LedgerSMB

File Release Notes and Changelog

Release Name: 1.2.7

Notes:
RELEASE NOTES
LedgerSMB 1.2.6



1:  Welcome to LedgerSMB

LedgerSMB is an accounting and ERP program initially aimed at small to midsize
businesses.  Currently the financials and supply chain management modules are
fairly complete, while other modules such as project management exist in a
rudimentary form.  The initial features are identical to SQL-Ledger 2.6.17 from
which it was derived, but the feature set is starting to diverge rapidly.

1.1 System Requirements:

* Perl 5.8.
* Apache, IIS, or other web server that supports CGI.
* PostgreSQL 8.0 or higher.  7.3 and 7.4 could be supported with some effort but
will not work out of the box.
* Any operating system that supports the above environment.
* The following CPAN modules:
	* Data::Dumper
	* Locale::Maketext
	* Locale::Maketext::Lexicon
	* MIME::Base64
	* Digest::MD5
	* HTML::Entities
	* DBI
	* DBD::Pg
	* Math::BigFloat
	* IO::File
	* Encode
	* Locale::Country
	* Locale::Language
	* Time::Local
	* Cwd
	* Config::Std
	* MIME::Lite


2:  What's New in 1.2?

2.1: Database changes:

All core tables now have defined primary keys.  This allows Slony-I to be 
supported out of the box.

Chris Browne has contributed a setup script for Slony.  It is in the 
utils/replication directory.

All user information has also been moved into the database, and the password
algorithm has been changed from crypt to md5.  This means that users will need
to convert their accounts prior to first login on the new system (if this is an
upgrade).

The defaults table has also moved from a one-column-per-value structure to a
simple key->value structure.


2.2:  Security

LedgerSMB 1.2 has been through a detailed SQL injection audit of the codebase
inherited from SQL-Ledger.  As a result, several vulnerabilities which were known
to be exploitable were corrected, along with hundreds of places where
vulnerabilities may have been exploitable but we did not have time to verify
what exploiting them would involve.  We believe, though, that many or most of
these issues were exploitable given a little time and effort.

Also, the template editor's security system was moved from blacklisting to
whitelisting, eliminating a whole class of possible security issues.
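The shape such a whitelist takes, as an added Python example that is not LedgerSMB's own code: the directory list, extension list and the "no .." rule are assumptions modelled on the 1.2.0 changelog entries, and every rule must pass before an edit is allowed.

```python
from pathlib import PurePosixPath

# Constructed whitelist, modelled on the 1.2 changelog entries: a fixed set of
# allowed template directories, a fixed set of allowed extensions, and no ".."
# anywhere in the name. None of these values come from LedgerSMB itself.
ALLOWED_DIRS = frozenset({"templates/demo", "templates/default"})
ALLOWED_EXTENSIONS = frozenset({".html", ".tex", ".txt"})


def template_path_allowed(user_path: str) -> bool:
    """Deny by default: True only when every whitelist rule is satisfied."""
    # Traversal tokens and absolute paths are refused before any parsing,
    # so no normalisation step can turn them back into something accepted.
    if ".." in user_path or user_path.startswith("/"):
        return False
    path = PurePosixPath(user_path)
    # Only known document extensions may be edited (so no .pl, .conf, ...).
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return False
    # The containing directory must be exactly one of the allowed ones;
    # subdirectories and look-alike prefixes such as templates/demo2 fail.
    return path.parent.as_posix() in ALLOWED_DIRS


def check_edit_requests(requests):
    """Classify a batch of requested template paths, e.g. for audit logging."""
    return {p: template_path_allowed(p) for p in requests}
```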

2.3:  New Features

Metatron Technology Consulting's SL-POS codebase was merged with this project,
providing a framework for POS hardware support and more.

Online credit card processing support has been added.

LSMB now supports an arbitrary number of defined currencies for a business and 
is no longer limited to 3.

2.4:  Localization Changes

Localization functions now use Gettext .po files on all platforms.  This means 
that standard translation management tools will work with LSMB translations.

2.5:  Other changes

The ledger-smb.conf is now an ini file, which will reduce the level of expertise
necessary for non-Perl users to configure it.

3:  Known Issues
Reposting invoices is known to cause inaccuracies in the cost of goods sold and
inventory accounts.  This problem has been confirmed to affect SQL-Ledger 2.6.x 
as well and is caused by problems involving the de-allocation and transaction
reversal routines.  It will be corrected (by removing the ability to truly
repost invoices) in an upcoming version as we continue to re-engineer the
application.

4:  Differences between LedgerSMB and SQL-Ledger(TM)

4.1: Login name restrictions
Logins in SQL-Ledger can contain any printable characters.  In LedgerSMB these
are restricted to alphanumeric characters and the symbols ., @, and -.

4.2: Session handling
SQL-Ledger as of 2.6.17 used session tokens for authentication.  These tokens
are based on the current timestamp and therefore insecure.  Furthermore, these
tokens are not tracked on the server, so one can easily forge credentials for
either the main application or the administrative interface.  While this was 
corrected in 2.6.18, the solution chosen by SQL-Ledger (caching the crypted 
password in the browser) is not in line with commonly accepted best security
practices.

LedgerSMB stores the sessions in the database.  These are generated as md5 sums
of random numbers and are believed to be reasonably secure.  The sessions time
out after a period of inactivity.  In the initial release both
SQL-Ledger-style session IDs and the newer version were required to access the
application.  In newer versions, the SQL-Ledger style session IDs have been 
removed.
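The server-tracked session design described above, together with the login-name rule from 4.1, as an added Python example that is not LedgerSMB's code: a dict stands in for the sessions table, the 30-minute timeout is an assumed figure (the page gives none), and the OS CSPRNG is used where the page describes md5 sums of random numbers.

```python
import re
import secrets
import time

# Section 4.1 rule: alphanumerics plus '.', '@' and '-', nothing else.
LOGIN_RE = re.compile(r"^[A-Za-z0-9.@-]+$")

# The page gives no timeout figure; 30 minutes of inactivity is an assumed value.
SESSION_TIMEOUT_SECONDS = 30 * 60


def login_name_ok(login: str) -> bool:
    """True if the login satisfies the LedgerSMB character restriction."""
    return bool(LOGIN_RE.match(login))


class SessionStore:
    """Server-tracked sessions; a dict stands in for the database table."""

    def __init__(self, timeout=SESSION_TIMEOUT_SECONDS, clock=time.time):
        self.timeout = timeout
        self.clock = clock            # injectable so expiry is testable offline
        self._sessions = {}           # token -> (login, last_seen)

    def create(self, login: str) -> str:
        if not login_name_ok(login):
            raise ValueError("login must match [A-Za-z0-9.@-]+")
        # 128 random bits from the OS CSPRNG (used here instead of the
        # md5-of-random-numbers the page describes). The token depends on
        # neither the clock nor the login, so a client cannot reconstruct it.
        token = secrets.token_hex(16)
        self._sessions[token] = (login, self.clock())
        return token

    def validate(self, token: str):
        """Return the login for a live session, else None; refreshes last-seen."""
        entry = self._sessions.get(token)
        if entry is None:
            return None               # not minted by this server: reject
        login, last_seen = entry
        now = self.clock()
        if now - last_seen > self.timeout:
            del self._sessions[token] # inactivity timeout reached
            return None
        self._sessions[token] = (login, now)
        return login

    def logout(self, token: str) -> None:
        """Explicit logout removes the row so the token can never be reused."""
        self._sessions.pop(token, None)
```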

4.3: Database Changes
Under certain circumstances where the Chart of Accounts is improperly modified,
it is possible to post transactions such that a portion of the transaction is
put into a NULL account.  LedgerSMB does not allow NULL values in the chart id
field of the transaction.

Also, the transaction amount has been changed from FLOAT to NUMERIC so that
arbitrary precision mathematics can be used in third party reports.  This ought
to also allow SQL-Ledger to scale up better, as SUM operations on floating
point values are unsafe for large numbers of records where accounting data is
involved.
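Why a FLOAT column is unsafe for summing postings, as an added Python example that is not part of the release notes: a constructed ledger of 1000 postings of 0.10 is totalled the way a FLOAT column would (binary floating point) and the way a NUMERIC column would (Python's Decimal standing in for arbitrary-precision decimal), and a trial-balance check is run over both.

```python
from decimal import Decimal

# Constructed ledger: 1000 postings of 0.10 each. In exact arithmetic they sum
# to 100.00; the amounts are kept as strings so each path converts them itself.
POSTINGS = ["0.10"] * 1000


def sum_as_float(amounts):
    """A FLOAT column: binary floating point, so 0.10 is not representable
    exactly and the rounding error accumulates with every row summed."""
    return sum(float(a) for a in amounts)


def sum_as_numeric(amounts):
    """A NUMERIC column: arbitrary-precision decimal, summed exactly."""
    return sum((Decimal(a) for a in amounts), Decimal("0"))


def float_drift(amounts, expected):
    """How far the float total strays from the true total, as a Decimal."""
    return Decimal(repr(sum_as_float(amounts))) - Decimal(expected)


def books_balance(debits, credits, exact=True):
    """Trial-balance check: total debits must equal total credits. With
    exact=False the comparison is done the way a FLOAT column would do it,
    which is how a balanced set of books can appear to be out of balance."""
    if exact:
        return sum_as_numeric(debits) == sum_as_numeric(credits)
    return sum_as_float(debits) == sum_as_float(credits)
```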

5:  Roadmap
This project has no defined roadmap but rather a set of statements and 
objectives contained in the documentation manager and trackers of sourceforge.
In general, our development is focused around the following principles:

* LSMB as infrastructure:  LSMB should be accessible from other applications.

* Universal applicability:  LSMB should be usable by any business and should
always do the right thing in the background.  Businesses should never find that 
they have outgrown the software.

* Focus on Small to Midsize Businesses:  LSMB's core market will remain in the
small to midsize market.

6:  Get Involved
Contributors should start by joining the LedgerSMB users and devel lists.  Code
contributions at the moment must be committed by either project maintainer and
should be submitted either using the patches interface at Sourceforge or the
devel mailing lists.

Additionally, we can use help in QA, documentation, advocacy, and many other
places. 

SQL-Ledger is a registered trademark of DWS systems and is not affiliated with 
this project or its members in any way.

DEPRECATIONS:
=============================
The entire set of Perl modules and database structures should be seen as 
deprecated from the perspective of add-on development.  For advice in making
add-ons as upgrade-safe as possible, please email the -devel list.  Please 
include a description of what you are trying to accomplish.

KNOWN ISSUES:
==============================
The POS printing system gives an access denied message because the printer
triggers the directory traversal checks.  To work around this problem, ensure
that you do not need to use absolute paths for the printer program (use lpr or
put netdirect.pl in /usr/local/bin and reference it without the full path).

Bugs Fixed in 1.2.6:
================================
1) Customer_id field not found error when posting AP transaction.  This error 
was caused by a mistake in the performance optimizations made in 1.2.5.

2) Erroneous headers printed to balance sheet and income statement.

3) Meta tags were added to force UTF-8 charsets, fixing occasional display
issues with multibyte characters where Apache was misconfigured.

4) ledgersmb-httpd.conf is now more internally consistent.  The alias directive
was changed to /ledgersmb (from /ledger-smb).

5) Minor html fixes were added to ca.pl, contributed by Donna Robertson

6) Error when searching for customer by address is corrected. 

7) Invalid format for integer error fixed when saving projects unconnected to 
customers.

None of the above fixes involved changes to API's that are widely used by the 
application.  Impacts elsewhere from these bug fixes should be minimal.

8) Unbound placeholder error when saving items with custom fields.  This error
involved a centrally used API that is invoked when custom fields exist.  The fix
is only likely to affect those installations which have custom fields attached
to orders, invoices, or parts.


Changes:

Changelog for 1.2.7
* Fixed user@company logins (Chris T)
* Fixed closed books detection (Chris T)
* Fixed AR/AP print and post endless loop (Chris T)
* Fixed subtotal not working on AR/AP Transaction Report (Seneca)
* Fixing incorrect tax account selection issues in POS screen (Chris T)
* Fixed: Titlebar does not show user info (Seneca)
* Fixing error searching for parts with sales invoice links (Chris T)
* Fixed a number of COGS bugs on invoice reversal (Victor S)
* Fixing bareword error with pos.conf.pl (Chris T)
* Fixing SQL error when creating assembly (Seneca)
* Fixing Template use check in user deletion (Seneca)
* Fixing partial transaction commit bug wrt invoices (Chris T)
* Fixed line items being dropped on order consolidation (Chris T)
* Correcting errors on transaction list after posting (Chris T)
* Updated ebuild files (Chris T)
* Backporting POD and tests for Menu.pm from trunk (Seneca)
* Fixing constraint issue deleting part (Chris T)
* Fixing vendor taxes displaying improperly when printing PO (Seneca)
* Corrected security bypass in login.pl (Seneca)

Changelog for 1.2.6
* More date tests added (Seneca)
* Fixed customer_id error in AP transactions (Chris T)
* Added meta tags to set to utf-8 by default (Chris T)
* Fixed the alias inconsistency for the ledgersmb-httpd.conf (Chris T)
* Fixed invalid html in ca.pl (reported by Donna Robinson) (Chris T)
* Fixed error searching for customer by address (Chris T)
* Fixed db error saving items with custom fields (Chris T)
* Fixed db error saving project with NULL customer id (Chris T)
* Improved upgrade_templates' tag handling (Seneca)

Changelog for 1.2.5
* Partsgroup handling corrected on POS and Sales invoice screens (Chris T)
* Closed books handling is corrected (Chris T)
* Corrected intermediate rounding issues involving sales tax (Chris T)
* Fixed FX issue with posting cash transfers (Chris T)
* Corrected multibyte handling in form generation (Seneca)
* Corrected NaN issues in invoice printing (Seneca)
* Corrected PO and order number searches not working (Chris T)
* Corrected Exchange Rate display issue (Chris T)
* Corrected number parsing issues with 1.000,00 formats (Chris T)
* Corrected a number of date handling issues and added tests (Seneca)
* Applied invoice performance patch from Ashley Gittins (Chris T)
* Applied performance improvements to lastname_used (Chris T)

Changelog for 1.2.4
* Fixed internal functions avgcost() and lastcost() to not use float (Joshua D)
* Fixed error posting vendor invoice with fraction costs (Chris M)
* Fixed sales tax display issue on invoice/order entry screen (Chris T)
* Fixed inconsistent error when setting to recur 0 times (Chris T)
* Fixed Access Denied when sending email (Chris T)
* Added Makefile.PL as optional means of dependency checking (experimental, Chris T)
* Updated INSTALL file to use correct globaldbh syntax (Chris T)
* Updated UPGRADE file to recommend reading INSTALL first (Chris T)

Changelog for 1.2.3
* Corrected per-user locale selection (Seneca)
* Corrected partial commits for invoices and orders (Chris T)
* Corrected data types for invoice.qty and invoice.allocated in new dbs (Chris T)
* Corrected suffix error in 1.2.1 to use .sqlc for backups (Joshua D)

Changelog for 1.2.2
* Corrected sales tax display bug in order entry screen (Chris T)
* Corrected database update unable to connect (Seneca)
* Corrected login problems on 1.2.1
* Corrected INSTALL for [GlobalDBH] (Joshua Drake)

Changelog for LedgerSMB 1.2.1
* Modified AM.pm to correctly use globals from ledgersmb.conf (Joshua Drake)
* Simplified backup functions in AM.pm (Joshua Drake)
* Corrected serious sales tax posting bug (Chris Travers)
* Corrected two sales tax display bugs (Chris Travers)
* Corrected configure_apache.sh not rewriting WORKING_DIR (Chris Travers)
* Corrected documentation about tax entry (Chris Travers)
* Corrected logos not printing on PDF/PS invoices (Chris Travers)

Changelog for LedgerSMB 1.2.0
Database:
* Added script to configure Slony replication (Chris Browne)
* Added defined primary keys to all tables (Chris T)
* Database upgrades now use psql (Chris T)
* Defaults table now uses a simple key->value system (Chris T)
* Merged Pg-tables, Pg-functions, and Pg-indeces into Pg-database (Chris T)
Security:
* Added whitelist of allowed directories to file editor (Seneca)
* Audited all Perl modules for SQL injection attacks (Chris T)
* Forced edited files to have whitelisted extensions and no .. strings (Chris T)
* Users are now stored in a separate database instead of fs. (Chris M)
* User database schema now included (Joshua D)
Localization:
* Moved localization files to standard codes (Seneca)
* Added cumulative tax support (Seneca)
* Translations now use Gettext (Seneca)
* Removed back-translation of function names for i18n (Seneca)
* Corrected parsing of numbers so that they are multi-run safe (Chris T)
* Added modular tax calculation support (no modules included yet) (Seneca)
* Added "1 000.00" number format (Chris T)
* Buttons are now localization-safe (Seneca)
Code Quality and API:
* Added logging module (Jason)
* Added session method abstraction (Chris T)
* Broke out price matrix calls into PriceMatrix.pm (Chris T)
* Added $form->callproc($procname, @args), which returns @hashrefs (Chris T)
* Corrected rounding errors (Seneca)
* Code cleanup and template correction (Chris Murtagh)
* New template system (Chris T)
* IC.pm, OE.pm, and IS.pm are aware of custom fields (Chris T)
* Added LedgerSMB::Sysconfig for site-wide configuration (Chris T)
* LedgerSMB::IC is aware of custom fields (Chris T)
* LedgerSMB::PE is aware of custom fields (Chris T)
* Testing suite added (Seneca)
* Moved all database calls to $form->{dbh} (Chris T)
* Form->redirect no longer makes use of exec (Chris T)
* LedgerSMB::Sysconfig now uses more reasonable ledgersmb.conf options (Joshua Drake)
* Removal of Lock Application (Joshua Drake)
* Removal of users/ dependency (Joshua Drake)
Packaging:
* Added first version of rpm spec from Mads Kiilerich (Chris T)
* Added Gentoo ebuilds documentation and metadata (Jason R)
Point of Sale:
* Added experimental TrustCommerce credit card processing (Chris T)
* Merged most of the rest of the SL-POS interface (Chris T)
* POS register now goes from add invoice to add invoice. (Chris T)
* Added pole display and separate cash drawer open calls. (Chris T)
User Interface:
* Moved the IS/IR/OE lineitem column list to LedgerSMB::Sysconfig (Chris T)
* Invoice now has an Onhand column (Chris T)
* Added simple text import function for invoices received (PDT's) (Chris T)
Other:
* ledger-smb.conf is now an ini file (Seneca)
* Experimental scripting wrapper in utils/cli (Chris T)
* doc/database directory now contains postgresql_autodoc output (Chris T)

Changelog for LedgerSMB 1.1.1
* Fixed problem with parts_short trigger not being created
* Fixed problem with custom fields functions not being created
* Pg driver is now checked by default.

Changelog for LedgerSMB 1.1.0
Database
* Added add_custom_field and drop_custom_field functions. -- will be more integrated into API next version
* Added utility to partially recover from SQL-Ledger data corruption issues.
* Primary Key added to acc_trans table
* DB Updates now use one transaction per update file.
* FLOAT datatypes removed from database
* Protection against duplicate transaction id's.
* Added foreign key constraint to acc_trans.chart_id
* Database backups now use pg_dump
* Database creation routines now attempt to add plpgsql to the db if not there.
* Transaction reversal is now enforced by default
Security
* One is required to change the admin password when it is blank (on first login etc).
Usability
* We now support adding custom automation into a custom.pl
* Setup.pl use is now experimentally supported
* Disabled editing sub-assemblies in one area where it is unsafe.
* Utility included for near-real-time parts short email notifications.
* Fixed Lynx support
* Batch printing now available for checks
* Warnings are printed when check stub is truncated
* Sales Data Report added
* SL2LS.pl now dies if it cannot open the files, with instructions on how to proceed manually
* Links between admin and login pages
* Experimental support for Windows printing

Changelog for LedgerSMB v 1.0.0p1
* Fixed directory traversal/arbitrary code execution vulnerability.

Changelog for LedgerSMB v 1.0.0 (Changes relative to the pre-fork SQL-Ledger 2.6.17)
* Corrected sessionid security hole allowing bypass of login to main application
* Corrected sessionid security hole allowing one to list logins and more.
* Changed acc_trans.amount to NUMERIC
* Tightened browser caching rules to prevent problems with back button.
* Added an open content manual to the main distribution.
* New logo.
* Began whitespace reformatting of main application.