Show More
release-notes-4.8.0.rst
102 lines
| 4.3 KiB
| text/x-rst
|
RstLexer
r1848 | |RCE| 4.8.0 |RNS| | ||
----------------- | |||
Release Date | |||
^^^^^^^^^^^^ | |||
- 2017-06-30 | |||
New Features | |||
^^^^^^^^^^^^ | |||
- Code Review: added new reviewers logic. This features now is Common Criteria | |||
compatible and allows to define Mandatory (non-removable) reviewers. | |||
In addition new options were added to forbid adding new reviewers or forbid | |||
author of commits or the pull request itself to be a reviewer of the code. | |||
- Audit logs: introducing new audit logs tracking most important actions in | |||
the system. Admins can track important events such as deletion of resources, | |||
permissions changes, user groups changes. Each event tracks users with his | |||
IP and user agent. | |||
- Mercurial: enabled evolve extensions. Each repository can be now configured | |||
to support evolve, commit phases, and evolve state are also shown in | |||
commit and changelog views. | |||
- VCS: expose newly pushed bookmarks or branches as quick links to open a | |||
pull request on client output. Allows easier pull request creation via CLI. | |||
General | |||
^^^^^^^ | |||
- Core: ported many views into pure pyramid code with python3.6 compatibility. | |||
Now almost 80% of the code is ported, and future ready. It's our ongoing | |||
effort to allow support for modern python version. | |||
- Comments: show author tag in pull request comments to easily | |||
discover the author of changes in discussions. | |||
- Files: allow specifying custom filename for uploaded files via web interface. | |||
- Pull requests: changed who is allowed to close a pull request. Now it's only | |||
super-admin, owner or person who can merge. | |||
Before it was every reviewer can close. Which really doesn't make sense. | |||
- Users: show that user is disabled when editing his properties. | |||
- Integrations: expose user_id, and username in Webhook integration | |||
templates arguments. | |||
- Integrations: exposed extra repo variables in template arguments of | |||
Webhook integration. | |||
- Login: add link when using external auth to make it easier to login | |||
using oauth providers, such as Google or Github. | |||
- Maintenance: added svn verify command to tasks to be able to verify the | |||
filesystem and repo formats from web interface. Allows much easier tracking | |||
of incompatible filesystem storage of subversion repositories. | |||
- Events: expose permalink urls for pull requests, and repositories. | |||
Permalink url should provide a non-changeable url that can be used in | |||
external system. | |||
- Svn: increase possibility to specify compatibility to pre 1.9 version. | |||
Security | |||
^^^^^^^^ | |||
- security(high): fixed possibility to delete other users inline comments | |||
for users who were repository admins. | |||
- security(med): fixed XSS inside the tooltip for author string. | |||
- security(med): fixed stored XSS in notifications inbox. | |||
- security(med): use custom writer for RST rendering to prevent injection of javascript: tags. | |||
- security(med): escape flash messaged VCS errors to prevent reflected XSS attacks. | |||
- security(low): use 404 instead of 403 code on permission decorator to | |||
prevent brute force resource discovery attacks. | |||
- security(low): fixed self XSS inside autocomplete files view. | |||
- security(low): fixed self Xss inside repo strip view. | |||
- security(low): fixed self Xss inside the email add functionality. | |||
- security(none): use new safe escaped user attributes across the application. | |||
Will prevent all possible XSS attack vectors from user stored attributes. | |||
This specially can come from external authentication systems which doesn't | |||
validate the data. | |||
Performance | |||
^^^^^^^^^^^ | |||
Fixes | |||
^^^^^ | |||
- Pull requests: make sure we process comments in the order of IDS when | |||
linking them. In some edge cases it could lead to comments not displaying | |||
correctly. | |||
- Emails: fixed newlines in email templates that can break email sending code. | |||
- Markdown: fixed hr and strong tags styling. | |||
- Notifications: fixed problem with 500 errors on non-numeric entries in url. | |||
- API: use simple schema validator to be consistent how we validate between | |||
API and web views for create user and create user_group calls. | |||
- Users: fixed problem with personal repo group wasn't shown for disabled users. | |||
- Oauth: improve Google extraction of first/last name from returned data. | |||
Upgrade notes | |||
^^^^^^^^^^^^^ | |||
- API: the `update_pull_request` method will no longer support a close action. | |||
Users should use the existing `close_pull_request` method which allows | |||
specifying a message and status while closing a pull request. |