Roundup

Fixed:

- encoding for SSHA encoded passwords with Python 3 (Christof
Meerwald)
- exception in logout action when there is no session (Christof
Meerwald)
- quote all non-numeric data in csv export functions. Report that a
title like '=a2+b3' could be interpreted as a function in Excel and
executed. csv.writer now includes quoting=csv.QUOTE_NONNUMERIC to
generate quoted values for all fields. This makes the string
starting with = be interpreted as a string and not a formula. (John
Rouillard as reported in the decomissioned bpo meta tracker IIRC.)
- issue2551084 - Fix inefficiency in roundup-admin. Streamline code and
bring in line with 2.7 and newer python functionality. (Patch by Tom
Ekberg (tekberg); John Rouillard)
- provide fallback for import gdbm under python3. If gdbm import
fails, try import of dbm.gnu. (John Rouillard)

Features:

- When defining Link or Multilink properties in the schema, it's now
possible to add a parameter rev_multilink that accepts a property name
to be inserted into the linked-to class. So this creates a reverse
Multilink property in the linked-to class. This Multilink is read-only
(cannot be updated) but can be used in filter -- and thus in normal
index templates as well as in the REST and XMLRPC APIs. (Ralf
Schlatterbeck)
- Add a 'is_restore_ok' method similar to 'is_retire_ok' for use in
templates.
- Allow to configure the mysql charset when opening a connection to the
database. The parameter was conditional on python version > 2 but
seems to work fine with python2.7. According to the MySQLdb API docs,
the charset argument is supported with MySQL 4.1 which was released in
2004. There are some legacy reasons why one would want to not pass a
charset argument or pass an argument different from the default of
'utf8'. (Ralf Schlatterbeck)
- Index created for documentation. Links created for website docs and
released docs. Needs more refinement, but it exists at least.
(John Rouillard)
- New filter command defined in roundup-admin. (Partial fix for
issue724648.) (John Rouillard)
- New parameter stats for REST interface that provides the same
performance stats as the web interface's CGI_SHOW_TIMING env
variable. (John Rouillard)
- New roundup-admin command importtables allows importing just the
database dump created by exporttables. (John Rouillard)
- New config-option 'cookie_takes_precedence' in the [web] section. This
allows sub-logins (e.g. without a password given a specific role) even
when a non-cookie login mechanism (like Kerberos) is in use. With that
mechanism e.g., a Kerberos ticket will not take precedence over an
existing cookie. This might become the default in the future and the
new option might go away.
- Add data attributes to classhelp templating code. This provides
a method to allow classhelp to work if there is a
Content-Security-Policy implemented by the roundup admin that uses
the client_nonce. See:
https://wiki.roundup-tracker.org/AddingContentSecurityPolicy for details.

2020-04-05 2.0.0 beta 0

Features:

- Allow to pass additional headers to nosymessage, nice if a message
needs to be marked as urgent or similar, e.g., Outlook uses an
"Importance" header, when set to "high" it highlights the message.
(Ralf Schlatterbeck)
- issue2550926 - Original author adding a second message shouldn't set
status to 'chatting'. See upgrading.txt for details. (John Rouillard)
- issue2550919 - Anti-bot signup using 4 second delay. New config.ini
param [web] registration_delay must be set to 0 if template
user.register.html is not modified. See upgrading.txt for details.
- Reimplement -u <login>[:<password>]. This opens the database as the
user and applies expected permissions. It also creates history
entries for the user. Note that the password is unused, no mention
of it is in the spec that I can find, so not sure what it was
supposed to be used for as the CLI has full access to the files so a
password check is not useful. An edge case is when the login has a :
in it. In this case it may not work as expected. So don't do that.
- Implement Cache-Control headers for static files. Allows tracker
admin to control caching for css, js and other static files. See
customizing.html. The use is documented in the section describing
how to use interfaces.py.
- issue2551071 Update jinja template to bootstrap 4. Updated to 4.4.1.
The pull request has been around for a while. (Patch: Paul Spooren;
templates merged and additional changes by Christof Meerwald; other
merged by John Rouillard)
- Add config option 'http_auth_convert_realm_to_lowercase'
If usernames consist of a name and a domain/realm part of the form
userrealm and we're using REMOTE_USER for authentication (e.g. via
Kerberos), convert the realm part of the incoming REMOTE_USER to
lowercase before matching against the roundup username. This allows
roundup usernames to be lowercase (including the realm) and still
follow the Kerberos convention of using an uppercase realm. In
addition this is compatible with Active Directory which stores the
username with realm as UserPrincipalName in lowercase.
- Cleaned up the WSGI interface implementation by separating the
request handler from the request displatcher. Also allow
customisation of tracker instance creation via an overridable
"get_tracker" context manager.
- Allow transitive properties in fields in REST API. These transitive
properties may not cross Multilinks, e.g., when querying 'issue' the
property 'messages.author' is not allowed (because 'messages' is a
multilink). A multilink at the end (e.g. messages in the example) is
fine.
- Added markdown rendering using markdown, markdown2 or mistune; use
SimpleMDE markdown editor in jinja2 template (Christof Meerwald)
- Allow filtering by multiple date ranges or empty date. Date ranges are
separated by comma, an empty date is represented by '-'
- issue2551083 - Replace BaseException and Exception as base classes
with new RoundupException (inheriting from Exception) for most
roundup exceptions. (John Rouillard and Ralf Schlatterbeck on
request from Robert Klonner.)

Fixed:

- issue2550996 - Give better error message when running with -c
(install as windows service) and pywin32 is not importable. Could use
better testing on a windows box. (John Rouillard)
- issue2550921 - Can create login name with , in it. Confuses nosy
list editing. Also can embed html tags. Updated userauditor.py
to prevent this. See updating.txt. (John Rouillard)
- issue1344046 - Search for "All text" can't find some Unicode words
(John Rouillard, Ezio Melotti)
- issue1195739 - search in russian does not work (John Rouillard, Ezio
Melotti)
- issue2550920 - Registration with confirmation detects duplcate name
when using validation. Added option to allow detection of duplicate
username when the user tries to register. Previously user was
rejected when confirming registration. (John Rouillard)
- French translation gave errors with Python 3 because of ISO-8859-1
character in .mo file header. (Joseph Myers)
- Fix representation of boolean html attributes to be 'required'
rather than the xhtml form of 'required="required"'. Specify
(reverted attribute value same as attribute name or) attribute
value of None, to output attribute as boolean. (John Rouillard)
Reverted (part of) this change. It breaks rendering of non-boolean
attributes (like name="name"). So only value of None renders
attribute properly as boolean. (Ralf Schlatterbeck)
- issue2551076 - in responsive template, default searches for bugs and
tasks sets status=new default should be "don't care". (Report:
Ludwig Reiter; Fix: John Rouillard)
- issue2551077 - In "jinja2" template: cannot login if German language
is used. Fixed three places where the value of a hidden action
input field was translated. (Reported by Ludwig Reiter. John
Rouillard)
- Document security issues in xmlrpc interface in doc/xmlrpc.txt.
- Enable autoescape in the jinja2 template and use the i18n extension
for translations. (Report: John Rouillard; Fix: Christof Meerwald)
- Cleanup code by linting using flake8. (John Rouillard)
- Cleanup code by security linting using bandit. (John Rouillard)
- issue2550912 - fixed missing query string in __came_from for jinja2
template. (Christof Meerwald)
- issue2551019 - handle character set conversions for CSV export
action in Python 3. (Christof Meerwald)
- issue2551051: Return a 403 on non-existing or non-searchable
transitive properties when queried via REST-API (same behavior for
sorting and searching).
- Fixed ReStructuredText encoding with Python 3.

2019-10-23 2.0.0 alpha 0

Features:

- issue2550901: add search page to jinja2 template (Christof Meerwald)
- issue2550982: use PBKDF2 in Python's hashlib, if available (Python
2.7.8+), to improve performance over bundled pure Python
version. Note that acceleration via m2crypto is no longer supported
(Christof Meerwald)
- issue2550989: PGP encryption is now done using the gpg module
instead of pyme. (Christof Meerwald)
- issue2550987: Use updated MySQL client module that supports Python
3. (Christof Meerwald)
- issue2550967: the jinja2 loader has been extended to look for .xml
files as well as .html files similar to the TAL loader. (Christof
Meerwald)
- Support for Python 3 (3.4 and later). See doc/upgrading.txt for
details of what is required to move an existing tracker from Python
2 to Python 3 (Joseph Myers, Christof Meerwald)
- Merge the Google Summer of Code Project of 2015, the implementation of
a REST-API for Roundup. This was implemented by Chau Nguyen under the
supervision of Ezio Melotti. Some additions were made, most notably we
never destroy an object in the database but retire them with the
DELETE method. We also don't allow to DELETE a whole class. Python3
support was also fixed and we have cherry-picked two patches from the
bugs.python.org branch in the files affected by the REST-API changes.
- Patch to client.py and roundup-server needed by REST-API
code. Support OPTIONS verb and prevent hangs when processing a verb
other than GET that doesn't have a payload. E.G. DELETE, PATCH or
OPTIONS. Verbs like PUT and POST usually have payloads, so this
patch doesn't touch processing of these methods. (John Rouillard)
- Patches to new rest code:
- Generated links in responses should use the base url specified
in config.ini.
- allow user (e.g. in browser) to override response type/Accept
header using extension in url. E.G. .../issues.json. This fixes
the existing code so it works.
- fix SECURITY issue. Retrieving the item of a class
(e.g. /rest/data/user/2) would display properties the user wasn't
allowed to access. Note that unlike the web interface, passwords
and roles for users are still retreivable if the user has access
rights to the properties.
- ETags are sent by GET operations and required for DELETE, PUT and
PATCH operations. ETag can be supplied by HTTP header or in the
payload by adding the field etag to the form with the value of
the etag.
- If dict2xml.py is installed, the rest interface can produce an XML
format response if the accept header is set to text/xml.
(See: https://pypi.org/project/dict2xml/)
- When retrieving collection move list of collection elements to
collection property. Add links property with self, next and prev
links (where needed). Add total_size with size of entire
collection (unpaginated). Pagination index starts at 1 not 0.
- accept content-type application/json payload for PUT, PATCH, POST
requests in addition to application/x-www-form-urlencoded.
(John Rouillard)
- issue2550833: the export_csv web action now returns labels/names
rather than id's. Replace calls to export_csv with the export_csv_id
action to return the same data as the old export_csv action. (Tom
Ekberg (tekberg), Andreas (anrounham14) edited/applied and tests
created by John Rouillard)
- issue2551018: Add new note_filter parameter to nosymessage. The
function supplied by this parameter can rewrite the body of the
nosymessage before it gets sent. See issue:
https://issues.roundup-tracker.org/issue2551018 for example
nosyreaction and generated email. (Tom Ekberg (tekberg))
- issue2550949: Rate limit password guesses/login attempts. Rate
limit mechanism added for web page logins. Default is 3 login
attempts/minute for a user. After which one login attempt every 20
seconds can be done. (John Rouillard)
- issue2551043: Add X-Roundup-issue-id email header. Add a new header
to make it easier to filter notification emails without having to
parse the subject line. (John Rouillard)
- The database filter method now can also do an exact string search.
- The database filter method now has limit and offset parameters that
map to the corresponding parameters of SQL.
- issue2551061: Add rudimentary experimental support for JSON Web
Tokens (jwt) to allow delegation of limited access rights to third
parties. See doc/rest.txt for details and intent. (John Rouillard)
- issue2551058: Add new permissions: 'Rest Access' and 'Xmlrpc Access'
to allow per-user access control to rest and xmlrpc interfaces using
roles. (John Rouillard)
- issue2551059: added new values for tx_Source to indicate when /rest
or /xmlrpc endpoint is being used rather than the normal web
endpoints. (John Rouillard)
- issue2551062: roundup-admin security now validates all properties in
permissions. It reports invalid properties. (John Rouillard)
- issue2551065: Reorder html entities generated by submit button so that
styles can be applied. Thanks to Garth Jensen for the patch against

Features:

- doc updates. Link rot fixed and some grammar changes.
'Provisional User' config example fixed. Issue tracker is
now https. (John Rouillard)

Fixed:

- issue2550994: avoid breakage caused by use of backports of Python 3
configparser module to Python 2. (Joseph Myers)
- issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used - separators rather than _. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
correct. Also fix roundup-server to produce the latter form. (Patch
by C<E9>dric Krier, reviewed/applied John Rouillard.)
- issue2551035 - fix XSS issue in wsgi and cgi when handing url not
found/404. Reported by hannob at
https://github.com/python/bugs.python.org/issues/34, issue opened
by JulienPalard.
- issue2551029: Jinja2 template install error. Remove config.ini
from templates to make sure that roundup-admin install writes a new
default config.ini based on configuration.py.
- issue2551029: Jinja2 template install error. Handle issue with
template's config.ini not getting updated. Provide an alternate
file: config_ini.ini for required config settings that are merged
into the default values producing an up to date config.ini on
install.

Schlatterbeck).

Fixed:

- issue2550811: work around Unicode encoding issues in jinja2 template
by explicitly converting data to Unicode; also fixed pagination and
selecting columns to display in the issues list (Christof Meerwald)
- issue2550988: fixed fallback to pseudo random number generator in
case SystemRandom isn't available, prefer use of secrets module if
available (Python 3.6+) (Christof Meerwald)
- issue2550993: fixed edit CSV action to update restored items to the
new value instead of restoring with the previous value (Christof
Meerwald)
- issue2550994: avoid breakage caused by use of backports of Python 3
configparser module to Python 2. (Joseph Myers)
- Make non-existent items in history not cause a traceback (Ralf
Schlatterbeck)
- issue2550722: avoid errors from selecting "no selection" on
multilink. (Joseph Myers)
- issue2550992: avoid errors from invalid Authorization
headers. (Joseph Myers)
- issue2551022: support non-ASCII prefixes in instance config for
finding static files. (C\E9dric Krier)
- issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used - separators rather than _. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
correct. Also fix roundup-server to produce the latter form. (Patch
by C\E9dric Krier, reviewed/applied John Rouillard.)
- issue2551035 - fix XSS issue in wsgi and cgi when handing url not
found/404. Reported by hannob at
https://github.com/python/bugs.python.org/issues/34, issue opened by
JulienPalard.
- issue2551026: template variable not defined even though it is.
Fix issue where variables defined in TAL expression are not
available in the scope of the definition. (Tom Ekberg (tekberg))
- Make all links created with rel=nofollow include noopener. Deals
with possible hijack of original page due to malicious link target.
https://mathiasbynens.github.io/rel-noopener/ (John Rouillard)
- Fix bug where some protected properties were not identified as such
when using the anydbm backend (John Rouillard)
- issue2551041 - change permission check from "Create User" to "Register
User" in page.html for the responsive and devel templates. (reporter
C\E9dric Krier, John Rouillard)
- issue2550144 - fix use of undefined icing macro in devel
template. Replace with frame macro. (C\E9dric Krier)
- handle UnicodeDecodeError in file class when file contents are
not text (e.g. jpg). (John Rouillard)
- issue2551033: prevent reverse engineering hidden data by using etags
as an oracle to identify when the right data has been
guessed. (Joseph Myers, John Rouillard)
- issue2551029: Jinja2 template install error. Update configuration
code to make sure valid backend database is set. Remove config.ini
from templates to make sure that roundup-admin install writes a new
default config.ini based on configuration.py.
- issue2551040: New release of psycopg2 drops support for psycopg1 -
need to rewrite. Now uses psycopg2 throughout. (John Rouillard)
- issue2551009: Flint not supported error during reindex. Upgrading
doc updates to discuss this when reindexing. (Reported by Gabi,
Change by John Rouillard)
- issue2551030: Roundup fails to start if pytz to access Olson
timezone database not installed. (John Rouillard)
- issue2551029: Jinja2 template install error. Handle issue with
template's config.ini not getting updated. Provide an alternate
file: config_ini.ini for required config settings that are merged
into the default values producing an up to date config.ini on
install.
- issue2551008: fix incorrect encoding handling in mailgw.py
(Ezio Melotti, John Rouillard)
- issue2551053: the routing dictionary in rest.py used compiled regular
expressions as dictionary keys. This worked most of the time because
the regex lib uses a cache but resulted in duplicate keys in the
dictionary in some cases where a single key should have been used.
Thanks to Robert Klonner for discovering the problem, debugging the
root cause and providing a first proposed fix.
- Make searching with a multiselect work for Link/Multilink properties
that may contain numeric *key* values. For these a menu would render
options with IDs and later look up the IDs as *key* of the
Link/Multilink. Now numeric IDs take precedence -- like they already
do in the menu method of Link and Multilink.
- issue2551013: Reversed sorting in hyperdb property wrapper object's
sorted() method. Patch by David Sowder, application and doc change
by John Rouillard.
- issue2550821 - patches for depricated mod_python apache.py interface
(John Rouillard)
- issue2551005 - deprecation of mod_python (John Rouillard)
- issue2551066: IMAP mail handling wasn't working and produced a
traceback.
- issue2550925 if deployed as CGI and client sends an http PROXY
header, the tainted HTTP_PROXY environment variable is created. It
can affect calls using requests package or curl. A roundup admin
would have to write detectors/extensions that use these mechanisms.
Not exploitable in default config. (John Rouillard)
- Add config option to keep/delete previous logging config. Needed to
make gunicorn --access-logfile work as it uses python logfile module
too.

Features:

- issue2550894: migrate test suite and run_test.py to py.test (John Kristensen)
- issue2550880: Ability to choose password store scheme and SSHA
support. Discussion on devel list is tending in favor of this patch.
Embedded test works, my manual test with a SSHA password
assigned to a user allowed the user to log in. Ran the test suite
and the tests that were not skipped passed. (applied by John Rouillard)
- New Link/Multilink property attribute 'msg_header_property', can be
used to configure additional headers in outgoing emails. See
documentation in ``doc/customizing.txt``. (Ralf Schlatterbeck)
- Allow multiple file uploads: If the html template specifies
multiple="multiple" for a file upload the user can attach multiple
files and the form parser now handles this. (Ralf Schlatterbeck)
- issue2550886: Add support for an integer type to join the existing
number type. This can be used for properties used for ordering,
counts etc. where a decimal point isn't needed. Developed by
Anthony (antmail). Doc updates written by John Rouillard. (applied
by John Rouillard)
- Updated html/_generic.404.html to use the page template. So 404
errors now include the left hand menu, a proper page title and
body content. Note added to doc/upgrading.txt on how to add it to
deployed trackers. (John Rouillard)
- issue2109308 - Allow subject of nosy messages be changed from reactor
Adds a subject parameter to nosymessage function. Patch initally
generated by Frank Niessink. Tests, adaptation by John Rouillard.
- issue2550683 Allow indexargs_form filter variable exclusion.
Patch generated by Bruce Tulloch (bruce). Applied and docstring for
indexargs_form updated by John Rouillard. Patch description is:
This is required to allow indexargs_form to be used in conjunction with
other form variables which *replace* some filterspec parameters.

One must exclude all variables from the indexargs_form call which are to
be replaced with values that are derived from other form input elements,
otherwise they will clash with the "hidden" input elements generated by
indexargs_form itself.

For example::

<tal:block replace="structure python:request.indexargs_form(
sort=0,group=0,filter=0,columns=0,
exclude=['type','status','assignedto'])"/>

where the variables type, status and assignedto are supplied via other
form input elements. Without the new exclude argument to indexargs_form,
all hidden input elements otherwise generated by this call would need to
be manually added to the template code. Further, given that the template
may not know what other variables may be defined, it may not even be
possible to code this without some python helpers.

[ rouilj I think this is an example usecase. Possible assignedto
users need to have a specific role. Create TAL that
filters the users to the select few. Defines a select list for
assignedto. Use exclude=['assignedto'] to prevent the
indexargs_form from generating a confliciting assignedto field
which lists all users regardless of the role.]

- allow user to recover account password using an entry in the
Alternate E-mail addresses list. See:

http://psf.upfronthosting.co.za/roundup/meta/issue564

for description. Merge request at:

https://sourceforge.net/p/roundup/code/merge-requests/1/

Patch supplied by kinggreedy. Applied/tested by John Rouillard
- issue2550636, issue2550909: Added support for Whoosh indexer.
Also adds new config.ini setting called indexer to select
indexer. See ``doc/upgrading.txt`` for details. Initial patch
done by David Wolever. Patch modified, docs added and committed
by John Rouillard.
- issue2550803: Replying to NOSY mail goes to the tracker through
reply-to, not original message author.
Created new [tracker] replyto_address config.ini option to allow:

1) setting reply-to header to the tracker
2) setting reply-to header to the address of the author
of the change
3) setting it to a fixed address (like noreplysome.place)

Done by John Rouillard from proposal by Peter Funk (pefu)
in discussion with Tom Ekberg (tekberg). See doc/upgrading.txt.
- issue1714899: Feature Request: Optional Change Note. Added a new
quiet=True/False option for all property types. When quiet=True
changes to the property will not be displayed in the::

- confirmation banner (shown in green) when a change is made
- property change section of change note (nosy emails)
- web history display for an item.

Note that this may confuse users if used on a property that is
meant to be changed by a user. It is most useful on administrative
properties that are changed by an auditor as part of a user
generated change. Original patch by Daniel Diniz (ajaksu2)
discussed also at:

http://psf.upfronthosting.co.za/roundup/meta/issue249

Support for setting quiet when calling the class specifiers:
E.G. prop=String(quiet=True) rather than::

prop=String()
prop.quiet=True

support for anydb backend, added tests, doc updates, support for
ignoring quiet setting using showall=True in call to history()
function in templates by (John Rouillard). (Note implementation
changed while implementing fix for issue2550864. Filtering of
quiet properties pushed down to the hyperdb.py::Class::history
function. This fixes a small bug in the implementation that caused
a limiting the templating history call to display fewer than the
the requested number of items if some were quiet.)
- issue2550767: Add newitemcopy.py detector to notify users of new
items. Added to detectors directory and a README.txt generated to
describe the purpose of the directory. It also says the detectors
are provided on an as-is basis and may not work. Detector by W.
Trevor King (wking), rest by John Rouillard.
- issue934009: Have New Issues Submitted By Email *Not* Change Body!
The mailgw config options: keep_quoted_text and leave_body_unchanged
can now have a new values: new. If set to new, keep_quoted_text acts
like yes if the message is starting a new issue. Otherise it strips
quoted text. This allows somebody to start a new issue by forwarding
a threaded email (with multiple quoted parts) into roundup and
keeping all the quoted parts. If leave_body_unchanged is set to
new, even the signature on the email that starts a new issue will be
preserved.
- New cgi action restore (RestoreAction) which reverses the effects of
the retire action. Created while implementing fix for
issue2550831. Requires restore permission in the schema. See
upgrading.txt for migrating to 1.6.0 for details. (John Rouillard)
- issue2550751: Email Header Issue. Noel Garces requested the ability
to suppress email headers like "x-roundup-issue-files". With Ralf's
addition of the Link/Multilink property attribute
'msg_header_property' we can do this easily. Setting the
'msg_header_property' to the empty string '' (not to None) will
suppress the header for that property. (John Rouillard)
- issue2550891: Allow subdir in template value. Anthony (antmail)
requested the ability to put templates into subdirectories. So
the issue class can accept template=issues/item to get the
html/issues/issue.item.html template. See ``doc/upgrading.txt``.
- issue1842687: Keywords: After creating, stay in "Create New" mode.
Change to classic tracker template to provide a check box (checked
by default) that keeps the user on the "Add new keyword" page after
submitting a new keyword. Usually after submission, you will see the
the page for the new keyword to allow you to change the name of the
keyword. (John Rouillard)
- issue2550757 - internal restructuring to allow admin.py to be tested
more easily. W. Trevor King (wking)/ John Rouillard.
- When storing user-defined queries we now store the template with the
query if the template name is different from 'index'. This allows
stored queries for templates different from the default 'index'
template. (Ralf Schlatterbeck)
- Number properties now have an optional attribute use_double to request
double precision float as the storage type for this property. (Ralf
Schlatterbeck)
- issue2550796: Calendar and Classhelp selection tools don't cause
onchange event to be triggered.
Using the helper popups for modifying lists of users, lists of
issues, dates etc.. now trigger the change event on the form's
field. This allows onchange javascript to trigger to highlight
changes, recalculate other form values etc. See ``upgrading.txt``
for details on applying these changes to your tracker. (John Rouillard)
- menu template function has a new parameter "showdef". When set to a
string, the string is appended to the displayed option value. This
allows the user to reset the value for the menu (select) to the
original value. (John Rouillard)
- template html url parameter can be set to "oktmpl|errortmpl". When
a form is submitted, if the form passes validation the oktmpl is
used for the resulting page. If the form fails submission the
errortmpl page is used to display the form. The errortmpl will
usually be the same template used to edit the form. See the section
on "Implementing Modal Editing Using template" in
``customizing.txt``. (John Rouillard)
- New form of check function is permitted in permission definitions.
If the check function is defined as::

check(db, userid, itemid, **ctx)

the ctx variable will have::

ctx['property']: the name of the property being checked or None
ctx['classname']: the class that is being checked or None
ctx['permission']: the name of the permission (e.g. View, Edit)

At some future date the older 3 argument style check command will
be deprecated. See ``upgrading.txt`` for details.
- New property for permissions added to simplify the model. See
``reference.txt`` and search for props_only and
set_props_only_default in the section 'Adding a new Permission'.
(John Rouillard)
- issue2550690 - Inadequate CSRF protection. Improvements in
Cross Site Request Forgery protection to check HTTP headers
and nonces. If the header/nonce is present, they are
validated. But if headers or nonces are missing access is
granted. The enforcement policy can be set in config.ini.
Requiring enforcement will need some changes to
templates. Support for protecting xmlrpc endpoint not well
tested. See ``upgrading.txt``. (John Rouillard)
- Added support for using the SameSite cookie option on the
session cookie. Default is lax, but there is a settable
option in config.ini file to change to strict or
suppress it entirely. See ``upgrading.txt``. (John Rouillard)
- Added a new roundup-admin command: updateconfig. Similar to
genconfig but it uses values from an existing config.ini
rather than default values. Use to update an existing
config.ini with new options and help text. (John Rouillard)
- issue2550864: Potential information leakage via journal/history
Hyperdb history function now only returns properties that the user
can View or Edit and links to objects the user can see. Can be
overridden by setting a parameter when calling the method.
Also restructured code that implemented issue1714899 moving it
from the templating class to the hyperdb. (John Rouillard)
- Improves diagnostics for mail processing: When using logging level = DEBUG,
bounces and bounce problems are logged. (Bernhard Reiter)
- In roundup-server, pass X-Forwarded-For and X-Forwarded-Proto
headers as the environment variables: HTTP_X-FORWARDED-FOR and
HTTP_X_FORWARDED_PROTO. If the user is running roundup server behind
a proxy, these headers allow the user to write extensions that can
figure out the original client ip and protocol. None of the core
roundup code uses these headers/env vars. These headers can be
spoofed by bad proxies etc. so you have been warned.
- issue2550799: provide basic support for handling html only emails
Emails missing text/plain parts but with text/html parts can be
converted into text. If this is done the email will no longer be
bounced back to the sender with an error. Enable by configuring the
convert_htmltotext option in your upgraded config.ini. (Initial
patch by Igor Ippolitov merged with changes by John Rouillard.)
- Add a 'retired' parameter to Class.filter to allow searching for
retired, non-retired or all (retired and non-retired) items similar
to the argument of the same name to Class.getnodeids. This is 'False'
by default (finding only non-retired items for backwards
compatibility) and can be set to None (for finding retired and
non-retired items) or True (for finding only retired items).
- Requires Python 2.7 now, indicated in version_check.py
and doc/installation.txt. (Bernhard Reiter)
- New -L flag to roundup-server to send http/https request logs
through the python logger module (using roundup.http). This allows
automatic log rotation. Without it, log file rotation requires restarting
the server. (John Rouillard)
- Part of issue2550960. Applied patch 0038 to upgrade documentation
code examples to support both python 2 and 3. (Joseph Myers)
- Release no longer includes binary windows installer. Pypi no longer
accepts it for upload.

Fixed:

- issue1615201: Optionally restore the original (version 0.6) mailgw
behaviour of ignoring a Resent-From:-header and using the real
From-header instead: new configuration option EMAIL_KEEP_REAL_FROM
(Peter Funk aka Pefu).
- issue2550717: Changed a couple of residual email references into
E-Mail in German translation (John Rouillard)
- issue2550669: Adding documentation for csv_field_size to the
customizing tracker section of doc/customizing.txt (John Rouillard)
- issue2550601: gsoc-2009 "bug" class doesn't have "patches" property
Added multilink to patches to the bug schema in the devel template.
(applied by John Rouillard)
- issue2550748: Crash when creating new issues with non-existing
multilink values (in classic template). Applied patch so it
now errors the same way as an update does. (applied by John Rouillard)
- issue2550757: one bug raised by issue fixed. Patch created by
W. Trevor King (wking) for documentation of mailgw applied by
John Rouillard.
- Fix processing of additional arguments to cgi method 'menu': This
would not work if more than one additional argument is used.
(Ralf Schlatterbeck)
- Update documentation of some existing property attributes (like
'do_journal' for Link/Multilink properties), this also adds missing
documentation for issue1444214. (Ralf Schlatterbeck)
- issue2550763 Strip whitespace from Multilink values after + or -.
(W. Trevor King) Test heavily modified by John Rouillard. (applied
by John Rouillard)
- issue2550907 Fix errors when creating documentation. Work done by
Peter Funk (pefu). (Applied by John Rouillard with small change
omitting obsolete security.txt.)
- issue2550826 Capture some exceptions from auditors/reactors and
raise a DetectorError instead. This allows failures like IOErrors
from the detectors (e.g. unable to access files) to be handled.
Previously an IOError just resulted in no output (premature end of
headers under apache). Problem diagnosed and initial patch created by
Tom Ekberg (tekberg). Further testing and patch change done by
John Rouillard.
- issue2550851 in installation doc removed directions for
installing additional codecs for Asian languages. They
they appear to be part of the standard python since at least 2.6.
Also the quoted url is obsolete. See ticket if you think you need
the codecs.
- issue2550823 improve mailgw logging for node creation errors.
Patch by r.david.murray (applied by John Rouillard).
- issue2550549 Postgres error on message templating
Exception gets thrown and not captured if nodeid is too large
on postgres. Added a check in rdbms_common layer that max nodeid
is < 2^31 -1. Large nodeid now return no such id error upstream.
Patch idea from: martin.v.loewis. (John Rouillard)
- issue2550723 Fix propagation of pagesize
When pagesize=0 is specified (indicating show all), the value of
pagesize is not propigated to the prev link. This patch fixes that.
Patch provided by John Kristensen. (Applied, light testing by John
Rouillard.)
- issue2550850 ``anypy/email_.py`` uses BSPACE which is not defined \
in python 2.7. Supplied a definition for BSPACE since it seems to
not be defined anywhere. Reported by Dennis Boone. (John Rouillard)
- Validate properties specified for sorting and grouping in index
views. Original patch from martin.v.loewis via:
https://hg.python.org/tracker/roundup/rev/439bd3060df2
Applied by John Rouillard with some modification to properly
identify if the bad property is a sort or grouping property. Tests
added.
- Validate Integer and Numeric type filter parameters rather than
passing output down to db level. Initial patch at:
http://hg.python.org/tracker/roundup/rev/98508a47c126 by
Martin.V.Loewis. Numeric test patch applied, Integer code and tests
developed by John Rouillard.
- issue1926124: fix crash in roundup_admin migrate option.
Patch submitted by Henry (henryl), modified value to False
since this produces the correct "No migration action required"
output from the migrate command.
- issue2161722: oudated docs (sic)
Fix old entry in FAQ, update roundup-server config docs and
example file from current roundup-server output. Update
some typos in .py files. John Rouillard.
- issue2550572: setting nosy=+foo on multiple issues gives them all
the same exact nosy list. Fixed a missing reinitialization that has
to occur every time though the loop in do_set. Manual tests work.
(John Rouillard)
- issue2550653: xapian search, stemming is not working
This is a partial fix for the issue. It does make stemming work
(so searching for silent will also return docs with silently in
them). However to do this we need to lowercase the text so the
porter stemmer will work. This means capitalization is not
preserved. Fix done by David Wolever (wolever). Committed and doc
updates John Rouillard.
- issue2550855: "show unassigned" link shows all open issues if not
logged in. This adds permission for the anonymous user to search
the users class. Without this the unassigned search can't see if
there is a user assigned to an issue, so it acts like all open
issues. Patch supplied by Stuart McGraw (smcgraw). For caveats
see ``upgrading.txt`` and the comments in the default templates.
(Docs created and applcation by John Rouillard)
- issue2550854: including new field in All text* search.
Fixed documentation in customizing.txt. The default for indexme on
String fileds is 'no' not 'yes'. So to get a new string field into
the full text/all text index you need to use String(indexme='yes').
Reported by Michael Belleville. (John Rouillard)
- issue2550853 - better error handling and cleanup on some postgres
tests by Stuart McGraw.
- issue2086536 - back_postgresql: fixing pg_command and prefering
psycopg2. Patch done by Philipp Gortan (mephinet). His patch
also improves handling of retryable errors. Applied and
edited by John Rouillard. Edits included removing support for
psycopg1. See:

https://sourceforge.net/p/roundup/mailman/message/32855027/

for rational for dropping it.
- issue2550831: Make the classic template query.edit page work.
Many fixes and improvements. See ``upgrading.txt`` for details.
Diagnosis and fix with patch by R David Murray. Support for
restoring retired but active queries, html layout changes and doc
by John Rouillard.
- issue2550785: Using login from search (or logout) fails. When
logging in from a search page or after a logout it fails with an
error. These failures have been fixed. The fix also keeps the user
on the same page they started from before the login. There are two
parts to this: 1) changes to the templates to properly define the
__came_from form element. See ``upgrading.txt``. 2) code changes
to the LoginAction code in roundup/cgi/actions.py. (John Rouillard)
- issue2550648 - partial fix for problem in this issue. Ezio Melotti
reported that the expression editor allowed the user to generate an
expression using retired values. To align the expression editor with
the simple dropdown search item, retired values are now removed from
the expression editor. (We have an open question as to whether this
is desirable.)
- issue2550743 - Reindex with MySQL Server failed. It looks like
indexing large documents may require increasing mysql's
max_allowed_packet setting. Documented the issue in doc/mysql.txt.
Possible solutions include: increasing value of MySQL parameter,
changing the full text search engine to whoosh or xapian. Problem
report by telsch. Analysis/doc by John Rouillard.
- issue2550882. Reported by Karl-Philipp Richter. Fixed
installation.txt documentation to include better directions on
starting roundup-server on different ports/ip addresses. Also
updated man page to include default use of localhost for -n and use
of -n 0.0.0.0 to bind to all addresses on the host. (John Rouillard)
- issue2550827, issue2550718. Doc additions so people know that a
python 32 bit installation may be required for windows. Additional
documentation on the requirement of pywin32 for running roundup as a
windows service. Also the windows installer must be run as
administrator and strong encouragement for installing the pytz
module added to ``doc/installation.txt``.
- issue2550776: imapServer.py problem. Fixed a missing initialization of the
logging level if no logging level option is supplied. (John Rouillard)
- issue2550839: Xapian, DatabaseLockError: Unable to get write lock on
db/text-index: already locked. Put in a retry loop that will attempt
to get the lock. Total delay approx 4.5 seconds. (John Rouillard)
- issue2550727: db.newid is broken with sqlite. Added proper transaction
lock around the sql code to get a new id. The the locking
that pysqlite attempts had to be defeated because it is broken.
Had to explicitly manage transactions with BEGIN IMMEDIATE and call
sql_commit. Note that this reduces performance in return for accuracy.
Problem reported by Matt Mackall (mpm) (John Rouillard).
- issue2550701: Path traversal from template names. This affects the
tal based template engines (zopetal, chameleon). If a directory
with a specific name is created in the html subdirectory, the
template name in the url can be used to get access to files outside
of the tracker html directory. This has been fixed by normalizing
the path and comparing to the normalized path for the html
directory. See ``doc/upgrading.txt``. (John Rouillard)
- Fix subject parsing in mail gateway. The previous parsing routine
would not ensure that arguments are at the end of the subject and when
subject_suffix_parsing was configured to be 'loose' it would truncate
the subject when encountering a double prefix, e.g.
Subject: [frobulated] [frobulatedagain] this part would be lost
(Ralf Schlatterbeck)
- issue2550795: dispname query args in page.html search links
not valid html. Some queries with names that include spaces are not
properly url encoded/quoted. I.E. a space should be replaced with
%20. Fixes to allow a url_query method to be applied to
HTMLStringProperty to properly quote string values passed as part of
a url.
- issue2550755: exceptions.NotFound(msg) msg is not reported to user
in cgi. When an invalid column is specified return error code 400
rather than 404. Make error code 400 also return an error message to
the user. Reported by: Bernhard Reiter, analysis, fix by John Rouillard.
- issue1408570: Finally fix that form values are lost on edit
exceptions. This occured for example if editing an issue with the
classic template and setting 'superseder' to a non-existing issue
number. All changes to the form where the original field was non-empty
were lost. (Ralf Schlatterbeck)
- Fix submit_once Javascript function: This needs to return a boolean
value (not and integer like 0 or 1). And the work-around for an
ancient version of Internet Explorer would make it break for a recent
Firefox. The old version would show the popup but after clicking away
the alert it would load the page. The new version (tested with
Chromium and Firefox) doesn't load the page. (Ralf Schlatterbeck)
- Fix Traceback in backends/portalocker.py on windows due to missing
windll import, thanks to Heiko Stegmann for suggesting a first fix.
(Ralf Schlatterbeck)
- issue2550933 - Fix Traceback in cgi/templating.py when a string is
passed to PasswordHTMLProperty::plain. (John Rouillard)
- issue2550934 - templating.py-indexargs_form() returns id's as
space separated list not comma separated. This fixes the format of
the id url parameter when generated by indexargs_form. (John
Rouillard)
- issue2550932 - html_calendar produces templating errors for bad date
strings. Fixed to ignore bad date and highlight todays date in the
calendar popup.
- Query handling requires that query names for a user are unique.
Different users are allowed to use the same query name. Under some
circumstances a user could generate a second query with the same
name. The SearchAction function has been corrected to report this
error. Also the index.search.html template in the classic tracker
and corresponding templates in the other example trackers
has been modified to include:

<input type="hidden" name="template" value="index|search"/>

so an error from SearchAction will display an error message and keep
the user on the search page so they can correct the error. See
``doc/upgrading.txt``. (John Rouillard)
- When a new named search is created, the index page that is displayed
doesn't show the name. This has been fixed by setting the dispname
to the query's name. (John Rouillard)
- Passing args into indexargs_url(..,{'queryname': request/dispname
or None, 'Title': 'some' }) where the value of the arg is None
will not add the arg to the url. In the example above queryname
will only be in the url if dispname is set in the request.
(John Rouillard)
- The HTMLClass::properties() method produced a list of properties
that the user could not search. As a result these properties can not
be used for sorting or grouping index pages. This patch eliminates
the confusion that results from this mismatch by verifying that all
properties returned are searchable. (John Rouillard)
- Mutilinks can be displayed with their labelprop using the plain()
method, but they can not be looped over using tal:repeat if the user
doesn't have view access to the class the multilink represents. The
permissions check was changed to require that the user have View
access to the labelprop for the class rather than View access to the
class. (John Rouillard)
- issue2550937: fix crash by verifying that sendto is not null before
calling mailer.smtp_send. Discovered and patched by Trent Gamblin.
Applied by John Rouillard.
- removed old code from roundup-admin that implemented the obsolete
config (do_config) command. (John Rouillard)
- Modified configuration option static_files to be a space separated
list of directories to search for static files in the web interface.
If one of the elements is -, the search stops and the TEMPLATES
directory is not searched. See:

https://sourceforge.net/p/roundup/mailman/message/35773357/

subject is "showing template sources to all".
- issue2550945: OpenPGP: Extends newissuecopy.py to encrypt if configured.
(Bernhard Reiter)
- CSRF protection broke the retire function for query edit. Fix
javascript and make sure csrf tokens are provided in the right
places. (John Rouillard)
- query.item.html was missing checks to verify that a query should
be visible to the user. This is fixed and users can only view
queries that they own or that are not private. (John Rouillard)
- issue2550953: Patch: fix for context.is_view_ok check in jinja2 template
Form controls are displayed when anonymous views indexes but is
denied access. (patch by Anton Schur applied by John Rouillard)
- issue2550957: Duplicate emails (with patch).
Bcc and cc users passed to nosymessage are not properly recorded.
This results in duplicate emails. (patch by Trent Gamblin (trentgg)
applied by John Rouillard).
- issue2550954: History display breaks on removed properties
Now changes to removed properties, and link/unlink events from
non-existing properties or classes no longer trigger a traceback.
Concerning the visibility: We have a new config-item
obsolete_history_roles in the main section that defines which roles
may see removed properties. By default only role Admin is allowed to
see these.
- Fix issue2550955: Roundup commits although a Reject exception is raised
Fix the problem that changes are committed to the database (due to
commits to otk handling) even when a Reject exception occurs. The fix
implements separate database connections for otk/session handling and
normal database operation.
- Allow empty content property for file and message via xmlrpc
interface. This used to raise a traceback in the (sql) backend.
- Work around a limitation in python2.7 implementation of poplib (for
the pop3 protocol for fetching emails): It seems poplib applies a
line-length limit not just to the lines involving the pop3 protocol
but to any email content, too. This sometimes leads to tracebacks
whenever an email exceeding this limit is encountered. We "fix" this
by monkey-patching poplib with a larger line-limit. Thanks to Heiko
Stegmann for discovering this.
- Fix issue2550963: After refactoring one-time keys from the main
database we need to commit the password change in the password reset
mechanism separately. This used to be committed by the otk commit.

Pay attention:

If you have installed an intermediate version from our version control
system and have modified your tracker instance to escape OK and
error-messages in the HTML templates you need to revert this change.
If you're upgrading from a previous roundup release version
you should look into ``doc/upgrading.txt``. (Ralf Schlatterbeck)

Also note the default user permissions, see ``doc/upgrading.txt``.

Features:

- The example local_replace.py has been updated to show how to link to
modern revision systems using hex revision identifiers.
This extension is used to expand shortcuts in msgs. (Bernhard Reiter)
- Drop comment in user settings about numeric hour offsets instead of using
pytz timezone names. Due to DST these are wrong half of the year, it is
much better to use timezone names. (Thomas Arendsen Hein)
- issue2550793: Wrap messages with very long lines in the web interface.
(Thomas Arendsen Hein)
- New Link / Multilink option "try_id_parsing": Sometimes the key of a
class can be numeric -- in that case roundup will try to parse the
value as an ID when evaluating form values -- not as a key. Specifying
try_id_parsing='no' for these Link/Multilink will skip the ID step,
default is 'yes'. (Ralf Schlatterbeck)
- New configuration option 'isolation_level' in rdbms section. Currently
supported for Postgres and mysql, sets the transaction isolation level.
Wrong history entries for concurrent database updates observed in
issue2550806 can be prevented by setting this to 'repeatable read' if
you want to pay the performance penalty. We test this behaviour in the
regression tests for Postgres but not currently for mysql.
See http://www.postgresql.org/docs/9.1/static/transaction-iso.html
(Ralf Schlatterbeck)
- /xmlrpc endpoint now shows link to XML-RPC documentation if accessed
through browser, without text/xml Content-Type (anatoly techtonik)
- docs: New dedicated chapter for extensions in ``doc/customizing.txt``
(anatoly techtonik)
- Increase default height of classhelp windows from 400 to 600.
(Thomas Arendsen Hein)
- Date properties now can specify (on input) an explicit timezone suffix
(similar to RFC 2822), e.g. +0200 for CEST or -0500 for EST. This also
works in the XMLRPC interface. For examples see roundup.date.Date.
(Ralf Schlatterbeck)
- Add RejectRaw exception to allow unescaped HTML error messages to be
displayed to the user (thanks Ezio Melotti for the initial patch)
(John Kristensen)
- Add rel=nofollow to http and https url's in the body of messages.
This should reduce the value of a public roundup tracker to spammers.
References like issue20 or msg10 will hyperlink without
rel=nofollow so that robots can index them. Similar work was done
for the history display in roundup 1.5.0. (John Rouillard)

Fixed:

- issue2550869 Duplicate mail headers (Reply-To, Message-ID, In-Reply-To)
when sending out email. Reported with first fix by Mathias Behrle.
(Bernhard Reiter)
- issue2550830 An empty LinkHTMLProperty cannot be compared successfully.
Improves the query editing page. Reported and fixed by R David Murray
(Bernhard Reiter).
- Fix Release-date of 1.5.0 in this file (thanks to Bernhard for
discovery) (Ralf Schlatterbeck)
- Pythons cgi form code can return a TypeError, we now guard for this
condition. (Ralf Schlatterbeck)
- Small bug-fix in SQL backends: A query (e.g. in a html menu) with a
where-clause that always evaluates to false now will not raise a
traceback. (Ralf Schlatterbeck)
- Remove Python 2.3 compatibility code for i18n (anatoly techtonik)
- If documentation 'sphinx-build' tool is not found in system PATH,
'setup.py build_doc' command now tries to detect it from PYTHONPATH
(anatoly techtonik)
- Read version and release for generated documentation from
roundup/__init__.py. (Thomas Arendsen Hein)
- Do not throw an internal error if a .mo file can not be read
(Thomas Arendsen Hein)
- issue2550673 Make the "Make a copy" link work by fixing copy_url to properly
handle multilink properties. (John Rouillard)
- issue2550583, issue2550635 Do not limit results with Xapian indexer
(Thomas Arendsen Hein)
- Allow using plain() on unsaved dates in HTML forms
(Thomas Arendsen Hein)
- setup.py now installs static files of the HTML documentation (stylesheets,
images, etc.) (Thomas Arendsen Hein)
- executable .py scripts need "!/usr/bin/env python", add this to demo.py,
remove exec bits from website/wiki/wiki/data/plugin/theme/roundup.py
(Thomas Arendsen Hein)
- issue2550822: Fix showing more than one additional property in class menu.
Report and fix by James Mack (Thomas Arendsen Hein)
- Fix String search with special SQL wildcard characters in LIKE/ILIKE
clause and add testcase (Ralf Schlatterbeck)
- Fix subtle bug when sorting by a Link that contains a Multilink from
which we also search for an attribute. In that case the LEFT OUTER
JOIN clause was missing in generated SQL. (Ralf Schlatterbeck)
- Fix another XSS issue2550817. Note that the code that triggers that
particular bug is no longer in roundup core. But the change to the
templates we suggest is a *lot* safer as it by default escapes the
error and ok messages now. Thanks to Thibault Fevry for the original
bug-report. (Ralf Schlatterbeck)
- issue2117897: Fixed two more places in date.py where seconds can be
rounded to 60.0 and causing exceptions. Change them to 59.999 as was
done in the fix for issue2550802. (Thomas Arendsen Hein)
- Fix batch.propchanged for transitive id properties (would result in a
backtrace when trying to group by property.id) (Ralf Schlatterbeck)
- Fix issue2550835, the test checks for date-range queries with an
interval that depends on the local time. Put the queried date a little
later to avoid a race condition where the queried interval doesn't
match the date because the clock has advanced. (Ralf Schlatterbeck)
- Apply german translation fixes from Debian team in issue2550761,
thanks to Kai Storbeck for taking the time to report these.
(Ralf Schlatterbeck)
- Fix issue2550843 Pass text of Unauthorised and Login exceptions instead
of the exception instance to avoid traceback with string operations.
(Thomas Arendsen Hein)
- Fix issue2550841 roundup-demo templates not found in virtualenv (John
Kristensen)
- Security: Default user permissions should not include all user
attributes. We now limit this to the username, realname and some
further attributes depending on the schema. Note that we no longer
include the email addresses, depending on your installation you may
want to further restrict this or add some attributes like ``address``
and ``alternate_addresses``. (Ralf Schlatterbeck)
- Correctly recreate the database directory when re-initialising a tracker
instance. (John Kristensen)
- In case of an error, date fields would lose the calendar help, fixed.
(Ralf Schlatterbeck)
- demo.py usage message improved: explains "nuke" now. (Bernhard Reiter)
- Fix issue2550735 Missing doc for xmlrpc schema. Thanks to Cedric Krier
for the patch. (anatoly techtonik)
- Fix two line-break accidents in devel and responsive milestone.item.html
(Thomas Arendsen Hein)
- Fix broken images in legacy spec.html and original_overview.html, and
restore web presence for "Roundup's Design Document" (anatoly techtonik)
- Template jinja2: Updated URL to point to http://www.roundup-tracker.org/,
fixed a typo. (Bernhard Reiter)
- Security: Add mime-type whitelist for attachmens that can be safely
rendered from Roundup without trigerring security bugs in browser
plugins, XSS issues and spam. The option ``allow_html_file`` didn't
provide protection for invalid content-type, in which case browser
tried to guess the best one. Thanks to Kay Hayen for reporting and
helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik)
- Documentation: configuration messages_to_author value "nosy" now documented
in chapter "customizing". (Bernhard Reiter)
- issue2550877 Failures in test_mailgw.py because of duplicated headers
and more precise comparision. Writing headers with the email module will use
continuation_ws = ' ' now for python 2.5 and 2.6. (Bernhard Reiter)
- issue2550870 migrate use of 'rfc822' module to the 'email' module
(Bernhard Reiter/John Kristensen)
- Doctests for roundup.date.Date are now really executable and don't
fail. Bug-Fixes in range properties, open intervals with 'to' didn't
always work. (Ralf Schlatterbeck)
- issue2550881 demo.py: Add pointer how to access demo from remote host.
Suggested by Karl-Philipp Richter. (Bernhard Reiter)
- issue2550884 roundup-mailgw --help text improved to explain the allowed
parameters better. Suggested by by Karl-Philipp Richter. (Bernhard Reiter)
- Fix form-parsing: If multiple new items are added to a multilink
property, the old version would create the new items but only link
one. (Ralf Schlatterbeck)
- issue2550892 (translation error of priority in locale de) Thanks
Martin Thomas Swaton for reporting. (Bernhard Reiter)
- Help-Window now gets focus, this prevents the case that help doesn't
work because an old help-window is below the main window.
(Ralf Schlatterbeck)
- issue2550811 20% fix: jinja2 template engine now has an example
how to use non-ascii unicode contents with a custom filter ('| u').
See updates on http://www.roundup-tracker.org/cgi-bin/moin.cgi/Jinja2
(Bernhard Reiter)

Features:

- issue2550775 Added rel=nofollow to links in the journal linking to
attachments to allow the admin to delete attachment spam and prevent
search engines from increasing the rankings. (John Rouillard)
- issue2550808 Enhanced the boolean field template function. Now by
default the labels generated can be clicked on and select the
corresponding radio button. Also can create a trivalued radiobutton
(yes/no/unknown) as well as customize the labels for the
yes/no/unknown radio buttons. (John Rouillard)
- issue2550807 enhance classhelp method with ability to set html
properties on the generated link. (John Rouillard)
- Support for tx_Source property on database handle. Can be used by
detectors to find out the source of a change in an auditor to block
changes arriving by unauthenticated mechanisms (e.g. plain email
where headers can be faked). The property db.tx_Source has the
following values:

* None - Default value set to None. May be valid if it's a script
that is created by the user. Otherwise it's an error and indicates
that some code path is not properly setting the tx_Source property.
* "cli" - this string value is set when using roundup-admin and
supplied scripts.
* "web" - this string value is set when using any web based
technique: html interface, xmlrpc ....
* "email" - this string value is set when using an unauthenticated
email based technique.
* "email-sig-openpgp" - this string value is set when email with a
valid pgp signature is used. (*NOTE* the testing for this mode
is incomplete. If you have a pgp infrastructure you should test
and verify that this is properly set.) (John Rouillard)

- Introducing Template Loader API (anatoly techtonik)
- Experimental support for Jinja2, try 'jinja2' for template_engine
in config (anatoly techtonik)
- A new jinja2 template based on Classic schema and using Twitter
bootstrap for responsive behaviour. Run as -
python demo.py -t jinja2 nuke (Pradip P Caulagi)
- roundup_admin.py and other scripts can now be run directly from the
sources dir as roundup\scripts\roundup_admin.py (anatoly techtonik)
- Renamed old Templates classes to Loader classes to clarify sources
for alternative templating engines, updated docs (anatoly techtonik)
- Template selection code is moved from Loader classes into cgi.client
limiting the responsibility of Loaders to compilation and rendering.
Internally, templating.find_template is replaced with
client.selectTemplate (anatoly techtonik)
- Increased generated password length to 12 symbols to slow down GPGPU
attacks (anatoly techtonik)
- Implement XMLRPC MultiCall (including test), see
http://docs.python.org/2/library/xmlrpclib.html#xmlrpclib.MultiCall
(Ralf Schlatterbeck)

Fixed:

- issue2550789: add documentation on how to initialise a tracker
without exposing the admin password.
- issue2550805: Postgres should search title attribute case insensitive
like sqlite. Reported and fixed by Tom Ekberg. (Bernhard Reiter)
- Removed some old left over "rlog" references in documentation and code.
Makes the debugging.txt advise for the database unit tests work again.
(Bernhard Reiter)
- Fixed OpenPGP support for modern versions of libgpgme. (Bernhard Reiter)
- Restored compatibility with old style trackers (anatoly techtonik)
- Make roundup play nice with setup tools (for using with virtualenv)
(Pradip Caulagi)
- [minor] Template responsive: make demo.py work out of the box with it,
by setting the static_files config.ini setting to "static".
Footer: link fixed and hardcoded last modified date removed. (Bernhard Reiter)
- demo.py print location of tracker home and fully erase its directory
when nuking (anatoly techtonik)
- demo.py changing hostname in config.ini actually changes the address
where demo.py listens. (John Rouillard)
- issue2550802: Fixed date so second fraction can't cause rounding to
60.000 when serialising. Report and fix by Erik Hanspers. (Bernhard Reiter)
- issue2550595: Allow migrating from roundup 0.x to 1.4 (Thomas Arendsen Hein)
- issue2550634: New German orthography corrections (Thomas Arendsen Hein)