CMF 1.3.3 (2003/10/26) Bug Fixes - Ensure that e-mail address to which we mail the user's password in 'registeredNotify' comes from the member, rather than the request (thanks to Yvo Schubbe for the report). - Restrict ability to search members to users who have the 'List portal members' permission (Collector #189). CMF 1.3.2 (2003/09/05) Bug Fixes - Initialize class security correctly on ActionProviderBase (Collector #186). - Remove ownership from filesystem-based skin methods, which can't be trojaned, and therefore need not pay the performance penalty of ownership checking. - Skinnable: Fix __of__ method so that it does not remove previous acquisition wrappers, which leads to invalid UIDs in the catalog when indexing objects using methods acquired from "above" the CMF site. - Sort candiate selection list when adding a FilesystemTypeInfo or ScriptableTypeInfo object to the types tool. - Open filesystem-based skin methods as text files, to avoid platform-specific line-ending issues (Collector #185). - Correct security assertion on CMFDefault.Image's manage_afterAdd (Collector #141). - Ensure that the security attributes are reindexed on all subobjects too when a folderish object changes state in the workflow (Collector #115). - Backport fix of CMFCore/tests/test_FSImage.py to work with recent Zopes (> 2.6), which force HTTP headers to be strings. - Use return instead of raise in RegistrationTool.testPropertiesValidity if id is incorrect (Collector #48). - CookieCrumbler: Accept authentication on HEAD requests. Thanks to Brent Hendricks. - Correctly cleanup temporaries in CMFCore.MemberDataTool when wrapping a user object (Collector #136). CMF 1.3.1 (2003/03/06) Bug Fixes - Fixed editSyInformationProperties in SyndicationTool to ensure that updateBase is saved as a DateTime instance. CMF 1.3.1beta1 (2003/02/26) New Features - Implemented PUT and GET support to CMFCalendar.Event for editing via FTP/WebDAV (thanks to Sidnei da Silva). Bug Fixes - Fixed incorrect security declaration in File.py (Collector #91). - Remove over-helpful default argument values in 'CMFDefault.DefaultDublinCoreImpl._editMetadata'. Now, if called without a value for an argument, the method will not change that value. Collector #10. - Remove workaround in CMFCore.utils for recognizing links in StructuredText: STX in CMF content should now recognize exactly the same links as the underlying Zope. Note that we *do* still provide a customized HTML class, to permit embedding images without generating the "whole" page. Collector #6. - Remove bizarre, shadowing import of CMFCore.utils as 'utils' into package namespace of CMFDefault; instead, import specific names from that package directly (thanks to Paul Winkler for pointing out the incongruity). - Fix (theoretical) bug in CMFCore.DirectoryView which allowed non-registered directories to slip through (UI didn't exercise it). - Merge Christian Theune's fix for funky default argument values on CMFCalendar.Event's constructor and edit methods (collector #76). - FSPageTemplates overwrote a user-generated 'Content-Type' header. We now check to make sure a Content-Type header is not already set before allowing a page template to set its own. - Fixed bugs around 'addActionProvider' in ActionsTool (Collector #42). - Fixed race condition in lazy initialization of filesystem-based skin methods; the bug led to odd name errors on 'context' for FSPythonScripts (Collector #37). - Removed crufty 'isDesktop' stuff from 'folder_factories' and 'folder_contents' methods. - Fixed HTML-invalidating call to 'filterCookie' in 'folder_contents'. - Fixed unclosed 'tr' element in ZPT version of 'folder_edit_form' (Collector #57). - Fixed CalendarTool to use portal_type and not Type to search for events in the catalog (Collector #28, thanks to Heimo Laukkanen for the report). - Fixed a bug in CalendarTool where events were not showing on the last day of the month. CMF 1.3 (2002/08/06) New Features - FSPageTemplates now autodetect XML if a document has the standard '<?xml version="xx"?>' at the top, setting the content_type to "text/xml" so that it is parsed and served as XML. - Added a 'Workflows' tab in the ZMI that displays the workflow state of the object. - Wired 'scrubHTML' check into default versions of 'document_edit' and 'newsitem_edit' skins (site managers who prefer to allow JavaScript in content can customize to remove the check). - Added utility methods for checking / scrubbing HTML content of unwanted tags: CMFDefault.utils: scrubHTML, isHTMLSafe Known bad tags ('script', 'applet', 'embed', 'object'), attributes (starting with 'on'), and values (starting with 'javascript:') cause 'scrubHTML' to raise an exception; unknown tags are silently dropped. 'isHTMLSafe' returns true if 'scrubHTML' would not raise an exception on the same text. - Exposed useful utility methods to scripting / skinning. CMFCore.utils: getToolByName, cookString, tuplize, format_stx, keywordsplitter, normalize, expandpath, minimalpath CMFDefault.utils: formatRFC822Headers, parseHeadersBody, semi_split, comma_split, seq_strip, tuplize, bodyfinder, html_headcheck. - Added two utility functions, 'isHTMLSafe' and 'scrubHTML', to CMFDefault utils; these modules check for / remove undesirable tags from textual content. - Made public functions of 'CMFCore.utils' and 'CMFDefault.utils' available for scripting. - Allowed Portal Folders to be discussable. - Improved the ActionsTool so that permission checking for actions is done in the context of the object for all categories that start with 'object' or 'workflow', in the context of the folder for those that start with 'folder', and in the context of the portal otherwise. This is useful for admin-defined additional categories. Bug Fixes - Fixed Image and File so that they reindex on PUT. - Fixed WorkflowTool so that it doesn't pretend to workflow non-CMF objects (Collector #19). - Removed redundant block of code from CMFDefault/Link.py (Collector #18). - Fixed discussion tree display not to embed entire HTML document (Collector #17, thanks to Jeffrey Shell for the inspiration). - Fixed CookieCrumbler to emit "Basic" and not "basic" auth as per HTTP spec (Collector #14, thanks to Simon Eisenmann for the report). This fixes some WebDAV locking problems with (rightfully) picky clients, like ExternalEditor. - Made old ListCriterion instances forward-compatible across earlier addition of 'operator' field. - Defaulted CMFCore.MembershipTool's createMemberArea flag to true, to preserve existing behavior: member area should be created by default on first login (Collector #5). - Hardened DefaultDublinCoreImpl's EffectiveDate() and ExpirationDate() methods to deal better with older / uninitialzed content. - Refactored content construction in the Types tool to make cataloguing and workflow notification more uniform. - Made Undo work again by removing any LF in transaction ids. - Made WorkflowTool.updateRoleMappings update security-related indexes. - Append '/' to links in skin templates to the root of the site, to pacify clients which won't send Basic Auth tokens because the path doesn't match. - Removed the binding of Folder and Topic types to the default workflow for newly-created CMFSites (Collector #4). Note that existing sites will still need to remove these bindings manually, as indicated in the "Upgrading" section of INSTALL.txt. - Updated initial action reported by CMFDefault's DefaultWorkflow: was "joined", now "created". - Fix 'index_html' template to filter using 'View' permission (folders which were not viewable were triggering authentication, instead of being skipped). - Repair free-form subject entry on 'full_metadata_edit_form' (was merging all keywords onto the same line, plus soft-wrapping!). Likewise the "Contributors" textarea. - Ensured that Link, File, and Image content objects reindex themselves after edit (wrapping 'edit' as a WorkflowMethod no longer guarantees that). - Fixed CMFCalendar's "day view" to accomodate the removal of 'title' metadata from catalog in favor of 'Title' (thanks to Dieter Maurer for pointing this out). - Corrected a skins performance optimization (the version as released in the beta did not take effect). CMF 1.3 beta2 (2002/07/07) New Features - Changed the modification date so that it is updated at reindex time and does not rely anymore on bobobase_modification_time. This makes export+import of objects not lose the modification date. Before exporting objects created with an older CMF version, reindex the "modified" index in the catalog (you just have to do it once, and only if you need to export objects). - Made the workflow tool compute chains using type names, as well as instances (Tracker #441). - Made the DCWorkflow worklists accept a list of formatted values for cataloged variable matches. The separator is a semicolon (Tracker #496). - Made the security-related indexes of the portal catalog be updated for all impacted objects whenever local roles are changed (Tracker #494). This feature makes use of the 'path' index. - Made 'path' (PathIndex) a standard index inside CMF. When upgrading from earlier versions this index will have to be created by hand. - Enabled "within day" queries for FriendlyDateCriteria E.g., field="modified", value="Now", operation="within_day", daterange="old" -> content which was modified "today". (Tracker #474). - Made the id of the current user available to old action providers (DCWorkflow being a prime example) as 'user_id' (Tracker #495, thanks to Luca Olivetti for the patch). - Modified the 'standard_error_message' page template to show the 'error_log_url', if passed in (Zope 2.6 will pass this argument if an error log is installed). - Extended the metadata tool to permit passing the type name directly (e.g., when building a new object, one might need to know the allowed subjects before construction). - Added a working calendar implementation to the CMFCalendar product, which had previously provided only an Event content type. Thanks to Andy Dawkins for the work. Note that we are disabling the use of sessions to track calendar selections by default; you can re-enable them by visiting the 'portal_calendar' tool in the ZMI. - Updated FS-based skin methods to read optional '.security files, whcih control the role-permission mappings for each skin method. See CMFCore/tests/fake_skins/fake_skin/test4.py.security for an example. Bugs Fixed - Fixed PortalFolder's filtering so that it correctly restricts itself to the portal types allowed by the TypesTool (Tracker #483). - Fixed the TypesTool so that TypeInformation's Title is decorrelated from its Id (the old TypeInformation.Type() should not be used anymore). The Id is what gets put in the "portal_type" attribute of a content object, which one gets at using somecontent.getPortalTypeName(). The Title is returned by somecontent.Type(). "portal_type" is now indexed, and in most cases should be used when doing catalog queries instead of "Type". - Provided all default skins (content_hide_form, content_show_form) for the DCWorkflow default workflow [rev 2]. Note that, when using this workflow, the descriptions in the retract and reject forms are slightly incorrect as they mention the "private" state but in fact go to the "visible" state. - Fixed verification of portal types in the TypesTool to work in the presence of portal types with a non-empty title (Tracker #497). - Removed unintentional sharing of ActionInformation data between class defaults and persistent instances derived from ActionProviderBase. Likewise for TypeInformation instances. - Enabled creation of "My Stuff" folder for users (e.g., the manager) authenticated "above" the normal user folder (Tracker #485, thanks to Dieter Maurer for the patch). - Fixed handling of discussion items so that they are correctly indexed, unindexed and reinserted into the workflows when copied or moved. - Correctly reindex the just-reset workflow variables of an object in a DCWorkflow after a paste. - Correctly insert into the workflows the objects created by a Scriptable Type. - Fixed Friendly Date Criterion edit form to correctly display the duration in its menu (Tracker #475, thanks to Axel Joester for the patch). - Fixed relative URL in metadata_edit_form that broke if the main_template had a base tag (Tracker #506). - Made discussion replies work correctly when hitting Enter in the title field (Tracker #515), and corrected discussion Preview followed by an Edit that lost body information (Tracker #516). - Fixed the deletion of replies (Tracker #513, thanks to Stefan H. Holek for the patch). - Made the Link objects deal correctly with empty remote urls (Tracker #507) and not strip trailing slashes (Tracker #451). - Made content_type_registry deal correctly with TypeInfos that have a title (Tracker #465, thanks to Juan Antonio Valiño García for the patch). - Changed CMFDefault.MembershipTool not to create a member folder at member creation time when the memberareaCreationFlag is false (Tracker #519). Note that any code that depended on the member folder being created after addMember will fail, that code should call createMemberarea directly if needed. - Fixed CMFDefault.RegistrationTool to correctly check the lack of 'email' property when creating a new member or when checking member's properties validity (Tracker #508). - Fixed addtoFavorites to correctly add a favorite of someone else's document (Tracker #501). - Fixed CatalogTool to create a meta_type index; this is needed now that ZCatalog doesn't create any default indexes when instantiated. - Fixed recent_news to use 'Title' instead of 'title' to display the title of each news ('title' isn't indexed anymore). - Fixed listFolderContents to take into account its optional 'spec' argument. - Fixed index_html to correctly filter out unauthorized subfolders (Tracker #503). - Fixed exception handling to not use a string exception in PortalFolder (Tracker #512). - Changed the permission protecting the "Join" action provided by the default registration tool from "View" to "Add portal member" (Tracker #509). - Removed redundant "Syndication" action from SkinnedFolder; the SyndicationTool provides this aciton. (Tracker #481) - Updated INSTALL.txt to note the dependency of CMF on the TAL and ZTUtils packages and on the PageTemplates product for Zopes < 2.5. (Tracker #489). - Updated CatalogTool to create a Vocabulary if none present (as won't be for catalogs created under Zope 2.6). - Adapted interface checks to work with new spellings in Zope 2.6 (older Zopes should still work). - Removed '##bind' headers from FSPythonScripts where they only repeat the defaults. - Corrected patterns used for "HTML body stripping" to avoid HTML embedded within structured text. - Fixed computed action of form in 'folder_rename_form' (Tracker #511; thanks to "yuppie" for the patch). - Improved cacheability of skin images by using absolute URLs. - Suppressed repeated load of FSImage content from filesystem (should only happen when in debug mode). - Repaired skin methods' read of '.properties' files, which hold additional metadata about the skin method beyond what can be expressed in the body. - Updated caching policy manager tool to use correct date format (RFC 1123 instead of RFC 822). CMF 1.3 beta 1 (2001/04/03) New Features - CMFDefault Documents, News Items and Discussion Items now support a 'plain' text format, which simply HTML-quote's the text before displaying it. - Added CachingPolicyManager tool, which manages caching policies for skin methods, and updated FSPageTemplate to use a CPM if found. - Added functionality such that only users who have the view permission on the relevent Type object can create content of that type. - Added the ability to limit what types of object an object of a given Portal Type can be created in. If 'Implicity Addable' is set (the default), then objects of that Type can be added anywhere. If it is not set, then objects of that Type can only be added to objects whose Type's allowed_content_types contains the Type. - Enabled querying actions from workflow tool in absence of actions tool (Tracker #401). - Added 'operator' attribute to CMFTopic.ListCriterion, to permit specifying an operator ('and', for the most part) for indexes which support it, e.g., KeywordIndex (Tracker #442). - Added ZMI interface for editing Link URL (Tracker #364). Bugs Fixed - Make ZMI editing of NewsItems safe (Tracker #472). - Made generated home pages for new members participate fully in workflow (Tracker #467). - Added 'text_format' widget to NewsItem's edit forms (Tracker #460). - Fix sharing bug pointed out by Dieter Maurer (Tracker #484) in ActionProviderBase. Thanks for the patch! - Added forwared-compatibility for "old" content (pre CMF 1.0!; Tracker #454, thanks to Lucas Hofman for the patch). - Made 'PortalFolder.invokeFactory' enforce the 'filter_content_types' property of the folder's type information object. - Added stripping of leading / trailing whitespace from Subject keywords (Tracker #479, thanks to Lucas Hofman for the patch!) - Gave URL tool explicit __roles__, to enable use in 'nocall:' expressions. - Turned off auto-expansion of customized FSPageTemplates (Tracker #477). - Fixed ActionProvidorBase for the case when no permission is specified for an action that is added TTW. - Fixed ActionsTool so that duplicate actions are stripped. - Caused CMFDefault Portal constructor to strip passed-in id before creating a portal object with that id. - Allowed the ActionsTool to gracefully handle objects which return ActionInformation objects. Thanks to Andy Dawkins for the analysis. (Tracker #457) - Made workflow Expressions use the correct ModuleImporter so that they operate correctly in their restricted environment. Thanks to Dieter Maurer for the patch. (Tracker 463) - Fixed incorrent permissions in "pending" state of default DCWorkflows. Thanks for Lynn Walton for the report and Florent Guillaume for the patch. (Tracker #464) - Fixed missing comma that affected manager permission to modify in the published state. Thanks to Florent Guillaume for the patch (Tracker #459) - html_quote'd errors raised by FSPageTemplates. Thanks to Dieter Maurer for the patch. (Tracker #462) - Fixed typo in zpt_stylesheet.css. Thanks to Florent Guillaume for the patch. (Tracker #461) - Fixed long standing bug in FSPythonScript where get_size returned the incorrect length. This broke editing using EMACS via FTP or WebDAV. Thanks to John Glavin at South River Technologies for help finding the bug. - Reworked functionality added in Tracker #409 which broke the Types Tool. (Tracker #458) - Fixed bug whereby DirectoryView instances were not noticing some of the changes they should when Zope was running in debug mode on Windows (Tracker #305) - Fixed a bug where the workflow notifyCreated method was called during manage_afterAdd in PortalContent, making it possible for the notification to occur on the wrong workflow. The notification has moved to the contstructInstance method on the TypesTool after the _setPortalTypeName method has been called on the object. - Extended TypesTool to permit registration of new TypeInformation implementations (Tracker #409, thanks to Jeffrey Shell for the work!) - Fixed a bug in Favorites.getObject to use restrictedTraverse on the portal object. - Made all tool-generated actions configurable through-the-web, via an "Actions" tab on each tool; made the list of ActionProviders configurable TTW as well. - Fixed setting the Link.format to URL_FORMAT so the initially returned metadata headers would return 'text/url' properly. Added unittests. - Enabled querying actions from workflow tool in absence of actions tool (Tracker #401). - Fixed CMFDefault.utils.parseHeadersBody to properly handle the headers generated on a windows app (i.e. Dreamweaver) with /r/n; added the compiled regular expression object to the method signature. - Added full webdav sipport code to Link.py. Changed _writeFromPUT to call _editMetadata instead of editMetadata. - Made links emitted by 'topic_view' play nice with virtual hosting (Tracker #433). - Cleaned up emission of RFC822-style headers (Tracker #407), terminating headers must be terminated with CRLF, and padding continuation lines (for values with embedded newlines) with leading whitespace). - Ensure that package initialization files are non-empty, to prevent suspicion that they were corrupted in download (Tracker #426). - Added external method update_catalogIndexes.py to run as part of a upgrade to CMFs migrating to Zope2.4+ from from CMF sites which were built using Zope2.3 catalog - Use ID to label Favorite when target has an empty Title (Tracker #440). - Allowed sub-folders to have different syndication properties than parents (Tracker #421). - Added 'CMFDefault.Upgrade.upgrade_decor_skins' external method to convert existing sites which had installed skin directories from the now-deprecated 'CMFDecor' product (Tracker #434). Added note explaining the issue, and the workaround, to 'ISSUES.txt'. - Ensure that Favorites display the correct, absolute URL to their target, without needing to have 'base' tag set (Tracker #419). - Worked around Opera's strange insistence on selecting an option, even for multi-select lists (Tracker #332). - Hardened CMFCore to initialize correctly in the absence of the PageTemplates product (Tracker #430). - Restored slot in 'head' of ZPT main template into which content can insert the 'base' tag (Tracker #418). - Fixed 'CMFTopic.SimpleIntegerCriterion.edit' to require a pair of values when 'direction' is 'min:max'; updated skins to use new 'getValueString', which renders such values properly (Tracker #439). - Ensured that Documents created with initial STX get cooked (Tracker #435). - Made links emitted by 'topic_view' play nice with virtual hosting (Tracker #433). - Made 'CMFCore/interfaces/__init__.py' non-empty, to remove suspicion that the file was corrupted in the download (Tracker #426).