I'm proud to release version 2.6.0b1 of the Roundup issue
tracker.  This release is a bugfix and feature release, so
make sure to read `docs/upgrading.txt
<https://www.roundup-tracker.org/docs/upgrading.html>`_ to
bring your tracker up to date.

The 48 changes, as usual, include some new features and many
bug fixes.

Version 2.6.0 does not support Python 2. The minimum Python
version is 3.10.

Note that you should run ``roundup-admin ... migrate`` to
update the database schema version. Do this before you use
the web, command-line or mail interface and before any users
access the tracker.

You can install it with::

   pip install roundup

(preferably in a virtual environment). To download it, use::

   pip download roundup

then unpack and test/install from the tarball.

Among the significant enhancements in version 2.6.0 compared to
the 2.5.0 release are:

* **Filter history entries where permissions are handled by check function**

  When a property's permission uses a check command, the history
  of changes for that property was shown. The permissions are now
  properly checked using the check function.

* **Fix old CSRF prevention for PATCH method**

  The PATCH method was not covered by the old CSRF protection method.

* **Modern CSRF prevention method available**

  This release implements CSRF protection using `Cross-Site Request
  Forgery by Filippo Valsorda <https://words.filippo.io/csrf/>`_.  This
  is an effective method for CSRF protection and is much simpler as
  well. There are no configurable options unlike the 8 options for the
  older method. This can be opted into using config.ini.

* **Require reauthentication when making changes to sensitive fields**

  You can trigger a reauthentication when the user changes particular
  fields. For example you can require a password be entered before the
  user changes their password.

* **Classic UI interface modernization.**

  The classic tracker has basic responsive support for mobile.  The
  table based layout was removed and HTML 5 landmarks (main, nav ...)
  are used along with flex and grid layouts.  The left hand menu now
  collapses to a grid layout in a single column when on a smaller
  display. This can be retrofitted to existing classic trackers.

  When you moved from one page to the next on an index, the
  query/search name was lost. This release now preserves the search
  name.

  Queries triggered from the query edit page now include the query
  name in the index view.

  The web UI now allows users to log in without a password. Before the
  ``password`` field was required which prevented completing the login
  action.

  The user.item.html template now generates valid javascript.

  The jinja2 template got an updated copy of bootstrap.
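
The header-based check behind the "Modern CSRF prevention method" item above, sketched from the linked article. This is an added example, not Roundup's own code; the function name, the lower-cased header mapping and the sample hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_cross_origin(method, headers, trusted_origins=()):
    """Return True if a state-changing request should be refused.

    headers: mapping of lower-cased header names to values (an assumption
    of this sketch; adapt it to however your framework exposes headers).
    """
    if method.upper() in SAFE_METHODS:
        return False  # safe methods must never change state
    origin = headers.get("origin")
    if origin is not None and origin in trusted_origins:
        return False  # explicitly allowed cross-origin caller
    site = headers.get("sec-fetch-site")
    if site is not None:
        # Set by the browser itself; page script cannot forge it.
        return site not in ("same-origin", "none")
    if origin is None:
        # Neither header present: same-origin or not sent by a browser.
        return False
    # Older browser without Sec-Fetch-Site: Origin must match Host.
    origin_host = urlsplit(origin).netloc.lower()
    host = headers.get("host", "").lower()
    return not origin_host or origin_host != host


# Constructed sample requests (hostnames are placeholders).
SAMPLES = [
    ("GET", {"sec-fetch-site": "cross-site"}),
    ("PATCH", {"sec-fetch-site": "cross-site"}),
    ("POST", {"sec-fetch-site": "same-origin"}),
    ("POST", {}),
    ("POST", {"origin": "https://tracker.example", "host": "tracker.example"}),
    ("POST", {"origin": "https://other.example", "host": "tracker.example"}),
    ("POST", {"origin": "null", "host": "tracker.example"}),
]


def decisions():
    """Refuse/allow decision for each constructed sample, in order."""
    return [is_cross_origin(method, headers) for method, headers in SAMPLES]


if __name__ == "__main__":
    for (method, headers), refused in zip(SAMPLES, decisions()):
        print("REFUSE" if refused else "allow ", method, headers)
```
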

Other miscellaneous fixes include:

* Multiple internal cleanups:

  * remove some Python2 support code
  * reformat
  * refactor code replacing with faster/pythonic code
  * restructuring exception handling to stop ignoring important exceptions

* Documentation wsgi updates replacing uwsgi (abandoned) with waitress
  (which also works on Windows).

* REST updates with a null value no longer cause update failures.

The file CHANGES.txt has a detailed list of feature
additions and bug fixes for each release. The most recent
changes from there are at the end of this announcement. Also
see the information in doc/upgrading.txt.

If you find bugs, please report them to issues AT
roundup-tracker.org or create an account at
https://issues.roundup-tracker.org and open a new ticket. If
you have patches to fix the issues they can be attached to
the email or uploaded to the tracker.

Upgrading
=========

If you're upgrading from an older version of Roundup you
*must* follow all the "Software Upgrade" guidelines given in
the doc/upgrading.txt documentation.

Note that you should run ``roundup-admin ... migrate`` for
all your trackers to update the database schema version. Do
this before you use the web, command-line or mail interface
and before any users access the tracker.

Roundup requires Python 3 newer than or equal to version 3.10 for
correct operation. (Python 3.8 or 3.9 may work, but are not
tested.) Note that Roundup 2.4.0 was the last release to support
Python 2. You should deploy new trackers with Python 3 and plan on
upgrading older trackers from Python 2 to Python 3. See the upgrade
guide.

To give Roundup a try, just download (directions above),
unpack and run::

    python demo.py

then open the url printed by the demo app.

Release info and download page:

     https://pypi.org/project/roundup/

Source and documentation are available at the website:

     https://www.roundup-tracker.org/

Mailing lists - the place to ask questions:

     https://sourceforge.net/p/roundup/mailman/


About Roundup
=============

Roundup is a simple-to-use and install issue-tracking system
with command-line, web and e-mail interfaces. It is based on
the winning design from Ka-Ping Yee in the Software
Carpentry "Track" design competition.

Roundup manages a number of issues (with flexible properties
such as "description", "priority", and so on) and provides
the ability to:

(a) submit new issues,
(b) find and edit existing issues, and
(c) discuss issues with other participants.

The system facilitates communication among the participants
by managing discussions and notifying interested parties
when issues are edited. One of the major design goals for
Roundup is that it be simple to get going. Roundup is therefore
usable "out of the box" with any Python 3.10+
installation. It doesn't even need to be "installed" to be
operational, though an install script is provided.

It comes with five basic issue tracker templates

* a classic bug/feature tracker
* a more extensive devel tracker for bug/features etc.
* a responsive version of the devel tracker
* a jinja2 version of the devel template (work in progress)
* a minimal skeleton

and supports four database back-ends (anydbm, sqlite, mysql
and postgresql).

Recent Changes
==============

From 2.5.0 to 2.6.0

Fixed:

- performance improvement to session_dbm.py:clean(). Also add warning
  log message if clean takes longer than 3 seconds. (John Rouillard)
- move RateLimitExceeded exception from roundup.exceptions to
  roundup.cgi.exceptions. Also it now inherits from HTTPException
  rather than Exception since it is an HTTP exception. (John
  Rouillard)
- cleaned up repo. Close obsolete branches and close a split head due
  to an identical merge in two different working copies. (John
  Rouillard)
- in roundup-admin, using 'pragma history_length' interactively now
  sets readline history length. Using -P history_length=10 on the
  command line always worked. (John Rouillard)
- enhanced error reporting for errors in ini style logging
  configuration. (John Rouillard)
- fix bogus javascript emitted by user_src_input macro. (John
  Rouillard)
- replaced hostname localhost with 127.0.0.1 in docker healthcheck
  script. Found/patch by Norbert Schlemmer. (John Rouillard)
- change some internal classes to use __slots__ for hopefully a small
  performance improvement. (John Rouillard)
- issue2551413 - Broken MultiLink columns in CSV export. CSV export of
  a multilink link "messages" that does not have a 'name' property
  causes a crash. (found/fix by cmeerw; commit and better handling of
  non-labeled multilink by John Rouillard)
- in cgi/client.py, set self.language attribute when translator passed
  into Client(). (John Rouillard)
- issue2551393 -  Named searches lose their name in title when next
  page is selected. (John Rouillard)
- code cleanup replace bare except: with except Exception:. (patch by
  Sense_wang (haosenwang1018) applied by John Rouillard)
- handle "null" values in json objects sent to a rest endpoint by
  filtering them from the object before processing. A "null" value
  will not unset an attribute. The 'remove' action using the
  PATCH verb can unset the value. Before this change "null" values
  retrieved from the REST interface would cause errors when sent
  using POST or PUT verbs. Also guard against password being set to
  None. (John Rouillard)
- change the html templates so that the password is not required if
  the ``login_empty_passwords`` setting is enabled in ``config.ini``.
  Directions for your tracker are in upgrading.txt. (John Rouillard)
- fix traceback displayed when roundup-admin install was used with
  invalid settings for config.ini. It now reports the error and
  provides the usage output. Also usage output starts with a newline
  to provide a blank line between the command and the output to
  improve readability. (John Rouillard)
- fix bug in 2.5.0 where roundup-admin import (or importtable) fails
  to properly set the next available id for the class. (John Rouillard
  broke it and fixed it 8-))
- refactor mime detection/handling in the rest interface. Better
  supports some mime types, adds default mime type for files without a
  mime type (e.g. message contents). Cleaner code. (John Rouillard)
- run hexora and mitigate/fix some medium sev and above. (John Rouillard)
- Return 400 if environment or header variables
  have values with characters outside of the printable ascii range
  (32-127). Applies to roundup-server and roundup-cgi. wsgi and Zope
  depend on the hosting server for sanitizing. See waitress wsgi server
  bug:
  https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
  (John Rouillard)
- Cleanups/minor enhancements to roundup.cgi script. (John Rouillard)
- fix back_anydbm::Class::get() method to properly return default value
  if requested property is set to None. This should fix missing text
  indexing for the anydbm backend. (John Rouillard)
- ruff driven cleanups/refactor of indexer* files. (John Rouillard)
- remove ``roundup.anypy.scandir_`` which was needed for python 2 support.
  (John Rouillard)
- roundup-server no longer logs connection aborted when a client
  disconnects and is using HTTP 1.1 or newer. (John Rouillard)
- replace isinstance(..., type(X)) where X is an instance of a type
  (1, {}, [], '', u"") with the type itself (int, dict, list, str,
  str). This is a leftover construct from early Python 2. Replacing
  them speeds up code (e.g. type({}) vs dict). (John Rouillard)
- issue2551405 - Missing locale .mo files create 500 error on uwsgi
  without further info. Added more specific ConnectionAbortedError
  and changed IOError handling. Case in issue now logs the exception
  for diagnosis. (Reported by Ralf Schlatterbeck; John Rouillard)
- Make queries selected from query edit screen include the query
  name/display name. This makes it work the same as invoking a query
  from the main "Your Queries" menu. (John Rouillard)
- Fix SearchAction to not clobber a saved search when a new search of
  the same name is created.  Assume a search named "asearch"
  exists. Create a new search (not editing the existing
  "asearch"). Set new query params and name it "asearch". Roundup will
  warn you that "asearch" already exists and you need to choose a new
  name. In the warning form, you rename it to "bsearch" and
  save/execute. Before this would overwrite "asearch" as it set the
  "@old-queryname" of the warning form to "asearch". So it looked like
  you were trying to edit the existing query. This fix modifies the
  queryname before generating the error form. So when submitted it
  doesn't overwrite "asearch". (John Rouillard)
- update the classic tracker's page.html to remove table based
  layout. It now uses html5 landmarks like header, main, search,
  nav. It also uses flexbox and grid layouts and includes a viewport
  meta tag for use on mobile devices.  It can be navigated with the
  keyboard. Parts of the page that are too wide for the viewport can
  be scrolled horizontally with the keyboard or touch. Some other CSS
  changes make it easier to use. This is a first step to making the
  classic template more responsive. (John Rouillard)
- jinja2 template dependencies updated: bootstrap 4.4.1 -> 4.6.2.
  (John Rouillard)
- issue2551377 - Disabled submit button UI issues. When the submit
  button is clicked (triggering submit_once) but client side
  validation blocks the submission, the submit button no longer
  submits the form. Clicking it says the form has been submitted
  please wait. This change allows the submit button to submit the form
  again after 5 seconds.  (John Rouillard)
- Fix developers.txt doc bug (discovered by Ross Boylan, change by
  John Rouillard)
- Handle ConfigurationErrors in demo.py cleanly. Used to dump a full
  traceback. Now prints error and exits. (John Rouillard)
- Do not display journal/history fields when user does not have access
  to the property being changed. (John Rouillard)
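
The "Return 400 if environment or header variables have values with characters outside of the printable ascii range" entry above notes that wsgi deployments depend on the hosting server for sanitizing. The sketch below applies the same kind of check as WSGI middleware. It is an added example, not Roundup's code; the names ``bad_environ_keys``, ``RejectUnprintable`` and ``status_for`` and the sample environ are constructed for illustration.

```python
import io


def bad_environ_keys(environ, low=32, high=127):
    """Names of request variables with a character outside low..high.

    The default bounds are the range quoted in the changelog entry (32-127).
    """
    bad = []
    for key, value in environ.items():
        if key.startswith("wsgi.") or not isinstance(value, str):
            continue  # wsgi.input, wsgi.errors etc. are objects, not header text
        if any(not (low <= ord(ch) <= high) for ch in value):
            bad.append(key)
    return sorted(bad)


class RejectUnprintable:
    """WSGI middleware: answer 400 before the wrapped app sees a bad value."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if bad_environ_keys(environ):
            body = b"Bad Request\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    # Stand-in for the real application (hypothetical).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(environ):
    """Status line produced when the wrapped demo app handles environ."""
    seen = []
    RejectUnprintable(_demo_app)(environ, lambda status, hdrs: seen.append(status))
    return seen[0]


# Constructed sample environs.
CLEAN = {"REQUEST_METHOD": "GET", "PATH_INFO": "/issue1",
         "HTTP_HOST": "tracker.example", "wsgi.input": io.BytesIO()}
DIRTY = dict(CLEAN, HTTP_X_TEST="abc\x00def")
```
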

Features:

- add support for authorized changes. User can be prompted to enter
  their password to authorize a change. If the user's password is
  properly entered, the change is committed. (John Rouillard)
- add support for dictConfig style logging configuration. Ini/File
  style configs will still be supported. (John Rouillard)
- add 'q' as alias for quit in roundup-admin interactive mode. (John
  Rouillard)
- add readline command to roundup-admin to list history, control input
  mode etc. Also support bang (!) commands to rerun commands in history
  or put them in the input buffer for editing. (John Rouillard)
- add format to logging section in config.ini. Used to set default
  logging format. (John Rouillard)
- the default logging format template includes an identifier unique
  for a request. This identifier (trace_id) can be used to identify
  logs for a specific transaction. Will use nanoid if installed, uses
  uuid.uuid4 otherwise. Logging also supports a trace_reason log token
  with the url for a web request. The logging format can be changed in
  config.ini. (John Rouillard)
- issue2551152 - added basic PGP setup/use info to admin_guide. (John
  Rouillard)
- add support for the 'justhtml' html 5 parser library for python >=
  3.10. It is written in pure Python. Used to convert html emails into
  plain text. Faster than beautifulsoup4 and it passes the html 5
  standard browser test suite. Beautifulsoup is still supported. (John
  Rouillard)
- add a new detector: immutable_file_contents.py that prevents
  changes to file contents. By default, the permissions assigned
  to FileClass based classes (files, msgs) do not prevent editing
  of file contents.  While the usual HTML templates don't provide
  a way to modify files, the REST interface allows changing file
  contents without an audit trail. Manually driving the HTML
  interface (via curl for example) also allows content
  changes. The new detector prevents changes to file contents via
  Roundup even by a user with admin rights. (John Rouillard)
- Added documentation on doing an in place database migration. This is
  faster for large databases. (John Rouillard)
- Added installation.txt docs on setting up SCGI support with the
  althttpd web server. (John Rouillard)
- add support for tokenless/nonceless CSRF prevention following
  https://words.filippo.io/csrf/. (John Rouillard)
- standardize use of ``roundup.anypy.urllib_``. Replace urlparse() with
  urlsplit() (recommended) for some speedup. (John Rouillard)
- issue2551368 - version 2.0.0 of the pgp module was published by
  Bernhard Reiter.  Updated documentation and tests. (Bernhard Reiter,
  John Rouillard)
