|
From: John R. <ro...@ie...> - 2026-07-13 05:39:05
|
Hello all: I have uploaded 2.6.0 to pypi and a new docker image is also released. I don't have access to the main web site at the moment. A ticket is open with sourceforge. So hopefully the new docs will be deployed sometime later today (July 13th). Once the new docs are up I'll do another announcement. There are 14 items in the upgrading doc none of which are required. However the first two items are fixes for CVE's if you are running an older version of Roundup. Until the new web site is up, you can look at the security page on the current website to get the fixes. I'm proud to release version 2.6.0 of the Roundup issue tracker. This release is a bugfix and feature release, so make sure to read the upgrading doc at https://www.roundup-tracker.org/docs/upgrading.html to bring your tracker up to date. The 49 changes, as usual, include some new features and many bug fixes. Version 2.6.0 requires Python version 3.10 or newer. Note that you should run ``roundup-admin ... migrate`` to update the database schema version. Do this before you use the web, command-line or mail interface and before any users access the tracker. You can install it with:: pip install roundup (preferably in a virtual environment). To download it, use:: pip download roundup then unpack and test/install from the tarball. Among the significant enhancements in version 2.6.0 compared to the 2.5.0 release are: * Fix old CSRF prevention for PATCH method The PATCH method was not covered by the old CSRF protection method. * Filter history entries where permissions are handled by check function When a property's permission uses a check command, the history of changes for that property were shown. The permissions are now properly checked using the check function. * Modern CSRF prevention method available This release implements CSRF protection using `Cross-Site Request Forgery by Filippo Valsorda <https://words.filippo.io/csrf/>`_. This is an effective method for CSRF protection and is much simpler as well. There are no configurable options unlike the 8 options for the older method. This can be opted into using config.ini. * Require reauthentication when making changes to sensitive fields You can trigger a reauthentication when the user changes particular fields. For example you can require a password be entered before the user changes their password. * Classic UI interface modernization. The classic tracker has basic responsive support for mobile. The table based layout was removed and HTML 5 landmarks (main, nav ...) are used along with flex and grid layouts. The left hand menu now collapses to a grid layout in a single column when on a smaller display. This can be retrofitted to existing classic trackers. When you moved from one page to the next on an index, the query/search name was lost. This release now preserves the search name. Queries triggered from the query edit page now include the query name in the index view. The web UI now allows users to log in without a password. Before the password field was required which prevented completing the login action. The user.item.html template now generates valid javascript. The jinja2 template got an updated copy of bootstrap. Other miscellaneous fixes include: * Multiple internal cleanups: * remove some Python2 support code * reformat * refactor code replacing with faster/pythonic code * restructuring exception handling to stop ignoring important exceptions * Documentation: wsgi updates replacing uwsgi (abandoned) with waitress (which also works on windows). * rest updates with a null value no longer cause update failures. The file CHANGES.txt has a detailed list of feature additions and bug fixes for each release. You can view it at: https://sourceforge.net/p/roundup/code/ci/default/tree/CHANGES.txt -- rouilj |