The release of OpenACS 5.10.1 contains the 94 packages of the oacs-5-10 branch. These packages include the OpenACS core packages, -the major application packages (e.g. most the ones used on -OpenACS.org), and DotLRN 2.10.1.
Improved templating
Client-side double click prevention
Support for generic icon names, which can be mapped differently
-depending on the installed packages and themes: The generic names
-are supported via <adp:icon
-name="NAME" title=....>
. By using this feature,
-one can use font-based icons (like e.g. glyphicons of Bootstrap5,
+the major application packages (e.g. most the ones used on
+OpenACS.org), and DotLRN 2.10.1.
Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the +following statistics
+ 3027 files changed, 428212 insertions(+), 219697 deletions(-)
contributed by 8 committers (Antonio Pisano, Gustaf Neumann, +Günter Ernst, Héctor Romojaro, Michael Aram, Raúl Rodríguez, +Sebastian Scheder, and Thomas Renner) and additional 8 patch/bugfix +providers (Felix Mödritscher, Frank Bergmann, Franz Penz, Josue +Cardona, Keith Paskett, Markus Moser, Marty Israelsen, and Monika +Andergassen) - all sorted by the first names.
In terms of changes, this is the largest amount of changes at +least since the release of OpenACS 5.9.0. Below is a summary of the +most important changes, often together with the commit references +in Git. The summary was made on subjective criteria, to get an +overview of the changes.
For all details, consult the raw +ChangeLog.
+Security and Privacy Posture +Overview: As expressed as a wish from OpenACS users +at the last OpenACS conference, a “Security and Privacy Posture Overview” was +added that offers a quick overview of the state of the system and +eases access to the parameters scattered over different packages in +the system. The page offers:
/acs-admin
).+Stronger Password Hashes for +OpenACS (commit fe2bdb547, 8eee6a932, 52d2c997e, +62d969c85): Introduction of new password hash functions alongside +the pre-existing “salted-sha1”. The new algorithms are named +“scram-sha-256”, “scrypt-16384-8-1”, +“argon2-argon2-12288-3-1”, “argon2-rfc9106-high-mem”, and “argon2-rfc9106-low-mem”. +These algorithms can be specified via the kernel package parameter +“PasswordHashAlgorithm”. The algorithms +require a recent version of NaviServer and a recent version of +OpenSSL, which serves as a crypto library. This feature enhances +security against brute-force attacks on password hashes (when db is +compromised). Preferences of the password hash algorithms can be +set via kernel package parameter “PasswordHashAlgorithm”, the first available +algorithm is taken from the preference list, hash re-coding happens +automatically at the next login.
+Setting of CSP rules based on MIME
+types (commit 6bc253f1e, commit 94b8513ae). This is
+necessary to mitigate certain attacks on static SVG files uploaded
+to, e.g., the content repository. For example, set the following to
+the ns/server/$server/acs
section of
+your NaviServer configuration file:
+ ns_param StaticCSP { + image/svg+xml "script-src 'none'" + } +
+Support for generic icon
+names Support for generic icon names, which can be
+mapped differently depending on the installed packages and themes.
+The support provides a mapping from a set of generic names to the
+names provided by different libraries sich as Glyph Icons,
+Bootstrap Icons, Font-Awsome. The provided support can be inspected
+on the site-wide page of acs-templating
.
The generic names can be used via the special tag <adp:icon name="NAME"
+title=....>
in .adp-files. By using this feature, one can
+use font-based icons (like e.g. glyphicons of Bootstrap5,
bootstrap-icons, fa-icons, ...) instead of the old-style .gif and
.png images. This makes the appearance more uniform, has better
resizing behavior, and works more efficiently (fewer requests for
embedded resources). Most of the occurrences of the old-style
images in standard core and non-core packages in oacs-5-10 are
-already replaced.
Support for listing registered URNs
+Better Automated Site
+Configurability: Support for installing themes from
+install.xml
(commit 2f9761160).
+Dynamic Cluster Nodes and Cluster +Infrastructure (commit 5738761db, 7cbc3e63c, +1a7a7656c, 3faceddc4, 5fba13c0f, 7cbc3e63c, 3faceddc4, 1a7a7656c): +Added support for dynamically adding and removal of nodes in an +OpenACS cluster. In contrast to static cluster nodes, the IP +addresses of dynamic cluster nodes do not have to be provided at +startup time. The changes introduce new admin pages and further +configuration options.
+Optional Caching
+Deactivation (commit 75c3f2b25): It is possible to
+deactivate caching via the ns_cache
+infrastructure when the NaviServer configuration variable
+cachingmode
is set to none
. The change modifies per_thread_cache
to behave like a per_connection_cache
. This option is useful for
+cluster configurations, when legacy components do not handle cache
+coherency (e.g. via acs::clusterwide
)
+Support for Cloud Identity
+Providers (commit e506dee05, fd7af8d17, 06954d83b).
+Additional Identity providers can be added as secondary registries
+(e.g., MS Azure via oauth2), to support e.g. logins via the
+classical register
page and via a
+cloud registry (requires package xooauth for full
+functionality)
+Client-side double click +prevention: This change makes it possible to +provide a double click prevention for HTML elements via the CSS +class “prevent-double-click”. The double click +prevention deactivates a button or an anchor element after clicking +for a short time (per default for 1s) and ignores in this time +window further clicks. The time window can be specified via the +data element oacs-timeout. (commit 5f2edeec2a9a831, +916d365aa11f2d)
+Cookie Namespaces +(commit ce1573ed8): Important, when multiple OpenACS instances are +served from the same domain name, but different cookies have to be +used.
lc_time_tz_convert
: Enforce ISO format for dates
+and other changes (commit 9a5b5cd97).template::element
+validation reform to improve validation on fields (commit
+87919f923).Streamlined resource_info handling by adding versioning and +better management of external library dependencies. External +libraries can be used from CDN or downloaded, the versions are +checked for vulnerabilities, which are reported via posture +overview and package-specific site-wide admin pages.
CSSToolkit
and IconSet
for acs-subsite
(commit fc56a275b).ad_html_security_check
configurable (commit
+bc63ee424).update_content-lob.set_content
(commit a3effac23,
+4ce8e9fae).ad_acs_admin_node
(commit 34a823c51).ad_approval_system_inuse_p
implementation (commit
+bd8afdeeb).db_multirow_group_last_row_p
(commit
+aafd1db58).ns_parseurl
in util::split_location
(commit aee571ad1).db_driverkey
when OpenACS connects to multiple
+databases, involving the removal of per-thread caching (commit
+18e656b00).version_dir
handling for download of external
+resources (commit 8e9a6a5c8).db_foreach
with -column_set
flag (commit 95e8970d7).ad_mktmpdir
and ad_opentmpfile
(commit a10b55d3d).parametersecret
is not set (commit
+0ec8f0183).Security improvements
Stronger password hashes (scram-sha-256
hash in addition to the
-classical salted-sha1
)
Added optional CSP rules based on MIME types. This is important
-for user-contributed content. When users upload e.g. SVG-files to
-the file storage, and the content is served from there, it poses a
-potential security hole. One can now define an additional parameter
-called StaticCSP
in the section
-ns/server/$server/acs
of the
-OpenACS configuration file to deactivate execution of script files
-from static content.
- ns_param StaticCSP { - image/svg+xml "script-src 'none'" - } - -+Performance +Improvements
ad_html_security_check
based on ns_parsehtml
(commit 387f3de3e).ns_trim -prefix
(commit
+500099e0).Cookie-Namespace: When multiple OpenACS instances are served
-from the same domain name, the same cookies (e.g. ad_session_id,
-ad_login, ...) are set to all servers. For sensible cases, a
-cookie-namespace can be used, which can be used as a replacement of
-the traditional ad_
prefix.
-This can be as well set in the section ns/server/$server/acs
of the OpenACS
-configuration file:
- # Provide optionally a different cookie namespace - # (used for prefixing OpenACS cookies) - ns_param CookieNamespace "ad_" - -+Additional +Filters for Page Contracts
ad_page_contract
filter object type (commit
+2f9d127a0).clock
page contract filter (commit
+5544faffc).tmpfile
page contract filter (commit
+1a179e9bc).ad_log_deprecated
for unified logging of
+deprecated usages (commit 0e03b3358).Further reduce divergence between Oracle and Postgres SQL. -Target version of Oracle could be 12.*, as Extended support ends in -2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf)
limit / rownum -> fetch first
use Postgres schemas for stored procedures so that they can be -invoked with the same Oracle idiom
util::join_location
usable for UDP and SMTP
+(commit 01b5c0d61).ad_unless_script_abort
,
+aa_silence_log_entries
, and
+util::json2dict
to enhance error
+handling and logging cleanliness (commit aeb027aeb, f455d60c6,
+e9298cf02).Deprecated commands
acs_message_id contract
-filter
acs_privacy::*
acs_tcl_vars_list_to_ns_set
acs_tcl_vars_to_ns_set
ad_apply
ad_approval_system_inuse_p
ad_dateentrywidget
ad_db_select_widget
ad_decorate_top
ad_ns_set_to_tcl_vars
ad_package_admin_home
ad_parameter_all_values_as_list
ad_user_class_description
apm_file_type_keys
application_group::child_application_groups
attachments::root_folder_map_p
bulk_mail::parameter
bulk_mail::pretty_name
calendar_portlet_display::get_url_stub
calendar::adjust_date
calendar::assign_permissions
calendar::from_sql_datetime
calendar::item::assign_permission
calendar::make_datetime
content::revision::update_attribute_index
dotlrn_chat::add_portlet_helper
dt_widget_*
export_entire_form
export_entire_form_as_url_vars
export_ns_set_vars
-f::*
API that cannot be
-replaced by a drop-in alternative
forum::new_questions_allowed_p
forum::new_questions_allow
forum::new_questions_deny
fs::add_created_version
fs::get_archive_extension
fs::get_folder_contents
fs::item_editable_info
fs::torrent::get_hashsum
notification::get_delivery_method_id
notification::get_interval_id
oacs_util::vars_to_ns_set
template::adp_levels
template::form::export
template::util::array_to_vars
template::util::is_true
template::util::list_to_array
template::util::list_opts
template::util::nvl
template::util::tcl_to_sql_list
template::util::set_to_list
template::util::set_to_vars
template::util::vars_to_array
twt::server_url
twt::user::create
twt::user::delete
util_AnsiDatetoPrettyDate
util_commify_number
util_get_current_url
util_list_to_ns_set
util_ns_set_to_list
util_report_successful_library_load
util_report_library_entry
util::string_check_urlsafe
Color widget API
...
New proc ad_log_deprecated
:
-unified interface for logging deprecated usages The existing code
-used a larger variety of different messages to denote invocations
-of deprecated procs and other artifacts. ad_log_deprecated
provides a unified
-interface, and provides a usage hint what to use instead based on
-the API-doc definitions in the log-file.
Move deprecated code into separate files
Give people the chance to use OpenACS with WithDeprecatedCode
set to 0. When OpenACS
-is configured to omit loading of long deprecated code (WithDeprecatedCode
set to 0) files like
-deprecated-procs.tcl are not loaded. Therefore, these files should
-only contain code, which was deprecated at LEAST ONE RELEASE
-EARLIER, such that site admins have one release time to fix calls
-to deprecated code. This is especially important for public
-procs.
For a description of all packages, see: https://openacs.org/repository/5-10/ +
General cleanup/maintenance
Modernization of Tcl idioms.
Compliance of files, proc names, ... to the naming -conventions.
White space cleanup, indentation changes.
Improvement of public API documentation
Adjustment of proc protection levels (public, private)
Adjustment of log severity
Cleanup of obsolete files
Replacement of handcrafted forms by ad_form
Typo fixing
Editor hints
Replacement of deprecated calls
Addition of missing contracts
...
util_commify_number,
with lc_numeric
(518e1b34)New Packages:
openacs-bootstrap5: Bootstrap 5 theme for OpenACS
bootstrap-icons: Free, high-quality, open-source icon library -with over 1,600 icons. Include them anyway you -like””SVGs, SVG sprite, or web fonts. Use them -with or without Bootstrap in any project
fa-icons: Free, high-quality, open-source icon library with over -2,000 free icons. As of 2020, Font Awesome was used by 38% of sites -that use third-party font scripts, placing Font Awesome in second -place after Google Fonts
highcharts: The Highcharts library is a JavaScript and -TypeScript package for producing data visualizations (line/bar/pie -charts etc.). The OpenACS package offers support to load this -library either via CDN or from a local installation (via acs-admin -and global administration UI)
Migrate to bootstrap 5. Bootstrap 3 reached EOL in 2019, -Bootstrap 4 had EOL 2022. See https://github.com/twbs/release -
Potential incompatibility with OpenACS 5.10.0: -"permission::permission_p" returns Boolean values as -"t" and "f" and not "1" and -"0". Avoid literal comparisons of the result and use -boolean tests available in Tcl/OpenACS.
Support for fresh installations on Oracle 19c.
Require NaviServer (i.e. drop AOLserver support). AOLserver -cannot be compiled with the required modules with recent Tcl -versions. Trying to backport NaviServer compatibility functions -seems to be an overkill for the OpenACS project.
Require Tcl 8.6, XOTcl 2.1, PostgreSQL 11 (PostgreSQL 10 EOL: -November 2022), tdom 0.9
Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the -following statistics
- 2886 files changed, 197060 insertions(+), 182613 deletions(-) - -
contributed by 6 committers (Antonio Pisano, Gustaf Neumann, -Günter Ernst, Héctor Romojaro, -Raúl RodrÃguez, Thomas Renner) and -additional 7 patch/bugfix providers (Felix -Mödritscher, Frank Bergmann, Franz Penz, Markus Moser, -Marty Israelsen, Monika Andergassen, Sebastian Scheder). All -packages of the release were tested with PostgreSQL 13.* and Tcl -8.6.*.
For more details, consult the raw -ChangeLog.
+calendar::adjust_date
-> inlined the one
+occurrence (fbd97314)calendar::from_sql_datetime
, calendar::make_datetime
-> not used upstream,
+superseded by modern clock idioms and HTML5 features (bccd1c3a,
+7264a2fe)cal_outlook_gmt_sql
-> last usage in the
+codebase 2002 (1ee22f96)calendar::item::assign_permission
. calendar::assign_permissions
-> trivial
+wrappers over the permission api (a1ddaed5, f174fd12)template::util::is_true
with inline string idiom
+(f2604994)site_node::
(commit 4d025e63)site_node::
(39bcaf3f)ns_quotehtml
(commit 4476e815)notification::get_interval_id
with notification::interval::get_id_from_name
(commit
+871dd502)notification::get_delivery_method_id
with
+notification::delivery::get_id
(commit
+a9760fc4)template::util::is_true
with [string is true -strict $value]
(commit
+38981891)util_commify_number
with lc_numeric
(commit 7c14688e)twt::user::create
and twt::user::delete
with the respective acs::test::user::
counterparts (commit
+dea8673e)template::util::nvl
(commit 0775f434,
+73b52fba)acs_privacy::
(commit d31c3b6f, 9ae5aa4a)bulk_mail::parameter
with parameter::get
(commit b10c5f26)forum::new_questions_deny
and forum::new_questions_allow
with permission::grant
(commit 4880f884)bulk_mail::pretty_name
with
+parameter::get
(commit b6b7aec1)notification::get_interval_id
with notification::interval::get_id_from_name
(commit
+d77b24b7)notification::get_delivery_method_id
with
+notification::delivery::get_id
(commit
+075b8adc)ns_mktemp
with ad_tmpnam
(commit f5fd2c96)util_commify_number
with lc_numeric
(commit 990b0b0a)notification::get_interval_id
with notification::interval::get_id_from_name
(commit
+586cc6ae)notification::get_delivery_method_id
with
+notification::delivery::get_id
+(28661484)export_ns_set_vars
with export_vars
(commit e8ab835d)dotlrn-portlet
(e.g., commit dcfe916b, 712e8793,
+59ec97b0)twt::user::create
and twt::user::delete
with their acs::test::user::
+counterpart (27286797)rp_form_put
with plain ns_set idioms
+(d7deda66)fs::get_file_package_id
more robust to cases where
+the package_id is not set on the object itself (bbbbf93b)template::util::tcl_to_sql_list
with NaviServer
+own ns_dbquotelist
(8b1a62d0)twt::user::create
and twt::user::delete
with their acs::test::user::
+counterpart (cbc632d0)ad_tmpnam
+with ad_opentmpfile
and ad_mktmpdir
, safer from race conditions (576d51a1,
+8a9ac2b9)fs::add_created_version
-> behavior specific to
+this proc was to fs::add_version
,
+largely similar (815cbaae)fs::torrent::get_hashsum
-> superseded by
+NaviServer ns_md
command
+(aaf2751d)fs::item_editable_p
, fs::item_editable_info
-> Unused, unclear
+usefulness (86cd3917)fs::get_archive_extension
-> trivial wrapper
+over the parameter api (aa63e153)fs::get_folder_contents
-> Not used in the
+codebase, same result can be achieved with other api
+(72e444b8)template::util::get_opts
+(16b22e9e)template::util::is_true
with inline string idiom
+(88c779b5)export_ns_set_vars
with alternative idioms
+(4892cc8d)ad_convert_to_html
with ad_html_text_convert
(e48e5624)signed
(commit 1ce581a)oneof
(commits 58bc938, 2dbadad, 65575bf,
+58bc938).cr_item_of_package
(commit 6fc46f3)ns_set
in database “sets” method (commit
+158a831)ns_set
+storage more eager (when e.g. large queries are used in longer
+loops) (commit 3d6b05a)form_parameter
specs with value checkers added
+(commit 64bb847).xowiki::bootstrap::card
for increased
+configurability (commits 97685004, 4e09efa9, 136edcc5).www-delete
and
+www-toggle-publish-status
with
+return_url
for workflow-specific
+behavior (commit abba6cd1).
+PackageInitParameter
for instance-specific package
+behavior (commit cc5b9959).parameter_name:value_constraint
to xowiki::Package.get_parameter
(commit
+9df95cb3).acs::test::xpath::get_form_values
proc (commit
+f495cac3).create_form_with_form_instance
automated test
+(commit a9a37dcc).parent_id
== 0 (commit 7637ff52).Page.create_form_page_instance
(commit
+c0ee21d6).ad_log_deprecated
(commit
+56d4b9d5).menu-Clipboard-Copy
(commit ba901036).xo::db::sql
to acs::dc
interface (Commit a2d4688).The registered URN can be used like classical URL after registration.
Example consumer:
- template::head::add_javascript -src urn:ad:js:jquery -+ template::head::add_javascript -src urn:ad:js:jquery
Declare composite files: Provide an interface to define that a .js file or a .css file contains multiple other .js/.css files in order to reduce the number of requests.
- template::head::includes -container urn:js::style.js -parts {urn:ad:js:jquery ...} -+ template::head::includes -container urn:js::style.js -parts {urn:ad:js:jquery ...}
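Review bot: In the added "Stronger Password Hashes" paragraph the kernel parameter "PasswordHashAlgorithm" is introduced twice, first as the place where an algorithm "can be specified" and again at the end as a preference list from which the first available algorithm is taken. Merge the two into one statement so it is clear that the parameter holds an ordered preference list and that stored hashes are re-coded at the next login. The same paragraph lists "argon2-argon2-12288-3-1", the only algorithm name with a doubled prefix, so please confirm it matches the identifier the code accepts. Smaller points in the added text: "sich as" and "Font-Awsome" in the generic icon names paragraph, "most the ones used on" in the opening sentence, "set the following to the ... section" in the StaticCSP entry (use "add the following to"), and the Dynamic Cluster Nodes entry cites 7cbc3e63c, 3faceddc4 and 1a7a7656c twice.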
Improved API browser: Visualization for code dependencies (which @@ -476,8 +1491,8 @@
New Packages:
cookie-consent: alerting users about the use of cookies on a -website
boomerang: performance of your website from your end -user”™s point of view
xooauth: OAuth implementation, including LTI (Learning Tools +website
boomerang: performance of your website from your end user’s +point of view
xooauth: OAuth implementation, including LTI (Learning Tools Interoperability)
dotlrn-bootstrap3-theme: Bootstrap 3 theme for DotLRN
xowf-monaco-plugin: Integration of Monaco editor with for code exercise types in xowf
proctoring-support: utilities and user interfaces to implement proctoring of the user session, mainly intended in the context of @@ -496,14 +1511,13 @@ following statistics
3445 files changed, 215464 insertions(+), 193642 deletions(-)
contributed by 7 committers (Antonio Pisano, Gustaf Neumann, -Günter Ernst, Hector Romojaro, Michael Aram, Stefan -Sobernig, Thomas Renner) and additional 13 patch/bugfix providers -(Felix Mödritscher, Florian Mosböck, -Frank Bergmann, Franz Penz, Hanifa Hasan, Keith Paskett, Markus -Moser, Maurizio Martignano, Monika Andergassen, Nathan Coulter, -Rainer Bachleitner, Stephan Adelsberger, Tony Kirkham). All -packages of the release were tested with PostgreSQL 13.* and Tcl -8.6.*.
For more details, consult the raw ChangeLog.
Altogether, OpenACS 5.9.1 differs from OpenACS 5.9.1 by the following statistics
3548 files changed, 113292 insertions(+), 90507 deletions(-) - -
contributed by 5 committers (Michael Aram, Gustaf Neumann, +
contributed by 5 committers (Michael Aram, Gustaf Neumann, Antonio Pisano, Hector Romojaro, Thomas Renner) and 8 patch/bugfix -providers (Frank Bergmann, Günter Ernst, Brian -Fenton, Felix Mödritscher, Marcus Moser, Franz Penz, -Stefan Sobernig, Michael Steigman). All packages of the release -were tested with PostgreSQL 9.6.* and Tcl 8.5.*.
For more details, consult the raw ChangeLog.
+providers (Frank Bergmann, Günter Ernst, Brian Fenton, Felix +Mödritscher, Marcus Moser, Franz Penz, Stefan Sobernig, Michael +Steigman). All packages of the release were tested with PostgreSQL +9.6.* and Tcl 8.5.*.For more details, consult the raw ChangeLog.
Altogether, OpenACS 5.9.0 differs from OpenACS 5.8.1 by the following statistics
3658 files changed, 120800 insertions(+), 97617 deletions(-) - -
contributed by 4 committers (Michael Aram, Victor Guerra, Gustaf +
contributed by 4 committers (Michael Aram, Victor Guerra, Gustaf Neumann, Antonio Pisano) and patch/bugfix providers (Frank -Bergmann, Andrew Helsley, Felix Mödritscher, Markus -Moser, Franz Penz, Thomas Renner). These are significantly more -changes as the differences in the last releases. All packages of -the release were tested with PostgreSQL 9.4.* and Tcl 8.5.*.
For more details, consult the raw ChangeLog.
+Bergmann, Andrew Helsley, Felix Mödritscher, Markus Moser, Franz +Penz, Thomas Renner). These are significantly more changes as the +differences in the last releases. All packages of the release were +tested with PostgreSQL 9.4.* and Tcl 8.5.*.For more details, consult the raw ChangeLog.
Please report bugs using our Bug Tracker at the OpenACS website.
You may want to begin by reading our installation documentation -for the section called “a -Unix-like system”. Note that the Windows -documentation is not current for OpenACS 5.9.0, but an alternative -is to use John Sequeira's Oasis VM -project.
After installation, the full documentation set can be found by +for the section called “a Unix-like +system”. Note that the Windows documentation is not current for +OpenACS 5.9.0, but an alternative is to use John Sequeira's +Oasis VM project.
After installation, the full documentation set can be found by
visiting http://yourserver/doc
.
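Review bot: The unchanged context sentence "Altogether, OpenACS 5.9.1 differs from OpenACS 5.9.1 by the following statistics" compares the release with itself; since the paragraphs directly below it are being re-wrapped, correct the second version number in the same change. The re-wrapped 5.9.1 contributor list keeps "Marcus Moser" while the other contributor lists in this diff spell the name "Markus Moser", and the 5.9.0 paragraph still reads "significantly more changes as the differences in the last releases" (use "than"). The re-wrapped installation paragraph also still says the Windows documentation is not current for OpenACS 5.9.0, which should be checked against the release these notes now describe.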
New features in this release:
Internationalization support. A message catalog to store translated text, localization of dates, number formatting, timezone