Indico

Latest version: v3.3.6


3.3.7
-------------

*Unreleased*

Improvements
^^^^^^^^^^^^

- Nothing so far :(

Bugfixes
^^^^^^^^

- Nothing so far :)

Accessibility
^^^^^^^^^^^^^

- Nothing so far

Internal Changes
^^^^^^^^^^^^^^^^

- Nothing so far

3.3.6
-------------

*Released on March 24, 2025*

Security fixes
^^^^^^^^^^^^^^

- Update the `Jinja2 <https://pypi.org/project/Jinja2/>`__ library due to a
sandbox escape vulnerability (:cve:`2025-27516`).

.. note::

    Since document templates can only be managed by Indico admins (unless granted to
    specific other trusted users as well), the impact of this vulnerability is considered
    low to medium, as it would require a malicious admin to abuse this, e.g. to read
    ``indico.conf`` data, which is otherwise only accessible to people with direct server
    access.

Improvements
^^^^^^^^^^^^

- Add a new "Accepted by Submitter" state for editables when a submitter approved
the changes proposed by the editor (:issue:`6185`, :pr:`6186`)
- Highlight editables in the editable list that have been updated since the last time
they were viewed (:pr:`6500`)
- Refresh the looks of the PDF timetable (:issue:`6554`, :pr:`6558`)
- Redact session cookie value in error emails (:pr:`6666`)
- Allow creating a new local account during password reset if the user does not have
one yet (:pr:`6688`)
- Set session cookies with ``SameSite=Lax`` so they are not sent when Indico is embedded
in a third-party iframe (:pr:`6690`)
- Make the event export/import util much more flexible to support exporting whole
category subtrees, add better support for dealing with files, and add various things
that were not correctly exported before (:pr:`6446`)
- Add a setting to limit the information room booking users can see for bookings not
linked to them or their rooms (:pr:`6704`)
- Add shortcuts to the past and closest events in a category (:pr:`6710`)
- Improve the appearance of the date pickers (:issue:`6719`, :pr:`6720`, thanks :user:`foxbunny`)
- Add a new setting (:data:`ALLOW_ADMIN_USER_DELETION`) to let administrators permanently
delete Indico users from the user management UI (:pr:`6652`, thanks :user:`SegiNyn`)
- Support ``==text==`` to highlight text in markdown (:issue:`6731`, :pr:`6732, 6767`)
- Add an event setting to allow enforcing search before entering a person manually to
a persons list in abstracts and contributions (:pr:`6689`)
- Allow users to login using their email address (:pr:`6522`, thanks :user:`SegiNyn`)
- Do not "inline" the full participant list in conference events using a meeting-style
timetable and link to the conference participant list instead (:pr:`6753`)
- Add new setting :data:`LOCAL_USERNAMES` to disable usernames for logging in and only
use the email address (:pr:`6751`, :pr:`6810`)
- Tell search engines to not index events marked as "invisible" (:pr:`6762`, thanks
:user:`openprojects`)
- Make the minimum length of local account passwords configurable, and default to ``15``
instead of ``8`` for new installations (:issue:`6629`, :pr:`6740`, thanks :user:`amCap1712`)
- Include submitter email in abstract PDF export (:issue:`3631`, :pr:`6748`, thanks
:user:`amCap1712`)
- Remove anonymized users from local groups (:pr:`6738`, thanks :user:`SegiNyn`)
- Add ACLs for room booking locations which can grant privileges on the location itself
and/or all its rooms (:pr:`6566`, thanks :user:`SegiNyn`)
- Support alternative names in predefined affiliations and make its search more powerful
(:pr:`6758`)
- Add setting to disallow entering custom affiliations when predefined affiliations are used
(:pr:`6809`)
- Log changes to event payment methods (:pr:`6739`)
- Add button to select all rooms for exporting in the room list (:pr:`6773`, thanks
:user:`Michi03`)
- Include abstract details in comment notification email subject (:issue:`6449`, :pr:`6782`,
thanks :user:`amCap1712`)
- Use markdown editor field in survey questionnaire setup (:pr:`6783`, thanks :user:`amCap1712`)
- Use markdown editor field for contribution description (:issue:`6723`, :pr:`6749`, thanks
:user:`amCap1712`)
- Allow resetting registrations back to pending in bulk (:issue:`5954`, :pr:`6784`, thanks
:user:`amCap1712`)
- Allow to configure a restrictive set of allowed contribution keywords (:pr:`6778`, thanks
:user:`tomako, unconventionaldotdev`)
- Add a log for user actions, similar to that in events and categories (:pr:`6779`, :pr:`6813`,
thanks :user:`tomako`)

Bugfixes
^^^^^^^^

- Fix error when using the "Request approval" editing action on an editable that
does not have publishable files (:pr:`6186`)
- Do not fail if a user has an invalid timezone stored in the database (:pr:`6647`)
- Ensure the event name is correctly encoded to prevent issues with special characters
in the share event widget (:pr:`6649`)
- Fix sending emails if site name contains an ` character (:pr:`6687`)
- Do not show country field description twice in registration forms (:pr:`6708`)
- Do not show "other" document templates from deleted events/categories (:pr:`6711`)
- Fix price display of choice fields in registration form (:issue:`6728`, :pr:`6729`)
- Fix error when creating a new room and setting attributes or equipment during creation
(:pr:`6730`)
- Fix the usage of select list scrollbar causing it to close immediately (:issue:`6735`,
:pr:`6736`, thanks :user:`foxbunny`)
- Trigger event creation notification emails when cloning events (:pr:`6744`)
- Fix image uploading not working when editing an existing note without having permissions
to manage materials on the event level (:pr:`6760`)
- Do not redirect to the ToS acceptance page when impersonating a user (:pr:`6770`)
- Fix display issues after reacting to a favorite category suggestion (:pr:`6771`)
- Include event labels in dashboard ICS export (:issue:`5886, 6372`, :pr:`6769`, thanks
:user:`amCap1712`)
- Do not show default values for purged registration fields (:issue:`5898`, :pr:`6772, 6781`,
thanks :user:`amCap1712`)
- Do not create empty survey sections during event cloning (:pr:`6774`)
- Fix inaccurate timezone in the dates of the timetable PDF (:pr:`6786`)
- Fix error with accommodation fields that have the "no accommodation" option disabled
(:pr:`6812`)
- Reset token-based links for correct user when done by an admin (:pr:`6814`)

Accessibility
^^^^^^^^^^^^^

- Make field validation error messages more accessible in the registration form
(:pr:`6324`, thanks :user:`foxbunny`)
- Implement a new date range picker and use it in the Room Booking module
(:pr:`6464`, thanks :user:`foxbunny`)
- Make main section title in the base layout the default bypass blocks target
(:pr:`6726`, thanks :user:`foxbunny`)
- Improve places selection accessibility in SingleChoiceInput
(:pr:`6763`, thanks :user:`foxbunny`)
- Improve places selection accessibility in MultiChoiceInput
(:pr:`6764`, thanks :user:`foxbunny`)
- Improve BooleanInput accessibility (:pr:`6756`, thanks :user:`foxbunny`)
- Improve keyboard navigation order within the category list page
(:pr:`6776`, thanks :user:`foxbunny`)

Internal Changes
^^^^^^^^^^^^^^^^

- Remove the `marshmallow-enum` dependency (:issue:`6701`, :pr:`6703`, thanks
:user:`federez-tba`)
- Add new signals during signup email validation and login which can make the
process fail with a custom message (:pr:`6759`, thanks :user:`openprojects`)

3.3.5
-------------

*Released on December 02, 2024*

Security fixes
^^^^^^^^^^^^^^

- Fix an open redirect during account creation. Exploitation requires initiating
account creation with a maliciously crafted link, and then finalizing the signup
process, after which the user would be redirected to an external page instead of
staying on Indico (thanks :user:`GauthierGitHub`)

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Japanese

Improvements
^^^^^^^^^^^^

- Allow specifying "prev" and "next" as the date param on the category overview
page to show the previous or next period relative to the current date (:pr:`6537`)
- Add caching and rate-limiting (configurable via :data:`LATEX_RATE_LIMIT`, and only applied
to unauthenticated users) for endpoints that trigger LaTeX PDF generation (:pr:`6526`)
- Log changes to registration form settings in the event log (:pr:`6544`, thanks :user:`vtran99`)
- Improve conference participant list, especially when participants from multiple registration
forms are shown separately (:issue:`6440`, :pr:`6489`)
- Include information about attached files in JSON export of abstracts (:pr:`6556`)
- Take session program codes into account when sorting parallel sessions with the same start time
in meeting timetable (:pr:`6575`)
- Enforce browser-side caching of event logos and custom stylesheets (:issue:`6555`, :pr:`6559`)
- Default to banner-style (full width) logos in newly created conference events (:pr:`6572`,
thanks :user:`omegak`)
- Add email placeholder for the picture associated with a registration (:pr:`6580`, thanks
:user:`vtran99`)
- Allow setting placeholders for text fields in document templates (:pr:`6587`)
- Add a new document template for Certificates of Attendance (:pr:`6587`)
- Show correct repetition details for bookings repeating every n weeks (:pr:`6592`)
- Show context (event/contribution title etc.) in the title of the minutes editor (:issue:`6584`,
:pr:`6591`)
- Streamline "get next editable" UI and only show editables that are still unassigned (:pr:`6583`)
- Add preview link for custom text snippets in registration notification emails (:issue:`6539`,
:pr:`6560`, thanks :user:`Moliholy, unconventionaldotdev`)
- Stop spoofing email sender addresses when using the :data:`SMTP_ALLOWED_SENDERS` and
:data:`SMTP_SENDER_FALLBACK` config settings. Instead, the *From* address will be rewritten
to the fallback whenever the requested address is not an allowed sender (:pr:`6231`, thanks
:user:`SegiNyn`)
- Allow alternative CSV delimiters everywhere when importing content from CSV files (:pr:`6607`,
thanks :user:`Moliholy, unconventionaldotdev`)
- Improve readability of room booking room statistics card (:pr:`6616`)
- Add option to use flat zip file structure when downloading registration attachments
(:issue:`6536`, :pr:`6608`, thanks :user:`Moliholy, unconventionaldotdev`)

Bugfixes
^^^^^^^^

- Make picture field more resilient when uploading and resizing pictures close to
the max upload file size (:pr:`6530`, thanks :user:`SegiNyn`)
- Fix the order of the event classifications in edit mode (:issue:`6531`, :pr:`6534`)
- Fix an issue where scheduling a contribution on a day with an empty timetable would
schedule it on the first day of the event instead (:issue:`6540`, :pr:`6541`)
- Fix error in unmerged participant list when the picture field is enabled and participant
list columns have not been customized for that registration form (:pr:`6535`)
- Fix breakage of the registration form dropdown field (and anything else using a custom
element that uses ``ElementInternals``) in older versions of Safari (:pr:`6549`, thanks
:user:`foxbunny`)
- Fix linebreak display in markdown code blocks in survey section descriptions (:pr:`6553`)
- Include attached pictures when downloading registration attachments (:pr:`6564`)
- Only allow marking unpaid registrations as paid (:issue:`6330`, :pr:`6578`)
- Do not allow mixing notification rules for invited abstracts with other rules (:issue:`6563`,
:pr:`6567`)
- Use locale-aware price formatting in registration form fields (:pr:`6586`)
- Handle badge designer items exceeding the canvas boundaries more gracefully (:pr:`6603`,
thanks :user:`SegiNyn`)
- Fix tips not correctly positioning when contents are changed (:pr:`6797`, thanks
:user:`foxbunny`)

Accessibility
^^^^^^^^^^^^^

- Improve country input accessibility (:pr:`6551`, thanks :user:`foxbunny`)
- Reimplement Checkbox to make it programmatically focusable (:pr:`6528`, thanks :user:`foxbunny`)
- Implement a ``RadioButton`` component to replace the SUI radio button in order to improve
keyboard support (:pr:`6621`, thanks :user:`foxbunny`)
- Improve keyboard accessibility of the timetable sessions field in registration form (:pr:`6639`,
thanks :user:`foxbunny`)

Internal Changes
^^^^^^^^^^^^^^^^

- Make positioning logic from TipBase generic and reusable (:pr:`6577`, :pr:`6588`, thanks
:user:`foxbunny`)
- Add additional signals related to videoconferences and their event links (:pr:`6475`)
- Videoconference plugins now need to implement a ``delete_room`` method (:pr:`6475`)
- Support translator comments when extracting translatable strings (:pr:`6620`)
- ``renderAsFieldset`` option in the registration field registry can now be a function that
returns a boolean (:pr:`6621`, thanks :user:`foxbunny`)
- Allow overriding global theme settings for custom meeting themes (:pr:`6622`)

3.3.4
-------------

*Released on September 04, 2024*

Security fixes
^^^^^^^^^^^^^^

- Fix an XSS vulnerability during account creation. Exploitation requires initiating
account creation with a maliciously crafted link, and then finalizing the signup
process, so it can only target newly created (and thus unprivileged) Indico users.
We consider this vulnerability to be of "medium" severity since the ability to abuse
this is somewhat limited, but you should update as soon as possible nonetheless
(:cve:`2024-45399`)

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Swedish

Improvements
^^^^^^^^^^^^

- Allow cropping an existing picture in registration form picture fields (:pr:`6423`,
thanks :user:`SegiNyn`)
- Add task to delete old registration files when they become orphaned due to a new
file being uploaded (:pr:`6434`, thanks :user:`SegiNyn`)
- Allow searching for author names in editable lists (:pr:`6451`)
- Add ability to filter editable lists by the parent session of the editable's
contribution (:pr:`6453`)
- Allow alternative CSV delimiters when importing registration invitations (:pr:`6458`,
thanks :user:`Moliholy, unconventionaldotdev`)
- A room's bookable hours can now be applied to specific weekdays, making it
unbookable on any other weekdays (:pr:`6439`)
- Add global settings for min/max registration form data retention periods (:pr:`6445`,
thanks :user:`SegiNyn`)
- Always open links in registration form field/section descriptions in a new tab
(:pr:`6512`)
- Preserve entered text when switching between commenting and judging in the editing
module (:issue:`6503`, :pr:`6502`)
- Add quick setup button to configure default notifications in Call for Abstracts
(:pr:`6454`, thanks :user:`jbtwist`)

Bugfixes
^^^^^^^^

- Fix display of empty session selection in registration summary (:pr:`6421`,
thanks :user:`jbtwist`)
- Include date when displaying session field data in registration summary (:pr:`6431`,
thanks :user:`jbtwist`)
- Fix the order of a day's session blocks in the registration form session field
(:pr:`6428`, thanks :user:`jbtwist`)
- Wrap overly long descriptions and filenames in registration form fields (:pr:`6436`,
thanks :user:`SegiNyn`)
- Fix validation error when clearing a date field in the registration form (:pr:`6470`)
- Fix access error when a manager registers a user in a private registration form (:pr:`6486`)
- Fix access error when a manager uploads files in a private registration form (:pr:`6487`,
thanks :user:`vtran99`)
- Improve color handling in badge designer (auto-add ``#`` for hex colors) (:pr:`6492`)
- Do not count deleted rooms for equipment/attribute usage numbers (:issue:`6493`, :pr:`6494`)
- Allow deleting event persons which are linked to a deleted subcontribution (:pr:`6495`)
- Fix validation error in registration form date fields when using Safari (:issue:`6474`,
:pr:`6501`, thanks :user:`foxbunny`)
- Fix date picker month/year navigation not working in Safari (:pr:`6505`, thanks :user:`foxbunny`)
- Enforce a minimum size on the registration form picture cropper to avoid sending an empty
image after repeated cropping (:pr:`6498`, thanks :user:`jbtwist`)
- Fix future events being always displayed after current events in categories while not
logged in (:pr:`6509`)

Accessibility
^^^^^^^^^^^^^

- Improve registration form single choice input accessibility (:pr:`6310`, thanks :user:`foxbunny`)

Internal Changes
^^^^^^^^^^^^^^^^

- Indicate when a booking begins/ends in the booking calendar in day-based mode (when
using a plugin to customize the room booking module) (:pr:`6414`)
- Update the list of supported browsers so people using highly outdated browsers where
certain features are likely broken get a warning about having to update their browser
(:pr:`6442`)
- Convert Room Booking splash image to WEBP (20x smaller file size) (:pr:`6468`,
:issue:`6465`, thanks :user:`bbb-user-de`)
- Add support for TypeScript (and TSX) (:pr:`6456`)
- Add ``<ind-combo-box>`` custom element (:pr:`6310`, thanks :user:`foxbunny`)
- Add ``<ind-select>`` custom element (:pr:`6310`, thanks :user:`foxbunny`)
- Indico and plugin wheels are now built using hatchling instead of setuptools, and
package metadata is specified using ``pyproject.toml``. Developers who want to build
their own plugins need to switch from ``setup.py`` and/or ``setup.cfg`` to ``pyproject.toml``
as well (:pr:`6477`)
- Prevent timetable entries with zero/negative durations (:pr:`6420`)
- Warn when required ``indico.conf`` settings are missing or empty (:pr:`6504`, thanks
:user:`omegak`)

3.3.3
-------------

*Released on June 26, 2024*

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Hungarian

Improvements
^^^^^^^^^^^^

- Add dialog to contact event participants about a survey (:issue:`6069`, :pr:`6144`)
- Allow linking existing room booking occurrences to an event (:pr:`6243`, thanks
:user:`Moliholy, unconventionaldotdev`)
- Support including a picture (from a registration's picture field) in the conference
participant list (:pr:`6228`, thanks :user:`vtran99`)
- Add :data:`FAVICON_URL` config option to set a custom URL for the favicon (:pr:`6323`,
thanks :user:`SegiNyn`)
- Allow filtering the contribution list in the management area by custom fields
(:issue:`6213`, :pr:`6214`)
- Show "Go to timeline" button on the contribution page to everyone who can see the
timeline of one of its editables instead of just submitters (:pr:`6344`)
- Add a new "Timetable Sessions" registration form field type which allows selecting
session blocks from the event (:pr:`6184`, thanks :user:`jbtwist`)
- Link the event title to the event in registration emails (:pr:`6358`)
- Add the option to make registration forms private so they can only be accessed using
a secret link (:pr:`6321`, thanks :user:`vtran99`)
- Add experimental support for creating Apple Wallet (Passbook / pkpass) tickets
(opt-in via :data:`ENABLE_APPLE_WALLET` ``indico.conf`` setting) (:pr:`6248`, thanks
:user:`openprojects`)
- Add a new event management permission that grants access only to the contributions
module (:pr:`6348`)
- Add bulk JSON export option in management contribution list (:pr:`6370`)
- Make the default roles of the contribution person link list field more similar to the
abstract person link list field when there is a linked abstract (:pr:`6342`)
- Add option to hide person titles throughout the event (:issue:`038`, :pr:`6104`, thanks
:user:`vasantvohra`)
- Preserve input when switching between judgment actions for an editable (:pr:`6375`)
- Allow generating documents from the registration summary page (:issue:`6212`, :pr:`6306`,
thanks :user:`hitenvidhani`)
- Modernize the event social share widget and add support for sharing to
Mastodon (:pr:`6289`)
- Enable the calendaring + social sharing widget in events by default (:pr:`6398`)
- Ignore diacritics when searching in the registration form country field (:pr:`6403`,
thanks :user:`tomako`)
- Add preview option for managers to see the participant list as shown to registered
participants or unregistered guests (:pr:`6052`, thanks :user:`vtran99`)

Bugfixes
^^^^^^^^

- Fix the dashboard iCal export returning old events instead of recent ones when the
maximum number of events to include is reached (:pr:`6312`)
- Fix an error in the Check-in app API when retrieving details for a registration form
that includes static labels (:pr:`6326`)
- Fix action buttons being pushed outside the content area in the survey editor in case
of very long survey option titles (:pr:`6325`)
- Only allow accessing avatars for published registrations (:pr:`6347`)
- Fix error when trying to import data from an unlisted event (:issue:`6350`, :pr:`6351`)
- Show results from the Get Next Editable search on top of the list (:pr:`6353`)
- Attach registration pictures and display them inline when sending email notifications
instead of just showing their filename (:pr:`6336, 6411`, thanks :user:`SegiNyn`)
- Fix editable list filter storage being shared between different editable types and
events (:pr:`6359`)
- Fix UI breaking when performing bulk actions via the list of editables (:pr:`6369`)
- Include registration documents in user data export (:issue:`6331`, :pr:`6338`)
- Fix error when viewing an abstract with reviews in deleted tracks (:pr:`6393`)
- Do not include custom messages about the current registration status when sending
notifications about new documents (:pr:`6413`)
- Only normalize title slug in custom page URL after successful access check
(:issue:`6416`, :pr:`6417`)

Accessibility
^^^^^^^^^^^^^

- Improve registration form date picker accessibility (:pr:`6371`, thanks :user:`foxbunny`)

Internal Changes
^^^^^^^^^^^^^^^^

- Use unguessable URLs for user avatar pictures (:pr:`6346`, thanks :user:`vtran99`)
- Add ``<ind-date-picker>`` custom element (:pr:`6371, 6406`, thanks :user:`foxbunny`)
- Use native ESM for webpack config files (:pr:`6389`)
- Rename ``active_fields`` to ``available_fields`` in ``RegistrationFormSection``
(:pr:`6409`, thanks :user:`omegak`)
- Custom poster/badge designer placeholder returning images need to return a ``BytesIO``
instead of a Pillow ``Image`` object (:pr:`6441`)

3.3.2
-------------

*Released on April 19, 2024*

Improvements
^^^^^^^^^^^^

- Use more verbose page titles in management/admin areas (:pr:`6300`)
- Prioritize exact matches when searching for users (:pr:`6254`)
- Show document templates from non-parent categories and other events for cloning
as long as the user has management access (:pr:`6232`)
- Warn about conflicts from concurrent edits of minutes (:issue:`3410`, :pr:`6193`)
- Include up to two months (up from one week) of past events in dashboard iCal export
(:pr:`6304`)

Bugfixes
^^^^^^^^

- Fix adding additional event keywords when some keywords have already been set
(:pr:`6264`, thanks :user:`SegiNyn`)
- Fix overlapping times in some room booking timelines when using a locale with
a 12-hour time format (:pr:`6263`)
- Fix error when printing badges referencing a linked regform picture field that
contains no picture (:pr:`6276`)
- Fix error when creating a reminder for exactly one week before the event (:pr:`6283`)
- Fix error when unassigning the editor of an editable that has no editor (:pr:`6284`)
- Fix error when judging an editable from the list of editables (:pr:`6284`)
- Fix validation error when using a ``mailto:`` link in an email body (:pr:`6286`)
- Clear the flags indicating that registrations or a registration form field have been
purged when cloning an event (:pr:`6288`)
- Use English locale when formatting dates for room booking log entries (:pr:`6295`)
- Fix date validation in room booking failing in certain timezones

Internal Changes
^^^^^^^^^^^^^^^^

- Allow plugins to fully replace the data in a ticket QR code with a custom string
instead of just modifying/extending the JSON dict (:pr:`6266`)
- Replace deprecated ``pkg_resources`` with ``importlib`` from standard library
(:issue:`6272`, :pr:`6273`, thanks :user:`maxnoe`)
