LedgerSMB

File Release Notes and Changelog

Release Name: 1.1.11

Notes:
RELEASE NOTES
LedgerSMB 1.1.x



1:  Welcome to LedgerSMB

LedgerSMB is an accounting and ERP program initially aimed at small to midsize
businesses.  Currently the financials and supply chain management modules are
fairly complete, while other modules such as project management exist in a
rudimentary form.  The initial features are identical to SQL-Ledger 2.6.17 from
which it was derived, but the feature set is starting to diverge rapidly.

1.1 System Requirements:

* Perl 5.6 and higher (prefer 5.8).
* Apache, IIS, or other web server that supports CGI.
* PostgreSQL 8.0 or higher.  7.3 and 7.4 could be supported with some effort but
will not work out of the box.
* Any operating system that supports the above environment.

2:  What's New in 1.1?

2.1: Database changes:
LedgerSMB 1.1 allows more flexibility in dataset creation. We now offer the
ability to create the dataset and language with a different user than is used to
populate the database.  If the superuser field is left blank, it will try to
populate an existing database, while if this field is filled in, it will try to
create the database with this account and add plpgsql to it (if the language
already exists, it will skip over that part).

Database backups now use pg_dump.  Some time ago, there were problems which
resulted in sequences not being restored properly but these have been resolved
in every version of PostgreSQL that we support.  The backup code is now more
robust and simple than it was in previous versions.

A foreign key constraint was added to acc_trans.chart_id, and primary keys were
added to the acc_trans and chart tables.  These changes further tighten the data
integrity controls and prevent invalid data from being entered into the
database.  Also, some database schema changes were added to prevent duplicate
(and ambiguous) transaction id's.

Finally, a standard means was added to extend the SQL-Ledger database schema.
To add a custom field to a table, use the following function:
add_custom_field(tablename, fieldname, datatype);

For example:
select add_custom_field('ap', 'milage_start', 'numeric');

To drop a custom field, use drop_custom_field(tablename, fieldname).  For
example:
select drop_custom_field('ap', 'milage_start');

2.2:  Security
Previous versions installed the software with a blank admin password.  This
password would often be left at its default, and when this happened, the
application would not check the supplied password at all.  To correct this
problem, we have instituted a routine to require a password check when the admin
password is blank.
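The difference between the old and the new behaviour is easier to see in code.  The following is an added illustration, not LedgerSMB code: the salted SHA-256 scheme and the result strings are assumptions made for the example, not what the application itself uses.  The point it shows is that a blank stored password must fail closed (force a password to be set) rather than fail open (skip the check).

```python
import hashlib
import hmac
import secrets

# Illustrative re-implementation of the section 2.2 change; NOT LedgerSMB code.
# Hashing scheme (salted SHA-256) is an assumption chosen for this example.


def hash_password(password: str, salt: str = "") -> str:
    """Return 'salt$digest'; a random salt is generated when none is given."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_password(stored: str, supplied: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.sha256((salt + supplied).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def admin_login_legacy(stored: str, supplied: str) -> str:
    """Pre-1.1 behaviour as the notes describe it: a blank stored password
    meant the supplied password was never checked (fail-open)."""
    if stored == "":
        return "granted"
    return "granted" if verify_password(stored, supplied) else "denied"


def admin_login(stored: str, supplied: str) -> str:
    """1.1 behaviour: a blank stored password never grants access; the caller
    routes the admin to a set-password step instead (fail-closed)."""
    if stored == "":
        return "password_change_required"
    return "granted" if verify_password(stored, supplied) else "denied"
```

`admin_login("", anything)` now returns a sentinel the login page can turn into a "set your password" screen, whereas the legacy version returned `"granted"` for any input.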

2.3:  Usability Changes
The Sales Data report from Metatron Technology Consulting was added to this
release of LedgerSMB.  This report allows you to track sales and purchases in a
given date range by good or service, and drill down into the AR and AP invoices
in that time period that contain those items.

Several changes have been made to check handling.  These include notices printed
on check stubs when the number of invoices exceeds a user defined number.  Also,
batch printing is now available for checks.

It is now possible (though still difficult) to print directly to a printer from
a Windows server.

3:  Known Issues
Reposting invoices is known to cause inaccuracies in cost of goods sold and
inventory accounts.  This problem has been confirmed to affect SQL-Ledger 2.6.x
as well and is caused by problems involving the de-allocation and transaction
reversal routines.  It will be corrected in an upcoming release as we continue
to re-engineer the application.

4:  Differences between LedgerSMB and SQL-Ledger(TM)

4.1: Login name restrictions
Logins in SQL-Ledger can contain any printable characters.  In LedgerSMB these
are restricted to alphanumeric characters and the symbols ., @, and -.
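The restriction above is a character-class check, and the 1.1.5 changelog further down lists a separate directory traversal check on the username used to build $USER.conf.  The following added example (not LedgerSMB's own code; USERS_DIR and the helper names are assumptions) shows why both are needed: the allowed set includes '.', so logins such as '.' and '..' pass the character check, and only a check on the resolved path catches them when the login is used as a bare path component.

```python
import os
import re

# Added example, not LedgerSMB code. Models the section 4.1 login restriction
# plus the username traversal check from the 1.1.5 changelog.
# USERS_DIR is an assumed location for this example.
LOGIN_RE = re.compile(r"[A-Za-z0-9.@-]+")
USERS_DIR = "/var/lib/ledgersmb/users"


def valid_login(login: str) -> bool:
    """Character-class check only: alphanumerics plus '.', '@' and '-'."""
    return LOGIN_RE.fullmatch(login) is not None


def user_path(login: str, suffix: str = ".conf", users_dir: str = USERS_DIR) -> str:
    """Build the per-user path and confirm it stays inside users_dir.

    The character class admits '.', so '.' and '..' satisfy valid_login().
    With suffix="" they would resolve to users_dir itself or its parent, so
    the resolved path is checked for containment regardless of what the
    character check allowed.
    """
    if not valid_login(login):
        raise ValueError(f"disallowed characters in login {login!r}")
    base = os.path.realpath(users_dir)
    candidate = os.path.realpath(os.path.join(base, login + suffix))
    if os.path.dirname(candidate) != base:
        raise ValueError(f"login {login!r} resolves outside {users_dir}")
    return candidate
```

With the ".conf" suffix a login of ".." merely names a file called "...conf" inside the users directory; the containment check matters for any code path that uses the login as a directory name or without a suffix.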

4.2: Session handling
SQL-Ledger as of 2.6.17 uses session tokens for authentication.  These tokens
are based on the current timestamp and therefore insecure.  Furthermore, these
tokens are not tracked on the server, so one can easily forge credentials for
either the main application or the administrative interface.

LedgerSMB stores the sessions in the database.  These are generated as md5 sums
of random numbers and are believed to be reasonably secure.  The sessions time
out after a period of inactivity.  As of the initial release both
SQL-Ledger-style session ID's and the newer version are required to access the
application.  In future versions, the SQL-Ledger style session ID's will 
probably be removed.
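A server-side session store of the kind this section describes, written as an added example rather than taken from LedgerSMB: tokens come from the operating system CSPRNG instead of the clock, live in a database table, and expire after a period of inactivity.  sqlite3 in memory stands in for PostgreSQL, the table layout and timeout are assumptions, and storing a hash of the token rather than the token itself is this example's choice, not something the notes state.

```python
import hashlib
import secrets
import sqlite3

# Added example, not LedgerSMB code: database-backed sessions with random
# tokens and an inactivity timeout, as section 4.2 describes.
# Table layout, hashing of the stored token and the timeout are assumptions.


class SessionStore:
    def __init__(self, timeout_seconds: int = 900):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE session (token_hash TEXT PRIMARY KEY, "
            "login TEXT NOT NULL, last_seen INTEGER NOT NULL)"
        )
        self.timeout = timeout_seconds

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a read of the table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, login: str, now: int) -> str:
        """Issue a 128-bit random token; nothing about it derives from the time."""
        token = secrets.token_hex(16)
        self.db.execute("INSERT INTO session VALUES (?, ?, ?)", (self._key(token), login, now))
        self.db.commit()
        return token

    def validate(self, token: str, now: int):
        """Return the login for a live token (refreshing last_seen), else None.
        Idle sessions are deleted when first seen past the timeout."""
        key = self._key(token)
        row = self.db.execute(
            "SELECT login, last_seen FROM session WHERE token_hash = ?", (key,)
        ).fetchone()
        if row is None:
            return None
        login, last_seen = row
        if now - last_seen > self.timeout:
            self.destroy(token)
            return None
        self.db.execute("UPDATE session SET last_seen = ? WHERE token_hash = ?", (now, key))
        self.db.commit()
        return login

    def destroy(self, token: str) -> None:
        """Logout: drop the row so the token is unusable from now on."""
        self.db.execute("DELETE FROM session WHERE token_hash = ?", (self._key(token),))
        self.db.commit()
```

Because validity is decided by a lookup rather than by decoding the token, an attacker who knows the server clock learns nothing about which tokens exist, which is the property the timestamp-based SQL-Ledger tokens lacked.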

4.3: Database Changes
Under certain circumstances where the Chart of Accounts is improperly modified,
it is possible to post transactions such that a portion of the transaction is
put into a NULL account.  LedgerSMB does not allow NULL values in the chart id
field of the transaction.

Also, the transaction amount has been changed from FLOAT to NUMERIC so that
arbitrary precision mathematics can be used in third party reports.  This should
also allow SQL-Ledger to scale better, since SUM operations on floating-point
values are unsafe for large numbers of records where accounting data is
involved.
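The following added example (not part of the release notes; the amounts are constructed sample data) shows the two failure modes the FLOAT to NUMERIC change addresses: a long running total drifts in binary floating point, and a single transaction whose debits and credits should net to zero does not.  Python's Decimal stands in for PostgreSQL NUMERIC semantics.

```python
from decimal import Decimal

# Added example, not from the release notes. Demonstrates why section 4.3
# moves acc_trans.amount from FLOAT to NUMERIC. Sample amounts are constructed.


def running_total_float(amount: str, count: int) -> float:
    """Accumulate `count` postings of `amount` in binary floating point."""
    total = 0.0
    for _ in range(count):
        total += float(amount)
    return total


def running_total_numeric(amount: str, count: int) -> Decimal:
    """The same accumulation in decimal arithmetic (NUMERIC semantics)."""
    total = Decimal("0")
    for _ in range(count):
        total += Decimal(amount)
    return total


def balances(entries, numeric: bool) -> bool:
    """True if the debit and credit lines of one transaction net to zero."""
    if numeric:
        return sum(Decimal(e) for e in entries) == 0
    return sum(float(e) for e in entries) == 0.0
```

One million postings of 0.10 sum to exactly 100000.00 as Decimal but to a value slightly above 100000 as float, and the three-line transaction 0.10 + 0.20 - 0.30 balances only in decimal arithmetic; a trial balance built on FLOAT sums can therefore report a non-zero difference that no journal entry explains.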

5:  Roadmap
The project has no defined roadmap but rather a list of tasks and objectives
outlined in the TODO list.  There are many projects here and there is always
room for new ideas.

6:  Get Involved
Contributors should start by joining the LedgerSMB users and devel lists.  Code
contributions at the moment must be committed by either project maintainer and
should be submitted either using the patches interface at Sourceforge or the
devel mailing lists.

Additionally, we can use help in QA, documentation, advocacy, and many other
places. 

SQL-Ledger is a registered trademark of DWS systems and is not affiliated with 
this project or its members in any way.


Changes:

Changelog for LedgerSMB 1.1.11
* Corrected a bug involving currencies not being set properly when sales orders were generated from timecards.

Changelog for LedgerSMB 1.1.10
* Corrected directory traversal/arbitrary code execution via $form->{login}

Changelog for LedgerSMB 1.1.9
* Corrected authentication bypass issue in admin.pl

Changelog for LedgerSMB 1.1.8
* Fixed DBI error on order consolidation
* Fixed whitelisting errors on template editing

Changelog for LedgerSMB 1.1.7
* Fixed another login issue

Changelog for LedgerSMB 1.1.6
* Fixed problem with login failures

Changelog for LedgerSMB 1.1.5
* Updated version strings
* Whitelisted redirect destinations in Form::redirect
* Whitelisted destinations in bin/mozilla/am.pl
* Limited logout redirect destinations
* Whitelisted directories and file extensions used by the template editor
* Converted the template editor to using 3-arg open
* Limited configurable preferences in save_preferences
* Moved (error|info)_function strings from $form into environment variables
* Converted opens of $form->{IN} to 3-arg open in form printing
* User config items are now truncated at first newline when saving
* Converted username check in config load from regex to string comparison
* Added directory traversal check to username used in $USER.conf generation

Changelog for LedgerSMB 1.1.1
* Fixed problem with parts_short trigger not being created
* Fixed problem with custom fields functions not being created
* Pg driver is now checked by default.

Changelog for LedgerSMB 1.1.0
Database
* Added add_custom_field and drop_custom_field functions -- will be more integrated into API next version
* Added utility to partially recover from SQL-Ledger data corruption issues.
* Primary key added to acc_trans table
* DB updates now use one transaction per update file.
* FLOAT datatypes removed from database
* Protection against duplicate transaction id's.
* Added foreign key constraint to acc_trans.chart_id
* Database backups now use pg_dump
* Database creation routines now attempt to add plpgsql to the db if not there.
* Transaction reversal is now enforced by default
Security
* One is required to change the admin password when it is blank (on first login etc).
Usability
* We now support adding custom automation into a custom.pl
* Setup.pl use is now experimentally supported
* Disabled editing sub-assemblies in one area where it is unsafe.
* Utility included for near-real-time parts short email notifications.
* Fixed Lynx support
* Batch printing now available for checks
* Warnings are printed when check stub is truncated
* Sales Data Report added
* SL2LS.pl now dies if it cannot open the files with instructions on how to proceed manually
* Links between admin and login pages
* Experimental support for Windows printing

Changelog for LedgerSMB v 1.0.0p1
* Fixed directory traversal/arbitrary code execution vulnerability.

Changelog for LedgerSMB v 1.0.0 (Changes relative to the pre-fork SQL-Ledger 2.6.17)
* Corrected sessionid security hole allowing bypass of login to main application
* Corrected sessionid security hole allowing one to list logins and more.
* Changed acc_trans.amount to NUMERIC
* Tightened browser caching rules to prevent problems with back button.
* Added an open content manual to the main distribution.
* New logo.
* Began whitespace reformatting of main application.
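Several 1.1.5 entries above concern whitelisting redirect destinations (Form::redirect, am.pl, logout).  The following is an added example of that technique, not LedgerSMB's own code: the whitelist contents, the default target and the function name are assumptions.  It accepts only a bare script name from a fixed set, so absolute URLs, protocol-relative URLs, path components and unknown scripts all fall back to the default.

```python
from urllib.parse import urlsplit

# Added example, not LedgerSMB code: whitelist-based redirect validation of
# the kind the 1.1.5 changelog lists for Form::redirect.
# The allowed set and the default target are assumptions for this example.
ALLOWED_SCRIPTS = frozenset({"am.pl", "admin.pl"})


def safe_redirect_target(requested: str, default: str = "am.pl") -> str:
    """Return `requested` if it names a whitelisted script, else `default`."""
    parts = urlsplit(requested)
    # A scheme or host means an absolute or protocol-relative URL: off-site.
    if parts.scheme or parts.netloc:
        return default
    # Any '/', '..' or unknown script name fails the exact-match test.
    if parts.path not in ALLOWED_SCRIPTS:
        return default
    # Rebuild from the parsed parts so the fragment and oddities are dropped.
    return parts.path + ("?" + parts.query if parts.query else "")
```

Matching against a closed set of script names rather than rejecting known-bad patterns is what makes the check robust: a new bypass form only matters if it parses to exactly one of the listed names.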