##// END OF EJS Templates
auth: don't break hashing in case of user with empty password....
auth: don't break hashing in case of user with empty password. In some cases such as LDAP user created via external scripts users might set the passwords to empty. The hashing uses the md5(password_hash) to store reference to detect password changes and forbid using the same password. In case of pure LDAP users this is not valid, and we shouldn't raise Errors in such case. This change makes it work for empty passwords now.

File last commit:

r302:37a52f4e default
r2203:8a18c3c3 default
Show More
release-notes-4.2.0.rst
70 lines | 2.6 KiB | text/x-rst | RstLexer

|RCE| 4.2.0 |RNS|

Release Date

  • 2016-06-30

General

  • Autocomplete: add GET flag support to show/hide active users on autocomplete, also display this information in autocomplete data. ref #3374
  • Gravatar: add flag to show current gravatar + user as disabled user (non-active)
  • Repos, repo groups, user groups: allow to use disabled users in owner field. This fixes #3374.
  • Repos, repo groups, user groups: visually show what user is an owner of a resource, and if potentially he is disabled in the system.
  • Pull requests: reorder navigation on repo pull requests, fixes #2995
  • Dependencies: bump dulwich to 0.13.0

New Features

  • My account: made pull requests aggregate view for users look like not created in 1995. Now uses a consistent look with repo one.
  • emails: expose profile link on registation email that super-admins receive. Implements #3999.
  • Social auth: move the buttons to the top of nav so they are easier to reach.

Security

  • Encryption: allow to pass in alternative key for encryption values. Now users can use rhodecode.encrypted_values.secret that is alternative key, de-coupled from beaker.session key.
  • Encryption: Implement a slightly improved AesCipher encryption. This addresses issues from #4036.
  • Encryption: encrypted values now by default uses HMAC signatures to detect if data or secret key is incorrect. The strict checks can be disabled using rhodecode.encrypted_values.strict = false .ini setting

Performance

  • Sql: use smarter JOINs when fetching repository information
  • Helpers: optimize slight calls for link_to_user to save some intense queries.
  • App settings: use computed caches for repository settings, this in some cases brings almost 4x performance increase for large repos with a lot of issue tracker patterns.

Fixes

  • Fixed events on user pre/post create actions
  • Authentication: fixed problem with saving forms with errors on auth plugins
  • Svn: Avoid chunked transfer for Subversion that caused checkout issues in some cases.
  • Users: fix generate new user password helper.
  • Celery: fixed problem with workers running action in sync mode in some cases.
  • Setup-db: fix redundant question on writable dir. The question needs to be asked only when the dir is actually not writable.
  • Elasticsearch: fixed issues when searching single repo using elastic search
  • Social auth: fix issues with non-active users using social authentication causing a 500 error.
  • Fixed problem with largefiles extensions on per-repo settings using local .hgrc files present inside the repo directory.