session. When the user
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3034 submits the form and nonce, the nonce is checked to make
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3035 sure it was issued to the user and the same session. If this
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3036 is not true the post is rejected and the user is notified.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3037
5271
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3038 The standard context/submit templating item creates CSRF tokens by
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3039 default. If you have forms using the POST method that are not using
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3040 the standard submit routine, you should add the following field to all
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3041 forms::
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3042
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3043 <input name="@csrf" type="hidden"
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3044 tal:attributes="value python:utils.anti_csrf_nonce()">
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3045
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3046 A unique random token is generated by every call to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3047 utils.anti_csrf_nonce() and is put in a database to be
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3048 retreived if the token is used. Token lifetimes are 2 weeks
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3049 by default but can be configured in config.ini. Roundup will
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3050 automatically prune old tokens. Calling anti_csrf_nonce with
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3051 an integer lifetime, for example::
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3052
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3053 <input name="@csrf" type="hidden"
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3054 tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)">
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3055
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3056 sets the lifetime of that nonce to 10 minutes.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3057
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3058 If you want to change the default settings, you have to
5304
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3059 update the web section in your tracker's config.ini file. Follow the
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3060 section above to generate an updated config.ini file. Then
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3061 look for settings that start with csrf. The updated config.ini
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3062 file includes detailed descriptions of the settings.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3063
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3064 In general one of four values can be set for these
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3065 settings. The default is ``yes``, which validates the header
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3066 or nonce and blocks access if the validation fails. If the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3067 field/header is missing it allows access. Setting these
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3068 fields to ``required`` blocks access if the header/nonce is
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3069 missing.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3070
5275
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3071 It is recommended that you change your templates so every form
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3072 that is not submitted via GET has an @csrf field. Then change
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3073 the csrf_enforce_token setting to 'required'.
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3074
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3075 Errors and Troubleshooting - @csrf in url
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3076 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5196
diff changeset
3077
5271
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3078 If you see the @csrf nonce in the URL, you have added the value to a
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3079 form that uses the GET method. You should remove the @csrf token from
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3080 these forms as it is not needed.
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3081
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3082 Errors and Troubleshooting - AttributeError list object no attribute value
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3083 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5271
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3084 If you get an error:
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3085
7793
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
3086 .. code-block:: text
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
3087
5271
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3088 AttributeError: 'list' object has no attribute 'value'
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3089
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3090 in handle_csrf, you have more than one @csrf token for the form. This
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3091 usually occurs because the form uses the standard context/submit
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3092 element but you also added an explicit @csrf statement. Simply remove
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3093 the @csrf element for that form.
bee4008a2840 Added info on dealing with common errors when adding @csrf tokens.
John Rouillard <rouilj@ieee.org>
parents: 5270
diff changeset
3094
5298
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3095 Errors and Troubleshooting - xmlrpc Required Header Missing
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3096 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6768
15238a434368 formatting fixes.
John Rouillard <rouilj@ieee.org>
parents: 6753
diff changeset
3097 When performing and xmlrpc call, if you see something like::
5298
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3098
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3099 xmlrpclib.Fault: <Fault 1: "<class
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3100 'roundup.exceptions.UsageError'>:Required Header Missing">
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3101
7507
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3102 change your xmlrpc client to add appropriate headers to
5298
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3103 the request including the:
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3104
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3105 X-Requested-With:
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3106
7507
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3107 header as well as any other required csrf headers (e.g. referer,
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3108 origin) configured in config.ini. See the `advanced python client
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3109 <xmlrpc.html#advanced-python-client-adding-anti-csrf-headers>`_ at
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3110 the end of the xmlrpc guide.
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3111
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3112 Alternatively change the setting of
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3113 csrf_enforce_header_x-requested-with in config.ini to ``no``. So it
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3114 looks like::
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3115
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3116 csrf_enforce_header_x-requested-with = no
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3117
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3118 This is not recommended as it reduces csrf protection.
f3c456e9a6c2 Link to example advanced xmlrpc client and recommend it first.
John Rouillard <rouilj@ieee.org>
parents: 7506
diff changeset
3119
5298
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3120
5212
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3121 Support for SameSite cookie option for session cookie
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3122 -----------------------------------------------------
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3123
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3124 Support for serving the session cookie using the SameSite cookie option
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3125 has been added. By default it is set to lax to provide a better user
6688
f1f2d59dab8b Add allowed_api_origins to upgrading doc
John Rouillard <rouilj@ieee.org>
parents: 6684
diff changeset
3126 experience. But this can be changed to strict or the option can be
5212
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3127 removed entirely.
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3128
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3129 Using the process for merging config.ini changes described in
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3130 `Cross Site Request Forgery Detection Added`_ you can add the
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3131 ``samesite_cookie_setting`` to the ``[web]`` section of the config
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3132 file.
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
3133
5147
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3134 Fix for path traversal changes template resolution
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3135 --------------------------------------------------
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3136
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3137 The templates in the tracker's html subdirectory must not be
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3138 symbolic links that lead outside of the html directory.
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3139
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3140 If you don't use symbolic links for templates in your html
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3141 subdirectory you don't have to make any changes. Otherwise you need to
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3142 replace the symbolic links with hard links to the files or replace the
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3143 symbolic links with the files.
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3144
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3145 This is a side effect of fixing a path traversal security issue. The
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3146 security issue required a directory with a specific unusual name. This
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3147 made it difficult to exploit. However allowing the use of
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3148 subdirectories to organize the templates required that it be fixed.
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3149
d16ba6e6624b upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
John Rouillard <rouilj@ieee.org>
parents: 5122
diff changeset
3150
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
3151 Database back end specified in config.ini (required)
5267
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
3152 ----------------------------------------------------
5068
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3153
5041
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3154 The ``db/backend_name`` file is no longer used to configure the database
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3155 backend being used for a tracker. The backend is now configured in the
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3156 ``config.ini`` file using the ``backend`` option located in the ``[rdbms]``
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3157 section. For example if ``db/backend_name`` file contains ``sqlite``, a new
5096
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3158 entry in the tracker's ``config.ini`` will need to be created::
5041
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3159
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3160 [rdbms]
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3161
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3162 ...
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3163
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3164 # Database backend.
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3165 # Default:
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3166 backend = sqlite
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3167
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3168 Once the ``config.ini`` file has been updated with the new ``backend`` option,
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3169 you can safely delete the ``db/backend_name`` file.
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3170
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3171 Note: the ``backend_name`` file may be located in a directory other than
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3172 ``db/`` if you have configured the ``database`` option in the ``[main]``
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3173 section of the ``config.ini`` file to be something other than ``db``.
5251e97b1de0 Configure the database backend in the config.ini
John Kristensen <john@jerrykan.com>
parents: 5025
diff changeset
3174
5304
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3175 Note 2: if you are using the anydbm back end, you still set
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3176 it using the backend option in the rdbms section of the
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3177 config.ini file.
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3178
5096
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3179 New config file option 'indexer' added
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3180 --------------------------------------
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3181
5304
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3182 This release added support for the Whoosh indexer, so a new
ae32f082e623 Add section on updating config.ini. Reference in CSRF doc. Other doc updates.
John Rouillard <rouilj@ieee.org>
parents: 5298
diff changeset
3183 config file option has been
5096
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3184 added. You can force Roundup to use a particular text indexer by
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3185 setting this value in the [main] section of the tracker's
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3186 ``config.ini`` file (usually placed right before indexer_stopwords)::
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3187
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3188 [main]
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3189
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3190 ...
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3191
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3192 # Force Roundup to use a particular text indexer.
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3193 # If no indexer is supplied, the first available indexer
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3194 # will be used in the following order:
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3195 # Possible values: xapian, whoosh, native (internal).
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3196 indexer =
e74c3611b138 - issue2550636, issue2550909: Added support for Whoosh indexer.
John Rouillard <rouilj@ieee.org>
parents: 5078
diff changeset
3197
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3198 Errors and Troubleshooting - Full text searching not working
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3199 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3200
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3201 If after the upgrade full text searching is not working try changing
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3202 the indexer value. If this is failing most likely you need to set
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3203 '''indexer = native''' to use the rdbms or db text indexing systems.
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3204
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3205 Alternatively you can do a
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3206 '''roundup-admin -i /path/to/tracker reindex'''
5752
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3207 to generate a new index using roundup's preferred indexer from the
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3208 list above.
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3209
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3210 Xapian error with flint when reindexing
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3211 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3212 If you reindex and are using xapian, you may get the error that
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3213 "flint" is not supported (looks like flint was removed after xapian
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3214 1.2.x). To fix this, you can delete the full text search database
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3215 located in the tracker home directory in the file '''db/text-index'''
4c0cdfe4f678 Added x-roundup-issue-id to FAQ which discusses other x-roundup header
John Rouillard <rouilj@ieee.org>
parents: 5735
diff changeset
3216 and then perform a reindex.
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3217
5108
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3218 Stemming improved in Xapian Indexer
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3219 -----------------------------------
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3220
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3221 Stemming allows a search for "silent" also match silently. The Porter
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3222 stemmer in Xapian works with lowercase English text. In this release we
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3223 lowercase the documents as they are put into the indexer.
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3224
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3225 This means capitalization is not preserved, but produces more hits by
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3226 using the stemmer.
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3227
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3228 You will need to do a roundup-admin reindex if you are using the
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3229 Xapian full text indexer on your tracker.
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3230
67fad01d2009 issue2550653: xapian search, stemming is not working
John Rouillard <rouilj@ieee.org>
parents: 5098
diff changeset
3231
5098
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3232 New config file option 'replyto_address' added
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3233 ----------------------------------------------
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3234
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3235 A new config file option has been added to let you control the
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3236 Reply-To header on nosy messages.
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3237
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3238 Edit your tracker's ``config.ini`` and place the following after
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3239 the email entry in the tracker section::
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3240
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3241 [tracker]
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3242 ...
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3243
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3244 # Controls the reply-to header address used when sending
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3245 # nosy messages.
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3246 # If the value is unset (default) the roundup tracker's
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3247 # email address (above) is used.
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3248 # If set to "AUTHOR" then the primary email address of the
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3249 # author of the change will be used as the reply-to
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3250 # address. This allows email exchanges to occur outside of
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3251 # the view of roundup and exposes the address of the person
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3252 # who updated the issue, but it could be useful in some
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3253 # unusual circumstances.
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3254 # If set to some other value, the value is used as the reply-to
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3255 # address. It must be a valid RFC2822 address or people will not be
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3256 # able to reply.
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3257 # Default:
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3258 replyto_address =
5098
99e289359798 issue2550803: Replying to NOSY mail goes to the tracker through
John Rouillard <rouilj@ieee.org>
parents: 5096
diff changeset
3259
7341
7321c0e6c53e Add priority markers to heading back to 1.5.0->1.6.0 upgrade
John Rouillard <rouilj@ieee.org>
parents: 7321
diff changeset
3260 Login from a search or after logout works better (required)
5270
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3261 -----------------------------------------------------------
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3262
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3263 The login form has been improved to work with some back end code
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3264 changes. Now when a user logs in they stay on the same page where they
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3265 started the login. To make this work, you must change the tal that is
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
3266 used to set the ``__came_from`` form variable. Note that the url
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
3267 assigned to __came_from must be url encoded/quoted and be under the
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3268 tracker's base url. If the base_url uses http, you can set the url to
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
3269 https.
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3270
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3271 Replace the existing code in the tracker's html/page.html page that
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3272 looks similar to (look for name="__came_from"):
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3273
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3274 .. code::
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3275 :class: big-code
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3276
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3277 <input type="hidden" name="__came_from" tal:attributes="value string:${request/base}${request/env/PATH_INFO}">
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3278
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3279 with the following:
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3280
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3281 .. code:: html
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3282 :class: big-code
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3283
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3284 <input type="hidden" name="__came_from"
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3285 tal:condition="exists:request/env/QUERY_STRING"
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3286 tal:attributes="value string:${request/base}${request/env/PATH_INFO}?${request/env/QUERY_STRING}">
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3287 <input type="hidden" name="__came_from"
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3288 tal:condition="not:exists:request/env/QUERY_STRING"
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3289 tal:attributes="value string:${request/base}${request/env/PATH_INFO}">
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3290
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3291 Now search backwards for the nearest form statement before the code
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3292 that sets __came_from. If it looks like::
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3293
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3294 <form method="post" action="#">
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3295
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3296 replace it with::
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3297
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3298 <form method="post" tal:attributes="action request/base">
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3299
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3300 or with::
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3301
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3302 <form method="post" tal:attributes="action string:${request/env/PATH_INFO}">
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3303
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3304 the important part is that the action field **must not** include any query
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3305 parameters ('#' includes query params).
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5120
diff changeset
3306
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3307 Errors and Troubleshooting - Unrecognized scheme in ...
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3308 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5275
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3309
5270
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3310 One symptom of failing to do this is getting an error:
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3311
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3312 Unrecognized scheme in ....
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3313
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3314 where the .... changes depending on the url path. You can see this
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3315 when logging in from any screen other than the main index.
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3316
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3317 Option to make adding multiple keywords more convenient
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3318 -------------------------------------------------------
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3319
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3320 In the classic tracker, after adding a new keyword you are redirected
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3321 to the page for the new keyword so you can change the keyword's
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3322 name. This is usually not desirable as you usually correctly set the
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3323 keyword's name when creating the keyword. The new classic tracker has
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3324 a new checkbox (checked by default) that keeps you on the same page so
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3325 you can add a new keywords one after the other.
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3326
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3327 To add this to your own tracker, add the following code (prefixed with
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3328 a +) after the entry box for the new keyword in html/keyword.item.html:
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3329
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3330 .. code::
7344
4be6434014ee Fix unintended blockquote.
John Rouillard <rouilj@ieee.org>
parents: 7343
diff changeset
3331 :class: big-code
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3332
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3333 <tr>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3334 <th i18n:translate="">Keyword</th>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3335 <td tal:content="structure context/name/field">name</td>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3336 + <td tal:condition="not:context/id">
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3337 + <tal:comment tal:replace="nothing">
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3338 + If we get here and do not have an id, we are creating a new
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3339 + keyword. It would be nice to provide some mechanism to
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3340 + determine the preferred state of the "Continue adding keywords"
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3341 + checkbox. By default it is enabled.
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3342 + </tal:comment>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3343 + <input type="checkbox" id="continue_new_keyword"
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3344 + name="__redirect_to"
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3345 + tal:attributes="value
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3346 + string:${request/base}${request/env/PATH_INFO}?@template=item;
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3347 + checked python:True" />
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3348 + <label for="continue_new_keyword" i18n:translate="">Continue adding keywords.</label>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3349 + </td>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3350 </tr>
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3351
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3352 Note remove the leading '+' when adding this to the templates.
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3353
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3354 The key component here is support for the '__redirect_to' query
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3355 property. It is a url which can be used when creating any new item
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3356 (issue, user, keyword ....). It controls the next page displayed after
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3357 creating the item. If '__redirect_to' is not set, then you end up on
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
3358 the page for the newly created item. The url value assigned to
5270
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3359 __redirect_to must start with the tracker's base url and must be properly
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
3360 url encoded.
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5156
diff changeset
3361
5179
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3362 Helper popups trigger change events on the original page
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3363 --------------------------------------------------------
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3364
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3365 The helper popups used to set dates (from a calendar), change lists of
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3366 users or lists of issues did not notify the browser that the fields
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3367 had been changed. This release adds code to trigger the change event.
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3368
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3369 To add the change event to the calendar popup, you don't need to do
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3370 any changes to the tracker. It is all done in the roundup python code
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3371 in templating.py.
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3372
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3373 To add the change event when updating users using the help-submit
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3374 template, copy
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3375 share/roundup/templates/devel/html/_generic.help-submit.html and
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3376 replace your tracker's html/_generic.help-submit.html. If you have
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3377 done local changes to this file, change your file to include the code
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3378 that defines the onclick event for the input field with
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3379 id="btn_apply".
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3380
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3381 To add the change event when updating lists of issues copy
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3382 share/roundup/templates/devel/html/help_controls.js to your tracer's
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3383 html directory. If you have made local changes to the javascript file,
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3384 merge the two if/else blocks labeled::
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3385
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3386 /* trigger change event on the field we changed */
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3387
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3388 into your help_controls.js
e8b3d3a14563 - issue2550796: Calendar and Classhelp selection tools don't cause
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
3389
5068
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3390 html/_generic.404.html in trackers use page template
5078
487dc55e3c5e issue2550907 Fix errors when creating documentation. Work done by
John Rouillard <rouilj@ieee.org>
parents: 5068
diff changeset
3391 ----------------------------------------------------
5068
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3392
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3393 The original generic 404 error pages for many trackers did not use the
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3394 standard page layout. This change replaces the html/_generic.404.html
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3395 page with one that uses the page template.
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3396
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3397 If your deployed tracker is based on: classic, minimal, responsive or
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3398 devel templates and has not changed the html/_generic.404.html file,
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3399 you can copy in the new file to get this additional functionality.
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3400
5154
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3401 Organize templates into subdirectories
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3402 --------------------------------------
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3403
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3404 The @template parameter to the web interface allows the use of
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3405 subdirectories. So a setting of @template=view/view for an issue would
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3406 use the template in the tracker's html/view/issue.view.html. Similarly
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3407 for a caller class, you could put all the templates under the
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3408 html/caller directory with names like: html/caller/caller.item.html,
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3409 html/caller/caller.index.html etc. You may want to symbolically link the
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3410 html/_generic* templates into your subdirectory so that missing
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3411 templates (e.g. a missing caller.edit.html template) can be satisfied
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3412 by the _generic.edit.html template.
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5147
diff changeset
3413
5156
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3414 Properly quote query dispname (displayed name) in page.html
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3415 -----------------------------------------------------------
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3416
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3417 A new method has been added to HTMLStringProperty called url_quote.
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3418 The default templates have been updated to use this in the "Your
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3419 Query" section of the trackers html/page.html file. You will want to
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3420 change your template. Lines starting with - are the original line and
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3421 you want to change it to match the line starting with the + (remove
7277
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3422 the + from the line):
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3423
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3424 .. code::
41b2a0e12899 Formatting fixes
John Rouillard <rouilj@ieee.org>
parents: 7275
diff changeset
3425 :class: big-code
5156
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3426
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3427 <tal:block tal:repeat="qs request/user/queries">
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3428 - <a href="#" tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name}"
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3429 + <a href="#" tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name/url_quote}"
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3430 tal:content="qs/name">link</a><br>
5156
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3431 </tal:block>
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3432
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3433 Find the tal:repeat line that loops over all queries. Then
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3434 change the value assigned to @dispname in the href attribute from
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3435 ${qs/name} to ${qs/name/url_quote}. Note that you should *not* change
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3436 the value for tal:content.
882fa4d9bead issue2550795: @dispname query args in page.html search links
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
3437
5267
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
3438 Allow "Show Unassigned" issues link to work for Anonymous user
64ae2108df60 Add section on allowing user access to the labelprop for a class so
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
3439 --------------------------------------------------------------
5113
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3440
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3441 In this release the anonymous user is allowed to search the user
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3442 class. The following was added to the schema for all templates that
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3443 provide the search option::
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3444
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3445 p = db.security.addPermission(name='Search', klass='user')
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3446 db.security.addPermissionToRole ('Anonymous', p)
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3447
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3448 If you are running a tracker that **does not** allow read access for
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3449 anonymous, you should remove this entry as it can be used to perform
cf112b90fa8d issue2550855: added search perms for anonymous to the user class.
John Rouillard <rouilj@ieee.org>
parents: 5108
diff changeset
3450 a username guessing attack against a roundup install.
5068
5b2ce5723abb Updated _generic.404.html to use the page template so 404 errors still
John Rouillard <rouilj@ieee.org>
parents: 5041
diff changeset
3451
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3452 Errors and Troubleshooting - Unassigned issues for anonymous
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3453 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5276
a034f8d09a21 add doc on wierdness in 'Show Unassigned' error if user search for anon not added
John Rouillard <rouilj@ieee.org>
parents: 5275
diff changeset
3454
a034f8d09a21 add doc on wierdness in 'Show Unassigned' error if user search for anon not added
John Rouillard <rouilj@ieee.org>
parents: 5275
diff changeset
3455 If you notice that the "Unassigned Issues" search on page.html
a034f8d09a21 add doc on wierdness in 'Show Unassigned' error if user search for anon not added
John Rouillard <rouilj@ieee.org>
parents: 5275
diff changeset
3456 is displaying assigned issues for users with the Anonymous role,
a034f8d09a21 add doc on wierdness in 'Show Unassigned' error if user search for anon not added
John Rouillard <rouilj@ieee.org>
parents: 5275
diff changeset
3457 you need to allow search permissions for the user class.
a034f8d09a21 add doc on wierdness in 'Show Unassigned' error if user search for anon not added
John Rouillard <rouilj@ieee.org>
parents: 5275
diff changeset
3458
5120
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3459 Improvements in Classic Tracker query.edit.html template
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3460 --------------------------------------------------------
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3461
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3462 There is a new query editing template included in the distribution at:
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3463
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3464 ``share/roundup/templates/classic/html/query.edit.html``
5120
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3465
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3466 This template fixes:
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3467
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3468 * public query could not be removed from "Your Queries" once it was added.
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3469 Trying to do so would cause a permissions error.
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3470 * private yes/no dropdown always showed "yes" regardless of
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3471 underlying state
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3472 * query Delete button did not work.
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3473 * same query being displayed multiple times
5120
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3474
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3475 It also adds:
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3476 * the table layout displays queries created by the user first,
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3477 then available public queries.
5120
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3478 * public query owners are shown
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3479 * better support for deleted queries. When a query is deleted, it is
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3480 still available for those who added it to their query list. If you
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3481 are the query owner, you can restore (undelete) the query. If you
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3482 are not the owner you can remove it from your query list.
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3483 (If a query is deleted and nobody had it in their query list, it
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3484 will not show up in the "Active retired queries" section. You will
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3485 have to use the class editor or roundup_admin command line to
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3486 restore it.)
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3487 * notifies the user that delete/restore requires javascript. It
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3488 always did, but that requirement wasn't displayed.
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3489
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3490 To use the new template, you must add Restore permission on queries to
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3491 allow the user to restore queries (see below).
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3492
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3493 If you have not modified the query.edit.html template in your tracker,
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3494 you should be able to copy the new version from the location above.
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3495 Otherwise you will have to merge the changes into your modified template.
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3496
5272
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3497 Add the query Restore permission for the User role to your tracker's
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3498 schema.py file. Place it right after the query retire permission for
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3499 the user role. After the change it should look like::
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3500
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3501 p = db.security.addPermission(name='Retire', klass='query', check=edit_query,
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3502 description="User is allowed to retire their queries")
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3503 db.security.addPermissionToRole('User', p)
5272
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3504 p = db.security.addPermission(name='Restore', klass='query',
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3505 check=edit_query,
5122
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3506 description="User is allowed to restore their queries")
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3507 db.security.addPermissionToRole('User', p)
1c90f15a177f issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
3508
5272
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3509 where the last four lines are the ones you need to add.
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3510
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3511 Usually you can add this to your User role. If all users have the User
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3512 role in common then all logged in users should be ok. If you have
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3513 users who do not include the User role (e.g. they may only have a
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3514 Provisional role), you should add the search permission to that role
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3515 (e.g. Provisional) as well if you allow them to edit their list of
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3516 queries.
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3517
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3518 Also see the `new search permissions for query in 1.4.17`_ section
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3519 discussing search permission requirements for editing queries. The
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3520 fixes in this release require the ability to search the creator of all
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3521 queries to work correctly.
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3522
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3523 If the test script for the `new search permissions for query in
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3524 1.4.17`_ doesn't report that a role has the ability to search queries
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3525 or at least search the creator property for queries, add the following
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3526 permissions to your schema.py::
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3527
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3528 s = db.security.addPermission(name='Search', klass='query',
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3529 properties=['creator'],
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3530 description="User is allowed to Search queries for creator")
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3531 db.security.addPermissionToRole('User', s)
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3532
5295
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3533 Errors and Troubleshooting - Public queries listed twice when editing
b2998cb86bae Add new section: Errors and Troubleshooting - Full text searching not
John Rouillard <rouilj@ieee.org>
parents: 5276
diff changeset
3534 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5275
fee207407dee Add error and troubleshooting headers. Clarified the suggestion to a
John Rouillard <rouilj@ieee.org>
parents: 5274
diff changeset
3535
5272
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3536 If you do not do this, public queries will be listed twice in the edit
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3537 interface. Once in the "Queries I created" section and again in the
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3538 "Queries others created" section of the query edit page
c6fbd4803eae If you upgrade to the newer query edit interface but did not allow
John Rouillard <rouilj@ieee.org>
parents: 5271
diff changeset
3539 (``http..../query?@template=edit``).
5120
722394a48d7b issue2550831: Make the classic template query.edit page work.
John Rouillard <rouilj@ieee.org>
parents: 5113
diff changeset
3540
5274
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3541 Fix security issues in query.item.html template
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3542 -----------------------------------------------
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3543 The default query.item.html template allows anybody to view all
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3544 queries.
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3545
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3546 This has been updated in the classic, devel and responsive templates
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3547 to only allow people to view queries they creates or queries that are
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3548 publicly viewable.
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3549
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3550 If you haven't modified you query.item.html template, simply copy the
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3551 query.item.html template from one of the above default templates to
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3552 your tracker's html directory.
07da34337f70 html/query.item.html was missing checks to verify that a query should
John Rouillard <rouilj@ieee.org>
parents: 5272
diff changeset
3553
8236
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3554 Enhancement to check command for Permissions (optional)
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3555 -------------------------------------------------------
5186
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3556 A new form of check function is permitted in permission definitions.
8236
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3557 An example check function is ``own_record(db, userid, itemid)`` in the
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3558 file schema.py. The three argument form is still supported and will
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3559 work the same as it always has (although it may be depricated in the
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3560 future).
5186
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3561
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3562 If the check function is defined as::
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3563
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3564 check(db, userid, itemid, **ctx)
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3565
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3566 the ctx variable will have the context to use when determining access
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3567 rights::
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3568
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3569 ctx['property'] the name of the property being checked or None if
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3570 it's a class check.
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3571
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3572 ctx['classname'] the name of the class that is being checked
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3573 (issue, query ....).
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3574
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3575 ctx['permission'] the name of the permission (e.g. View, Edit...).
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3576
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3577 This should make defining complex permissions much easier. Consider::
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3578
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3579 def issue_private_access(db, userid, itemid, **ctx):
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3580 if not db.issue.get(itemid, 'private'):
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3581 # allow access to everything if not private
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3582 return True
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3583
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3584 # It is a private issue hide nosy list
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3585 # Note that the nosy property *must* be listed
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3586 # in permissions argument to the addPermission
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3587 # definition otherwise this check command
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3588 # is not run.
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3589 if ctx['property'] == 'nosy':
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3590 return False # deny access to this property
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3591
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3592 # allow access for editing, viewing etc. of the class
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3593 return True
5186
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3594
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3595
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3596 e = db.security.addPermission(name='Edit', klass='issue',
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3597 check=issue_private_access,
7801
af898d1d66dc doc: run sphinx-lint over docs.
John Rouillard <rouilj@ieee.org>
parents: 7797
diff changeset
3598 properties=['nosy'],
5186
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3599 description="Edit issue checks")
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3600
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3601 It is suggested that you change your checks to use the ``**ctx``
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3602 parameter. This is expected to be the preferred form in the future.
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3603 You do not need to use the ``ctx`` parameter in the function if you do
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3604 not need it.
36630a062fb5 Check in enhanced form for check command used by addPermission.
John Rouillard <rouilj@ieee.org>
parents: 5179
diff changeset
3605
8236
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3606 If the new four argument form is required in the future, there will be
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3607 required (not optional) directions on upgrading your schema.
2d0bd038fc5e doc: clarify adding ctx argument to check command in schema.py
John Rouillard <rouilj@ieee.org>
parents: 8218
diff changeset
3608
5196
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3609 Changes to property permissions
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3610 -------------------------------
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3611
7793
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
3612 If you create a permission::
5196
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3613
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3614 db.security.addPermission(name='View', klass='user',
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3615 properties=['theme'], check=own_record,
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3616 description="User is allowed to view their own theme")
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3617
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3618 that combines checks and properties, the permission also matches a
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3619 permission check for the View permission on the user class. So this
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3620 also allows the user to see their user record. It is unexpected that
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3621 checking for access without a property would match this permission.
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3622
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3623 This release adds support for making a permission like above only be
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3624 used during property permission tests. See ``customizing.txt`` and
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3625 search for props_only and set_props_only_default in the section
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3626 'Adding a new Permission'
e0732fd6a6c7 Implement props_only feature for permissions.
rouilj@uland
parents: 5194
diff changeset
3627
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3628 Improve query editing
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3629 ---------------------
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3630
5194
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3631 If a user creates a query with the same name as one of their existing
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3632 queries, the query editing interface will now report an error. By
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3633 default the query editing page (issue.search.html) displays the index
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3634 page when the search is triggered. This is usually correct since the
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3635 user expects to see the results of the query. But now that
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3636 the code properly checks for duplicate search names, the user should
3124be3cc197 Hopefully making the doc for the query editing feature less confusing.
rouilj@uland
parents: 5192
diff changeset
3637 stay on the search page if there is an error. To add this to your
5270
84a844f50d1f Set min python version for release 1.6. Login changes now required,
John Rouillard <rouilj@ieee.org>
parents: 5267
diff changeset
3638 existing issue.search.html page, add the following line after the
7793
72a26f3b94db doc: fix formatting.
John Rouillard <rouilj@ieee.org>
parents: 7749
diff changeset
3639 hidden field ``@old-queryname``::
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3640
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3641 <input type="hidden" name="@template" value="index|search"/>
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3642
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3643 With this addition, the index template is displayed if there is no
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3644 error, and the user stays on the search template if there is an error.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5186
diff changeset
3645
5323
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3646 New -L (loghttpvialogger) option to roundup-server
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3647 --------------------------------------------------
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3648
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3649 Http request logs from roundup-server are sent to stderr or
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3650 can be recorded in a log file (if -l or the logfile options
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3651 is used). However there is no way to rotate the logfile
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3652 without shutting down and restarting the roundup-server.
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3653
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3654 If the -L flag is used, the python logging module is used
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3655 for logging the http requests. The name for the log
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3656 (qualname) is 'roundup.http'. You can direct these messages
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3657 to a rotating log file by putting the following::
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3658
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3659 [loggers]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3660 keys=roundup.http
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3661
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3662 [logger_roundup.http]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3663 level=INFO
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3664 handlers=rotate_weblog
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3665 qualname=roundup.http
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3666 propagate=0
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3667
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3668 [handlers]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3669 keys=rotate_weblog
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3670
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3671 [handler_rotate_weblog]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3672 class=logging.handlers.RotatingFileHandler
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3673 args=('httpd.log','a', 512000, 2)
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3674 formatter=plain
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3675
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3676 [formatters]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3677 keys=plain
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3678
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3679 [formatter_plain]
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3680 format=%(message)s
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3681
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3682 into a file (e.g. logging.ini). Then reference this file in
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3683 the 'config' value of the [logging] section in the trackers
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3684 config.ini file.
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3685
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3686 Note the log configuration above is an example and can be
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3687 merged into a more full featured logging config file for
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3688 your tracker if you wish. It will create a new file in the
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3689 current working directory called 'httpd.log' and will rotate
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3690 the log file at 500K and keep two old copies of the file.
762222535a0b Allow http request logs to be logged using the python logging module
John Rouillard <rouilj@ieee.org>
parents: 5304
diff changeset
3691
6170
dadcb4fe9f1d Ading index entries.
John Rouillard <rouilj@ieee.org>
parents: 6168
diff changeset
3692 .. index:: Upgrading; 1.5.0 to 1.5.1
dadcb4fe9f1d Ading index entries.
John Rouillard <rouilj@ieee.org>
parents: 6168
diff changeset
3693
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3694 Migrating from 1.5.0 to 1.5.1
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3695 =============================
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3696
5025
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3697 User data visibility
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3698 --------------------
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3699
4902
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3700 For security reasons you should change the permissions on the user
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3701 class. We previously shipped a configuration that allowed users to see
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3702 too many of other users details, including hashed passwords under
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3703 certain circumstances. In schema.py in your tracker, replace the line::
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3704
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3705 db.security.addPermissionToRole('User', 'View', 'user')
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3706
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3707 with::
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3708
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3709 p = db.security.addPermission(name='View', klass='user',
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3710 properties=('id', 'organisation', 'phone', 'realname',
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3711 'timezone', 'username'))
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3712 db.security.addPermissionToRole('User', p)
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3713
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3714 Note that this removes visibility of user emails, if you want emails to
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3715 be visible you can add 'address' and 'alternate_addresses' to the list
a403c29ffaf9 Security fix default user permissions
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4901
diff changeset
3716 above.
5025
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3717
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3718 XSS protection for custom actions
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3719 ---------------------------------
cf22972fe080 Preparing 1.5.1 steps 3/16
anatoly techtonik <techtonik@gmail.com>
parents: 4902
diff changeset
3720
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3721 If you have defined your own cgi actions in your tracker instance
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3722 (e.g. in a custom ``extensions/spambayes.py`` file) you need to modify
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3723 all cases where client.error_message or client.ok_message are modified
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3724 directly. Instead of::
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3725
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3726 self.client.ok_message.append(...)
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3727
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3728 you need to call::
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3729
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3730 self.client.add_ok_message(...)
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3731
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3732 and the same for::
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3733
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3734 self.client.error_message.append(...)
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3735
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3736 vs.::
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3737
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3738 self.client.add_error_message(...)
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3739
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3740 The new calls escape the passed string by default and avoid XSS security
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
3741 issues.
4851
24b8011cd2dc Fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4678
diff changeset
3742
7321
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3743
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3744 Migrating from older versions
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3745 =============================
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3746
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3747 See the `historical migration <upgrading-history.html>`_ document.
e21c7fe0b57a Move text into notes; add references to historic upgrade directions
John Rouillard <rouilj@ieee.org>
parents: 7296
diff changeset
3748
7091
849e9b2d6926 Rename security.py to security-history.py; change reference
John Rouillard <rouilj@ieee.org>
parents: 7064
diff changeset
3749 .. _`security documentation`: security-history.html
7961
32ead43b8299 docs: postgres user; wsgi default mode update; diff for task.index.html
John Rouillard <rouilj@ieee.org>
parents: 7959
diff changeset
3750 .. _`Roundup postgresql documentation`: postgresql.html
2409
Richard Jones <richard@users.sourceforge.net>
parents: 2374
diff changeset
3751 .. _`administration guide`: admin_guide.html
5298
6efa6d44c27a Add doc for xmlrpc changes and errors related to anti-csrf protections.
John Rouillard <rouilj@ieee.org>
parents: 5295
diff changeset
3752 .. _`xmlrpc guide`: xmlrpc.html
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6586
diff changeset
3753 .. _FTS5 full-text search engine: https://www.sqlite.org/fts5.html
6604
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
3754 .. _PostgreSQL's full text search: https://www.postgresql.org/docs/current/textsearch.html
0d99ae7c8de6 Allow Roundup to use PostgreSQL database native full text search
John Rouillard <rouilj@ieee.org>
parents: 6599
diff changeset
3755 .. _`administration guide notes on native-fts`: admin_guide.html#configuring-native-fts-full-text-search
6591
feab8c878d08 Fix code formatting, add link for Configuring Compression.
John Rouillard <rouilj@ieee.org>
parents: 6590
diff changeset
3756 .. _Configuring Compression: admin_guide.html#configuring-compression
7971
fe0348bbe45b issue2551353 - Add roundup-classhelper for 2.4.0 release
John Rouillard <rouilj@ieee.org>
parents: 7964
diff changeset
3757 .. _classhelper documentation: admin_guide.html#classhelper-web-component
6781
b3d4b25b4922 Add links some updates.
John Rouillard <rouilj@ieee.org>
parents: 6780
diff changeset
3758 .. _Software Upgrade: admin_guide.html#software-upgrade
7281
194093011cb7 Move upgrade directions for version < 1.5.0 to history document
John Rouillard <rouilj@ieee.org>
parents: 7277
diff changeset
3759 .. _new search permissions for query in 1.4.17:
194093011cb7 Move upgrade directions for version < 1.5.0 to history document
John Rouillard <rouilj@ieee.org>
parents: 7277
diff changeset
3760 upgrading-history.html#new-search-permissions-for-query-in-1-4-17
Roundup Issue Tracker: http://roundup-tracker.org/