Moin

New features:
* Improved params for [[target|label|params]]:
Added accesskey link tag attribute, e.g.: [[target|label|accesskey=1]].
Additionally to specifying link tag attributes (like class=foo), you can
now also specify &key=value for getting that into the query string of
the link URL.
The "&" character is important, don't forget it or it won't get into the
query string!
E.g. for an attachment, you can use:
[[attachment:foo.pdf|Direct download of foo.pdf|&do=get]]
E.g. for linking to some specific diff, you can use:
[[SomePage|see that diff|&action=diff,&rev1=23,&rev2=42]]
See also the updated HelpOnLinking page!
* AdvancedSearch: make multipe categories/languages/mimetype selections possible
* Added a configuration directive to only do one bind to the LDAP server.
This is useful if you bind as the user the first time.
ldap_bindonce = False default

Fixes:
* Fix XSS issue in login action.
* Fix wrong pagename when creating new pages on Mac OS X - that was a big
showstopper for moin 1.6.0 on Mac OS X.
* Fixed 1.6 migration script:
Make sorting python 2.3 compatible.
Just skip corrupted event log lines.
Fix link conversion by using data.pre160 as data_dir.
Fix bad /InterWiki pagenames when encountering interwiki links with bad
wiki names.
Improve ImageLink conversion by using its argument parser code.
Added STONEAGE_IMAGELINK (default: False) switch to wiki markup converter,
toggle it if you had a very old ImageLink macro in production and the
converter output has target and image interchanged.
Fixed UnicodeDecodeError for wrongly encoded attachment filenames.
* Wiki parser:
Fix parsing of link/transclusion description and params.
Fix relative attachment targets.
Fix supported URL schemes (some got lost since 1.5.8).
Showing an upload link for non-existing non-text/non-image transclusions
now (like e.g. *.pdf).
* RST parser: fix attachment: and drawing: processing
* Fix quickhelp when editing RST markup pages.
* Fix Despam action: editor grouping was broken, increase time interval
to 30 days.
* Fix AdvancedSearch domain:system search crashing.
* Only switch off xapian search if we didn't use it because of missing index.
* Fix saving twikidraw drawings by removing 'java' from spider regex.
* Fix classic theme's unsubscribe icon's action link.
* Fix AttachFile action: don't show unzip for packages, only show install
for superuser.
* Fix "su user" troubles on UserPreferences.
* Removed unit tests from ?action=test (due to changes in our test
environment, using py.test now, this was broken).
* Duplicated the top directories' moin.py to wiki/server/moin.py so it gets
installed by setup.py.
* Fix MoinMoinBugs/1.6.0LanguageIgnoreBrowserConfigurationError
* Fix MoinMoinBugs/MoveAttachmentNotWorkingWithModPython
* Fix MoinMoinBugs/1.6.0SupplementationAndAccessRights
* Fix MoinMoinBugs/RenamingUserAllowsOldUsernameToLogin
* Fix MoinMoinBugs/GuiEditorExcelPasteExpatErrorUnboundPrefix

Other changes:
* I18n texts, system and help pages updated, please update your underlay
directory (see wiki/underlay/...).
* Improved "moin" script help, invoke it with "moin ... package command --help".
* Added some .ext -> mimetype mappings missing on some systems (like Mac OS X).
* Removed ImageLink macro, as this can be easily done with moin wiki link
syntax now - see HelpOnMacros/ImageLink (the 1.6 migration scripts convert
all ImageLink calls to moin wiki link syntax).
* Updated EmbedObject macro.

* This is a reduced CHANGES, ommitting details from rc/beta test and also
less interesting minor changes and fixes. If you want to see full detail,
read it there: http://hg.moinmo.in/moin/1.6/file/640f21787334/docs/CHANGES

It took MoinMoin development a lot of work and time to implement all the new
and fixed stuff, so please, before asking for support:
* take the time to read all the stuff below
* read the new help pages (copy them from wiki/underlay/ directory)

* HINT: If you are upgrading from a older moin version and want to keep your
existing data directory, it is essential that you read and follow
README.migration because the wiki markup and user profiles changed significantly.
See also more HINTs below...

New features: ==============================================================

User interface: ------------------------------------------------------------
* Removed "underscore in URL" == "blank in pagename magic" - it made more
trouble than it was worth. If you still want to have a _ in URL, just
put a _ into pagename.
* Discussion pages, see FeatureRequests/DiscussionAndOrCommentPages.
* cfg.password_checker (default: use some simple builtin checks for too
easy passwords and, if available, python-crack).
Use password_checker = None to disable password checking.
* We now have a drafts functionality (no */MoinEditorBackup pages any
more):
* If you edit a page and cancel the edit, use preview or save, a draft
copy gets saved for you to a internal cache area (data/cache/drafts/).
* If it is a save what you did and it succeeds, the draft copy gets
killed right afterwards.
* If you accidentally used cancel or your browser or machine crashes
after you used preview, then just visit that page again and edit it.
the editor will notify you that there is a draft of this page and you
will see a "Load draft" button. Click on it to load the draft into the
editor and save the page.
* The draft storage is per user and per page, but only one draft per page.
* cfg.quicklinks_default and cfg.subscribed_pages_default can be used to
preload new user profiles with configurable values.
* attachment links for non-existing attachments look different now:
the note about the non-existing attachment moved to the link title,
the link is shown with nonexistent class (grey).
* attachment embeddings for non-existing attachments show a grey clip
* The list of InterWiki sites is editable in the wiki (page InterWikiMap),
it is getting reloaded every minute.
* We support some new languages and also have new underlay pages, thanks
to all translators and people helping with the docs!

Actions: -------------------------------------------------------------------
* Synchronisation of wikis using the SyncPages action.
* Xapian (see http://xapian.org/) based indexed search code.
To use this:
* Install xapian-core and xapian-bindings on your machine.
We used 0.9.4, but newer code should hopefully work, too.
* cfg.xapian_search = True
* Execute this to build the index:
$ moin ... index build indexes pages and attachments
$ moin ... index build --files=files.lst same plus a list of files
You should run those commands as the same user you use for your wiki,
usually this is the webserver userid, e.g.:
$ sudo -u www-data moin --config=... --wiki-url=wiki.example.org/ \
index build --files=files.lst
* New searches:
- LanguageSearch: language:de
- CategorySearch: category:Homepage
- MimetypeSearch: mimetype:image/png (for attachments/files)
- DomainSearch: domain:underlay or domain:standard
- History Search: available in advanced ui
Note: Some currently only available when Xapian is used.
* New config options and their defaults:
xapian_search False enables xapian-powered search
xapian_index_dir None directory for xapian indices
(can be shared for wiki farms)
xapian_stemming True toggles usage of stemmer, fallback
to False if no stemmer installed
search_results_per_page 10 determines how many hits should be
shown on a fullsearch action
xapian_index_history False indexes all revisions of pages to
allow searching in their history
* Speeded up linkto search by avoiding read locks on the pagelinks file.

* The action menu now calls the actions for the revision of the page you
are currently viewing. If you are viewing the current page revision, you
get the same behaviour as in moin 1.5, but if you are viewing an old
page revision, action "raw" will now show you the raw text of this OLD
revision (not of the current revision as moin 1.5 did it).
Note that not every action does evaluate the rev=XX parameter it gets.
Also please note that the edit, info, ... links in the editbar do NOT
use the rev parameter, but operate on the latest page revision (as
they did in moin 1.5).
* Info action lost the links for "raw", "print" and "revert" actions,
because you can now just view an old revision and select those actions
from the menu there.

* ?action=sitemap emits a google sitemap (XML), listing all your wiki pages
and the wiki root URL.
Page Priority / Frequency / Last modification
--------------------------------------------------------------------
/ 1.0 / hourly / <now>
cfg.page_front_page 1.0 / hourly / page last edit
TitleIndex,RecentChanges 0.9 / hourly / <now>
content pages 0.5 / daily / page last edit
system/help pages 0.1 / yearly / page last edit

* Action DeletePage and RenamePage can now be used for subpages of a page, too.
* Added Action CopyPage so you can use now an existing page or page hierarchy
as template for a new page, see FeatureRequests/CloneOrCopyPages.
* "Package Pages" action supports attachments now.
* Added SisterPages support:
* action=sisterpages will generate a list of url pagename lines for all
pages in your moin wiki.
* action=pollsistersites will poll all sister sites listed in
cfg.sistersites = [(wikiname, fetchURL), ...]
The fetch URL for the sistersites depends on the wiki engine, e.g.:
moin based wiki:
('MoinExample', 'http://moin.example.org/?action=sisterpages')
oddmuse based wiki:
('EmacsWiki', 'http://www.emacswiki.org/cgi-bin/test?action=sisterpages')
JspWiki based wiki:
('JspWiki', 'http://www.jspwiki.org/SisterSites.jsp')
* If the current page exists on some sister wiki, a link to it will be
added to the navibar.
You can use sister wikis for adding another dimension to your wiki UI: use
it for simple multi language support, or for comments, or anything else
"related" you need.
TODO: add sistersites_force with sister sites we link to even if they do not
have the page yet (will work only for moin as we don't know
pagename>url transformation of other wikis)
* showtags action that lists all tags related to a page.
* action=view does use mimetypes of EmbedObject too and text files will be shown
by using their colorized parsers

Macros: --------------------------------------------------------------------
* RecentChanges:
* If a change has happened after your bookmark, the updated/new/renamed
icon links to the bookmark diff.
* If a page does not exist any more (because it was deleted or renamed),
we link the deleted icon to the diff showing what was deleted (for the
delete action). For the rename action, we just show the deleted icon.
* Conflict icon in RecentChanges is shown if a edit conflict is detected.
* Enhanced SystemAdmin's user browser, so a SuperUser can enable/disable
users from there.
* Included EmbedObject macro for embedding different major mimetypes:
application, audio, image, video, chemical, x-world.
You are able to change the defaults of allowed mimetypes in the config
var mimetypes_embed. The config var mimetypes_xss_protect is used to deny
mimetypes. The order of both variables is Allow, Deny (mimetypes_embed,
mimetypes_xss_protect).
* Added support for SELF to the NewPage macro.
* GetText2 macro that allows to translate messages that contain data.
* Make the FootNote macro filter duplicates and display a list of numbers
instead of a list of identical footnotes. Thanks to Johannes Berg for the
patch.

Parsers: -------------------------------------------------------------------
* Moin Wiki parser: Changed markup for links, images and macros, see these
wiki pages: HelpOnLinking, HelpOnMacros
* New wiki markup for /* inline comments */ - they get rendered as a span
with class="comment", see next item:
* There is a new item in the edit bar: "Comments". If you click it, the
visibility of all class "comment" tags will be toggled. There is a user
preferences item "show_comments" to set if the default view shows them or not.
* The wiki parser can be used with css classes now:
{{{!wiki comment
This will render output within a div with class "comment".
You can use any wiki markup as usual.
}}}
You can also combine multiple css classes like this:
{{{!wiki red/dotted/comment
This will render a red background, dotted border comment section.
}}}
The same thing will work for any other css classes you have.
If the css classes contain the word "comment", they will trigger some
special feature, see next item:
* Wiki nested parser/pre sections work now, using this syntax:
a) just use more curly braces if you have 3 closing in your content:
{{{{
}}} <- does not terminate the section!
}}}}
b) use {{{ + some magic string:
{{{somemagicstring
}}} <- does not terminate the section!
somemagicstring}}}
c) {{{whatever!python
py code
whatever}}}
Pitfall: stuff like below does not work as it did in 1.5:
{{{aaa
bbb}}}
Solution:
{{{
aaa
bbb
}}}
* Added support for ircs: URLs (secure IRC).
* New text/creole parser that allows you to use WikiCreole 1.0 markup,
use format creole.
* HTML parser (called "html") that allows you to use HTML on the page.
Thanks to the trac team for the nice code.
* Added the diff parser from ParserMarket, thanks to Emilio Lopes, Fabien
Ninoles and Juergen Hermann.

XMLRPC: --------------------------------------------------------------------
* actions_excluded now defaults to ['xmlrpc'] - this kind of disables the
built-in wiki xmlrpc server code (not completely: it will just answer
with a Fault instance for any request). If you want to use xmlrpc v1 or
v2, you have to remove 'xmlrpc' from the actions_excluded list (for
example if you want to use wikisync, mailimport or any other feature
using xmlrpc). If you enable xmlrpc, it will be possible that someone
changes your wiki content by using xmlrpc (it will of course honour ACLs).
* New XMLRPC methods (see doc strings for details):
* getMoinVersion
* system.multicall -- multicall support
* Authentication System: getAuthToken/appyAuthToken
* getDiff -- method to get binary diffs
* mergeDiff -- method to local changes remotely
* interwikiName -- method to get the IWID and the interwiki moniker
* getAllPagesEx -- method to get the pagelist in a special way (revnos,
no system pages etc.)
* getAuthToken -- make and authentication token by supplying username/password
* applyAuthToken -- set request.user for following xmlrpc calls (within the
same multicall)
* getUserProfile -- method to get user profile data for request.user
* Added XMLRPC methods for attachment handling. Thanks to Matthew Gilbert.
* XMLRPC putPage method adjusted to new AuthToken, config vars
xmlrpc_putpage_enabled and xmlrpc_putpage_trusted_only removed.

Scripts / Commandline interface: -------------------------------------------
* moin export dump now better conforms to the theme guidelines.
* Added a --dump-user option to the moin export dump command.
Thanks to Oliver O'Halloran.

Security / Auth / AntiSpam / etc.: -----------------------------------------
* Hierarchical ACLs are now supported, i.e. pages inheriting permissions
from higher-level pages. See HelpOnAccessControlLists.
* If you have "acl" (without the quotes) on a page, this means now:
"this page has own (empty) ACLs, so do not use acl_rights_default here"
Please note that this is COMPLETELY DIFFERENT from having no ACL line at
all on the page (acl_rights_default is used in that case).
* Antispam master url is now configurable via cfg.antispam_master_url.
The default is to fetch the antispam patterns from MoinMaster wiki.
* Antispam now checks the edit comments against BadContent also.
* TextCHAs (text-form CAPTCHAs).
Due to increasingly annoying wiki spammers, we added the option to use
TextCHAs (for page save (not for preview!), for attachment upload, for
user creation (not for profile save)).
This function is disabled by default. If you run a wiki that is editable
by anonymous or non-approved users from the internet (i.e. All: or Known:
in ACL terms), you should enable it in your wiki config by:
textchas = { DO NOT USE EXACTLY THESE QUESTIONS!!!
'en': {
u'H2O is ...': u'water', bad: too common
u'2 apples and three bananas makes how many fruits?': ur'(five|5)', good
u'2 apples and three pigs makes how many fruits?': ur'(two|2)', good
u'2+3': ur'5', bad: computable
u'
},
'de': { for german users
u'H2O ist ...': u'wasser',
},
}
This means that english users will get some random question from the 'en'
set, german users will get some from the 'de' set. If there is no 'de'
set configured, moin will fallback to language_default and then to 'en',
so make sure that you at least have a 'en' set configured (or whatever
you have set as language_default).
You need to use unicode for the questions and answers (see that u"...").
For the answer, you need to give a regular expression:
* In the easiest case, this is just some word or sentence (first en
example). It will be matched in a case-insensitive way.
* For more complex stuff, you can use the power of regular expressions,
e.g. if multiple answers are correct (second en example). Any answer
matching the regular expression will be considered as correct, any
non-matching answer will be considered as incorrect.

Tipps for making it hard to break for the spammers and easy for the users:
* Use site-specific (not too common) questions.
* Don't use too hard questions (annoys legitimate users).
* Don't use computable questions.
* Don't reuse textchas from other sites.

textchas_disabled_group = None (default)
Set this to some group name and noone in this group will get textchas.
E.g.: textchas_disabled_group = u'NoTextChasGroup'

* The login page gives now the possibility to recover a lost password, thanks to
Oliver Siemoneit. This is especially useful for wikis where access to user
preferences is restricted by acl.
* Session handling for logged-in users and (not by default due to expiry
problems) anonymous users.
* Updated the ldap_login code from 1.5 branch, supports TLS now.
See MoinMoin/config/multiconfig.py for supported configuration options
and their defaults (and please just change what you need to change,
in your wikiconfig).
* Interwiki auth: You need to define cfg.trusted_wikis and
cfg.user_autocreate to use it. Logging in works by entering:
Name: RemoteWikiName RemoteUserName
Password: remotepass
Then moin contacts RemoteWikiName after looking it up in the interwiki
map and tries to authenticate there using RemoteUserName and remotepass.
If it succeeds, the remote wiki will return the remote user profile items
and your local moin will autocreate an account with these values.

Server / Network / Logging: ------------------------------------------------
* The standalone server script moved to the toplevel directory. This makes
it possible to directly start moin.py without additional configuration
to run a MoinMoin DesktopEdition like wiki setup.
Be careful: DesktopEdition uses relaxed security settings only suitable
for personal and local use.
* Added TLS/SSL support to the standalone server. Thanks to Matthew Gilbert.
To use TLS/SSL support you must also install the TLSLite library
(http://trevp.net/tlslite/). Version 0.3.8 was used for development and
testing.

* cfg.log_reverse_dns_lookups [default: True] - you can set this to False
if rev. dns lookups are broken in your network (leading to long delays
on page saves). With False, edit-log will only contain IP, not hostname.
* Added support for "304 not modified" response header for AttachFile get
and rss_rc actions - faster, less traffic, less load.

* Added logging framework, using stdlib's "logging" module. Just do
import logging ; logging.debug("your text"). Depending on configuration
in the server Config class, your stuff will be written to screen (stderr),
to a moin logfile, to apache's error.log, etc.:
logPath = None 'moin.log'
loglevel_file = None logging.DEBUG/INFO/WARNING/ERROR/CRITICAL
loglevel_stderr = None logging.DEBUG/INFO/WARNING/ERROR/CRITICAL
NOTE: this is NOT in wikiconfig, but e.g. in moin.cgi or moin.py or ...

* Added some experimental and disabled code, that uses x-forwarded-for
header (if present) to get the right "outside" IP before a request
enters our chain of trusted (reverse) proxies.
This code has the problem that we can't configure it in wikiconfig, so
if you want to use it / test it, you have to edit the moin code:
MoinMoin/request/__init__.py - edit proxies_trusted (near the top).
We will try to make this easier to configure, but there was no time left
before 1.6.0 release for doing bigger code refactorings needed for that.

Mail: ----------------------------------------------------------------------
* You can send email to the wiki now (requires xmlrpc), see:
FeatureRequests/WikiEmailIntegration, HelpOnConfiguration/EmailSupport

* Mail notifications contain a link to the diff action so the user
can see the coloured difference more easily. Thanks to Tobias Polzin.

Other changes: =============================================================
* HINT: please copy a new version of your server script from the wiki/server/
directory and edit it to match your setup.
* HINT: instead of "from MoinMoin.multiconfig import DefaultConfig" you
need to use "from MoinMoin.config.multiconfig import DefaultConfig" now.
You need to change this in your wikiconfig.py or farmconfig.py file.
See MoinMoin/multiconfig.py for an alternative way if you can't do that.
* HINT: you need to change some imports (if you have them in your config):
Old: from MoinMoin.util.antispam import SecurityPolicy
New: from MoinMoin.security.antispam import SecurityPolicy
Old: from MoinMoin.util.autoadmin import SecurityPolicy
New: from MoinMoin.security.autoadmin import SecurityPolicy
* HINT: you need to change your auth stuff, the new way is:
from MoinMoin.auth import moin_login, moin_session
from MoinMoin.auth.http import http
auth = [http, moin_login, moin_session]
Do it in a similar way for other auth methods.
* HINT: you need to change your url_prefix setting in 2 ways:
1. The setting is now called url_prefix_static (to make it more clear
that we mean the static stuff, not the wiki script url).
2. The strongly recommended (and default) value of it is '/moin_static160'
for moin version 1.6.0 (and will be ...161 for moin 1.6.1). It is
possible and recommended to use a very long cache lifetime for static
stuff now (Expires: access plus 1 year), because we require to change
the URL of static stuff when the static stuff changes (e.g. on a
version upgrade of moin) to avoid problems with stale cache content.
Your moin will be faster with lower load and traffic because of this.
For standalone server, we use 1 year expiry for static stuff now.
For Apache, Lighttpd and other "external" servers, you have to care
for configuring them to use a long expiry and change url_prefix_static
related configuration on upgrade.
HINT: if you run standalone or Twisted server, the easiest way to get a
working configuration (with server configuration matching wiki
configuration) is to NOT set url_prefix_static at all. Moin will
use matching configuration defaults in this case.
* url_prefix_action ['action'] was introduced for lowering load and traffic
caused by searchengine crawlers. Up to now, crawlers where causing a high
load in internet moin wikis because they tried to get about everything,
including all actions linked from the user interface.
Known crawlers only get 403 for most actions, but nevertheless they first
tried. There was no means keeping them away from actions due to the rather
braindead robots.txt standard. You can only disallow pathes there, but
moin's actions were querystring based, not path based (this would need
regex support in robots.txt, but there is no such thing).
This changed now. Moin is able to generate action URLs you can handle in
robots.txt, like /action/info/PageName?action=info. So if you don't want
bots triggering actions, just disallow /action/ there. Keep in mind that
attachments are handled by /action/AttachFile, so if you want attached
files and pictures indexed by search engine, don't disallow
/action/AttachFile/ in your robots.txt. In order to use this feature,
set url_prefix_action in your wikiconfig to e.g. "action".
* We use (again) the same browser compatibility check as FCKeditor uses
internally, too. So if GUI editor invocation is broken due to browser
compatibility issues or a wrong browser version check, please file a bug
at FCKeditor development or browser development.
* HINT: We removed Lupy based indexed search code. If you were brave enough
to use cfg.lupy_search, you maybe want to try cfg.xapian_search instead.

Developer notes: ===========================================================
* We moved the IE hacks to theme/css/msie.css that gets included after all
other css files (but before the user css file) using a conditional
comment with "if IE", so it gets only loaded for MSIE (no matter which
version). The file has some standard css inside (evaluated on all MSIE
versions) and some * html hacks that only IE < 7 will read.
HINT: if you use custom themes, you want to update them in the same way.
* autofilters for databrowser widget. Thanks to Johannes Berg for the patch.
* changed formatter.attachment_link call (it is now more flexible,
because you can render the stuff between link start and link end yourself)
* Page.url() does not escape any more. You have to use wikiutil.escape()
yourself if you want to write the URL to HTML and it contains e.g. &.
* The testing wikiconfig moved to tests/wikiconfig.py, the testing wiki
is now created in tests/wiki/...
* HINT: Killed "processors" (finally), formatter method changed to:
formatter.parser(parsername, lines)
* Refactored some actions to use ActionBase base class.
* Moved "test" action from wikiaction to MoinMoin/action/
(and use ActionBase).
* Moved MoinMoin/config.py to MoinMoin/config/__init__.py.
* Moved MoinMoin/multiconfig.py to MoinMoin/config/multiconfig.py.
* Moved "SystemInfo" macro from wikimacro to MoinMoin/macro/.
* Moved wikiaction.py stuff to MoinMoin/action/__init__.py.
* Moved wikimacro.py stuff to MoinMoin/macro/__init__.py.
* Moved wikirpc.py stuff to MoinMoin/xmlrpc/__init__.py.
* Moved wikitest.py stuff to action/test.py (only used from there).
* Moved formatter/base.py to formatter/__init__.py (FormatterBase).
* Moved util/ParserBase.py to parser/ParserBase.py.
* Moved / splitted request.py into MoinMoin/request/*.
Most stuff will be broken, please help fixing it (usually some imports
will be missing and the adaptor script will need a change maybe):
Tested successfully: CGI, CLI, STANDALONE, FCGI, TWISTED
* Moved security.py to security/__init__.py.
* Moved wikiacl.py to security/__init__.py.
* Moved logfile/logfile.py to logfile/__init__.py.
* Moved mailimport.py to mail/mailimport.py.
* Moved util/mail.py to mail/sendmail.py.
* Moved auth.py to auth/__init__.py.
Moved util/sessionParser.py to auth/_PHPsessionParser.py.
teared auth code into single modules under auth/* - moin_session handling
and the builting moin_login method are in auth/__init__.py.
* Added wikiutil.MimeType class (works internally with sanitized mime
types because the official ones suck).
* Renamed parsers to module names representing sane mimetypes, e.g.:
parser.wiki -> parser.text_moin_wiki
* Added thread_monitor debugging aid. It can be activated using:
from MoinMoin.util import thread_monitor; thread_monitor.activate_hook()
and then triggered by requesting URL ...?action=thread_monitor - please
be aware that monitoring threads has a big performance impact on its own,
so you only want to temporarily enable this for debugging.
By default, it dumps its output to the data_dir as tm_<timestamp>.log,
you can change this at bottom of action/thread_monitor.py if you want to
see output in your browser.
* Introduced scope parameter to CacheEntry() - if you specify 'farm', it
will cache into a common directory for all wikis in the same farm, if you
specify 'wiki', it will use a cache directory per wiki and if you specify
'item', it will use a cache directory per item (== per page).
Creating a CacheEntry without explicit scope is DEPRECATED.
* Smileys moved from MoinMoin.config to MoinMoin.theme.
* Removed all _ magic in URLs and filenames.
* request.action now has the action requested, default: 'show'.
* Cleaned up duplicated http_headers code and DEPRECATED this function
call (it was sometimes confused with setHttpHeaders call) - it will
vanish with moin 1.7, so please fix your custom plugins!
The replacement is:
request.emit_http_headers(more_headers=[])
This call pre-processes the headers list (encoding from unicode, making
sure that there is exactly ONE content-type header, etc.) and then
calls a server specific helper _emit_http_headers to emit it.
Tested successfully: CGI, STANDALONE, FCGI, TWISTED
* setResponseCode request method DEPRECATED (it only worked for Twisted
anyway), just use emit_http_headers and include a Status: XXX header.
Method will vanish with moin 1.7.
* cfg.url_prefix is DEPRECATED, please use cfg.url_prefix_static.
* d['title_link'] is not supported any more. You can easily make that link
on your own in your theme, see example in MoinMoin/theme/__init__.py,
function "title".
* There is a new Page method called Page.get_raw_body_str that returns
the encoded page body. This is useful if you just deal with byte data
(e.g. while generating binary diffs).
* The TagStore/PickleTagStore system is used to store the syncronisation tags.
* XMLRPC functions may return Fault instances from now on
* Moin got multicall support, including a module that makes it usable on the
client-side without requiring Python 2.4
* Added no_magic to text_html formatter to disable tag autoclosing.
* MOIN_DEBUG can be set in the environment to let MoinMoin ignore exceptions
that would lead to a traceback in the browser. Thanks to Raphael Bossek.
* There is a new MoinMoin.Page.ItemCache class now with automatic cache
invalidation based on global edit-log. We currently use it to cache page
acls, speedup Page.get_rev and reading the page local edit-log.
* Added wikiutil.renderText parse and format raw wiki markup with all page elements.
* The user file format has changed, old files will be read correctly but
will silently be upgraded to the new format so old versions will not
read the new files correctly (this only affects 'subscribed_pages' and
'quicklinks' which will be lost when downgrading.)

New features:
* Added timing.log to help performance debugging. Use cfg.log_timing = True
to update <data_dir>/timing.log (default is False, meaning no logging).

Example log entries:


Timestamp PID Timing Flag action URL
-----------------------------------------------------------------------------
20070512 184401 22690 vvv None moinmoin.wikiwikiweb.de/RssFeeds
20070512 184401 22690 0.267s - show moinmoin.wikiwikiweb.de/RssFeeds

Timestamp: YYYYMMDD HHMMSS (UTC)
PID: the process ID of the moin process
Timing: when action starts, it will be "vvv"
when it ends, it logs the total time it needed for execution
Flag (some are only logged at end of action):
+ Page exists
- Page does not exist
B user agent was recognized as bot / spider
!x! Action took rather long (the higher the x, the longer it took - this
makes it easy to grep for problematic stuff).
Action: action name (None is when no action was specified, moin assumes
"show" for that case)
URL: the requested URL

For more information about tuning your moin setup, see:
http://moinmoin.wikiwikiweb.de/PerformanceTuning
* Added support for ircs, webcal, xmpp, ed2k and rootz protocols - we
moved all protocols to config.url_schemas, so this is not empty any more.
It is possible to use these protocols now on wiki pages and in the
navi_bar. We just generate the URLs, it is up to your browser what it
does when clicking on those links.
* cfg.traceback_show (default: 1) can be used to disable showing tracebacks.
cfg.traceback_log_dir (default: None) can be used to set a directory
that is used to dump traceback files to. Your users will get a notice to
which (random) file in that directory the traceback was been written.
NOTE: while you can feel free to set traceback_show = 0 and
traceback_log_dir = None, we will also feel free to reject bug reports
when you (or your site's users) don't give us enough information (like a
traceback file) to debug the problem. If you set traceback_show = 0,
we recommend pointing traceback_log_dir to a directory with reasonable
free space and putting a page onto your wiki that describes who has to
get contacted (usually the wiki server admin) in case a traceback happens.
The admin can then locate the traceback file and submit it to moin
development, if the bug is not already known (see MoinMoin:MoinMoinBugs).
Of course we will also need all the other details of a bug report, not
only the traceback file.

Other changes:
* Updated spider agents list.
* Reduce bot/spider cpu usage for SystemInfo, OrphanedPages, WantedPages,
PageHits, PageSize, WordIndex macros (we just return nothing for bots).

Bugfixes:
* XSS fixes, see http://secunia.com/advisories/24138/ (item 1 and 2).
* ACL security fixes:
* MonthCalendar respects ACLs of day pages now.
* Check the ACL for the rst markup include directive.
* Fixed cleaning of edit comments (control chars in there could damage
edit-log).
* Fixed in-process caching of antispam patterns (didn't update the cache
for multi-process, persistent servers).
* Correct encoding/decoding for surge-log data, fixes leftover
surge-logXXXXXXX.tmp files in data/cache/surgeprotect.
* Fixed mode of cache files (mkstemp creates them with 0600 mode).
* Symbolic entities with numbers (like &sup2;) did not work, fixed.
* We open data/error.log earlier now and we also use it for FastCGI.
* Fixed unicode cfg.page_group_regex.
* Fixed moin.spec to use english date format.
* GUI converter: fixed conversion of relative wiki links.
* Fixed NewPage macro button label to not be formatted as wiki text.

New features:
* added url_prefix_local which is used for stuff that must be loaded from
same site as the wiki engine (e.g. FCKeditor GUI editor applet), while
url_prefix can be a remote server serving the static files (css/img).
If not set (or set to None), url_prefix_local will default to the value
of url_prefix.
* We save some CPU and disk I/O by having EditTemplates and LikePages macro
(both used on MissingPage) check whether the requesting entity was
identified as a spider (e.g. search engine bot) and do nothing in that
case. Normal users won't see any difference.
* For AttachFile, you can now choose to overwrite existing files of same
name (nice for updating files).

Bugfixes:
* XSS Fixes:
* fixed unescaped page info display.
* fixed unescaped page name display in AttachFile, RenamePage and
LocalSiteMap actions
* WantedPages listed existing pages that are not readable for the user,
but are linked from pages that ARE readable for the user (so this is NOT
a privacy/security issue). We now don't list those pages any more as it
is pointless/confusing, the user can't read or edit there anyway.
* MoinMoin:MoinMoinBugs/TableOfContentsUsesNonExistingIncludeLinks
* MoinMoin:MoinMoinBugs/ActionsExcludedTriggerError
* GUI editor/converter:
* ignore <col>/<colgroup>/<meta> elements
* support <a> within blockquote
* Remove generated=... attribute from pagelink html output (this attr is
for internal use only). w3c validator is now happier again.
* Fixed css class "userpref" (not: "userprefs") of the Login form.
* Fixed the version number check in the xslt parser for 4suite >= 1.0.
* We reset the umask to the wanted value every request. This should fix
wrong file modes when used with Twisted (twistd uses a hardcoded 0077
umask in daemonize()).
* Avoid trouble when saving pages with antispam function when MoinMaster
wiki is having troubles (catch xmlrpc Fault).

Other changes:
* Standalone server does not do reverse DNS lookups any more (this is a
standard feature of BaseHTTPServer stdlib module, but we override this
now and just print the IP).
* We moved the IE hacks to theme/css/msie.css that gets included after all
other css files (but before the user css file) using a conditional
comment with "if IE", so it gets only loaded for MSIE (no matter which
version). The file has some standard css inside (evaluated on all MSIE
versions) and some * html hacks that only IE < 7 will read.
HINT: if you use custom themes, you want to update them in the same way.
* Improved ldap auth:
* cfg.ldap_name_attribute was removed because of new cfg.ldap_filter.
If you had ldap_name_attribute = 'sAMAccountName' before, just use
ldap_filter = '(sAMAccountName=%(username)s)' now.
* New cfg.ldap_filter used for the ldap filter string used in the ldap
search instead of the rather limited, partly hardcoded filter we used
before. This is much more flexible:
ldap_filter = '(sAMAccountName=%(username)s)'
You can also do more complex filtering expressions like:
'(&(cn=%(username)s)(memberOf=CN=WikiUsers,OU=Groups,DC=example,DC=org))'
* Added some processing to filter out result entries with dn == None.
* We set REFERRALS option to 0 before initializing the ldap server
connection (this seems to be needed for Active Directory servers).
* We support self-signed ssl certs for ldaps - completely untested.
* New cfg.ldap_surname_attribute (usually 'sn'), was hardcoded before.
* New cfg.ldap_givenname_attribute (usually 'givenName'), hardcoded before.
* New cfg.ldap_aliasname_attribute (usually 'displayName') - if this
attribute is not there or empty (in the results of the ldap lookup for
the user), we just make up the aliasname from surname and givenname
attribute.
* We only request the attributes we need from ldap (was: all attrs).
* We deny user login (and break out of auth chain) for the following cases:
* if a user is not found by ldap lookup
* if we find more than one matching entry
* if the password is empty or incorrect
* if some exception happens
* Please note that there is an updated ldap sample config in directory
wiki/config/more_samples/.
* Added experimental LDAP SSL/TLS support (untested, please help testing),
see also the sample config.
* Work around a IE7 rendering problem with long pages getting more and
more narrow. We just applied the same "fix" as we used for IE6, using
"display: none" for span.anchor for IE browsers.
* RSS feed related:
* We used to emit a <link> tag for the action=rss_rc RSS feed on any
page. This was changed, we now emit that link only on RecentChanges and
the current user's language translation of RecentChanges.
This was changed because Google Toolbar requests the RSS feed linked
by such a link tag every time it sees one. Thus, if you used the wiki
normally, it requested the RSS feed every few seconds and caused
problems due to surge protection kicking in because of that.
* HINT for custom theme users: if your theme code calls
rsslink(), then you need to change that to rsslink(d) for 1.5.7+.

A general security notice:
Check your Python version, there was a buffer overflow issue in Python
recently! Details: http://moinmoin.wikiwikiweb.de/PythonUnicodeEscapeBug

Bugfixes:
* Fix AttributeError traceback with Standalone server (if_modified_since)
* Fix AttachFile "304 not modified" and redirect status code for Twisted
* http auth: we now decode username and password to unicode (using
config.charset == utf-8). Same for SSL client cert auth and CN.
* Avoid infinite recursion in Page.parsePageLinks.
* Fixed standalone server failing to shutdown if interface == "".
* Now MoinMoin does not think anymore that every page links to various user
homepages.
* Made the irssi parser more tolerant (Thanks to "TheAnarcat").
* Now multiple formatters can be used per request, the send_page code was
not reentrant to this regard. Fixes "empty" search results.
* Fixed problem with "=" in ImageLink macro links.
* Not a moin bug, but a silly stdlib os.tempnam function made trouble to
some people because it lets you override the path given in the code
by setting the environment variable TMP(DIR). We now use a different
function to avoid renaming trouble when TMP(DIR) points to a different
file system.
* Fixed antispam update on every save (Thanks to "TheAnarcat").
* GUI converter: don't throw away rowclass for tables.
* GUI editor formatter: allow height for table cells.
* GUI editor formatter: comment texts are output using the formatter now.

New features:
* Mail notifications contain a link to the diff action so the user
can see the coloured difference more easily. Thanks to Tobias Polzin.
* FeatureRequests/MoveAttachments - you can move attachments from one
page to another (and also rename the attachment at the same time).
Thanks to Reimar Bauer.
* Added support for linking to attachment: and inline: URLs with ImageLink.
* Added UNIX socket support for FastCGI, just set the port to some (socket)
filename. Details see: MoinMoin:FeatureRequests/FastCgiUnixSocket
* [[Attachlist(pagename,mimetype)]] lists attachments of pagename (default:
current page) with optional mimetype restriction (default: all).
Thanks to Reimar Bauer.

Other changes:
* Minor performance improvements (might be noticeable if you have many
custom navi_bar entries and high server load).
* Avoid usage of no-cache because it breaks attachment download on IE6.
This is a IE bug, not a moin bug.
* Added XHTML to the unsafe list.
* Changed the rst parser to be compatible to the new docutils interface
for directives.
* Updated EmbedObject macro.

HINT: read docs/README.migration.
HINT: there was NO change in the underlay/ pages since 1.5.4.
HINT: If you experience problems with the reStructured Text (rst) parser,
please downgrade docutils to "0.4" because there were major interface
breaking API refactorings on the docutils trunk.

Bugfixes:
* GUI editor fixes:
* Fixed MoinMoinBugs/GuiEditorModifiesInterwikiPreferred.
* Fixed MoinMoinBugs/TableAlignmentProbsWithGUI.
* Not a moin bug, but it severely annoyed IE users and also was less
comfortable for users of other browser: since about 1.5.4, we served
attachments with Content-Disposition: attachment - so that the user has
to save them to disk. This was to fix a possible XSS attack using attached
HTML files with Javascript inside for stealing your moin cookie or doing
other nasty things. We improved this by using different behaviour depending
on the potential danger the attached file has when served inline:
mimetypes_xss_protect = ['text/html', 'application/x-shockwave-flash', ]
This is the default value. If you know more dangerous stuff, please just
add the mimetypes there to protect your users and file a bug report
telling us what we missed.
* Fixed MoinMoinBugs/ReStructuredTextRelativeLinksBroken, thanks to Stefan
Merten.
* Make tickets used for some actions more safe.

New features:
* edit_ticketing [True] - we protect page save by a ticket (same stuff we
already use for DeletePage and RenamePage action).
NOTE: If you don't use your browser for editing, but some tool like
"editmoin" or "MoinMoin plugin for jEdit", you'll need an update
of them supporting the ticket.
Alternatively, you can use edit_ticketing = False setting - this
is not recommended for internet wikis as it will make spamming them
easier.
* If we detect some spammer, we kick him out by triggering surge protection
(if surge protection is not disabled).