![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/CHANGES.txt b/CHANGES.txt
index ba91730e705af059a815a23a163583ce2cfdf78b..c3819b45e0a3f4beaebcd744e86540a3d11b9717 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
This file contains the changes to the Roundup system over time. The entries
are given with the most recent entry first.
This file contains the changes to the Roundup system over time. The entries
are given with the most recent entry first.
-2009-XX-XX 1.4.XX (rXXXX)
+2010-XX-XX 1.4.12 (rXXXX)
Fixes:
Fixes:
+- Proper handling of 'Create' permissions in both mail gateway (earlier
+ commit r4405 by Richard), web interface, and xmlrpc. This used to
+ check 'Edit' permission previously. See
+ http://thread.gmane.org/gmane.comp.bug-tracking.roundup.devel/5133
+ Add regression tests for proper handling of 'Create' and 'Edit'
+ permissions.
+- Fix handling of non-ascii in realname in the nosy mailer, this used to
+ mangle the email address making it unusable when replying. Thanks to
+ intevation for funding the fix.
+- Fix documentation on user required to run the tests, fixes
+ issue2550618, thanks to Chris aka 'radioking'
+
+
+2009-12-21 1.4.11 (r4411)
+
+Features:
+- Generic class editor may now restore retired items (thanks Ralf Hemmecke)
+
+Fixes:
+- Fix security hole allowing user permission escalation (thanks Ralf
+ Schlatterbeck)
- More SSL fixes. SSL wants the underlying socket non-blocking. So we
don't call socket.setdefaulttimeout in case of SSL. This apparently
never raises a WantReadError from SSL.
- More SSL fixes. SSL wants the underlying socket non-blocking. So we
don't call socket.setdefaulttimeout in case of SSL. This apparently
never raises a WantReadError from SSL.
sent via email. We now check that user has permission on the message
content and files properties. Thanks to Intevation for funding this
fix.
sent via email. We now check that user has permission on the message
content and files properties. Thanks to Intevation for funding this
fix.
+- Fix traceback on .../msgN/ url, this requests the file content and for
+ apache mod_wsgi produced a traceback because the mime type is None for
+ messages, fixes issue2550586, thanks to Thomas Arendsen Hein for
+ reporting and to Intevation for funding the fix.
+- Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
+ Thanks to Thomas Arendsen Hein for reporting and to Intevation for
+ funding the fix.
+- Add documentation for migrating to the Register permission and
+ fix mailgw to use Register permission, fixes issue2550599
+- Fix styling of calendar to make it more usable, fixes issue2550608
+- Fix typo in email section of user guide, fixes issue2550607
+- Fix WSGI response code (thanks Peter Pöml)
+- Fix linking of an existing item to a newly created item, e.g.
+ edit action in web template is name="issue-1@link@msg" value="msg1"
+ would trigger a traceback about an unbound variable.
+ Add new regression test for this case. May be related to (now closed)
+ issue1177477. Thanks to Intevation for funding the fix.
+- Clean up all the places where role processing occurs. This is now in a
+ central place in hyperdb.Class and is used consistently throughout.
+ This also means now a template can override the way role processing
+ occurs (e.g. for elaborate permission schemes). Thanks to intevation
+ for funding the change.
+- Fix issue2550606 (german translation bug) "an hour" is only used in
+ the context "in an hour" or "an hour ago" which translates to german
+ "in einer Stunde" or "vor einer Stunde". So "an hour" is translated
+ "einer Stunde" (which sounds wrong at first). Also note that date.py
+ already has a comment saying "XXX this is internationally broken" --
+ but at least there's a workaround for german :-) Thanks to Chris
+ (radioking) for reporting.
2009-10-09 1.4.10 (r4374)
2009-10-09 1.4.10 (r4374)