Indico

Latest version: v3.3.6

Page 3 of 11

3.2.5 (Not secure)
------------------

*Released on June 26, 2023*

Security fixes
^^^^^^^^^^^^^^

- Fix an XSS vulnerability in the LaTeX ``\href`` macro when rendering it client-side.
Previously, it was possible to embed arbitrary JavaScript there using the ``javascript:``
protocol. The underlying MathJax library has now been updated to version 3 which allows
blacklisting certain protocols, thus allowing only ``http``, ``https`` and ``mailto``
links in ``\href`` macros (:pr:`5818`)
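
An added illustration of the allowlist policy described above, written in Python (it is not Indico's or MathJax's code; function names and the sample link targets are this example's own). It shows why the check has to be a scheme allowlist applied after browser-style normalization: a naive "does it start with ``javascript:``" test misses case and whitespace variants, and anything that cannot be positively classified (relative targets, ``data:`` URLs) is dropped rather than linked.

```python
import html
from urllib.parse import urlsplit

# Added example, not Indico's or MathJax's code: a scheme allowlist for link
# targets mirroring the policy above (only http, https and mailto survive).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def normalize_href(href: str) -> str:
    """Apply the normalization browsers apply before resolving a URL.

    Leading/trailing whitespace is dropped and ASCII tab/newline characters
    are removed, so "  JavaScript:..." and "java\\tscript:..." are classified
    by their real scheme instead of slipping past a naive prefix check.
    """
    cleaned = href.strip()
    for ch in ("\t", "\n", "\r"):
        cleaned = cleaned.replace(ch, "")
    return cleaned


def is_safe_href(href: str) -> bool:
    """Return True only if the target's scheme is on the allowlist.

    Relative and scheme-less targets are rejected too: with an allowlist,
    anything that cannot be positively classified counts as unsafe.
    """
    scheme = urlsplit(normalize_href(href)).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def render_href(href: str, text: str) -> str:
    """Render an \\href-style link as HTML, degrading to plain text if unsafe."""
    label = html.escape(text, quote=True)
    if not is_safe_href(href):
        # Keep the visible text, drop the link: the document still renders
        # and the script-bearing target never reaches the DOM.
        return label
    target = html.escape(normalize_href(href), quote=True)
    return f'<a href="{target}">{label}</a>'


if __name__ == "__main__":
    # Constructed sample targets: the first two are allowed, the rest blocked.
    samples = ("https://example.org/", "mailto:chair@example.org",
               "javascript:alert(1)", "  JavaScript:alert(1)",
               "java\tscript:alert(1)", "data:text/html,<script>", "/relative")
    for candidate in samples:
        print(f"{candidate!r:32} -> {is_safe_href(candidate)}")
```

The same reasoning applies on the client side: whichever layer turns ``\href`` into an anchor element has to classify the scheme after normalization, which is what the MathJax 3 protocol restriction provides.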

Improvements
^^^^^^^^^^^^

- Show actual recipient data in the email preview instead of that of the event creator
(:pr:`5794`)
- Add an option to set a maximum number of choices in a multi-choice field (:pr:`5800`)

Bugfixes
^^^^^^^^

- Fix width of time column in PDF timetable when using 12-hour time format (:pr:`5788`)
- Fix wrong date in email subject for room booking occurrence cancellations (:pr:`5790`)
- Fix excessive queries being sent in meetings that have registration form with limited
places and many registrants (:pr:`5799`)
- Fix extremely slow query when retrieving list of registration forms in conferences with
many registrants while not logged in (:pr:`5799`)
- Fix title of session conveners being always empty in HTTP API with XML serialization
(:pr:`5813`)
- Fix editable filters not working simultaneously with editable search (:pr:`5796`)
- Fix missing icons in Abstract Markdown editor (:pr:`5815`)
- Fix text overflow in event manage button (:pr:`5816`)
- Fix undone revisions being used instead of the latest valid one when downloading
revision files as a ZIP archive (:pr:`5820`)
- Fix custom actions not showing on revisions if the latest revision has been undone
(:pr:`5820`)

Internal Changes
^^^^^^^^^^^^^^^^

- Some basic but useful docs for the Registration Form model classes

3.2.4 (Not secure)
------------------

*Released on May 26, 2023*

Security fixes
^^^^^^^^^^^^^^

- Set ``Vary: Cookie`` header when session data is present and used. This ensures
that data linked to a (logged-in) session cannot leak between requests even in case
of a poorly-configured caching proxy in front of Indico (:pr:`5753`)
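
To make the leak concrete, here is an added Python model (not Indico's code; the session ids, user names and the ``/dashboard`` path are constructed) of a shared caching proxy that stores every response it sees but does honour ``Vary``. Without ``Vary: Cookie``, the first logged-in user's page is served to the next user; with it, the cookie becomes part of the cache key and each user gets their own response.

```python
from dataclasses import dataclass, field

# Added example, not Indico's code: a toy caching proxy that honours Vary,
# used to show what a missing "Vary: Cookie" header lets happen.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # constructed


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Caches every response (the 'poorly configured' proxy) but implements
    Vary: a stored entry is reused only when the request carries the same
    values for the headers the response named in Vary."""

    def __init__(self) -> None:
        # path -> list of (selecting header values, response)
        self._entries = {}

    @staticmethod
    def _lower(headers: dict) -> dict:
        return {name.lower(): value for name, value in headers.items()}

    def get(self, path: str, request_headers: dict):
        req = self._lower(request_headers)
        for selecting, response in self._entries.get(path, []):
            if all(req.get(name, "") == value for name, value in selecting):
                return response
        return None

    def put(self, path: str, request_headers: dict, response: Response) -> None:
        req = self._lower(request_headers)
        vary = response.headers.get("Vary", "")
        names = [n.strip().lower() for n in vary.split(",") if n.strip()]
        selecting = tuple((name, req.get(name, "")) for name in names)
        self._entries.setdefault(path, []).append((selecting, response))


def origin(request_headers: dict, *, set_vary: bool) -> Response:
    """The application: renders a page that depends on the session cookie."""
    cookie = request_headers.get("Cookie", "")
    session_id = cookie[len("session="):] if cookie.startswith("session=") else ""
    user = SESSIONS.get(session_id, "anonymous")
    headers = {}
    if set_vary and session_id:
        # Session data was present and used: tell caches that the response
        # depends on the Cookie header.
        headers["Vary"] = "Cookie"
    return Response(f"Hello {user}", headers)


def fetch(cache: SharedCache, path: str, request_headers: dict, *, set_vary: bool):
    """One request through the proxy; returns (body, 'HIT' or 'MISS')."""
    cached = cache.get(path, request_headers)
    if cached is not None:
        return cached.body, "HIT"
    response = origin(request_headers, set_vary=set_vary)
    cache.put(path, request_headers, response)
    return response.body, "MISS"


def simulate(set_vary: bool):
    """Alice loads her dashboard, then Bob loads his through the same proxy."""
    cache = SharedCache()
    alice = {"Cookie": "session=sess-alice"}
    bob = {"Cookie": "session=sess-bob"}
    alice_body, _ = fetch(cache, "/dashboard", alice, set_vary=set_vary)
    bob_body, bob_status = fetch(cache, "/dashboard", bob, set_vary=set_vary)
    return alice_body, bob_body, bob_status


if __name__ == "__main__":
    print("without Vary:", simulate(False))  # Bob is served Alice's page
    print("with Vary:   ", simulate(True))   # Bob gets his own page
```

The header is a safety net, not a substitute for a correctly configured proxy: a cache that ignores ``Vary`` entirely still leaks, so personalised responses should also carry ``Cache-Control: private`` (or ``no-store``) where the deployment allows it.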

Improvements
^^^^^^^^^^^^

- Use the revision's timestamp when downloading its files as a ZIP archive (:pr:`5686`)
- Use more consistent colors on the editing judgment button (:issue:`5687`, :pr:`5697`)
- Keep history when undoing judgments on editables (:pr:`5630`)
- Add search field to the abstracts list for reviewers (:issue:`5698`, :pr:`5703`)
- Align status box colors with judgment dropdown (:issue:`5699`, :pr:`5706`)
- Use a gender-neutral chairperson icon (:pr:`5710`)
- Add option to set the abstracts' primary authors as the default submitters for the
corresponding contributions (:pr:`5711`)
- Allow commenting on accepted/rejected editables (:issue:`5712`, :pr:`5722`)
- Hide deleted sections and fields from registration summary (:pr:`5716`)
- Add support for authorized submitters in Call for Papers (:pr:`5728`)
- Display abstract submission comment in the list of abstracts (:pr:`5733`)
- Allow searching for contributions by author in the management area (:pr:`5742`)
- Include start/end dates of the whole booking in the timeline tooltip of recurring
room bookings (:issue:`5730`, :pr:`5740`)
- Add day of the week to room booking details modal and timeline (:issue:`5718`,
:pr:`5743`)
- Allow acceptance and rejection of editables in the editable list (:pr:`5721`)
- Email verification attempts during signup now trigger rate limiting to prevent
spamming large amounts of confirmation emails (:pr:`5727`)
- Allow bulk-commenting editables in the editable list (:pr:`5747`)
- Allow emailing contribution persons that have not yet made any submissions to a
given editable type (:pr:`5755`)
- Show only "ready to review" editables on the "get next editable" list (:pr:`5765`)
- Disallow uploading empty files (:pr:`5767`)
- Include non-speaker authors in the timetable export API (:issue:`5412`, :pr:`5738`)
- Add setting to force track selection when accepting abstracts (:pr:`5771`)
- Log detailed changes when editing contributions (:pr:`5777`)
- Allow managers to ignore required field restrictions in registration forms
(:issue:`5644`, :pr:`5682`, thanks :user:`kewisch`)
- Allow selecting the global noreply address as the sender for event reminders
(:pr:`5784`)
- Allow admins to change the password of local accounts (:pr:`5789`, thanks
:user:`omegak`)
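
The rate limiting of email verification attempts mentioned above, shown as an added Python example (not Indico's own limiter, which is not on this page): a sliding-window limiter keyed on the normalized address, with an injectable clock so the window can be exercised without waiting. Limit and window values are this example's own.

```python
import time
from collections import defaultdict, deque

# Added example, not Indico's code: a sliding-window limiter for
# verification-email requests. Limits and sample addresses are constructed.


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent hits

    def allow(self, key: str) -> bool:
        """Record a hit for key and report whether it is within the limit."""
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def request_verification_email(limiter: SlidingWindowLimiter, email: str, send) -> str:
    """Send a confirmation email unless the address is over its limit."""
    # Normalize so that case and whitespace variants share one bucket;
    # otherwise "User@Example.org" would get a fresh allowance.
    key = email.strip().lower()
    if not limiter.allow(key):
        return "rate_limited"
    send(key)
    return "sent"


class FakeClock:
    """Deterministic clock for the demonstration."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    """Three attempts per 10 minutes for one address; returns (outcomes, emails sent)."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=3, window_seconds=600, clock=clock)
    sent = []
    outcomes = []
    for addr in ("user@example.org", "User@Example.org",
                 " user@example.org ", "user@example.org"):
        outcomes.append(request_verification_email(limiter, addr, sent.append))
    clock.advance(601)  # the window has passed, the address may try again
    outcomes.append(request_verification_email(limiter, "user@example.org", sent.append))
    return outcomes, len(sent)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the bucket would live in shared storage (Redis in Indico's case) rather than process memory, and it is worth keying on the client address as well as the email so one sender cannot spam many different recipients.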

Bugfixes
^^^^^^^^

- Fix creating invited abstracts (:pr:`5696`)
- Fix error on contribution page when there is no paper but the peer reviewing module
is enabled and configured to hide accepted papers
- Clone all protection settings (in particular submitter privileges) when cloning events
(:pr:`5702`)
- Fix searching in single-choice dropdown fields in registration forms (:pr:`5709`)
- Fix uploading files in registration forms where the user only has access through the
registration's token (:pr:`5719`)
- Fix being unable to set the "speakers and authors" as the default contribution
submitter type (:pr:`5711`)
- Check server-side if Call for Papers is open when submitting a paper (:pr:`5725`)
- Fix room notification email list showing up empty when editing it (:issue:`5729`,
:pr:`5731`)
- Fix performance issues in paper assignment list (:pr:`5736`)
- Fix performance issues in event export API with large events when including
contributions (:pr:`5736`)
- Fix error when a search query matches content from unlisted events (:issue:`5759`,
:pr:`5761`)
- Fix ToS and Privacy Policy links in room booking module not working when using an
external URL (:pr:`5774`)
- Do not apply default values to new registration form fields when editing an existing
registration (:pr:`5781`)
- Allow ``0`` for a required registration form number field (unless a higher minimum
value is set) (:pr:`5781`)

Internal Changes
^^^^^^^^^^^^^^^^

- Update Python & JavaScript dependencies (:pr:`5726`, :pr:`5752`)
- Add support for the watchfiles live reloader (:pr:`5732`)
- Add an endpoint to allow resetting the state of an accepted editable to "ready to
review" (:pr:`5758`)
- Add RESTful endpoints for custom contribution fields (:pr:`5768`)

3.2.3 (Not secure)
------------------

*Released on February 23, 2023*

Security fixes
^^^^^^^^^^^^^^

- Sanitize HTML in global announcement messages
- Update `cryptography <https://pypi.org/project/cryptography/>`__ library due to
vulnerabilities in OpenSSL (:cve:`2023-0286`)
- Update `werkzeug <https://pypi.org/project/werkzeug/>`__ library due to a potential
Denial of Service vulnerability (:cve:`2023-25577`)

.. note::

The risk of malicious HTML (e.g. scripts) in the global announcement is minimal
as only Indico administrators can set such an announcement anyway. However, in the
unlikely case that an administrator becomes malicious or is compromised, they would
have been able to perform XSS against their Indico instance.

Improvements
^^^^^^^^^^^^

- Include co-authors in abstract list columns and spreadsheet exports (:pr:`5605`)
- Include speakers in abstract list columns and spreadsheet exports (:pr:`5615`)
- Add an option to export all events in a series to ical at once (:issue:`5617`, :pr:`5620`)
- Make it possible to load more events in series management (:pr:`5629`)
- Check manually entered email addresses of speakers/authors/chairpersons
to avoid collisions and inconsistencies (:pr:`5478`)
- Add option to use review track as accepted track when bulk-accepting abstracts
(:pr:`5608`)
- Add setting to only allow managers to upload attachments to events and
contributions (:pr:`5597`)
- Support Markdown when writing global announcement and apply standard HTML
sanitization to the message (:pr:`5640`)
- Add BCC field on contribution email dialogs (:pr:`5637`)
- Allow filtering by location in room booking (:issue:`4291`, :pr:`5622`,
thanks :user:`mindouro`)
- Add button to adapt column widths in paper & contribution lists (:pr:`5642`)
- Add event language settings to set default and additional languages (:issue:`5606`,
:pr:`5607`, thanks :user:`vasantvohra`)
- Fail nicely when trying to import an event from another Indico instance (:issue:`5619`,
:pr:`5653`)
- Add option to send reminders to invited registrants who have not yet responded
(:issue:`5579`, :pr:`5654`)
- Hide the top box with the latest files of an editable until it has been accepted
and published (:issue:`5660`, :pr:`5665`)
- Allow uploading files when requesting changes on the editing timeline (:pr:`5612`)
- Add ``locked_fields`` to the identity provider settings in ``indico.conf`` to
prevent non-admin users from turning off their profile's personal data
synchronization (:pr:`5648`)
- Add an option to sync event persons with users (:pr:`5677`)
- Disallow repeated filenames in editing revisions (:pr:`5681`)
- Add setting to hide peer-reviewed papers from participants even after they have
been accepted (:issue:`5666`, :pr:`5671`)
- Prevent concurrent assignment of editors to editables (:pr:`5684`)
- Add color labels to the filter dropdown (:issue:`5675`, :pr:`5680`)

Bugfixes
^^^^^^^^

- Correctly show contribution authors in participant roles list (:pr:`5603`)
- Disable Sentry trace propagation to outgoing HTTP requests (:pr:`5604`)
- Include token in notification emails for private surveys (:pr:`5618`)
- Fix some API calls not working with personal access tokens (:pr:`5627`)
- Correctly handle paragraphs and linebreaks in plaintext conversion (:pr:`5623`)
- Send manager notifications and email participant if they withdraw from an event
(:issue:`5633`, :pr:`5638`, thanks :user:`kewisch`)
- Do not break registrations with purged accommodation fields (:issue:`5641`,
:pr:`5643`)
- Do not show blocked rooms as available on the very last day of the blocking
(:pr:`5663`)
- Do not show blocked rooms as available for admins unless they have admin override
mode enabled (:pr:`5663`)
- Fix roles resetting to the default ones when editing person data in an abstract
or contribution (:pr:`5664`)
- Correctly show paragraphs in CKEditor fields (:issue:`5624`, :pr:`5656`, thanks
:user:`kewisch`)
- Fix empty iCal file being attached when registering for a protected event
(:pr:`5688`)

Internal Changes
^^^^^^^^^^^^^^^^

- Add ``rh.before-check-access`` signal (:pr:`5639`, thanks :user:`omegak`)
- Add ``indico celery --watchman ...`` to run Celery with the Watchman reloader
(:pr:`5667`)
- Allow overriding the cache TTL for remote group membership checks (:pr:`5672`)
- Allow a custom editing workflow service to mark new editables as ready-for-review
without creating a new replacement revision (:pr:`5668`)
- Update Python dependencies (:pr:`5689`)

3.2.2 (Not secure)
------------------

*Released on December 09, 2022*

Improvements
^^^^^^^^^^^^

- Display program codes in 'My contributions' (:pr:`5573`)
- Warn when a user cannot create an event in the current category (:pr:`5572`)
- Display all contributions in 'My contributions' and not just those with
submitter privileges (:pr:`5575`)
- Apply stronger sanitization on rich-text content pasted into CKEditor
(:issue:`5560`, :pr:`5571`)
- Allow raw HTML snippets when editing custom conference pages and event
descriptions (:issue:`5584`, :pr:`5587`)
- Warn more clearly that link attachments are just a link and do not copy
the file (:issue:`5551`, :pr:`5593`)
- Add option to email people with specific roles about their contributions
or abstracts (:pr:`5598`)
- Add setting to allow submitters to edit custom fields in their contributions
(:pr:`5599`)

Bugfixes
^^^^^^^^

- Fix broken links in some notification emails (:pr:`5567`)
- Fix always-disabled submit button when submitting an agreement response
on someone's behalf (:pr:`5574`)
- Disallow nonsensical retention periods and visibility durations (:pr:`5576`)
- Fix sorting by program code in editable list (:pr:`5582`)
- Do not strip custom CSS classes from HTML in CKEditor (:issue:`5584`, :pr:`5585`)
- Use the instance's default locale instead of "no locale" (US-English) in places
where no better information is known for email recipients (:pr:`5586`)

Internal Changes
^^^^^^^^^^^^^^^^

- Refactor email-sending dialog using React (:pr:`5547`)

3.2.1 (Not secure)
------------------

*Released on November 10, 2022*

Security fixes
^^^^^^^^^^^^^^

- Update `cryptography <https://pypi.org/project/cryptography/>`__ library due to
vulnerabilities in OpenSSL (:cve:`2022-3602`, :cve:`2022-3786`)

.. note::

We do not think that Indico is affected by those vulnerabilities as it does
not use the *cryptography* library itself, and the dependency that uses it
is only used during SSO (OAuth) logins and most likely in a way that is not
vulnerable. It is nonetheless recommended to update as soon as possible.

Internationalization
^^^^^^^^^^^^^^^^^^^^

- Make email templates translatable (:issue:`5263`, :pr:`5488`, thanks :user:`Leats`)

Improvements
^^^^^^^^^^^^

- Enable better image linking UI in CKEditor (:pr:`5492`)
- Restore the "fullscreen view" option in CKEditor (:pr:`5505`)
- Display & enforce judging deadline (:pr:`5506`)
- Add a setting to disable entering persons in person link fields manually (:pr:`5499`)
- Allow taking minutes in markdown (:issue:`3386`, :pr:`5500`, thanks :user:`Leats`)
- Add setting to preselect "Include users with no Indico account" when adding
authors/speakers (:pr:`5553`)
- Include event label in email reminders (:issue:`5554`, :pr:`5556`,
thanks :user:`omegak`)
- Include emails of submitters, speakers and authors in abstract/contribution
Excel/CSV exports (:pr:`5565`)

Bugfixes
^^^^^^^^

- Fix meeting minutes being shown when they are expected to be hidden (:pr:`5475`)
- Force default locale when generating Book of Abstracts (:pr:`5477`)
- Fix width and height calculation when printing badges (:pr:`5479`)
- Parse escaped quotes (``&quot;``) in ckeditor output correctly (:pr:`5487`)
- Fix entering room name if room booking is enabled but has no locations (:pr:`5495`)
- Fix privacy information dropdown not opening on Safari (:pr:`5507`)
- Only let explicitly assigned reviewers review papers (:pr:`5527`)
- Never count participants from a registration form with a fully hidden participant
list for the total count on the participant page (:pr:`5532`)
- Fix "Session Legend" not working in all-days timetable view (:pr:`5539`)
- Fix exporting unlisted events via API (:pr:`5555`)

Internal Changes
^^^^^^^^^^^^^^^^

- Require at least Postgres 13 during new installations. This check can be
forced on older Postgres versions (11+ should work), but we make no guarantees
that nothing is broken (the latest version we test with is 12) (:pr:`5503`)
- Refactor service request email generation so plugins can override sender and
reply-to addresses for these emails (:pr:`5501`)
- Deleting a session no longer leaves orphaned session blocks (:pr:`5533`,
thanks :user:`omegak`)
- Indicate in the ``registration_deleted`` signal whether it's a permanent deletion
from the database or just a soft-deletion (:pr:`5559`)

3.2 (Not secure)
----------------

*Released on August 25, 2022*

Major Features
^^^^^^^^^^^^^^

- The registration form frontend has been completely rewritten using modern web
technology.
- Registrations can now have a retention period for the whole registration and
individual fields, after which their data is permanently deleted.
- The participant list of an event can now use consent to determine whether a
participant should be displayed, and its visibility can be different for the
general public and other registered participants.
- An event can now have one or more privacy notices and it's possible to set the
name and contact information of the "Data controller" (useful where GDPR or
similar legislation applies).

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: German

Improvements
^^^^^^^^^^^^

- Add a new event management permission that grants access only to the abstracts
module (:pr:`5212`)
- Add a link to quickly view the current stylesheet on the conference layout
customization page (:issue:`5239`, :pr:`5259`)
- Add more powerful filters to "get next editable" and the list of editables
(:issue:`5188`, :pr:`5224`, :pr:`5241`)
- Add the ability to create speaker-only menu entries for conferences (:issue:`5261`,
:pr:`5268`)
- Highlight changed fields in notification emails about modified registrations
(:issue:`5265`, :pr:`5269`)
- Add an option to send notifications of new abstract comments (:issue:`5266`, :pr:`5284`)
- Badge/poster templates can have additional images besides the background image
(:pr:`5273`, thanks :user:`SegiNyn`)
- Add ability to add alerts to iCal exports (:issue:`5318`, :pr:`5320`, thanks
:user:`PerilousApricot`)
- Show affiliations of submitters and authors in abstract/contribution lists and
add an extra column with this information to Excel/CSV exports (:pr:`5330`)
- Add option to delete persons from the event if they have no roles or other ties
to the event anymore (:issue:`5294`, :pr:`5313`)
- Allow events to be favorited (:issue:`1662`, :pr:`5338`, thanks :user:`Leats`)
- Include abstract content in CSV/Excel export if enabled in the abstract list
(:issue:`5356`, :pr:`5372`, thanks :user:`rppt`)
- Add the ability to include an optional static javascript file when defining
custom conference themes from within a plugin (:pr:`5414`, thanks :user:`brittyazel`)
- Add option to make the 'Affiliation' and 'Comment' fields mandatory in the account
request form (:issue:`4819`, :pr:`5389`, thanks :user:`elsbethe`)
- Include tags in registrant API (:pr:`5441`)
- Subcontribution speakers can now be granted submission privileges in the event's
protection settings (:issue:`2363`, :pr:`5444`)
- Registration forms can now require a CAPTCHA when the user is not logged in
(:issue:`4698`, :pr:`5400`)
- Account creation now requires a CAPTCHA by default to prevent spam account creation
(:issue:`4698`, :pr:`5446`)
- Add contribution's program code to revision's "Download ZIP" filename (:pr:`5449`)
- Add UI to manage series of events (:issue:`4048`, :pr:`5436`, thanks :user:`Leats`)
- Event series can now specify a title pattern to use when cloning an event in the
series (:pr:`5456`)
- Insert new categories into the correct position if the list is already sorted (:pr:`5455`)
- Images can now be uploaded by pasting or dropping them into the editor for minutes
or the event description (:pr:`5458`)
- Add JSON export for contribution details (:pr:`5460`)

Bugfixes
^^^^^^^^

- Fix selected state filters not showing up as selected in abstract list customization
(:pr:`5363`)
- Do not propose an impossible date/time in the Room Booking module when accessing it
shortly before midnight (:pr:`5371`)
- Do not fail when viewing an abstract that has been reviewed in a track which has
been deleted in the meantime (:pr:`5386`)
- Fix error when editing a room's nonbookable periods (:pr:`5390`)
- Fix incorrect access check when directly accessing a registration form (:pr:`5406`)
- Fix error in rate limiter when using Redis with a UNIX socket connection (:issue:`5391`)
- Ensure that submitters with contribution edit privileges can only edit basic fields
(:pr:`5425`)
- Do not return the whole contribution list when editing a contribution from elsewhere
(:pr:`5425`)
- Fix session blocks not being sorted properly in a timetable PDF export when they
have the same start time (:pr:`5426`)
- Fix printing badges containing text elements with malformed HTML (:pr:`5437`,
thanks :user:`omegak`)
- Fix misleading start and end times for Poster contributions in the timetable HTTP API
and the contributions placeholder in emails (:pr:`5443`)
- Do not mark persons as registered if the registration form has been deleted (:pr:`5448`)
- Fix error when a room owner who is not an admin edits their room (:pr:`5457`)

Internal Changes
^^^^^^^^^^^^^^^^

- When upgrading an existing instance, Postgres 11 or newer is required. The upgrade will
fail on Postgres 9.6 (or 10).
- Add new ``regform-container-attrs`` template hook to pass additional (data-)attributes
to the React registration form containers (:pr:`5271`)
- Add support for JavaScript plugin hooks to register objects or react components for use
by JS code that's in the core (:pr:`5271`)
- Plugins can now define custom registration form fields (:pr:`5282`)
- Add :data:`EMAIL_BACKEND` configuration variable to support different email sending
backends e.g. during development (:issue:`5375`, :pr:`5376`, thanks :user:`Moist-Cat`)
- Make model attrs to clone interceptable by plugins (:pr:`5403`, thanks :user:`omegak`)
- Add ``signal_query`` method in the ``IndicoBaseQuery`` class and the ``db_query``
signal, allowing to intercept and modify queries by signal handlers (:pr:`4981`,
thanks :user:`omegak`).
- Update WYSIWYG editor to CKEditor 5, resulting in a slightly different look for the
editor controls and removal of some uncommon format options (:pr:`5345`)


----

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.