Please read ``doc/upgrading.txt`` to see how to bring you Roundup version
up to date with changes listed in this file. This may require schema
and template changes not listed here.
Each entry has the developer who committed the change in brackets.
Entries without name were done by Richard Jones.
**IMPORTANT** The v1.5.x releases of Roundup were the last to support
Python v2.5 and v2.6. Starting with the v1.6 releases of Roundup
v2.7.2 is required to run newer releases of Roundup. From v?.?
onwards Python 3.4 and later are also supported.
2019-??-?? ?.?.0
Features:
- issue2550901: add search page to jinja2 template (Christof Meerwald)
- issue2550982: use PBKDF2 in Python's hashlib, if available (Python
2.7.8+), to improve performance over bundled pure Python
version. Note that acceleration via m2crypto is no longer supported
(Christof Meerwald)
- issue2550989: PGP encryption is now done using the gpg module
instead of pyme. (Christof Meerwald)
- issue2550987: Use updated MySQL client module that supports Python
3. (Christof Meerwald)
- issue2550967: the jinja2 loader has been extended to look for .xml
files as well as .html files similar to the TAL loader. (Christof
Meerwald)
- Support for Python 3 (3.4 and later). See doc/upgrading.txt for
details of what is required to move an existing tracker from Python
2 to Python 3 (Joseph Myers, Christof Meerwald)
- Merge the Google Summer of Code Project of 2015, the implementation of
a REST-API for Roundup. This was implemented by Chau Nguyen under the
supervision of Ezio Melotti. Some additions were made, most notably we
never destroy an object in the database but retire them with the
DELETE method. We also don't allow to DELETE a whole class. Python3
support was also fixed and we have cherry-picked two patches from the
bugs.python.org branch in the files affected by the REST-API changes.
- Patch to client.py and roundup-server needed by REST-API
code. Support OPTIONS verb and prevent hangs when processing a verb
other than GET that doesn't have a payload. E.G. DELETE, PATCH or
OPTIONS. Verbs like PUT and POST usually have payloads, so this
patch doesn't touch processing of these methods. (John Rouillard)
- Patches to new rest code:
- Generated links in responses should use the base url specified
in config.ini.
- allow user (e.g. in browser) to override response type/Accept
header using extension in url. E.G. .../issues.json. This fixes
the existing code so it works.
- fix SECURITY issue. Retrieving the item of a class
(e.g. /rest/data/user/2) would display properties the user wasn't
allowed to access. Note that unlike the web interface, passwords
and roles for users are still retreivable if the user has access
rights to the properties.
- ETags are sent by GET operations and required for DELETE, PUT and
PATCH operations. ETag can be supplied by HTTP header or in the
payload by adding the field @etag to the form with the value of
the etag.
- If dict2xml.py is installed, the rest interface can produce an XML
format response if the accept header is set to text/xml.
(See: https://pypi.org/project/dict2xml/)
- When retrieving collection move list of collection elements to
collection property. Add @links property with self, next and prev
links (where needed). Add @total_size with size of entire
collection (unpaginated). Pagination index starts at 1 not 0.
- accept content-type application/json payload for PUT, PATCH, POST
requests in addition to application/x-www-form-urlencoded.
(John Rouillard)
- issue2550833: the export_csv web action now returns labels/names
rather than id's. Replace calls to export_csv with the export_csv_id
action to return the same data as the old export_csv action. (Tom
Ekberg (tekberg), Andreas (anrounham14) edited/applied and tests
created by John Rouillard)
- issue2551018: Add new note_filter parameter to nosymessage. The
function supplied by this parameter can rewrite the body of the
nosymessage before it gets sent. See issue:
https://issues.roundup-tracker.org/issue2551018 for example
nosyreaction and generated email. (Tom Ekberg (tekberg))
- issue2550949: Rate limit password guesses/login attempts. Rate
limit mechanism added for web page logins. Default is 3 login
attempts/minute for a user. After which one login attempt every 20
seconds can be done. (John Rouillard)
- issue2551043: Add X-Roundup-issue-id email header. Add a new header
to make it easier to filter notification emails without having to
parse the subject line. (John Rouillard)
- The database filter method now can also do an exact string search.
- The database filter method now has limit and offset parameters that
map to the corresponging parameters of SQL.
- issue2551061: Add rudimentary experimental support for JSON Web
Tokens to allow delegation of limited access rights to third
parties. See doc/rest.txt for details and intent. (John Rouillard)
Fixed:
- issue2550811: work around Unicode encoding issues in jinja2 template
by explicitly converting data to Unicode; also fixed pagination and
selecting columns to display in the issues list (Christof Meerwald)
- issue2550988: fixed fallback to pseudo random number generator in
case SystemRandom isn't available, prefer use of secrets module if
available (Python 3.6+) (Christof Meerwald)
- issue2550993: fixed edit CSV action to update restored items to the
new value instead of restoring with the previous value (Christof
Meerwald)
- issue2550994: avoid breakage caused by use of backports of Python 3
configparser module to Python 2. (Joseph Myers)
- Make non-existent items in history not cause a traceback (Ralf
Schlatterbeck)
- issue2550722: avoid errors from selecting "no selection" on
multilink. (Joseph Myers)
- issue2550992: avoid errors from invalid Authorization
headers. (Joseph Myers)
- issue2551022: support non-ASCII prefixes in instance config for
finding static files. (Cédric Krier)
- issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used - separators rather than _. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier, reviewed/applied John Rouillard.)
- issue2551035 - fix XSS issue in wsgi and cgi when handing url not
found/404. Reported by hannob at
https://github.com/python/bugs.python.org/issues/34, issue opened by
JulienPalard.
- issue2551026: template variable not defined even though it is.
Fix issue where variables defined in TAL expression are not
available in the scope of the definition. (Tom Ekberg (tekberg))
- Make all links created with rel=nofollow include noopener. Deals
with possible hijack of original page due to malicious link target.
https://mathiasbynens.github.io/rel-noopener/ (John Rouillard)
- Fix bug where some protected properties were not identified as such
when using the anydbm backend (John Rouillard)
- issue2551041 - change permission check from "Create User" to "Register
User" in page.html for the responsive and devel templates. (reporter
Cédric Krier, John Rouillard)
- issue2550144 - fix use of undefined icing macro in devel
template. Replace with frame macro. (Cédric Krier)
- handle UnicodeDecodeError in file class when file contents are
not text (e.g. jpg). (John Rouillard)
- issue2551033: prevent reverse engineering hidden data by using etags
as an oracle to identify when the right data has been
guessed. (Joseph Myers, John Rouillard)
- issue2551029: Jinja2 template install error. Update configuration
code to make sure valid backend database is set. Remove config.ini
from templates to make sure that roundup-admin install writes a new
default config.ini based on configuration.py.
- issue2551040: New release of psycopg2 drops support for psycopg1 -
need to rewrite. Now uses psycopg2 throughout. (John Rouillard)
- issue2551009: Flint not supported error during reindex. Upgrading
doc updates to discuss this when reindexing. (Reported by Gabi,
Change by John Rouillard)
- issue2551030: Roundup fails to start if pytz to access Olson
timezone database not installed. (John Rouillard)
- issue2551029: Jinja2 template install error. Handle issue with
template's config.ini not getting updated. Provide an alternate
file: config_ini.ini for required config settings that are merged
into the default values producing an up to date config.ini on
install.
- issue2551008: fix incorrect encoding handling in mailgw.py
(Ezio Melotti, John Rouillard)
- issue2551053: the routing dictionary in rest.py used compiled regular
expressions as dictionary keys. This worked most of the time because
the regex lib uses a cache but resulted in duplicate keys in the
dictionary in some cases where a single key should have been used.
Thanks to Robert Klonner for discovering the problem, debugging the
root cause and providing a first proposed fix.
- Make searching with a multiselect work for Link/Multilink properties
that may contain numeric *key* values. For these a menu would render
options with IDs and later look up the IDs as *key* of the
Link/Multilink. Now numeric IDs take precedence -- like they already
do in the menu method of Link and Multilink.
2018-07-13 1.6.0
Features:
- issue2550894: migrate test suite and run_test.py to py.test (John Kristensen)
- issue2550880: Ability to choose password store scheme and SSHA
support. Discussion on devel list is tending in favor of this patch.
Embedded test works, my manual test with a SSHA password
assigned to a user allowed the user to log in. Ran the test suite
and the tests that were not skipped passed. (applied by John Rouillard)
- New Link/Multilink property attribute 'msg_header_property', can be
used to configure additional headers in outgoing emails. See
documentation in ``doc/customizing.txt``. (Ralf Schlatterbeck)
- Allow multiple file uploads: If the html template specifies
multiple="multiple" for a file upload the user can attach multiple
files and the form parser now handles this. (Ralf Schlatterbeck)
- issue2550886: Add support for an integer type to join the existing
number type. This can be used for properties used for ordering,
counts etc. where a decimal point isn't needed. Developed by
Anthony (antmail). Doc updates written by John Rouillard. (applied
by John Rouillard)
- Updated html/_generic.404.html to use the page template. So 404
errors now include the left hand menu, a proper page title and
body content. Note added to doc/upgrading.txt on how to add it to
deployed trackers. (John Rouillard)
- issue2109308 - Allow subject of nosy messages be changed from reactor
Adds a subject parameter to nosymessage function. Patch initally
generated by Frank Niessink. Tests, adaptation by John Rouillard.
- issue2550683 Allow indexargs_form filter variable exclusion.
Patch generated by Bruce Tulloch (bruce). Applied and docstring for
indexargs_form updated by John Rouillard. Patch description is:
This is required to allow indexargs_form to be used in conjunction with
other form variables which *replace* some filterspec parameters.
One must exclude all variables from the indexargs_form call which are to
be replaced with values that are derived from other form input elements,
otherwise they will clash with the "hidden" input elements generated by
indexargs_form itself.
For example:
where the variables type, status and assignedto are supplied via other
form input elements. Without the new exclude argument to indexargs_form,
all hidden input elements otherwise generated by this call would need to
be manually added to the template code. Further, given that the template
may not know what other variables may be defined, it may not even be
possible to code this without some python helpers.
[ rouilj I think this is an example usecase. Possible assignedto
users need to have a specific role. Create TAL that
filters the users to the select few. Defines a select list for
assignedto. Use exclude=['assignedto'] to prevent the
indexargs_form from generating a confliciting assignedto field
which lists all users regardless of the role.]
- allow user to recover account password using an entry in the
Alternate E-mail addresses list. See:
http://psf.upfronthosting.co.za/roundup/meta/issue564
for description. Merge request at:
https://sourceforge.net/p/roundup/code/merge-requests/1/
Patch supplied by kinggreedy. Applied/tested by John Rouillard
- issue2550636, issue2550909: Added support for Whoosh indexer.
Also adds new config.ini setting called indexer to select
indexer. See ``doc/upgrading.txt`` for details. Initial patch
done by David Wolever. Patch modified, docs added and committed
by John Rouillard.
- issue2550803: Replying to NOSY mail goes to the tracker through
reply-to, not original message author.
Created new [tracker] replyto_address config.ini option to allow:
1) setting reply-to header to the tracker
2) setting reply-to header to the address of the author
of the change
3) setting it to a fixed address (like noreply@some.place)
Done by John Rouillard from proposal by Peter Funk (pefu)
in discussion with Tom Ekberg (tekberg). See doc/upgrading.txt.
- issue1714899: Feature Request: Optional Change Note. Added a new
quiet=True/False option for all property types. When quiet=True
changes to the property will not be displayed in the::
confirmation banner (shown in green) when a change is made
property change section of change note (nosy emails)
web history display for an item.
Note that this may confuse users if used on a property that is
meant to be changed by a user. It is most useful on administrative
properties that are changed by an auditor as part of a user
generated change. Original patch by Daniel Diniz (ajaksu2)
discussed also at:
http://psf.upfronthosting.co.za/roundup/meta/issue249
Support for setting quiet when calling the class specifiers:
E.G. prop=String(quiet=True) rather than::
prop=String()
prop.quiet=True
support for anydb backend, added tests, doc updates, support for
ignoring quiet setting using showall=True in call to history()
function in templates by (John Rouillard). (Note implementation
changed while implementing fix for issue2550864. Filtering of
quiet properties pushed down to the hyperdb.py::Class::history
function. This fixes a small bug in the implementation that caused
a limiting the templating history call to display fewer than the
the requested number of items if some were quiet.)
- issue2550767: Add newitemcopy.py detector to notify users of new
items. Added to detectors directory and a README.txt generated to
describe the purpose of the directory. It also says the detectors
are provided on an as-is basis and may not work. Detector by W.
Trevor King (wking), rest by John Rouillard.
- issue934009: Have New Issues Submitted By Email *Not* Change Body!
The mailgw config options: keep_quoted_text and leave_body_unchanged
can now have a new values: new. If set to new, keep_quoted_text acts
like yes if the message is starting a new issue. Otherise it strips
quoted text. This allows somebody to start a new issue by forwarding
a threaded email (with multiple quoted parts) into roundup and
keeping all the quoted parts. If leave_body_unchanged is set to
new, even the signature on the email that starts a new issue will be
preserved.
- New cgi action restore (RestoreAction) which reverses the effects of
the retire action. Created while implementing fix for
issue2550831. Requires restore permission in the schema. See
upgrading.txt for migrating to 1.6.0 for details. (John Rouillard)
- issue2550751: Email Header Issue. Noel Garces requested the ability
to suppress email headers like "x-roundup-issue-files". With Ralf's
addition of the Link/Multilink property attribute
'msg_header_property' we can do this easily. Setting the
'msg_header_property' to the empty string '' (not to None) will
suppress the header for that property. (John Rouillard)
- issue2550891: Allow subdir in template value. Anthony (antmail)
requested the ability to put templates into subdirectories. So
the issue class can accept @template=issues/item to get the
html/issues/issue.item.html template. See ``doc/upgrading.txt``.
- issue1842687: Keywords: After creating, stay in "Create New" mode.
Change to classic tracker template to provide a check box (checked
by default) that keeps the user on the "Add new keyword" page after
submitting a new keyword. Usually after submission, you will see the
the page for the new keyword to allow you to change the name of the
keyword. (John Rouillard)
- issue2550757 - internal restructuring to allow admin.py to be tested
more easily. W. Trevor King (wking)/ John Rouillard.
- When storing user-defined queries we now store the template with the
query if the template name is different from 'index'. This allows
stored queries for templates different from the default 'index'
template. (Ralf Schlatterbeck)
- Number properties now have an optional attribute use_double to request
double precision float as the storage type for this property. (Ralf
Schlatterbeck)
- issue2550796: Calendar and Classhelp selection tools don't cause
onchange event to be triggered.
Using the helper popups for modifying lists of users, lists of
issues, dates etc.. now trigger the change event on the form's
field. This allows onchange javascript to trigger to highlight
changes, recalculate other form values etc. See ``upgrading.txt``
for details on applying these changes to your tracker. (John Rouillard)
- menu template function has a new parameter "showdef". When set to a
string, the string is appended to the displayed option value. This
allows the user to reset the value for the menu (select) to the
original value. (John Rouillard)
- @template html url parameter can be set to "oktmpl|errortmpl". When
a form is submitted, if the form passes validation the oktmpl is
used for the resulting page. If the form fails submission the
errortmpl page is used to display the form. The errortmpl will
usually be the same template used to edit the form. See the section
on "Implementing Modal Editing Using @template" in
``customizing.txt``. (John Rouillard)
- New form of check function is permitted in permission definitions.
If the check function is defined as:
check(db, userid, itemid, **ctx)
the ctx variable will have:
ctx['property'] the name of the property being checked or None
ctx['classname'] the class that is being checked or None
ctx['permission'] the name of the permission (e.g. View, Edit)
At some future date the older 3 argument style check command will
be deprecated. See ``upgrading.txt`` for details.
- New property for permissions added to simplify the model. See
``customizing.txt`` and search for props_only and
set_props_only_default in the section 'Adding a new Permission'.
(John Rouillard)
- issue2550690 - Inadequate CSRF protection. Improvements in
Cross Site Request Forgery protection to check HTTP headers
and nonces. If the header/nonce is present, they are
validated. But if headers or nonces are missing access is
granted. The enforcement policy can be set in config.ini.
Requiring enforcement will need some changes to
templates. Support for protecting xmlrpc endpoint not well
tested. See ``upgrading.txt``. (John Rouillard)
- Added support for using the SameSite cookie option on the
session cookie. Default is lax, but there is a settable
option in config.ini file to change to strict or
suppress it entirely. See ``upgrading.txt``. (John Rouillard)
- Added a new roundup-admin command: updateconfig. Similar to
genconfig but it uses values from an existing config.ini
rather than default values. Use to update an existing
config.ini with new options and help text. (John Rouillard)
- issue2550864: Potential information leakage via journal/history
Hyperdb history function now only returns properties that the user
can View or Edit and links to objects the user can see. Can be
overridden by setting a parameter when calling the method.
Also restructured code that implemented issue1714899 moving it
from the templating class to the hyperdb. (John Rouillard)
- Improves diagnostics for mail processing: When using logging level = DEBUG,
bounces and bounce problems are logged. (Bernhard Reiter)
- In roundup-server, pass X-Forwarded-For and X-Forwarded-Proto
headers as the environment variables: HTTP_X-FORWARDED-FOR and
HTTP_X_FORWARDED_PROTO. If the user is running roundup server behind
a proxy, these headers allow the user to write extensions that can
figure out the original client ip and protocol. None of the core
roundup code uses these headers/env vars. These headers can be
spoofed by bad proxies etc. so you have been warned.
- issue2550799: provide basic support for handling html only emails
Emails missing text/plain parts but with text/html parts can be
converted into text. If this is done the email will no longer be
bounced back to the sender with an error. Enable by configuring the
convert_htmltotext option in your upgraded config.ini. (Initial
patch by Igor Ippolitov merged with changes by John Rouillard.)
- Add a 'retired' parameter to Class.filter to allow searching for
retired, non-retired or all (retired and non-retired) items similar
to the argument of the same name to Class.getnodeids. This is 'False'
by default (finding only non-retired items for backwards
compatibility) and can be set to None (for finding retired and
non-retired items) or True (for finding only retired items).
- Requires Python 2.7 now, indicated in version_check.py
and doc/installation.txt. (Bernhard Reiter)
- New -L flag to roundup-server to send http/https request logs
through the python logger module (using roundup.http). This allows
automatic log rotation. Without it, log file rotation requires restarting
the server. (John Rouillard)
- Part of issue2550960. Applied patch 0038 to upgrade documentation
code examples to support both python 2 and 3. (Joseph Myers)
- Release no longer includes binary windows installer. Pypi no longer
accepts it for upload.
Fixed:
- issue1615201: Optionally restore the original (version 0.6) mailgw
behaviour of ignoring a Resent-From:-header and using the real
From-header instead: new configuration option EMAIL_KEEP_REAL_FROM
(Peter Funk aka Pefu).
- issue2550717: Changed a couple of residual email references into
E-Mail in German translation (John Rouillard)
- issue2550669: Adding documentation for csv_field_size to the
customizing tracker section of doc/customizing.txt (John Rouillard)
- issue2550601: gsoc-2009 "bug" class doesn't have "patches" property
Added multilink to patches to the bug schema in the devel template.
(applied by John Rouillard)
- issue2550748: Crash when creating new issues with non-existing
multilink values (in classic template). Applied patch so it
now errors the same way as an update does. (applied by John Rouillard)
- issue2550757: one bug raised by issue fixed. Patch created by
W. Trevor King (wking) for documentation of mailgw applied by
John Rouillard.
- Fix processing of additional arguments to cgi method 'menu': This
would not work if more than one additional argument is used.
(Ralf Schlatterbeck)
- Update documentation of some existing property attributes (like
'do_journal' for Link/Multilink properties), this also adds missing
documentation for issue1444214. (Ralf Schlatterbeck)
- issue2550763 Strip whitespace from Multilink values after + or -.
(W. Trevor King) Test heavily modified by John Rouillard. (applied
by John Rouillard)
- issue2550907 Fix errors when creating documentation. Work done by
Peter Funk (pefu). (Applied by John Rouillard with small change
omitting obsolete security.txt.)
- issue2550826 Capture some exceptions from auditors/reactors and
raise a DetectorError instead. This allows failures like IOErrors
from the detectors (e.g. unable to access files) to be handled.
Previously an IOError just resulted in no output (premature end of
headers under apache). Problem diagnosed and initial patch created by
Tom Ekberg (tekberg). Further testing and patch change done by
John Rouillard.
- issue2550851 in installation doc removed directions for
installing additional codecs for Asian languages. They
they appear to be part of the standard python since at least 2.6.
Also the quoted url is obsolete. See ticket if you think you need
the codecs.
- issue2550823 improve mailgw logging for node creation errors.
Patch by r.david.murray (applied by John Rouillard).
- issue2550549 Postgres error on message templating
Exception gets thrown and not captured if nodeid is too large
on postgres. Added a check in rdbms_common layer that max nodeid
is < 2^31 -1. Large nodeid now return no such id error upstream.
Patch idea from: martin.v.loewis. (John Rouillard)
- issue2550723 Fix propagation of @pagesize
When @pagesize=0 is specified (indicating show all), the value of
pagesize is not propigated to the prev link. This patch fixes that.
Patch provided by John Kristensen. (Applied, light testing by John
Rouillard.)
- issue2550850 anypy/email_.py uses BSPACE which is not defined in python 2.7
Supplied a definition for BSPACE since it seems to not be defined
anywhere. Reported by Dennis Boone. (John Rouillard)
- Validate properties specified for sorting and grouping in index
views. Original patch from martin.v.loewis via:
https://hg.python.org/tracker/roundup/rev/439bd3060df2
Applied by John Rouillard with some modification to properly
identify if the bad property is a sort or grouping property. Tests
added.
- Validate Integer and Numeric type filter parameters rather than
passing output down to db level. Initial patch at:
http://hg.python.org/tracker/roundup/rev/98508a47c126 by
Martin.V.Loewis. Numeric test patch applied, Integer code and tests
developed by John Rouillard.
- issue1926124: fix crash in roundup_admin migrate option.
Patch submitted by Henry (henryl), modified value to False
since this produces the correct "No migration action required"
output from the migrate command.
- issue2161722: oudated docs (sic)
Fix old entry in FAQ, update roundup-server config docs and
example file from current roundup-server output. Update
some typos in .py files. John Rouillard.
- issue2550572: setting nosy=+foo on multiple issues gives them all
the same exact nosy list. Fixed a missing reinitialization that has
to occur every time though the loop in do_set. Manual tests work.
(John Rouillard)
- issue2550653: xapian search, stemming is not working
This is a partial fix for the issue. It does make stemming work
(so searching for silent will also return docs with silently in
them). However to do this we need to lowercase the text so the
porter stemmer will work. This means capitalization is not
preserved. Fix done by David Wolever (wolever). Committed and doc
updates John Rouillard.
- issue2550855: "show unassigned" link shows all open issues if not
logged in. This adds permission for the anonymous user to search
the users class. Without this the unassigned search can't see if
there is a user assigned to an issue, so it acts like all open
issues. Patch supplied by Stuart McGraw (smcgraw). For caveats
see ``upgrading.txt`` and the comments in the default templates.
(Docs created and applcation by John Rouillard)
- issue2550854: including new field in All text* search.
Fixed documentation in customizing.txt. The default for indexme on
String fileds is 'no' not 'yes'. So to get a new string field into
the full text/all text index you need to use String(indexme='yes').
Reported by Michael Belleville. (John Rouillard)
- issue2550853 - better error handling and cleanup on some postgres
tests by Stuart McGraw.
- issue2086536 - back_postgresql: fixing pg_command and prefering
psycopg2. Patch done by Philipp Gortan (mephinet). His patch
also improves handling of retryable errors. Applied and
edited by John Rouillard. Edits included removing support for
psycopg1. See:
https://sourceforge.net/p/roundup/mailman/message/32855027/
for rational for dropping it.
- issue2550831: Make the classic template query.edit page work.
Many fixes and improvements. See ``upgrading.txt`` for details.
Diagnosis and fix with patch by R David Murray. Support for
restoring retired but active queries, html layout changes and doc
by John Rouillard.
- issue2550785: Using login from search (or logout) fails. When
logging in from a search page or after a logout it fails with an
error. These failures have been fixed. The fix also keeps the user
on the same page they started from before the login. There are two
parts to this: 1) changes to the templates to properly define the
__came_from form element. See ``upgrading.txt``. 2) code changes
to the LoginAction code in roundup/cgi/actions.py. (John Rouillard)
- issue2550648 - partial fix for problem in this issue. Ezio Melotti
reported that the expression editor allowed the user to generate an
expression using retired values. To align the expression editor with
the simple dropdown search item, retired values are now removed from
the expression editor. (We have an open question as to whether this
is desirable.)
- issue2550743 - Reindex with MySQL Server failed. It looks like
indexing large documents may require increasing mysql's
max_allowed_packet setting. Documented the issue in doc/mysql.txt.
Possible solutions include: increasing value of MySQL parameter,
changing the full text search engine to whoosh or xapian. Problem
report by telsch. Analysis/doc by John Rouillard.
- issue2550882. Reported by Karl-Philipp Richter. Fixed
installation.txt documentation to include better directions on
starting roundup-server on different ports/ip addresses. Also
updated man page to include default use of localhost for -n and use
of -n 0.0.0.0 to bind to all addresses on the host. (John Rouillard)
- issue2550827, issue2550718. Doc additions so people know that a
python 32 bit installation may be required for windows. Additional
documentation on the requirement of pywin32 for running roundup as a
windows service. Also the windows installer must be run as
administrator and strong encouragement for installing the pytz
module added to ``doc/installation.txt``.
- issue2550776: imapServer.py problem. Fixed a missing initialization of the
logging level if no logging level option is supplied. (John Rouillard)
- issue2550839: Xapian, DatabaseLockError: Unable to get write lock on
db/text-index: already locked. Put in a retry loop that will attempt
to get the lock. Total delay approx 4.5 seconds. (John Rouillard)
- issue2550727: db.newid is broken with sqlite. Added proper transaction
lock around the sql code to get a new id. The the locking
that pysqlite attempts had to be defeated because it is broken.
Had to explicitly manage transactions with BEGIN IMMEDIATE and call
sql_commit. Note that this reduces performance in return for accuracy.
Problem reported by Matt Mackall (mpm) (John Rouillard).
- issue2550701: Path traversal from template names. This affects the
tal based template engines (zopetal, chameleon). If a directory
with a specific name is created in the html subdirectory, the
template name in the url can be used to get access to files outside
of the tracker html directory. This has been fixed by normalizing
the path and comparing to the normalized path for the html
directory. See ``doc/upgrading.txt``. (John Rouillard)
- Fix subject parsing in mail gateway. The previous parsing routine
would not ensure that arguments are at the end of the subject and when
subject_suffix_parsing was configured to be 'loose' it would truncate
the subject when encountering a double prefix, e.g.
Subject: [frobulated] [frobulatedagain] this part would be lost
(Ralf Schlatterbeck)
- issue2550795: @dispname query args in page.html search links
not valid html. Some queries with names that include spaces are not
properly url encoded/quoted. I.E. a space should be replaced with
%20. Fixes to allow a url_query method to be applied to
HTMLStringProperty to properly quote string values passed as part of
a url.
- issue2550755: exceptions.NotFound(msg) msg is not reported to user
in cgi. When an invalid column is specified return error code 400
rather than 404. Make error code 400 also return an error message to
the user. Reported by: Bernhard Reiter, analysis, fix by John Rouillard.
- issue1408570: Finally fix that form values are lost on edit
exceptions. This occured for example if editing an issue with the
classic template and setting 'superseder' to a non-existing issue
number. All changes to the form where the original field was non-empty
were lost. (Ralf Schlatterbeck)
- Fix submit_once Javascript function: This needs to return a boolean
value (not and integer like 0 or 1). And the work-around for an
ancient version of Internet Explorer would make it break for a recent
Firefox. The old version would show the popup but after clicking away
the alert it would load the page. The new version (tested with
Chromium and Firefox) doesn't load the page. (Ralf Schlatterbeck)
- Fix Traceback in backends/portalocker.py on windows due to missing
windll import, thanks to Heiko Stegmann for suggesting a first fix.
(Ralf Schlatterbeck)
- issue2550933 - Fix Traceback in cgi/templating.py when a string is
passed to PasswordHTMLProperty::plain. (John Rouillard)
- issue2550934 - templating.py-indexargs_form() returns id's as
space separated list not comma separated. This fixes the format of
the id url parameter when generated by indexargs_form. (John
Rouillard)
- issue2550932 - html_calendar produces templating errors for bad date
strings. Fixed to ignore bad date and highlight todays date in the
calendar popup.
- Query handling requires that query names for a user are unique.
Different users are allowed to use the same query name. Under some
circumstances a user could generate a second query with the same
name. The SearchAction function has been corrected to report this
error. Also the index.search.html template in the classic tracker
and corresponding templates in the other example trackers
has been modified to include:
so an error from SearchAction will display an error message and keep
the user on the search page so they can correct the error. See
``doc/upgrading.txt``. (John Rouillard)
- When a new named search is created, the index page that is displayed
doesn't show the name. This has been fixed by setting the @dispname
to the query's name. (John Rouillard)
- Passing args into indexargs_url(..,{'@queryname': request/dispname
or None, 'Title': 'some' }) where the value of the arg is None
will not add the arg to the url. In the example above @queryname
will only be in the url if dispname is set in the request.
(John Rouillard)
- The HTMLClass::properties() method produced a list of properties
that the user could not search. As a result these properties can not
be used for sorting or grouping index pages. This patch eliminates
the confusion that results from this mismatch by verifying that all
properties returned are searchable. (John Rouillard)
- Mutilinks can be displayed with their labelprop using the plain()
method, but they can not be looped over using tal:repeat if the user
doesn't have view access to the class the multilink represents. The
permissions check was changed to require that the user have View
access to the labelprop for the class rather than View access to the
class. (John Rouillard)
- issue2550937: fix crash by verifying that sendto is not null before
calling mailer.smtp_send. Discovered and patched by Trent Gamblin.
Applied by John Rouillard.
- removed old code from roundup-admin that implemented the obsolete
config (do_config) command. (John Rouillard)
- Modified configuration option static_files to be a space separated
list of directories to search for static files in the web interface.
If one of the elements is -, the search stops and the TEMPLATES
directory is not searched. See:
https://sourceforge.net/p/roundup/mailman/message/35773357/
subject is "showing template sources to all".
- issue2550945: OpenPGP: Extends newissuecopy.py to encrypt if configured.
(Bernhard Reiter)
- CSRF protection broke the retire function for query edit. Fix
javascript and make sure csrf tokens are provided in the right
places. (John Rouillard)
- query.item.html was missing checks to verify that a query should
be visible to the user. This is fixed and users can only view
queries that they own or that are not private. (John Rouillard)
- issue2550953: Patch: fix for context.is_view_ok check in jinja2 template
Form controls are displayed when anonymous views indexes but is
denied access. (patch by Anton Schur applied by John Rouillard)
- issue2550957: Duplicate emails (with patch).
Bcc and cc users passed to nosymessage are not properly recorded.
This results in duplicate emails. (patch by Trent Gamblin (trentgg)
applied by John Rouillard).
- issue2550954: History display breaks on removed properties
Now changes to removed properties, and link/unlink events from
non-existing properties or classes no longer trigger a traceback.
Concerning the visibility: We have a new config-item
obsolete_history_roles in the main section that defines which roles
may see removed properties. By default only role Admin is allowed to
see these.
- Fix issue2550955: Roundup commits although a Reject exception is raised
Fix the problem that changes are committed to the database (due to
commits to otk handling) even when a Reject exception occurs. The fix
implements separate database connections for otk/session handling and
normal database operation.
- Allow empty content property for file and message via xmlrpc
interface. This used to raise a traceback in the (sql) backend.
- Work around a limitation in python2.7 implementation of poplib (for
the pop3 protocol for fetching emails): It seems poplib applies a
line-length limit not just to the lines involving the pop3 protocol
but to any email content, too. This sometimes leads to tracebacks
whenever an email exceeding this limit is encountered. We "fix" this
by monkey-patching poplib with a larger line-limit. Thanks to Heiko
Stegmann for discovering this.
- Fix issue2550963: After refactoring one-time keys from the main
database we need to commit the password change in the password reset
mechanism separately. This used to be committed by the otk commit.
2016-01-11: 1.5.1
Pay attention:
If you have installed an intermediate version from our version control
system and have modified your tracker instance to escape OK and
error-messages in the HTML templates you need to revert this change.
If you're upgrading from a previous roundup release version
you should look into ``doc/upgrading.txt``. (Ralf Schlatterbeck)
Also note the default user permissions, see ``doc/upgrading.txt``.
Features:
- The example local_replace.py has been updated to show how to link to
modern revision systems using hex revision identifiers.
This extension is used to expand shortcuts in msgs. (Bernhard Reiter)
- Drop comment in user settings about numeric hour offsets instead of using
pytz timezone names. Due to DST these are wrong half of the year, it is
much better to use timezone names. (Thomas Arendsen Hein)
- issue2550793: Wrap messages with very long lines in the web interface.
(Thomas Arendsen Hein)
- New Link / Multilink option "try_id_parsing": Sometimes the key of a
class can be numeric -- in that case roundup will try to parse the
value as an ID when evaluating form values -- not as a key. Specifying
try_id_parsing='no' for these Link/Multilink will skip the ID step,
default is 'yes'. (Ralf Schlatterbeck)
- New configuration option 'isolation_level' in rdbms section. Currently
supported for Postgres and mysql, sets the transaction isolation level.
Wrong history entries for concurrent database updates observed in
issue2550806 can be prevented by setting this to 'repeatable read' if
you want to pay the performance penalty. We test this behaviour in the
regression tests for Postgres but not currently for mysql.
See http://www.postgresql.org/docs/9.1/static/transaction-iso.html
(Ralf Schlatterbeck)
- /xmlrpc endpoint now shows link to XML-RPC documentation if accessed
through browser, without text/xml Content-Type (anatoly techtonik)
- docs: New dedicated chapter for extensions in ``doc/customizing.txt``
(anatoly techtonik)
- Increase default height of classhelp windows from 400 to 600.
(Thomas Arendsen Hein)
- Date properties now can specify (on input) an explicit timezone suffix
(similar to RFC 2822), e.g. +0200 for CEST or -0500 for EST. This also
works in the XMLRPC interface. For examples see roundup.date.Date.
(Ralf Schlatterbeck)
- Add RejectRaw exception to allow unescaped HTML error messages to be
displayed to the user (thanks Ezio Melotti for the initial patch)
(John Kristensen)
- Add rel=nofollow to http and https url's in the body of messages.
This should reduce the value of a public roundup tracker to spammers.
References like issue20 or msg10 will hyperlink without
rel=nofollow so that robots can index them. Similar work was done
for the history display in roundup 1.5.0. (John Rouillard)
Fixed:
- issue2550869 Duplicate mail headers (Reply-To, Message-ID, In-Reply-To)
when sending out email. Reported with first fix by Mathias Behrle.
(Bernhard Reiter)
- issue2550830 An empty LinkHTMLProperty cannot be compared successfully.
Improves the query editing page. Reported and fixed by R David Murray
(Bernhard Reiter).
- Fix Release-date of 1.5.0 in this file (thanks to Bernhard for
discovery) (Ralf Schlatterbeck)
- Pythons cgi form code can return a TypeError, we now guard for this
condition. (Ralf Schlatterbeck)
- Small bug-fix in SQL backends: A query (e.g. in a html menu) with a
where-clause that always evaluates to false now will not raise a
traceback. (Ralf Schlatterbeck)
- Remove Python 2.3 compatibility code for i18n (anatoly techtonik)
- If documentation 'sphinx-build' tool is not found in system PATH,
'setup.py build_doc' command now tries to detect it from PYTHONPATH
(anatoly techtonik)
- Read version and release for generated documentation from
roundup/__init__.py. (Thomas Arendsen Hein)
- Do not throw an internal error if a .mo file can not be read
(Thomas Arendsen Hein)
- issue2550673 Make the "Make a copy" link work by fixing copy_url to properly
handle multilink properties. (John Rouillard)
- issue2550583, issue2550635 Do not limit results with Xapian indexer
(Thomas Arendsen Hein)
- Allow using plain() on unsaved dates in HTML forms
(Thomas Arendsen Hein)
- setup.py now installs static files of the HTML documentation (stylesheets,
images, etc.) (Thomas Arendsen Hein)
- executable .py scripts need "#!/usr/bin/env python", add this to demo.py,
remove exec bits from website/wiki/wiki/data/plugin/theme/roundup.py
(Thomas Arendsen Hein)
- issue2550822: Fix showing more than one additional property in class menu.
Report and fix by James Mack (Thomas Arendsen Hein)
- Fix String search with special SQL wildcard characters in LIKE/ILIKE
clause and add testcase (Ralf Schlatterbeck)
- Fix subtle bug when sorting by a Link that contains a Multilink from
which we also search for an attribute. In that case the LEFT OUTER
JOIN clause was missing in generated SQL. (Ralf Schlatterbeck)
- Fix another XSS issue2550817. Note that the code that triggers that
particular bug is no longer in roundup core. But the change to the
templates we suggest is a *lot* safer as it by default escapes the
error and ok messages now. Thanks to Thibault Fevry for the original
bug-report. (Ralf Schlatterbeck)
- issue2117897: Fixed two more places in date.py where seconds can be
rounded to 60.0 and causing exceptions. Change them to 59.999 as was
done in the fix for issue2550802. (Thomas Arendsen Hein)
- Fix batch.propchanged for transitive id properties (would result in a
backtrace when trying to group by property.id) (Ralf Schlatterbeck)
- Fix issue2550835, the test checks for date-range queries with an
interval that depends on the local time. Put the queried date a little
later to avoid a race condition where the queried interval doesn't
match the date because the clock has advanced. (Ralf Schlatterbeck)
- Apply german translation fixes from Debian team in issue2550761,
thanks to Kai Storbeck for taking the time to report these.
(Ralf Schlatterbeck)
- Fix issue2550843 Pass text of Unauthorised and Login exceptions instead
of the exception instance to avoid traceback with string operations.
(Thomas Arendsen Hein)
- Fix issue2550841 roundup-demo templates not found in virtualenv (John
Kristensen)
- Security: Default user permissions should not include all user
attributes. We now limit this to the username, realname and some
further attributes depending on the schema. Note that we no longer
include the email addresses, depending on your installation you may
want to further restrict this or add some attributes like ``address``
and ``alternate_addresses``. (Ralf Schlatterbeck)
- Correctly recreate the database directory when re-initialising a tracker
instance. (John Kristensen)
- In case of an error, date fields would lose the calendar help, fixed.
(Ralf Schlatterbeck)
- demo.py usage message improved: explains "nuke" now. (Bernhard Reiter)
- Fix issue2550735 Missing doc for xmlrpc schema. Thanks to Cedric Krier
for the patch. (anatoly techtonik)
- Fix two line-break accidents in devel and responsive milestone.item.html
(Thomas Arendsen Hein)
- Fix broken images in legacy spec.html and original_overview.html, and
restore web presence for "Roundup's Design Document" (anatoly techtonik)
- Template jinja2: Updated URL to point to http://www.roundup-tracker.org/,
fixed a typo. (Bernhard Reiter)
- Security: Add mime-type whitelist for attachmens that can be safely
rendered from Roundup without trigerring security bugs in browser
plugins, XSS issues and spam. The option ``allow_html_file`` didn't
provide protection for invalid content-type, in which case browser
tried to guess the best one. Thanks to Kay Hayen for reporting and
helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik)
- Documentation: configuration messages_to_author value "nosy" now documented
in chapter "customizing". (Bernhard Reiter)
- issue2550877 Failures in test_mailgw.py because of duplicated headers
and more precise comparision. Writing headers with the email module will use
continuation_ws = ' ' now for python 2.5 and 2.6. (Bernhard Reiter)
- issue2550870 migrate use of 'rfc822' module to the 'email' module
(Bernhard Reiter/John Kristensen)
- Doctests for roundup.date.Date are now really executable and don't
fail. Bug-Fixes in range properties, open intervals with 'to' didn't
always work. (Ralf Schlatterbeck)
- issue2550881 demo.py: Add pointer how to access demo from remote host.
Suggested by Karl-Philipp Richter. (Bernhard Reiter)
- issue2550884 roundup-mailgw --help text improved to explain the allowed
parameters better. Suggested by by Karl-Philipp Richter. (Bernhard Reiter)
- Fix form-parsing: If multiple new items are added to a multilink
property, the old version would create the new items but only link
one. (Ralf Schlatterbeck)
- issue2550892 (translation error of priority in locale de) Thanks
Martin Thomas Swaton for reporting. (Bernhard Reiter)
- Help-Window now gets focus, this prevents the case that help doesn't
work because an old help-window is below the main window.
(Ralf Schlatterbeck)
- issue2550811 20% fix: jinja2 template engine now has an example
how to use non-ascii unicode contents with a custom filter ('| u').
See updates on http://www.roundup-tracker.org/cgi-bin/moin.cgi/Jinja2
(Bernhard Reiter)
2013-07-06: 1.5.0
Features:
- issue2550775 Added rel=nofollow to links in the journal linking to
attachments to allow the admin to delete attachment spam and prevent
search engines from increasing the rankings. (John Rouillard)
- issue2550808 Enhanced the boolean field template function. Now by
default the labels generated can be clicked on and select the
corresponding radio button. Also can create a trivalued radiobutton
(yes/no/unknown) as well as customize the labels for the
yes/no/unknown radio buttons. (John Rouillard)
- issue2550807 enhance classhelp method with ability to set html
properties on the generated link. (John Rouillard)
- Support for tx_Source property on database handle. Can be used by
detectors to find out the source of a change in an auditor to block
changes arriving by unauthenticated mechanisms (e.g. plain email
where headers can be faked). The property db.tx_Source has the
following values:
* None - Default value set to None. May be valid if it's a script
that is created by the user. Otherwise it's an error and indicates
that some code path is not properly setting the tx_Source property.
* "cli" - this string value is set when using roundup-admin and
supplied scripts.
* "web" - this string value is set when using any web based
technique: html interface, xmlrpc ....
* "email" - this string value is set when using an unauthenticated
email based technique.
* "email-sig-openpgp" - this string value is set when email with a
valid pgp signature is used. (*NOTE* the testing for this mode
is incomplete. If you have a pgp infrastructure you should test
and verify that this is properly set.) (John Rouillard)
- Introducing Template Loader API (anatoly techtonik)
- Experimental support for Jinja2, try 'jinja2' for template_engine
in config (anatoly techtonik)
- A new jinja2 template based on Classic schema and using Twitter
bootstrap for responsive behaviour. Run as -
python demo.py -t jinja2 nuke (Pradip P Caulagi)
- roundup_admin.py and other scripts can now be run directly from the
sources dir as roundup\scripts\roundup_admin.py (anatoly techtonik)
- Renamed old Templates classes to Loader classes to clarify sources
for alternative templating engines, updated docs (anatoly techtonik)
- Template selection code is moved from Loader classes into cgi.client
limiting the responsibility of Loaders to compilation and rendering.
Internally, templating.find_template is replaced with
client.selectTemplate (anatoly techtonik)
- Increased generated password length to 12 symbols to slow down GPGPU
attacks (anatoly techtonik)
- Implement XMLRPC MultiCall (including test), see
http://docs.python.org/2/library/xmlrpclib.html#xmlrpclib.MultiCall
(Ralf Schlatterbeck)
Fixed:
- issue2550789: add documentation on how to initialise a tracker
without exposing the admin password.
- issue2550805: Postgres should search title attribute case insensitive
like sqlite. Reported and fixed by Tom Ekberg. (Bernhard Reiter)
- Removed some old left over "rlog" references in documentation and code.
Makes the debugging.txt advise for the database unit tests work again.
(Bernhard Reiter)
- Fixed OpenPGP support for modern versions of libgpgme. (Bernhard Reiter)
- Restored compatibility with old style trackers (anatoly techtonik)
- Make roundup play nice with setup tools (for using with virtualenv)
(Pradip Caulagi)
- [minor] Template responsive: make demo.py work out of the box with it,
by setting the static_files config.ini setting to "static".
Footer: link fixed and hardcoded last modified date removed. (Bernhard Reiter)
- demo.py print location of tracker home and fully erase its directory
when nuking (anatoly techtonik)
- demo.py changing hostname in config.ini actually changes the address
where demo.py listens. (John Rouillard)
- issue2550802: Fixed date so second fraction can't cause rounding to
60.000 when serialising. Report and fix by Erik Hanspers. (Bernhard Reiter)
- issue2550595: Allow migrating from roundup 0.x to 1.4 (Thomas Arendsen Hein)
- issue2550634: New German orthography corrections (Thomas Arendsen Hein)
2012-12-21: 1.4.21
Features:
- issue2550782: Added a new irker detector to send notifications on IRC
when an issue is created or messages are added. (Ezio Melotti)
- Beta version of responsive templates using devel schema
and Twitter Bootstrap for styling (Pradip Caulagi)
- pywin32 is no longer required to run on Windows (anatoly techtonik)
- Rewritten portalocker.py logic in ctypes for Windows (anatoly techtonik)
- Add an interface to register clearCache callbacks in roundupdb.
Sometimes complicated computations may require an application cache.
This application can now register a callback to clear the application
cache, because roundup knows better when to clear it (usually when a
transaction ends, either with rollback or with commit). The interface
for this is currently considered experimental. The current interface
is registerClearCacheCallback(self, method, param) where method is
called with param as the only parameter. (Ralf Schlatterbeck)
- Add a script to remove file-spam from a tracker, see
scripts/spam-remover. (Ralf Schlatterbeck)
Fixed:
- issue2550765: Don't show links in calendar that will fail.
Found and fixed by Cédric Krier. (Bernhard)
- issue2550765: use in the
_generic.calendar.html to prevent robots to follow all the links in the
calendar. (Ezio Melotti)
- "BaseException.with_traceback" is not available on Python 2, so use
"raise E, V, T" instead of "raise E(V).with_traceback(T)". This change was
originally introduced in 74476eaac38a. (Ezio Melotti)
- issue2550759: Trailing punctuation is no longer included when URLs are
converted to links. (Ezio Melotti)
- issue2550574: Restore sample detectors removed in roundup 1.4.9
(Thomas Arendsen Hein)
- Prevent AttributeError when removing all roles of a user
(Thomas Arendsen Hein)
- issue2550762 Minor Documentation fix in doc/developers.txt, thanks
to W. Trevor King. (Bernhard Reiter)
- issue2550766: Minor formatting issues in the docs for date properties,
thanks John Kristensen. (Bernhard Reiter)
- issue2550738: Fixes for various documentation typoes,
thanks Nathan Russell. (John Kristensen)
- issue2550756: Fix `oder' typo in mailer.Mailer.bounce_message docstring,
thanks W. Trevor King (John Kristensen)
- Fix basic authentication: instatiating the login action would fail if
the user is not set. We now first set the user to anonymous and then
try basic authentication if enabled. (Ralf Schlatterbeck)
- Fix xmlrpc permissions for lookup method: Allow if the key attribute
is either searchable or viewable, don't check id attribute (Ralf
Schlatterbeck)
- Fix installation documentation (section Prerequisites) to require at
least python 2.5, thanks to John P. Rouillard for discovering this.
(committed by Ralf Schlatterbeck)
- Fix version_check.py to require at least python 2.5 (anatoly techtonik)
- Fixing the download button re-activating the cheeseshop plugin in the
sphinx config. Thanks to Richard for the hint. (Bernhard Reiter)
- issue2550783 devel template's schema.py permissions referenced the
organization property for the user, but the property is called
organisation. Thanks to Pradip Caulagi. (committed by John Rouillard)
- issue2550749 - the xmlrpc interface is invoked on content type
and not url path. Sending any text/xml data to roundup results in
invoking the xml-rpc interface, but a REST or other interface could
also consume xml data and do something different. So require the use
of 'http(s)://.../xmlrpc' uri to trigger the xmlrpc interface.
(John Rouillard)
- issue2550774: Remove generating documentation with rst2html, and update the
README.txt with how to create the html docs using sphinx, thanks Kai Storbeck
(John Kristensen)
- issue2550774: Include doc/conf.py in the release tarball, so people can build
their own documentation in html, thanks Kai Storbeck (John Kristensen)
- issue2550774: Update website/www/Makefile to symlink COPYING.txt so "make"
works again, thanks Kai Storbeck (John Kristensen)
- issue2550760: Several improvements to the manpages
thanks Kai Storbeck & Bastian Kleineidam (John Kristensen)
2012-05-15: 1.4.20
Features:
- Experimental support for the new Chameleon templating engine.
We now have two configurable templating engines, the old Zope TAL
templates (called zopetal in the config) and the new Chameleon (called
chameleon in the config). A new config-option "template_engine" under
[main] can take these config-options, the default is zopetal.
Thanks to Cheer Xiao for the idea of making this configurable *and*
for the actual implementation! (Ralf)
WARNING: Chameleon support is highly experimental and *not* recommended for
production use. It has known performance issues and i18n is not yet
functioning. It's still under active development. Only use this feature if
you want to experiment with Chameleon and/or help with Roundup
developement. If you found a bug in Chameleon support, please report after
testing against latest Roundup source from the Mercurial repository.
- issue2550678: Allow pagesize=-1 which returns all results.
Suggested and implemented by John Kristensen.
Tested by Satchidanand Haridas. (Bernhard)
- Allow to turn off translation of generated html options in menu method
of LinkHTMLProperty and MultilinkHTMLProperty -- default is
translation as it used to be (Ralf)
- Sending of OpenPGP encrypted mail to all users or selected users (via
roles) is now working. (Ralf)
- Add config-option "nosy" to messages_to_author setting in [nosy]
section of config: This will send a message to the author only
in the case where the author is on the nosy-list (either added
earlier or via the add_author setting). Current config-options
for this setting will send / not send to author without considering
the nosy list. (Ralf)
Fixed:
- issue2550730: FAQ has broken link to Zope book. Reported and fixed by
John Rouillard.(Bernhard)
- issue2550728: remove buggy parentheses in TAL/DummyEngine.py.
Reported and fixed by Ralf Hemmecke. (Bernhard)
- issue2550715: IndexError when requesting non-existing file via http.
Reported and fixed by Cédric Krier. (Bernhard)
- issue2550712: exportcsvaction errors poorly when given invalid columns.
Reported by Will Kahn-Greene, fixed by Cédric Krier. (Bernhard)
- issue2550695: 'No sort or group' settings not retained when editing queries.
Reported and fixed by John Kristensen. Tested by Satchidanand Haridas.
(Bernhard)
- Fix matching of incoming email addresses to the alternate_addresses
field of a user -- this would match substrings, e.g. if the user has
discuss-support@example.com as an alternate email and an incoming mail
is addressed to support@example.com this would (wrongly) match. (Ralf)
- issue2550729: Fix password history display for anydbm backend, thanks
to Ralf Hemmecke for reporting. (Ralf)
- OpenPGP support is again working (pyme API has changed significantly) and
we now have a regression test. We now take care that bounce-messages
for incoming encrypted mails or mails where the policy dictates that
outgoing traffic should be encrypted is actually OpenPGP encrypted. (Ralf)
- Ignore confirm set() fields by themselves in the absence of non-"confirm"
values; otherwise a bare confirm field can be used to change the a
password. Reported by Cam Blackwood. (Ralf)
- Updated version of simplified Chinese message file by Cheer Xiao:
Corrected some mistakes, added a few more items and did some
formating. (Ralf)
- Fix xmlrpc URL parsing so that passwords may contain a ':' character
(Ralf)
- Be more tolerant when parsing RFC2047 encoded mail headers. Use
backported version of my proposed changes to
email.header.decode_header in http://bugs.python.org/issue1079
(Ralf)
- issue2550684 Fix XSS vulnerability when username contains HTML code,
thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
- issue2550711 Fix XSS vulnerability in @action parameter,
thanks to "om" for reporting. (Ralf)
- issue2550535 In some cases even when keep_quoted_text=yes is
configured we would strip quoted sections. This hit the python
bug-tracker especially for python interpreter examples with leading
'>>>' strings. The fix is slightly different compared to the proposal
as this broke keep_quoted_text=no in certain cases. We also fix a bug
where keep_quoted_text=no would drop the last line of a non-quoted
section if there wasn't an empty line between the next quotes. (Ralf)
- issue2431638 wrong registration link in bounce mail for non-registered
users reported *years* ago by anonymous (Ralf)
- Fix doc/upgrading.txt which produces errors with latest docutils about
wrong block structure. Fix .gitignore in doc directory. Thanks to
Cheer Xiao for the patches. (Ralf)
- Fix wrong execute permissions on some files, thanks to Cheer Xiao for
the patch. (Ralf)
- Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
for the patch. (Ralf)
- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
reporting. (Ralf)
- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
issue2550689, but is untested if this really works in browsers.
Thanks to Joseph Myers for reporting. (Ralf)
- Fix another XSS with the ok- and error message, see issue2550724. We
now escape messages when added to the list so we can decide whether to
escape a message individually for each message. The default is to
escape. Thanks to David Benjamin for the bug-report and to Ezio
Melotti for several proposed fixes. (Ralf)
2011-07-15: 1.4.19
Features:
- Xapian indexing improved: Slightly faster and slightly smaller database.
Closes issue2550687. Thanks to Olly Betts for the patch. (Bernhard Reiter)
- PostgreSQL backend minor improvement: database creation less likely to fail
for PostgreSQL versions >= 8.1 as the table "postgres" is used by default.
Closes issue2550543. Thanks to Kai Storbeck for the patch. (Bernhard Reiter)
- Allow HTMLRequest.batch to filter on other permissions than "View"
(e.g. on the new "Search" permission") by adding a "permission"
parameter. Thanks to Eli Collins for the patch. Closes issue2550699. (Ralf)
Fixed:
- Installation: Fixed an issue that prevented to use EasyInstall
and a Python egg. Thanks to Satchidanand Haridas for the patch and
John Kristensen for testing it. (Bernhard Reiter)
- The PostgreSQL backend quotes database names now for CREATE and DROP,
enabling more exotic tracker names. Closes issue2550497.
Thanks to Sebastian Harl for providing the patch. (Bernhard Reiter)
- Updated the url to point to www.roundup-tracker.org in two places in the
docs. (Bernhard Reiter)
- Do not depend on a CPython implementation detail anymore to make Roundup
more compatible with other Python implementations like PyPy.
Closes issue2550707. Thanks to Christof Meerwald. (Bernhard Reiter, Richard)
- Yet another fix to the mail gateway, messages got *all* files of
an issue, not just the new ones. Thanks to Rafal Bisingier for
reporting and proposing a fix. The regression test was updated.
(Ralf)
- Fix version numbers in upgrade documentation, the file-unlink defect
was in 1.4.17 not 1.4.16. Thanks to Rafal Bisingier. (Ralf)
- Fix encoded email header parsing if multiple encoded and non-encoded
parts are present. RFC2047 specifies that spacing is removed only
between encoded parts, we always removed the space. Note that this bug
was present before mail gateway refactoring :-) Thanks for thorough
testing of mail gateway code by Rafal Bisingier. (Ralf)
- The "Retire" permission was not being registered. (Richard)
- Fix StringIO issue2550713: io.StringIO in newer versions of python
returns unicode strings and expects a unicode string in the
constructor. Unfortunately csv doesn't handle unicode (yet). So we
need to use a BytesIO which gets the utf-8 string from the
web-interface. Compatibility for old versions by using
StringIO.StringIO for emulating a io.BytesIO also works.
Thanks to Cédric Krier for reporting. Closes issue2550713.
Added a regression test for EditCSVAction (Ralf)
- Fix issue2550691 where a Unix From-Header was sometimes inserted in
outgoing emails, thanks to Joseph Myers for the patch. (Ralf)
2011-05-29: 1.4.18
Features:
- Norwegian Bokmal translation by Christian Aastorp (Ralf)
- Allow to specify additional cc and bcc emails (not roundup users) for
nosymessage used by the nosyreaction reactor. (Ralf)
Fixed:
- File-unlink defect in mailgw fixed! If an email was received
that contained no attachments, all previous files of the issue were unlinked.
This defect was introduced with the 1.4.17 release as an unwanted result
of the mail gate code refactoring. Thanks to Rafal Bisingier for reporting
and proposing a fix. There is now a regression test in place. (Ralf)
2011-05-13: 1.4.17
Features:
- Allow declaration of default_values for properties in schema.
- Add explicit "Search" permissions, see Security Fix below.
- Add "lookup" method to xmlrpc interface (Ralf Schlatterbeck)
- Multilinks can be filtered by combining elements with AND, OR and NOT
operators now. A javascript gui was added for "keywords", see issue2550648.
Developed by Sascha Teichmann; funded by Intevation. (Bernhard Reiter)
- Factor MailGW message parsing into a separate class, thanks to John
Kristensen who did the major work in issue2550576 -- I wouldn't
have attempted it without this. Fixes issue2550576. (Ralf)
- Now if the -C option to roundup-mailgw specifies "issue" this refers
to an issue-like class. The real class is determined from the
configured default class, or the -c option to the mailgw, or the class
resulting from mail subject parsing. We also accept multiple -S
options for the same class now. (Ralf)
- Optimisation: Late evaluation of Multilinks (only in rdbms backends):
previously we materialized each multilink in a Node -- this creates an
SQL query for each multilink (e.g. 'files' and 'messages' for each
line in the issue index display) -- even if the multilinks aren't
displayed. Now we compute multilinks only if they're accessed (and
keep them cached).
- Add a filter_iter similar to the existing filter call. This feature is
considered experimental. This is currently not used in the
web-interface but passes all tests for the filter call except sorting
by Multilinks (which isn't supported by SQL and isn't a sane concept
anyway). When using filter_iter instead of filter this saves a *lot*
of SQL queries: Filter returns only the IDs of Nodes in the database,
the additional content of a Node has to be fetched in a separate SQL
call. The new filter_iter also returns the IDs of Nodes (one by one,
it's an iterator) but pre-seeds the cache with the content of the
Node. The information needed for seeding the cache is retrieved in the
same SQL query as the ids.
Fixed:
- Security Fix: Add a check for search-permissions: now we allow
searching for properties only if the property is readable without a
check method or if an explicit search permission (see above unter
"Features) is given for the property. This fixes cases where a user
doesn't have access to a property but can deduce the content by
crafting a clever search, group or sort query.
see doc/upgrading.txt for how to fix your trackers! (Ralf Schlatterbeck).
- Range support in roundup-server so large files can be served,
e.g. media files on iOS/iPads; issue2550694. (Bernhard Reiter;
Thanks to Jon C. Thomason for the patch.)
- Fix search for xapian 1.2 issue2550676
(Bernhard Reiter; Thanks to Olly Betts for providing the patch.)
- Some minor typos fixed in doc/customizing.txt (Thanks Ralf Hemmecke).
- XML-RPC documentation now linked from the docs/index (Bernhard Reiter).
- Fix setting of sys.path when importing schema.py, fixes issue2550675,
thanks to Bryce L Nordgren for reporting. (Ralf Schlatterbeck)
- clear the cache on commit for rdbms backends: Don't carry over cached
values from one transaction to the next (there may be other changes
from other transactions) see new ConcurrentDBTest for a
read-modify-update cycle that fails with the old caching behavior.
(Ralf Schlatterbeck)
- Fix incorrect setting of template in customizing.txt example action,
patch via issue2550682 (thanks John Kristensen)
- Configuration issue: On some postgresql 8.4 installations (notably on
debian squeeze) the default template database used for database
creation doesn't match the needed character encoding UTF8 -- a new
config option 'template' in the rdbms section now allows specification
of the template. You know you need this option if you get the error
message:
psycopg2.DataError: new encoding (UTF8) is incompatible with the
encoding of the template database (SQL_ASCII)
HINT: Use the same encoding as in the template database, or use
template0 as template.
(Ralf Schlatterbeck)
- Fixed bug in mailgw refactoring, patch issue2550697 (thanks Hubert
Touvet)
- Fix Password handling security issue2550688 (thanks Joseph Myers for
reporting and Eli Collins for fixing) -- this fixes all observations
by Joseph Myers except for auto-migration of existing passwords.
- Add new config-option 'migrate_passwords' in section 'web' to
auto-migrate passwords at web-login time. Default for the new option
is "yes" so if you don't want that passwords are auto-migrated to a
more secure password scheme on user login, set this to "no" before
running your tracker(s) after the upgrade.
- Add new config-option 'password_pbkdf2_default_rounds' in 'main'
section to configure the default parameter for new password
generation. Set this to a higher value on faster systems which want
more security. Thanks to Eli Collins for implementing this (see
issue2550688).
- Fix documentation for roundup-server about the 'host' parameter as
suggested in issue2550693, fixes the first part of this issue. Make
'localhost' the new default for this parameter, note the upgrading
documentation of changed behaviour. We also deprecate the empty host
parameter for binding to all interfaces now (still left in for
compatibility). Thanks to Toni Mueller for providing the first version
of this patch and discussing implementations.
- Fixed bug in filter_iter refactoring (lazy multilinks), in rare cases
this would result in duplicate multilinks to the same node. We're now
going the safe route and doing lazy evaluation only for read-only
access, whenever updates are done we fetch everything.
2010-10-08: 1.4.16
Features:
- allow trackers to override the classes used to render properties in
templating per issue2550659 (thanks Ezio Melotti)
- new mailgw configuration item "subject_updates_title": If set to "no"
a changed subject in a reply to an issue will not update the issue
title with the changed subject. Thanks to Arkadiusz Kita and Peter
Funk for requesting the feature and discussing the implementation.
http://thread.gmane.org/gmane.comp.bug-tracking.roundup.user/10169
- new rdbms config item sqlite_timeout makes the previously hard-coded
timeout of 30 seconds configurable. This is the time a client waits
for the locked database to become free before giving up. Used only for
SQLite backend.
- new mailgw config item unpack_rfc822 that unpacks message attachments
of type message/rfc822 and attaches the individual parts instead of
attaching the whole message/rfc822 attachment to the roundup issue.
Fixed:
- fixed reporting of source missing warnings
- relevant tests made locale independent, issue2550660 (thanks
Benni Bärmann for reporting).
- fix for incorrect except: syntax, issue2550661 (thanks Jakub Wilk)
- No longer use the root logger, use a logger with prefix "roundup",
see http://thread.gmane.org/gmane.comp.bug-tracking.roundup.devel/5356
- improve handling of '>' when URLs are converted to links, issue2550664
(thanks Ezio Melotti)
- fixed registration, issue2550665 (thanks Timo Paulssen)
- make sorting of multilinks in the web interface more robust, issue2550663
- Fix charset of first text-part of outgoing multipart messages, thanks Dirk
Geschke for reporting, see
http://thread.gmane.org/gmane.comp.bug-tracking.roundup.user/10223
- Fix handling of incoming message/rfc822 attachments. These resulted in
a weird mail usage error because the email module threw a TypeError
which roundup interprets as a Reject exception. Fixes issue2550667.
Added regression tests for message/rfc822 attachments with and without
configured unpacking (mailgw unpack_rfc822, see Features above)
Thanks to Benni Bärmann for reporting.
- Allow search_popup macro to work with all db classes, issue2550567
(thanks John Kristensen)
- lower memory footprint for (journal-) import
2010-07-12: 1.4.15
Fixed:
- A bunch of regressions were introduced in the last release making Roundup
no longer work in Python releases prior to 2.6
- make URL detection a little smarter about brackets per issue2550657
(thanks Ezio Melotti)
2010-07-01: 1.4.14
Features:
- Preparations for getting 2to3 work, not completed yet. (Richard Jones)
Fixed:
- User input not escaped when a bad template name is supplied (thanks
Benjamin Pollack)
- The email for the first message on an issue was having its In-Reply-To
set to itself (thanks Eric Kow)
- Handle multiple @action values from broken trackers.
- Accept single-character subject lines
- xmlrpc handling of unicode characters and binary values, see
http://thread.gmane.org/gmane.comp.bug-tracking.roundup.user/10040
thanks to Hauke Duden for reporting these.
- frontends/roundup.cgi got out of sync with the roundup.cgi.Client API
- Default to "text/plain" if no Content-Type header is present in email
(thanks Hauke Duden)
- Small documentation update regarding debugging aids (Bernhard Reiter)
- Indexer Xapian, made Xapian 1.2 compatible. Needs at least Xapian 1.0.0 now.
(Bernhard Reiter; Thanks to Olly Betts for providing the patch Issue2550647.)
2010-02-19: 1.4.13
Fixed:
- Multilink edit fields lose their values (thanks Will Maier)
2010-02-09: 1.4.12
Features:
- Support IMAP CRAM-MD5, thanks Jochen Maes
Fixes:
- Proper handling of 'Create' permissions in both mail gateway (earlier
commit r4405 by Richard), web interface, and xmlrpc. This used to
check 'Edit' permission previously. See
http://thread.gmane.org/gmane.comp.bug-tracking.roundup.devel/5133
Add regression tests for proper handling of 'Create' and 'Edit'
permissions.
- Fix handling of non-ascii in realname in the nosy mailer, this used to
mangle the email address making it unusable when replying. Thanks to
intevation for funding the fix.
- Fix documentation on user required to run the tests, fixes
issue2550618, thanks to Chris aka 'radioking'
- Add simple doc about translating customised tracker content
- Add "flup" setup documentation, thanks Christian Glass
- Fix "Web Access" permission check to allow serving of static files to
Anonymous again
- Add check for "Web Access" permission in all web templating permission
checks
- Improvements in upgrading documentation, thanks Christian Glass
- Display 'today' in the account user's timezone, thanks David Wolever
- Fix file handle leak in some web interfaces with logging turned on,
fixes issue1675845
- Attempt to generate more human-readable addresses in email, fixes
issue2550632
- Allow value to be specified to multilink form element templating, fixes
issue2550613, thanks David Wolever
- Fix thread safety with stdin in roundup-server, fixes issue2550596
(thanks Werner Hunger)
2009-12-21: 1.4.11
Features:
- Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Fixes:
- Fix security hole allowing user permission escalation (thanks Ralf
Schlatterbeck)
- More SSL fixes. SSL wants the underlying socket non-blocking. So we
don't call socket.setdefaulttimeout in case of SSL. This apparently
never raises a WantReadError from SSL.
This also fixes a case where a WantReadError is raised and apparently
the bytes already read are dropped (seems the WantReadError is really
an error, not just an indication to retry).
- Correct initial- and end-handshakes for SSL
- Update FAQ to mention infinite redirects with pathological settings of
the tracker->web variable. Closes issue2537286, thanks to "stuidge"
for reporting.
- Fix some format errors in italian translation file
- Some bugs issue classifiers were causing database lookup errors
- Fix security-problem: If user hasn't permission on a message (notably
files and content properties) and is on the nosy list, the content was
sent via email. We now check that user has permission on the message
content and files properties. Thanks to Intevation for funding this
fix.
- Fix traceback on .../msgN/ url, this requests the file content and for
apache mod_wsgi produced a traceback because the mime type is None for
messages, fixes issue2550586, thanks to Thomas Arendsen Hein for
reporting and to Intevation for funding the fix.
- Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Thanks to Thomas Arendsen Hein for reporting and to Intevation for
funding the fix.
- Add documentation for migrating to the Register permission and
fix mailgw to use Register permission, fixes issue2550599
- Fix styling of calendar to make it more usable, fixes issue2550608
- Fix typo in email section of user guide, fixes issue2550607
- Fix WSGI response code (thanks Peter Pöml)
- Fix linking of an existing item to a newly created item, e.g.
edit action in web template is name="issue-1@link@msg" value="msg1"
would trigger a traceback about an unbound variable.
Add new regression test for this case. May be related to (now closed)
issue1177477. Thanks to Intevation for funding the fix.
- Clean up all the places where role processing occurs. This is now in a
central place in hyperdb.Class and is used consistently throughout.
This also means now a template can override the way role processing
occurs (e.g. for elaborate permission schemes). Thanks to intevation
for funding the change.
- Fix issue2550606 (german translation bug) "an hour" is only used in
the context "in an hour" or "an hour ago" which translates to german
"in einer Stunde" or "vor einer Stunde". So "an hour" is translated
"einer Stunde" (which sounds wrong at first). Also note that date.py
already has a comment saying "XXX this is internationally broken" --
but at least there's a workaround for german :-) Thanks to Chris
(radioking) for reporting.
2009-10-09: 1.4.10
Fixes:
- Minor update of doc/developers.txt to point to the new resources
on www.roundup-tracker.org (Bernhard Reiter)
- Small CSS improvements regaring the search box (thanks Thomas Arendsen Hein)
(issue 2550589)
- Indexers behaviour made more consistent regarding length of indexed words
and stopwords (thanks Thomas Arendsen Hein, Bernhard Reiter)(issue 2550584)
- fixed typos in the installation instructions (thanks Thomas Arendsen Hein)
(issue 2550573)
- New config option csv_field_size: Pythons csv module (which is used
for export/import) has a new field size limit starting with python2.5.
We now issue a warning during export if the limit is too small and use
the csv_field_size configuration during import to set the limit for
the csv module. (Ralf Schlatterbeck)
- Small fix for CGI-handling of XMLRPC requests for python2.4, this
worked only for 2.5 and beyond due to a change in the xmlrpc interface
in python (Ralf Schlatterbeck)
- Document filter method of xmlrpc interface (Ralf Schlatterbeck)
- Fix interaction of SSL and XMLRPC, now XMLRPC works with SSL
(Ralf Schlatterbeck)
2009-08-10: 1.4.9
Fixes:
- fixed action taken in response to invalid GET request
- fixed classic tracker template to submit POST requests when appropriate
- fix problems with french and german locale files (issue 2550546)
- Run each message of the mail-gateway in a separate transaction,
see http://thread.gmane.org/gmane.comp.bug-tracking.roundup.user/9500
- fix problem with bounce-message if incoming mail has insufficient
privilege, e.g., user not existing (issue 2550534)
- fix construction of individual messages to nosy recipents with
attachments (issue 2550568)
- re-order sqlite imports to handle multiple installed versions (issue
2550570)
- don't show entire history by default
(fixes http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540629)
- remove use of string exception
2009-03-18: 1.4.8
Fixes:
- bug introduced into hyperdb filter (issue 2550505)
- bug introduced into CVS export and view (issue 2550529)
- bugs introduced in the migration to the email package (issue 2550531)
- handle bogus pagination values (issue 2550530)
- fix TLS handling with some SMTP servers (issues 2484879 and 1912923)
2009-03-13: 1.4.7
Features:
- Provide a "no selection" option in web interface selection widgets
- Debug logging now uses the logging module rather than print
- Allow CGI frontend to serve XMLRPC requests.
- Added XMLRPC actions, as well as bridging CGI actions to XMLRPC actions.
- Optimized large file serving via mod_python / sendfile().
- Support resuming downloads for (large) files.
Fixes:
- a number of security issues were discovered by Daniel Diniz
- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- Handle Unauthorised in file serving correctly
- New item action reject creation of new users
- Item retirement was not being controlled
- Roundup is now compatible with Python 2.6
- Improved French and German translations
- Improve consistency of item sorting in HTML interface
- Various other small bug fixes, robustification and optimisation
2008-09-01: 1.4.6
Fixed:
- Fix bug introduced in 1.4.5 in RDBMS full-text indexing
- Make URL matching code less matchy
- Try to clarify mail_domain config setting
2008-08-19: 1.4.5
Feature:
- Add use of username/password stored in ~/.netrc in mailgw (sf patch
#1912105)
Fixed:
- 'Make a Copy' failed with more than one person in nosy list (sf #1906147)
- xml-rpc security checks and tests across all backends (sf #1907211)
- Send a Precedence header in email so (well-written) autoresponders don't
- Fix mailgw total failure bounce message generation (thanks Bradley Dean)
- Fix for postgres 8.3 compatibility (and bug) (sf patch #2030479 and bug
#1959261)
- Fix for translations (sf patch #2032526)
- Fire reactors after file storage is all done (sf patch #2001243)
- Allow negative ids other than -1 for item generation (sf patch #1982481)
- Better German translation for retiring users (sf #1998701)
- More improvements to German translation (sf #1919446)
- Add filter() to XML-RPC interface (sf patch #1966456)
- Fix IndexError when there are no messages to an issue (sf patch #1894249)
- Prevent broken pipe errors in csv export (sf patch #1911449)
- New session API and cleanup (anatoly techtonik)
- Make WSGI handler threadsafe (sf #1968027)
- Improved URL matching RE (sf #2038858)
- Allow binary file content submission via XML-RPC (sf #1995623)
- Don't run old code on newer database (sf #1979556)
- Fix HTML injection into page title
- Fix indexer handling of indexed Link properties (sf #1936876)
2008-03-01: 1.4.4
Fixed:
- Security fixes (thanks Roland Meister)
2008-02-27: 1.4.3
Fixed:
- MySQL backend bug introduced in 1.4.2 (TEXT columns need a size when
being indexed)
2008-02-08: 1.4.2
Feature:
- New config option in mail section: ignore_alternatives allows to
ignore alternatives besides the text/plain part used for the content
of a message in multipart/alternative attachments.
- Admin copy of error email from mailgw includes traceback (thanks Ulrik
Mikaelsson)
- Messages created through the web are now given an in-reply-to header
when email out to nosy (thanks Martin v. Löwis)
- Nosy messages now include more information about issues (all link
properties with a "name" attribute) (thanks Martin v. Löwis)
Fixed:
- Searching date range by supplying just a date as the filter spec
- Handle no time.tzset under Windows (sf #1825643)
- Fix race condition in file storage transaction commit (sf #1883580)
- Make user utils JS work with firstname/lastname again (sf #1868323)
- Fix ZRoundup to work with Zope 2.8.5 (sf #1806125)
- Fix race condition for key properties in rdbms backends (sf #1876683)
- Handle Reject in mailgw final set/create (sf #1826425)
2007-11-09: 1.4.1
Fixed:
- Removed some metakit references
2007-11-04: 1.4.0
Feature:
- Roundup has a new xmlrpc frontend that gives access to a tracker using
XMLRPC.
- Dates can now be in the year-range 1-9999
- The metakit backend has been removed
- Add simple anti-spam recipe to docs
- Allow customisation of regular expressions used in email parsing, thanks
Bruno Damour
- Italian translation by Marco Ghidinelli
- Multilinks take any iterable
- config option: specify port and local hostname for SMTP connections
- Tracker index templating (i.e. when roundup_server is serving multiple
trackers) (sf bug 1058020)
- config option: Limit nosy attachments based on size (Philipp Gortan)
- roundup_server supports SSL via pyopenssl
- templatable 404 not found messages (sf bug 1403287)
- Unauthorized email includes a link to the registration page for
the tracker
- config options: control whether author info/email is included in email
sent by roundup
- support for receiving OpenPGP MIME messages (signed or encrypted)
Fixed:
- Handling of unset Link search in RDBMS backend
- Journal export of anydbm didn't correctly export previously empty values
- Fix handling of defaults for date fields
- Fix