##// END OF EJS Templates
security: limit the maximum password lenght to 72 characters to prevent possible...
security: limit the maximum password lenght to 72 characters to prevent possible server side resource consumption attack. - bcrypt heavy computation can lead to DOS using a very long password .eg 10**8 lenght. - we allowed this on registration or on password update

File last commit:

r1:854a839a default
r2192:a51e727d stable
Show More
release-notes-3.0.0.rst
166 lines | 8.0 KiB | text/x-rst | RstLexer
/ docs / release-notes / release-notes-3.0.0.rst
project: added all source files and assets
r1 |RCE| 3.0.0 |RNS|
-----------------
As |RCM| 3.0 is a big release, the release notes have been split into the following sections:
* :ref:`general-rn-ref`
* :ref:`security-rn-ref`
* :ref:`api-rn-ref`
* :ref:`performance-rn-ref`
* :ref:`prs-rn-ref`
* :ref:`gists-rn-ref`
* :ref:`search-rn-ref`
* :ref:`fixes-rn-ref`
.. _general-rn-ref:
General
^^^^^^^
* Released 2015-01-27
* Basic |svn| support added
* GPLv3 components removed
* Server/Client architecture for VCS systems created
* Python 2.5 and 2.6 support deprecated
* Server info pages now show gist/archive cache storage, and also CPU/Memory/Load information.
* Added new bulk commit (changeset) status comment form into compare view which enables bulk code-reviews without
opening a pull-request.
* License checks and limits now only apply to active users.
* Removed CLI command for |repo| scans as it can be done via an API call.
* VCS backends can be globally enabled/disabled from the :file:`rhodecode.ini` file.
* Added a UI option to set default rendering to rst or markdown.
* Added syntax highlighting to 2 way compare diff.
* Markup rendering can now render checkboxes for easy checklists generation.
* Gravatars are now retina ready.
* Admins can define custom CSS or JavaScript in the header or footer via new pre/post code options.
* Replaced ``graph.js`` with ``commits-graph.js`` html5 implementation.
* Added editable owner field for repository groups, and user group.
* Added an option to detach/delete user repositories when deleting users from the system.
* Added a Supervisor control page that shows status of processes.
* User admin grid can now filter by username OR email.
* Added personal |repo| group link for easier fork creation.
* Added support for using subdirectories when creating and uploading new files.
* Added option to rename a file from the web interface.
* Added arrow key navigation to file filter and fixed the back button behaviour.
* Added fuzzy matching to file filter.
* Added functionality to create folder structures along with files when adding content via the web interface.
* Separated default permissions UI into `global`, `user`, or `object` permissions management.
* Added an inheritance flag to object permissions which allows for explicit permissions which disregard global
permissions.
* Added post create repository group hook.
* Added trigger push hooks on online file editor.
* Added default title for pull request.
* More detailed logs during Authentication.
* More explicit logging when permission checks occur.
* Switched the implementation of |git| ``fetch clone pull checkout`` commands to pure |py| without any subprocess
calls.
* Introduced the ``rcserver`` command for custom development.
* Added the ability to force no cache archived via the ``GET no_cache`` flag
.. _security-rn-ref:
Security
^^^^^^^^
* CSRF (Cross-Site Request Forgery) tokens now in all pages that use forms.
* The ``clone_url`` field is now AES encrypted inside the database.
* ACLs (Access Control Lists) are checked on the gist edit page for logged in users.
* New repository groups and repositories are created with 0755 permissions and not not 0777.
* Explicit RSS tokens are used for the RSS journal, when leaked, limits access to RSS only.
* Fixed XSS issues when rendering raw SVG files.
* Added force password reset option for users.
* IP list now accepts comma-separated values, and also ranges using `-` to specify multiple addresses.
* Added ``auth tokens``, these authentication tokens can be used as an alternative to passwords.
* Added roles (``http, api, rss, all, vcs``) into authentication tokens (previously called ``apikeys``).
* LDAP Group Support added.
* Added JASIG CAS auth plugin support.
* Added a plugin parameter that defines if a plugin can create new users on the fly.
.. _api-rn-ref:
API
^^^
* Added permissions delegation when creating |repos| or |repo| groups.
* Added ``strip`` support for |hg| and |git| |repos|.
* Added comments API for commits.
* Added add/remove methods for extra fields in repositories.
* ``get_*`` calls now use ``permission()`` and ``permission_user_group()`` methods for unified permissions structure.
* ``get_repo_nodes`` information sending has changed and is no longer a boolean flag, it's now ``basic`` or ``full``.
* Due to configurable backends ``repo_type`` is now mandatory parameter for the ``create_repo`` call.
.. _performance-rn-ref:
Performance
^^^^^^^^^^^
* Significant performance improvements across all application functions.
* HTTP Authentication performance enhancements.
* Added a ``scope`` variable to the permissions fetching function which improves building permission trees in large
amounts by a factor of 10.
* Implemented caching logic for all authentication plugins. The ``AUTH_CACHE_TTL = <int>`` property now allow you to
set the cache in seconds.
.. _prs-rn-ref:
Pull Requests
^^^^^^^^^^^^^
* Pull requests can be now updated and merged from the web interface
* Fixed creating a Mercurial |pr| from a bookmark.
* Forbid closing pull requests when calculated status is different that the approved or rejected version.
* Properly display calculated pull request review status on listing page.
* Disable delete comment button if |pr| is closed.
.. _gists-rn-ref:
Gists
^^^^^
* New UI based on grids with filtering.
* Super-admins can see all gists.
* Gists can now be created with a custom names.
.. _search-rn-ref:
Search
^^^^^^
* New API based indexer.
* Added the ability to create size limits for indexed files.
* Added a new mapping configuration file which gives a very high level of flexibility when creating full text search.
.. _fixes-rn-ref:
Fixes
^^^^^
* General: fixed issues with dependent objects, such as ``users`` in ``user groups``. Cleaning up these dependent
objects is now done in a safe way.
* General: deleting a ``user group`` from **settings > advanced** will use force removal and cleanup from all
associations.
* General: fixed issue with filter proxy middleware it's now more error prone.
* General: fixed issues with unable to create fork inside a group.
* General: fixed bad logic in ``ext_json`` lib, that checked bool on microseconds, in case it was 0 bool it returned False.
* General: authors in annotation mode shows authors of current source, not from all history (that is in normal mode)
* Permissions: fix issue when inherit flag for user group stopped working after initial permissions set.
* |git|: fixed shallow clones.
* |git|: added ``\n`` into the service line of |git| protocol. It is in the specifications and some python clients
require this.
* |hg|: fix thread safety for mercurial ``in-memory`` commits.
* Windows: fixed issue with shebang and env headers.
* MySQL: fixed database fields with 256 char length with added indexes. Mysql had problems with them.
* Database: fixed bad usage of matching using ``ILIKE``. Previously it could happen that if you had
``marcin_1@rhodecode.com`` and ``marcin_2@rhodecode.com`` emails, using ``marcin_@rhodecode.com`` would match both.
* VCS: fixed issues with double new lines on the commit patches.
* VCS: repository locking now requires write permission to repository. If we allowed locking with read,
people can lock repository without an option to unlock it.
* Models: removed the ``isdigit`` call that can create issues when names are actually numbers on fetching objects.
* Files: Fix bug with show authors in annotate view.
* Hooks: truncate excessive commit lists on ``post_push`` hook.
* Hooks: in |git|, support added to set the default branch if it is not ``master``.
* Notifications: now can be marked as read when you are not admin.
* Notifications: marking all notifications as read will hide the counter.
* Frontend: fixed branch-tag switcher multiple ajax calls.
* Repository group: |repo| group owners can now change group settings even if they don't have access to top-level
permissions.
* Repositories: if you set ``Fork of`` in advanced repository settings it will now only show valid repositories
with the same type.