Indico

Latest version: v3.3.6

Page 6 of 11

2.3.4
-----

Not secure

*Released on March 11, 2021*

Security fixes
^^^^^^^^^^^^^^

- Fix some open redirects which could help make harmful URLs look more trustworthy by linking
to Indico and having it redirect the user to a malicious site (:issue:`4814`, :pr:`4815`)
- The :data:`BASE_URL` is now always enforced and requests whose Host header does not match
are rejected. This prevents malicious actors from tricking Indico into sending e.g. a
password reset link to a user that points to a host controlled by the attacker instead of
the actual Indico host (:pr:`4815`)

.. note::

    If the webserver is already configured to enforce a canonical host name and redirects or
    rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires
    user interaction: they would need to click on a password reset link which they never requested,
    and which points to a domain that does not match the one where Indico is running.
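
Host enforcement of the kind described in the second fix above, as an added sketch that is not Indico's own code. The middleware name, the ``/reset-password/`` path and the ``indico.example.org`` host are assumptions made up for the example.

```python
from urllib.parse import quote, urlsplit

BASE_URL = 'https://indico.example.org'  # constructed value standing in for the BASE_URL setting
DEFAULT_PORTS = {'http': '80', 'https': '443'}


def normalize(netloc, scheme):
    """Lowercase a host[:port] string and drop the scheme's default port."""
    netloc = netloc.strip().lower()
    suffix = ':' + DEFAULT_PORTS[scheme]
    return netloc[:-len(suffix)] if netloc.endswith(suffix) else netloc


class EnforceBaseURL:
    """WSGI middleware (hypothetical name) rejecting requests whose Host differs from BASE_URL."""

    def __init__(self, app, base_url=BASE_URL):
        parts = urlsplit(base_url)
        self.app = app
        self.scheme = parts.scheme
        self.expected = normalize(parts.netloc, parts.scheme)

    def allowed(self, host_header):
        # Exact string comparison: the header is never parsed as a URL, so a value
        # like "attacker.example@indico.example.org" cannot pass as the real host.
        return bool(host_header) and normalize(host_header, self.scheme) == self.expected

    def __call__(self, environ, start_response):
        if not self.allowed(environ.get('HTTP_HOST')):
            start_response('400 Bad Request', [('Content-Type', 'text/plain')])
            return [b'Host header does not match BASE_URL\n']
        return self.app(environ, start_response)


def reset_link(token, base_url=BASE_URL):
    """Build the e-mailed link from configuration only; the path is a made-up placeholder."""
    return f'{base_url.rstrip("/")}/reset-password/{quote(token, safe="")}'


def status_for(host):
    """Send one constructed request through the middleware and return its status line."""
    def app(environ, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/'}
    if host is not None:
        environ['HTTP_HOST'] = host
    seen = []
    EnforceBaseURL(app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Because ``reset_link`` never reads the request, a link sent by e-mail points at the configured host even if a mismatching request were to reach the application.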

Improvements
^^^^^^^^^^^^

- Fail more gracefully if a user has an invalid locale set and fall back to the default
locale or English in case the default locale is invalid as well
- Log an error if the configured default locale does not exist
- Add ID-1 page size for badge printing (:pr:`4774`, thanks :user:`omegak`)
- Allow managers to specify a reason when rejecting registrants and add a new placeholder
for the rejection reason when emailing registrants (:pr:`4769`, thanks :user:`vasantvohra`)

Bugfixes
^^^^^^^^

- Fix the "Videoconference Rooms" page in conference events when there are any VC rooms
attached but the corresponding plugin is no longer installed
- Fix deleting events which have a videoconference room attached which has its VC plugin
no longer installed
- Do not auto-redirect to SSO when an MS office user agent is detected (:issue:`4720`,
:pr:`4731`)
- Allow Editing team to view editables of unpublished contributions (:issue:`4811`, :pr:`4812`)

Internal Changes
^^^^^^^^^^^^^^^^

- Also trigger the ``ical-export`` metadata signal when exporting events for a whole category
- Add ``primary_email_changed`` signal (:pr:`4802`, thanks :user:`openprojects`)

2.3.3
-----

Not secure

*Released on January 25, 2021*

Security fixes
^^^^^^^^^^^^^^

- JSON locale data for invalid locales is no longer cached on disk; instead a 404 error is
triggered. This avoids creating small files in the cache folder for each invalid locale
that is requested. (:pr:`4766`)

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Ukrainian

Improvements
^^^^^^^^^^^^

- Add a new "Until approved" option for a registration form's "Modification allowed"
setting (:pr:`4740`, thanks :user:`vasantvohra`)
- Show last login time in dashboard (:pr:`4735`, thanks :user:`vasantvohra`)
- Allow Markdown in the "Message for complete registrations" option of a registration
form (:pr:`4741`)
- Improve video conference linking dropdown for contributions/sessions (hide unscheduled,
show start time) (:pr:`4753`)
- Show timetable filter button in conferences with a meeting-like timetable

Bugfixes
^^^^^^^^

- Fix error when converting malformed HTML links to LaTeX
- Hide inactive contribution/abstract fields in submit/edit forms (:pr:`4755`)
- Fix adding registrants to a session ACL

Internal Changes
^^^^^^^^^^^^^^^^

- Videoconference plugins may now display a custom message for the prompt when deleting
a videoconference room (:pr:`4733`)
- Videoconference plugins may now override the behavior when cloning an event with
attached videoconference rooms (:pr:`4732`)

2.3.2
-----

Not secure

*Released on November 30, 2020*

Improvements
^^^^^^^^^^^^

- Disable title field by default in new registration forms (:issue:`4688`, :pr:`4692`)
- Add gender-neutral "Mx" title (:issue:`4688`, :pr:`4692`)
- Add contributions placeholder for emails (:pr:`4716`, thanks :user:`bpedersen2`)
- Show program codes in contribution list (:pr:`4713`)
- Display the target URL of link materials if the user can access them (:issue:`2599`,
:pr:`4718`)
- Show the revision number for all revisions in the Editing timeline (:pr:`4708`)

Bugfixes
^^^^^^^^

- Only consider actual speakers in the "has registered speakers" contribution list filter
(:pr:`4712`, thanks :user:`bpedersen2`)
- Correctly filter events in "Sync with your calendar" links (this fix only applies to newly
generated links) (:pr:`4717`)
- Correctly grant access to attachments inside public sessions/contribs even if the event
is more restricted (:pr:`4721`)
- Fix missing filename pattern check when suggesting files from Paper Peer Reviewing to submit
for Editing (:pr:`4715`)
- Fix filename pattern check in Editing when a filename contains dots (:pr:`4715`)
- Require explicit admin override (or being whitelisted) to override blockings (:pr:`4706`)
- Clone custom abstract/contribution fields when cloning abstract settings (:pr:`4724`,
thanks :user:`bpedersen2`)
- Fix error when rescheduling a survey that already has submissions (:issue:`4730`)

2.3.1
-----

Not secure

*Released on October 27, 2020*

Security fixes
^^^^^^^^^^^^^^

- Fix potential data leakage between OAuth-authenticated and unauthenticated HTTP API requests
for the same resource (:pr:`4663`)

.. note::

    Due to OAuth access to the HTTP API having been broken until this version, we do not
    believe this was actually exploitable on any Indico instance. In addition, only Indico
    administrators can create OAuth applications, so regardless of the bug there is no risk
    for any instance which does not have OAuth applications with the ``read:legacy_api``
    scope.

Improvements
^^^^^^^^^^^^

- Generate material packages in a background task to avoid timeouts or using excessive
amounts of disk space in case of people submitting several times (:pr:`4630`)
- Add new :data:`EXPERIMENTAL_EDITING_SERVICE` setting to enable extending an event's Editing
workflow through an `OpenReferee server <https://github.com/indico/openreferee/>`__ (:pr:`4659`)

Bugfixes
^^^^^^^^

- Only show the warning about draft mode in a conference if it actually has any
contributions or timetable entries
- Do not show incorrect modification deadline in abstract management area if no
such deadline has been set (:pr:`4650`)
- Fix layout problem when minutes contain overly large embedded images (:issue:`4653`,
:pr:`4654`)
- Prevent pending registrations from being marked as checked-in (:pr:`4646`, thanks
:user:`omegak`)
- Fix OAuth access to HTTP API (:pr:`4663`)
- Fix ICS export of events with draft timetable and contribution detail level
(:pr:`4666`)
- Fix paper revision submission field being displayed for judges/reviewers (:pr:`4667`)
- Fix managers not being able to submit paper revisions on behalf of the user (:pr:`4667`)

Internal Changes
^^^^^^^^^^^^^^^^

- Add ``registration_form_wtform_created`` signal and send form data in
``registration_created`` and ``registration_updated`` signals (:pr:`4642`,
thanks :user:`omegak`)
- Add ``logged_in`` signal

2.3
---

Not secure

*Released on September 14, 2020*

.. note::

    We also published a `blog post <https://getindico.io/indico/update/release/milestone/2020/07/22/indico-2-3-news.html>`_
    summarizing the most relevant changes for end users.

Major Features
^^^^^^^^^^^^^^

- Add category roles, which are similar to local groups but within the
scope of a category and its subcategories. They can be used for assigning
permissions in any of these categories and events within such categories.
- Events marked as "Invisible" are now hidden from the category's event list
for everyone except managers (:issue:`4419`, thanks :user:`openprojects`)
- Introduce profile picture, which is for now only visible on the user dashboard
(:issue:`4431`, thanks :user:`omegak`)
- Registrants can now be added to event ACLs. This can be used to easily restrict
parts of an event to registered participants. If registration is open and a registration
form is in the ACL, people will be able to access the registration form even if they
would otherwise not have access to the event itself. It is also possible to restrict
individual event materials and custom page/link menu items to registered participants.
(:issue:`4477`, :issue:`4528`, :issue:`4505`, :issue:`4507`)
- Add a new Editing module for papers, slides and posters which provides a workflow
for having a team review the layout/formatting of such proceedings and then publish
the final version on the page of the corresponding contribution. The Editing module
can also be connected to an external microservice to handle more advanced workflows
beyond what is supported natively by Indico.

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Chinese (Simplified)

Improvements
^^^^^^^^^^^^

- Sort survey list by title (:issue:`3802`)
- Hide "External IDs" field if none are defined (:issue:`3857`)
- Add LaTeX source export for book of abstracts (:issue:`4035`,
thanks :user:`bpedersen2`)
- Tracks can now be categorized in track groups (:issue:`4052`)
- Program codes for sessions, session blocks, contributions and
subcontributions can now be auto-generated (:issue:`4026`)
- Add draft mode for the contribution list of conference events
which hides pages like the contribution list and timetable until
the event organizers publish the contribution list. (:issue:`4095`)
- Add ICS export for information in the user dashboard (:issue:`4057`)
- Allow data syncing with multipass providers which do not support
refreshing identity information
- Show more verbose error when email validation fails during event
registration (:issue:`4177`)
- Add link to external map in room details view (:issue:`4146`)
- Allow up to 9 digits (instead of 6) before the decimal point in
registration fees
- Add button to booking details modal to copy direct link (:issue:`4230`)
- Do not require new room manager approval when simply shortening a booking
(:issue:`4214`)
- Make root category description/title customizable using the normal
category settings form (:issue:`4231`)
- Added new :data:`LOCAL_GROUPS` setting that can be used to fully disable
local groups (:issue:`4260`)
- Log bulk event category changes in the event log (:issue:`4241`)
- Add CLI commands to block and unblock users (:issue:`3845`)
- Show warning when trying to merge a blocked user (:issue:`3845`)
- Allow importing event role members from a CSV file (:issue:`4301`)
- Allow optional comment when accepting a pre-booking (:issue:`4086`)
- Log event restores in event log (:issue:`4309`)
- Warn about cancelling/rejecting whole recurring bookings instead of just
specific occurrences (:issue:`4092`)
- Add "quick cancel" link to room booking reminder emails (:issue:`4324`)
- Add visual information and filtering options for participants'
registration status to the contribution list (:issue:`4318`)
- Add warning when accepting a pre-booking in case there are
concurrent bookings (:issue:`4129`)
- Add event logging to opening/closing registration forms, approval/rejection of
registrations, and updates to event layout (:issue:`4360`,
thanks :user:`giusedb` & :user:`omegak`)
- Add category navigation dialog on category display page (:issue:`4282`,
thanks :user:`omegak`)
- Add UI for admins to block/unblock users (:issue:`3243`)
- Show labels indicating whether a user is an admin, blocked or soft-deleted
(:issue:`4363`)
- Add map URL to events, allowing also to override room map URL (:issue:`4402`,
thanks :user:`omegak`)
- Use custom time picker for time input fields taking into account the 12h/24h
format of the user's locale (:issue:`4399`)
- Refactor the room edit modal to a tabbed layout and improve error
handling (:issue:`4408`)
- Preserve non-ascii characters in file names (:issue:`4465`)
- Allow resetting moderation state from registration management view
(:issue:`4498`, thanks :user:`omegak`)
- Allow filtering event log by related entries (:issue:`4503`, thanks
:user:`omegak`)
- Do not automatically show the browser's print dialog in a meeting's print
view (:issue:`4513`)
- Add "Add myself" button to person list fields (e.g. for abstract authors)
(:issue:`4411`, thanks :user:`jgrigera`)
- Subcontributions can now be managed from the meeting display view (:issue:`2679`,
:pr:`4520`)
- Add CfA setting to control whether authors can edit abstracts (:issue:`3431`)
- Add CfA setting to control whether only speakers or also authors should
get submission rights once the abstract gets accepted (:issue:`3431`)
- Show the Indico version in the footer again (:issue:`4558`)
- Event managers can upload a custom Book of Abstract PDF (:issue:`3039`,
:pr:`4577`)
- Display each news item on a separate page instead of together with all the
other news items (:pr:`4587`)
- Allow registrants to withdraw their application (:issue:`2715`, :pr:`4585`,
thanks :user:`brabemi` & :user:`omegak`)
- Allow choosing a default badge in categories (:pr:`4574`, thanks
:user:`omegak`)
- Display event labels on the user's dashboard as well (:pr:`4592`)
- Event modules can now be imported from another event (:issue:`4518`, :pr:`4533`,
thanks :user:`meluru`)
- Include the event keywords in the event API data (:issue:`4598`, :pr:`4599`,
thanks :user:`chernals`)
- Allow registrants to check details for non-active registrations and prevent
them from registering twice with the same registration form (:issue:`4594`,
:pr:`4595`, thanks :user:`omegak`)
- Add a new :data:`CUSTOM_LANGUAGES` setting to ``indico.conf`` to override the
name/territory of a language or disable it altogether (:pr:`4620`)

Bugfixes
^^^^^^^^

- Hide Book of Abstracts menu item if LaTeX is disabled and no custom Book
of Abstracts has been uploaded
- Use a more consistent order when cloning the timetable (:issue:`4227`)
- Do not show unrelated rooms with similar names when booking room from an
event (:issue:`4089`)
- Stop icons from overlapping in the datetime widget (:issue:`4342`)
- Fix alignment of materials in events (:issue:`4344`)
- Fix misleading wording in protection info message (:issue:`4410`)
- Allow guests to access public notes (:issue:`4436`)
- Allow width of weekly event overview table to adjust to window
size (:issue:`4429`)
- Fix whitespace before punctuation in Book of Abstracts (:pr:`4604`)
- Fix empty entries in corresponding authors (:pr:`4604`)
- Actually prevent users from editing registrations if modification is
disabled
- Handle LaTeX images with broken redirects (:pr:`4623`, thanks :user:`bcc`)

Internal Changes
^^^^^^^^^^^^^^^^

- Make React and SemanticUI usable everywhere (:issue:`3955`)
- Add ``before-regform`` template hook (:issue:`4171`, thanks :user:`giusedb`)
- Add ``registrations`` kwarg to the ``event.designer.print_badge_template``
signal (:issue:`4297`, thanks :user:`giusedb`)
- Add ``registration_form_edited`` signal (:issue:`4421`, thanks :user:`omegak`)
- Make PyIntEnum freeze enums in Alembic revisions (:issue:`4425`, thanks
:user:`omegak`)
- Add ``before-registration-summary`` template hook (:issue:`4495`, thanks
:user:`omegak`)
- Add ``extra-registration-actions`` template hook (:issue:`4500`, thanks
:user:`omegak`)
- Add ``event-management-after-title`` template hook (:issue:`4504`, thanks
:user:`meluru`)
- Save registration id in related event log entries (:issue:`4503`, thanks
:user:`omegak`)
- Add ``before-registration-actions`` template hook (:issue:`4524`, thanks
:user:`omegak`)
- Add ``LinkedDate`` and ``DateRange`` form field validators (:issue:`4535`,
thanks :user:`omegak`)
- Add ``extra-regform-settings`` template hook (:issue:`4553`, thanks
:user:`meluru`)
- Add ``filter_selectable_badges`` signal (:issue:`4557`, thanks :user:`omegak`)
- Add user ID in every log record logged in a request context (:issue:`4570`,
thanks :user:`omegak`)
- Add ``extra-registration-settings`` template hook (:pr:`4596`, thanks
:user:`meluru`)
- Allow extending polymorphic models in plugins (:pr:`4608`, thanks
:user:`omegak`)
- Wrap registration form AngularJS directive in jinja block for more easily
overriding arguments passed to the app in plugins (:pr:`4624`, thanks
:user:`omegak`)


----

2.2.9
-----

*Unreleased*

Bugfixes
^^^^^^^^

- Fix error when building LaTeX PDFs if the temporary event logo path contained
an underscore (:issue:`4521`)
- Disallow storing invalid timezones in user settings and reduce risk of sending
wrong timezone names when people automatically translate their UI (:issue:`4529`)
