##// END OF EJS Templates
feat(hide recaptcha secrets): masked sensitive information related to reCaptcha configuration.
feat(hide recaptcha secrets): masked sensitive information related to reCaptcha configuration.

File last commit:

r3029:ffbe1931 stable
r5641:ad0048eb tip default
Show More
release-notes-4.13.0.rst
137 lines | 6.9 KiB | text/x-rst | RstLexer
/ docs / release-notes / release-notes-4.13.0.rst
docs: added release notes for 4.13
r2998 |RCE| 4.13.0 |RNS|
------------------
Release Date
^^^^^^^^^^^^
- 2018-09-05
New Features
^^^^^^^^^^^^
- Branch permissions: new set of permissions were added to control branch modification.
There are 4 basic permissions that can be set for branch names/branch patterns:
* no-access (any modification for given branch is forbidden)
* web-merge (modify branch by web based PR merge)
* push (only non-forced modification on branch are allowed)
* forced push (all modification to branch are allowed)
Available in EE edition only.
- Unified search and repo-switcher: a new persistent search box is now present allowing
to search for repositories, repository groups, commits (using full text search),
users, user-groups. Replaces redundant quick-filters/repo switcher.
- Default Reviewers: added possibility to match against regex based pattern as
alternative syntax to glob which didn't handle all the cases.
- Built-in Error tracker: added new exception tracking capability. All errors are now
tracked and stored. This allows instance admins to see potential problems without
access to the machine and logs.
- User Groups: each user group which users have access to expose public profile link.
It's possible to view the members of a group before attaching it to any resource.
- New caching framework: existing Beaker cache was completely replaced by dogpile.cache
library. This new cache framework in addition to solving multiple
performance/reliability problems of Beaker is used to cache permissions tree.
This gives huge performance boosts for very large and complex permission trees.
- Pull Requests: description field is now allowed to use a RST/Markdown syntax.
- SVN: added support for SVN 1.10 release line.
General
^^^^^^^
- Google: updated google auth plugin with latest API changes.
- Frontend: Switched to Polymer 2.0.
- Events: added a default timeout for operation calling the endpoint url, so
they won't block forever.
- SQLAlchemy: allow DB connection ping/refresh using dedicated flag from .ini file.
`sqlalchemy.db1.ping_connection = true`
- Pull Requests: added option to force-refresh merge workspace in case of problems.
Adding GET param `?force_refresh=1` into PR page triggers the refresh.
- Pull Requests: show more info about version of comment vs latest version.
- Diffs: skip line numbers during copy from a diff view.
- License: use simple cache to read license info.
Due to the complex and expensive encryption, this reduces requests time by ~10ms.
- Debug: add new custom logging to track unique requests across systems.
Allows tracking single requests in very busy system by unique ID added into logging system.
- Configuration: .ini files now can replace a special placeholders e.g "{ENV_NAME}"
into a value from the ENVIRONMENT. Allows easier setup in Docker and similar.
- Backend: don't support vcsserver.scm_app anymore, now it uses http even if scm_app
is specified.
- Repositories: re-order creation/fork forms for better UX and consistency.
- UI: Add the number of inactive users in _admin/users and _admin/user_groups
- UX: updated registration form to better indicate what is the process of binding a
RhodeCode account with external one like Google.
- API: pull-requests allow automatic title generation via API
- VCSServer: errors: use a better interface to track exceptions and tracebacks.
- VCSServer: caches: replaced beaker with dogpile cache.
- GIT: use GIT_DISCOVERY_ACROSS_FILESYSTEM for better compatibility on NFS servers.
- Dependencies: bumped mercurial to 4.6.2
- Dependencies: bumped evolve to 8.0.1
- Dependencies: bumped hgsubversion to 1.9.2
- Dependencies: bumped git version to 2.16.4
- Dependencies: bumped SVN to 1.10.2
- Dependencies: added alternative pymysql drivers for mysql
- NIX: updated to 18.03 nix packages, now shipped with python 2.7.15
release and multiple other new libraries.
Security
^^^^^^^^
- Mercurial: general protocol security updates.
* Fixes Mercurial's CVE for lack of permissions checking on mercurial batch commands.
* Introduced more strict checks for permissions, now they default to push instead of pull.
* Decypher batch commands and pick top-most permission to be required.
* This follows changes in Mercurial CORE after 4.6.1 release.
- Fixed bug in bleach sanitizer allowing certain custom payload to bypass it. Now
we always fails if sanitizing fails. This could lead to stored XSS
- Fixed stored XSS in binary file rendering.
- Fixed stored XSS in repo forks datagrid.
Performance
^^^^^^^^^^^
- Permissions: Permission trees for users and now cached, after calculation.
This reduces response time for some pages dramatically.
In case of any permission changes caches are invalidated.
- Core: new dogpile.cache based cache framework was introduced, which is faster than
previously used Beaker.
Fixes
^^^^^
- Audit Logs: store properly IP for certain events.
- External Auth: pass along came_from into the url so we get properly
redirected back after logging using external auth provider.
- Pull Requests: lock submit on pull request to prevent double submission on a fast click.
- Pull Requests: fixed a case of unresolved comments attached to removed file in pull request.
That prevented from closing it.
- Pull Requests: use numeric repo id for creation of shadow repos. Fixes a problem
when repository is renamed during PR lifetime.
- API: fixed creation of a pull request with default reviewer rules.
- Default Reviewers: fixed voting rule calculation on user group.
- Pull Requests: in GIT use force fetch and update for target ref.
This solves a case when in PR a target repository is force updated (by push force)
and is out of sync.
- VCSServer: detect early potential locale problem, and fallback to LC_ALL=C,
instead of crashing vcsserver.
- Pull Requests: use a safer way of destroying shadow repositories.
Fixes some problems in NFS storage and big repositories
Upgrade notes
^^^^^^^^^^^^^
- The direct backend `vcsserver.scm_app` is not supported anymore. This backed was
already deprecated some time ago. Now it will use `http` mode even if scm_app is
specified. Please contact us in case you still use it, and not sure how to upgrade.
- New dogpile cache settings are not ported to converted .ini. If users want to do
adjustments please copy the settings over dogpile cache section from a newly
generated rhodecode.template.ini file. This file is stored next to rhodecode.ini
- SVN 1.10.2 was introduced in this release. Please make sure to update your
mod_dav to the same version for best compatibility.
docs: added 4.13 release note about potential encoding problems
r3029 - This release brings new Database drivers. We discovered that in some setups it is now
required to explicitly define a encoding charset in the database connection string.
If you're getting a permanent exception such as `"UnicodeDecodeError: 'utf8' codec can't decode byte 0xfc in position 15: invalid start byte"`
please follow a fix from here: https://community.rhodecode.com/t/unicodedecodeerror-utf8-codec-cant-decode-byte-0xfc-in-position-15-invalid-start-byte/246