Release 5.10.1

The release of OpenACS 5.10.1 contains the 94 packages of the oacs-5-10 branch. These packages include the OpenACS core packages, the major application packages (e.g. most of the ones used on OpenACS.org), and DotLRN 2.10.1.

Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the following statistics:

    3027 files changed, 428212 insertions(+), 219697 deletions(-)

contributed by 8 committers (Antonio Pisano, Gustaf Neumann, Günter Ernst, Héctor Romojaro, Michael Aram, Raúl Rodríguez, Sebastian Scheder, and Thomas Renner) and 8 additional patch/bugfix providers (Felix Mödritscher, Frank Bergmann, Franz Penz, Josue Cardona, Keith Paskett, Markus Moser, Marty Israelsen, and Monika Andergassen), all sorted by first name. In terms of changes, this is the largest amount of changes at least since the release of OpenACS 5.9.0.

Below is a summary of the most important changes, often together with the commit references in Git. The summary was made on subjective criteria, to get an overview of the changes. For all details, consult the raw ChangeLog.

Changes in the acs-core packages between OpenACS 5.10.0 and 5.10.1

New Features

Security and Privacy Posture Overview: In response to a wish expressed by OpenACS users at the last OpenACS conference, a Security and Privacy Posture Overview was added that offers a quick overview of the state of the system and eases access to the parameters scattered over different packages in the system. The page offers:

- Quick overview
- Check of security and privacy relevant package parameters
- Permission and accessibility check of mounted packages
- Response header check
- External library check (CDN vs local usage, vulnerable or outdated libraries)

The page is linked from the site-wide-admin page (/acs-admin).

Stronger Password Hashes for OpenACS (commit fe2bdb547, 8eee6a932, 52d2c997e, 62d969c85): Introduction of new password hash functions alongside the pre-existing salted-sha1.
The new algorithms are named scram-sha-256, scrypt-16384-8-1, argon2-argon2-12288-3-1, argon2-rfc9106-high-mem, and argon2-rfc9106-low-mem. These algorithms can be specified via the kernel package parameter PasswordHashAlgorithm. The algorithms require a recent version of NaviServer and a recent version of OpenSSL, which serves as a crypto library. This feature enhances security against brute-force attacks on password hashes (when the database is compromised). The preferences for the password hash algorithms are set via the kernel package parameter PasswordHashAlgorithm; the first available algorithm is taken from the preference list, and hash re-coding happens automatically at the next login.

Setting of CSP rules based on MIME types (commit 6bc253f1e, commit 94b8513ae): This is necessary to mitigate certain attacks on static SVG files uploaded to, e.g., the content repository. For example, add the following to the ns/server/$server/acs section of your NaviServer configuration file:

    ns_param StaticCSP {
        image/svg+xml "script-src 'none'"
    }

Support for generic icon names: Generic icon names can be mapped differently depending on the installed packages and themes. The support provides a mapping from a set of generic names to the names provided by different libraries such as Glyph Icons, Bootstrap Icons, Font Awesome. The provided support can be inspected on the site-wide page of acs-templating. The generic names can be used via the special tag <adp:icon name="NAME" title=....> in .adp-files. By using this feature, one can use font-based icons (like e.g. glyphicons of Bootstrap5, bootstrap-icons, fa-icons, ...) instead of the old-style .gif and .png images. This makes the appearance more uniform, has better resizing behavior, and works more efficiently (fewer requests for embedded resources). Most of the occurrences of the old-style images in standard core and non-core packages in oacs-5-10 are already replaced.
(commit c129c89ec, 996740672, e9cae22dc, c7705c68b, a85ea7301, 58ad43055, 737da5514, a05813ec7, 110b2f5d6, 7011c8fd9, 286fd9e58, 927d9d5ef) Better Automated Site Configurability: Support for installing themes from install.xml (commit 2f9761160). Dynamic Cluster Nodes and Cluster Infrastructure (commit 5738761db, 7cbc3e63c, 1a7a7656c, 3faceddc4, 5fba13c0f, 7cbc3e63c, 3faceddc4, 1a7a7656c): Added support for dynamically adding and removal of nodes in an OpenACS cluster. In contrast to static cluster nodes, the IP addresses of dynamic cluster nodes do not have to be provided at startup time. The changes introduce new admin pages and further configuration options. Optional Caching Deactivation (commit 75c3f2b25): It is possible to deactivate caching via the ns_cache infrastructure when the NaviServer configuration variable cachingmode is set to none. The change modifies per_thread_cache to behave like a per_connection_cache. This option is useful for cluster configurations, when legacy components do not handle cache coherency (e.g. via acs::clusterwide) Support for Cloud Identity Providers (commit e506dee05, fd7af8d17, 06954d83b). Additional Identity providers can be added as secondary registries (e.g., MS Azure via oauth2), to support e.g. logins via the classical register page and via a cloud registry (requires package xooauth for full functionality) Client-side double click prevention: This change makes it possible to provide a double click prevention for HTML elements via the CSS class prevent-double-click. The double click prevention deactivates a button or an anchor element after clicking for a short time (per default for 1s) and ignores in this time window further clicks. The time window can be specified via the data element oacs-timeout. (commit 5f2edeec2a9a831, 916d365aa11f2d) Cookie Namespaces (commit ce1573ed8): Important, when multiple OpenACS instances are served from the same domain name, but different cookies have to be used. 
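
The preference-list selection and re-coding at login described under "Stronger Password Hashes" above, as an added Python sketch (not OpenACS code, which is Tcl on NaviServer). The record layout, the function names and the salted-sha1 byte layout are assumptions; only the two algorithms that Python's hashlib can compute are registered, so the argon2 entry in the sample preference list is skipped as unavailable.

```python
"""Preference-list password hashing with re-coding at login (illustrative sketch)."""
import hashlib
import hmac
import os


def _salted_sha1(password: str, salt: bytes) -> str:
    # Legacy scheme: one SHA-1 pass. The password+salt byte layout is an assumption.
    return hashlib.sha1(password.encode() + salt).hexdigest()


def _scrypt_16384_8_1(password: str, salt: bytes) -> str:
    # Algorithm name read here as scrypt with N=16384, r=8, p=1.
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=16384, r=8, p=1, dklen=32).hex()


# Algorithms available in this sketch. The argon2 and scram variants named on the
# page are absent on purpose, which plays the role of a server whose crypto
# library is too old to provide them.
ALGORITHMS = {
    "salted-sha1": _salted_sha1,
    "scrypt-16384-8-1": _scrypt_16384_8_1,
}


def first_available(preference):
    """Return the first algorithm of the preference list that can be computed."""
    for name in preference:
        if name in ALGORITHMS:
            return name
    raise ValueError("no algorithm of the preference list is available")


def set_password(record: dict, password: str, algorithm: str) -> None:
    """Store a fresh salt and hash in a (hypothetical) user record."""
    salt = os.urandom(16)
    record.update(algorithm=algorithm, salt=salt,
                  hash=ALGORITHMS[algorithm](password, salt))


def login(record: dict, password: str, preference) -> tuple:
    """Verify a password; re-code the hash if a preferred algorithm is available.

    Returns (authenticated, recoded). Re-coding is only possible here because
    the cleartext password is in hand at login time.
    """
    verify = ALGORITHMS.get(record["algorithm"])
    if verify is None:
        return (False, False)
    candidate = verify(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return (False, False)
    target = first_available(preference)
    if target != record["algorithm"]:
        set_password(record, password, target)
        return (True, True)
    return (True, False)


def stale_accounts(users: dict, preference) -> list:
    """List users whose stored hash still uses a non-preferred algorithm."""
    target = first_available(preference)
    return sorted(name for name, rec in users.items()
                  if rec["algorithm"] != target)


if __name__ == "__main__":
    # Constructed sample data: two accounts created before the upgrade.
    preference = ["argon2-rfc9106-low-mem", "scrypt-16384-8-1", "salted-sha1"]
    users = {"alice": {}, "bob": {}}
    set_password(users["alice"], "correct horse", "salted-sha1")
    set_password(users["bob"], "hunter2!", "salted-sha1")
    print(login(users["alice"], "correct horse", preference))  # re-coded at login
    print(stale_accounts(users, preference))  # accounts not yet re-coded
```

Because re-coding needs the cleartext password, accounts that never log in keep their salted-sha1 hash; `stale_accounts` is the check an administrator would run to find them.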
Reforms lc_time_tz_convert: Enforce ISO format for dates and other changes (commit 9a5b5cd97). template::element validation reform to improve validation on fields (commit 87919f923). Provide timeouts for caching operations to improve liveliness also when certain calls are hanging (commit 22cd530d4). Form widget attributes reform consolidating logics for merging tag attributes (commit 3a7fc6a8e). Streamlined resource_info handling by adding versioning and better management of external library dependencies. External libraries can be used from CDN or downloaded, the versions are checked for vulnerabilities, which are reported via posture overview and package-specific site-wide admin pages. Configuration Changes Set the (default) theme package on the subsite upon installation (commit 0ff7101b3). Improved clusterwide operations with new configuration parameters (commit 5738761db). New configuration options CSSToolkit and IconSet for acs-subsite (commit fc56a275b). Support specification of allowed tags/attributes/protocols via global package parameters (commit 657cef99a,fc46466e3). Made ad_html_security_check configurable (commit bc63ee424). Support for memory units as default cache sizes (commit 68c853abd). Bug Fixes Fixed missing update_content-lob.set_content (commit a3effac23, 4ce8e9fae). Fixed incorrect HTTP status code on result page (commit 636226cb2). Fixed signature of service contract implementation (commit b9f0c541c). Fixed implementation of ad_acs_admin_node (commit 34a823c51). Fixed reference in doc (commit e596b46f8). Fixed ad_approval_system_inuse_p implementation (commit bd8afdeeb). Fixed self-inflicted bug in form variable specification (commit 79e6df943). Fixed a bug in db_multirow_group_last_row_p (commit aafd1db58). Fixed issue with ns_parseurl in util::split_location (commit aee571ad1). Various fixes for Oracle 19c compatibility issues (numerous commits). Fixed broken function_args definition and other issues (commit 83e45f9b5, d166927d2, etc.). 
Fixed a bug in db_driverkey when OpenACS connects to multiple databases, involving the removal of per-thread caching (commit 18e656b00). Fixed and generalized version_dir handling for download of external resources (commit 8e9a6a5c8). Fixed selector for click all list callback in core.js (commit 00b9db614). Fixed a bug in db_foreach with -column_set flag (commit 95e8970d7). Handle null dates in core.js (commit 1dd928238). Fixed issues in SQL function calling to avoid incorrect function selection due to typecasting issues (commit bc33e9938). Corrected problems with session handling in cluster mode and fixed cache coherency issues in clustered environments (commit c0a1cf7b9). Improvements Security Improvements In addition to the new security features mentioned above, the new release was tested several times by different vulnerability scanners, which triggered a large number of changes, such as strengthening the input tests in page contracts and the consistent use of bind variables and permission checks. New API ad_mktmpdir and ad_opentmpfile (commit a10b55d3d). Added support for elliptic curve certificates (ecdsa) when the lets-encrypt module from NaviServer is used (commit 2c40f1d9d). Hardened page contracts, added many constraints to address potential SQI and XQL etc. attacks (many commits, e.g. 8eee6a932, d4846d106). Warn when parametersecret is not set (commit 0ec8f0183). Safe creation of temporary directories (commit d25ff6593). Upgraded internal use of JavaScript and HTML standards to improve security and performance (commit e68a73c92). Performance Improvements New partial index for a common query in acs-tcl (commit aaaf86adb). Implemented ad_html_security_check based on ns_parsehtml (commit 387f3de3e). Added support for NaviServer built-in ns_trim -prefix (commit 500099e0). Change in storing and displaying util user messages (commit bb0702bf3). Additional Filters for Page Contracts Introduced ad_page_contract filter object type (commit 2f9d127a0). 
Introduced a new clock page contract filter (commit 5544faffc). Introduced new tmpfile page contract filter (commit 1a179e9bc). Allow more characters in argument specs (commit f952d9d5e). Code Refactoring Added a new procedure ad_log_deprecated for unified logging of deprecated usages (commit 0e03b3358). Improved configurability of LockfreeCache (commit 9bc412576). Reform of site-nodes-procs for improved clarity and ease of maintenance, esp. Oracle (commit 3fe93032e). Update of SQL function calls via API, made it callable during initial bootstrap (commit ad97aa747). Modernization of idioms and cleanup of deprecated code (e.g., commit a5c537515, e68a73c92, 1d1ff8c4e). Improved documentation, localization updates, and typo fixes (e.g., commit 5c23325a3, f3590415f, 7a97e0ea0). Phased out outdated procedures and functions that were superseded by more efficient and secure implementations (e.g., commit 6272226b6). Deprecated old APIs that no longer align with modern security practices or performance standards (commit cd0af7373). Removed legacy support for certain outdated browser features and replaced them with modern alternatives (commit a1a7c22a7). Further reduced divergence between Oracle and Postgres SQL. Target version of Oracle could be 12.*, as Extended support ends in 2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf). This change implies: change limit ... rownum ... to standard fetch first ... use Postgres schemas where available for stored procedures so that they can be invoked with the same Oracle idiom Miscellaneous Message keys for content repository (commit 2f89a971a). Make util::join_location usable for UDP and SMTP (commit 01b5c0d61). Zero-dependency implementations of Modal and Tooltip using CSS and JavaScript (commit db0f52664, 02bfffbb2). Deprecation of specific functions and APIs in favor of modern replacements (e.g., commit 4493f07b9, 6db041083, 94c505b01). 
Extended API: Introduced new API functions like ad_unless_script_abort, aa_silence_log_entries, and util::json2dict to enhance error handling and logging cleanliness (commit aeb027aeb, f455d60c6, e9298cf02). Expanded timezone data and improved internationalization features, including better locale management and updated localization data (commit 828ab0bd4, 47d478bcf). Added support for listing registered URNs (per package on the site-wide admin page of a package, full set on the adm page of acs-templating). Added support for relative redirects (commit 867d9441e). Regression Test: The regression test was substantially extended and in part reworked. The test now includes checks for resource leaks (tDOM documents and nodes, temporary objects, etc.) and leaves less garbage in the /tmp directory. For the major packages (core and application packages), the tests run without reporting errors. For the tests of the major packages, the system.log is now free of error messages (e.g., when handling cases in the test that are supposed to fail). Version requirements Require NaviServer (i.e. drop AOLserver support). Rationale: AOLserver cannot be compiled with the required modules with recent Tcl versions. Trying to backport NaviServer compatibility functions seems to be an overkill for the OpenACS project. 
Bootstrap 3 reached EOL in 2019, Bootstrap 4 had EOL 2022, so we should migrate to Bootstrap 5 (details: https://github.com/twbs/release) Require Tcl 8.6.2, XOTcl 2.1, PostgreSQL 12 (PostgreSQL 11 EOL: November 23), tdom 0.9 Support for fresh installations on Oracle 19c (for details, see: oacs-5-10-on-oracle-19c) Changes in OpenACS Application Packages New Packages in OpenACS 5.10.1 bootstrap-icons caldav captcha fa-icons highcharts openacs-bootstrap5-theme For a description of all packages, see: https://openacs.org/repository/5-10/ Changes in package "attachments" Improvements Security Improvements Strengthen page contracts (3b9068ad) Code Refactoring Replace handcrafted HTML icons with new adp:icon adp tag (f45e6406) Replace deprecated util_commify_number, with lc_numeric (518e1b34) Miscellaneous Document public API (fd5b5e1c) Improve test suite and cover 100% of public api (3446f91c, c933a64e) Deprecations attachments::root_folder_map_p -> duplicates functionalities of attachments::root_folder_p (cc3177d1) Changes in package "calendar" New Features Inclusion of multiple calendars (77f4db84): name calendar forms in a way that multiple calendars can be embedded on the same page (relevant in the context of .LRN portlets) Bug Fixes Javascript fixes (b1d49bc1) Fix retrieval of a calendar item when a connection context is not available (772449b4, a049d806) Improvements Security Improvements Improve/harden input validation (many commits) Don’t expose immutable values as hidden formfields (03e3f2e7, 31955520) Code Refactoring Replace deprecated API (8e6d01a0, 9cfbf8a1) Streamline idioms (50c5c2d3) Replace handcrafted HTML icons with new adp:icon adp tag (054c46cc, 8bb2cd6f) Replace custom calendar widget implementation with native HTML5 form fields and streamline input validation (6bd30d58, f5118fb4) Miscellaneous Improve spelling in catalog files (258edac5) Pass properties to master template as literal according to best practices (9598e88e) Improve API documentation 
(d924a307) Cleanup vestigial features/dead code (various commits) Port of downstream localization (90dbfa96) Various typos and formatting improvements Increase test suite of functionalities and cover 100% of public api (various commits) Deprecations calendar::adjust_date -> inlined the one occurrence (fbd97314) calendar::from_sql_datetime, calendar::make_datetime -> not used upstream, superseded by modern clock idioms and HTML5 features (bccd1c3a, 7264a2fe) cal_outlook_gmt_sql -> last usage in the codebase 2002 (1ee22f96) calendar::item::assign_permission. calendar::assign_permissions -> trivial wrappers over the permission api (a1ddaed5, f174fd12) Changes in package "captcha" Features Bot protection for your form implements template::widget::captcha. This can be used in forms exposed to the public to hinder automated bots. Based on the implementation at https://fossil-scm.org/ Scalable a new captcha is generated fast, from scratch and on the fly No external dependencies this package does not require any external commands or libraries Changes in package "categories" Reforms Mark service contract implementations as private (efd3b8e5, 886068d3) Improvements Performance Improvements Create indices on FK constraints (e935a857) Security Improvements Add include contracts where missing (40b5bdc3, 667d9cdf, 5d3fb337) Strengthen page contracts (1ad80ea6) Code Refactoring Replace deprecated template::util::is_true with inline string idiom (f2604994) Replace handcrafted HTML icons with new adp:icon adp tag (035bd73b) Better qualify command invocation (a693a8be) Miscellaneous Cleanup and formatting changes (various commits) Increase test suite of functionalities and reach 80.82% coverage of public api (various commits) Improved documentation of library file and public API (8da391b1) Changes in package "chat" New Features Anonymous chat participants (3a73986c, 214684f3): use newly introduced support for anonymous users built in xowiki to support not logged-in users Chat 
include (c2ab5967): Move the main chat rendering in an include to allow reuse in other contexts Bug Fixes Fix typo in datamodel code affecting new installations (98d26cfa) Improve/fix Oracle compatibility (d3e0d69b, cb2e52d0, 04e229f2) Allow for arbitrary arguments to be passed when extending inherited methods (95ca0c0e) Allow to persist chat messages also in the chat sweeper (4bf7bd59) Improvements Performance Improvements (Postgres only) Improve performances when fetching the available chat rooms using recursive permission api (56d47b31, 0b2cff50) Security Improvements Improve SQL quoting (e2146673) Harden page contracts and use new contract features from the core (43955d16, 148be6f4, 7f6b5c92) Code Refactoring Replace :xo::clusterwide -> ::acs::clusterwide for cluster-aware caching (76fbfe1f) Replace ::xo::db::sql -> ::acs::dc as tcl abstraction for db stored procedures (76fbfe1f) Replace deprecated api (928793ce, cb2e52d0) Replace handcrafted HTML icons with new adp:icon adp tag (054c46cc) Reduce layers of redirection when accessing a chat room (4f57e272) Miscellaneous Prefer message keys from core packages (943daaa3) Cleanup vestigial features/dead code (23fe7d3a, b8d5da6d, d7434cae) Pass properties to master template as literal according to best practices (98a2b1ec) Extend test suite to 100% public API coverage (117c66e3, 210e3f16, b2abc81c, fe60e3d1) Improve configurability and styling of the chat includelet (54bb236f, 289ddee6) Streamline idioms (2b0bd209) Replace legacy message keys (a465cf76) Improve localization (0252ed50) Changes in package "dotlrn" and associated packages Reforms dotlrn: Deactivate obsolete SQL function in creation script (sql/postgresql/dotlrn-create.sql). This complements commit 3a280c7e in acs-kernel (commit 1b845ba0). Use dotlrn-bootstrap3-theme as default theme (commit c6547eb8). theme-zen: Adapt to commit 3a280c7e (acs-kernel) and c6547eb8 (dotlrn) (commit 6d50cb9b). 
Improvements Performance Improvements dotlrn: Prefer APIs returning cached values before querying the DB using site_node:: (commit 4d025e63) dotlrn-fs: Prefer APIs returning cached values before querying the DB using site_node:: (39bcaf3f) Security Improvements dotlrn: Mitigating potential XSS attacks using NaviServer own ns_quotehtml (commit 4476e815) Code Refactoring dotlrn: Replace deprecated notification::get_interval_id with notification::interval::get_id_from_name (commit 871dd502) Replace deprecated notification::get_delivery_method_id with notification::delivery::get_id (commit a9760fc4) Replace deprecated template::util::is_true with [string is true -strict $value] (commit 38981891) Replace deprecated util_commify_number with lc_numeric (commit 7c14688e) Replace deprecated twt::user::create and twt::user::delete with the respective acs::test::user:: counterparts (commit dea8673e) Cleanup usage of deprecated API template::util::nvl (commit 0775f434, 73b52fba) Cleanup usage of deprecated API acs_privacy:: (commit d31c3b6f, 9ae5aa4a) Replace deprecated bulk_mail::parameter with parameter::get (commit b10c5f26) Replace deprecated forum::new_questions_deny and forum::new_questions_allow with permission::grant (commit 4880f884) Replace custom calendar widget implementation with native HTML5 fields (commit 113b1cb4) dotlrn-bm: Replace deprecated bulk_mail::pretty_name with parameter::get (commit b6b7aec1) dotlrn-calendar: Reform handling of admin permissions (commit ce9e27d4, 6a9ada80) dotlrn-forums: Replace deprecated notification::get_interval_id with notification::interval::get_id_from_name (commit d77b24b7) Replace deprecated notification::get_delivery_method_id with notification::delivery::get_id (commit 075b8adc) dotlrn-fs: Replace Naviserver ns_mktemp with ad_tmpnam (commit f5fd2c96) dotlrn-homework: Alter reference to db-error file in acs-subsite (commit d47e5f2c) Replace deprecated util_commify_number with lc_numeric (commit 990b0b0a) Replace handcrafted 
HTML icons with adp:icon adp tag (commit 3f1557c2) dotlrn-news: Replace deprecated notification::get_interval_id with notification::interval::get_id_from_name (commit 586cc6ae) Replace deprecated notification::get_delivery_method_id with notification::delivery::get_id (28661484) dotlrn-static: Fix applet mount point (commit 233e0c6c) new-portal: Replace export_ns_set_vars with export_vars (commit e8ab835d) Prefer adp:icon adp tag over handcrafted HTML icons (commit 7afadf3b) Miscellaneous All packages: Cleanup and formatting (various commits) Strengthen page contracts (various commits) Document public API, e.g., in new-portal, dotlrn-dotlrn (e.g., commit 75656f6f, 05540825) Improve test coverage, e.g., in dotlrn-portlet (e.g., commit dcfe916b, 712e8793, 59ec97b0) Changes in package "faq" New Features faq::new API (1fc77330): an API to create an FAQ, also useful for testing Bug Fixes Fixes for Oracle compatibility (3e5418a3) Reforms Mark service contract implementations as private (987ef426) Mark apm callbacks as private (6861af77) Improvements Security Improvements Harden page contract validation (a2904377, 87d05896, a4c9fc52) Code Refactoring Replace deprecated twt::user::create and twt::user::delete with their acs::test::user:: counterpart (27286797) Replace handcrafted HTML icons with new adp:icon adp tag (17acc438, 5a7ce6b6) Replace rp_form_put with plain ns_set idioms (d7deda66) Miscellaneous Cleanup and formatting changes (various commits) Increase test suite of functionalities and cover 100% of public api (various commits) Changes in package "file-storage" Bug Fixes Make fs::get_file_package_id more robust to cases where the package_id is not set on the object itself (bbbbf93b) Fixes for Oracle compatibility (9a5b9cf4, 0d4331cb, de75d648) Fix regression when the files list is rendered in list format (d0eecbe4) Reforms Make oacs-dav an optional, uninstallable dependency (c8e3b5f8) Make Service Contract implementation private and use the abstract api instead 
(81ef9be7, 6eee7dbd, 846b226b, f56b331a) Improvements Performance Improvements (Postgres only) Improve performances when fetching folder files using recursive permission api (02f64379) Security Improvements Improve server and client-side input validation (various commits) Code Refactoring Reduce divergency between Oracle and Postgres codebase (55e70c4f, 2cf7bbf5) Replace deprecated template::util::tcl_to_sql_list with NaviServer own ns_dbquotelist (8b1a62d0) Replace deprecated twt::user::create and twt::user::delete with their acs::test::user:: counterpart (cbc632d0) Cleanup obsolete error catching (d99eccfb) Replace handcrafted HTML icons with new adp:icon adp tag (602c473d, 651ab668, 53b1248d) Replace ad_tmpnam with ad_opentmpfile and ad_mktmpdir, safer from race conditions (576d51a1, 8a9ac2b9) Miscellaneous Cleanup and formatting (various commits) Improve test suite and cover 100% of public api (various commits) Deprecations fs::add_created_version -> behavior specific to this proc was to fs::add_version, largely similar (815cbaae) fs::torrent::get_hashsum -> superseded by NaviServer ns_md command (aaf2751d) fs::item_editable_p, fs::item_editable_info -> Unused, unclear usefulness (86cd3917) fs::get_archive_extension -> trivial wrapper over the parameter api (aa63e153) fs::get_folder_contents -> Not used in the codebase, same result can be achieved with other api (72e444b8) Changes in package "forums" Bug Fixes Fix broken message key (74cadd4f) Fixes for Oracle compatibility (f5db030e) Rely less on values provided by the connection (f85185af) Reforms Adapt template::element calls after replacing template::util::get_opts (16b22e9e) Mark service contract implementations as private (bb6e3b3b) Use UTF-8 emojis instead of actual images to render supported smileys in forum posts (335f1ede) Improvements Performance Improvements Avoid transaction when unnecessary (aeb4e876) Use cached api when detecting if attachments are supported (83b9a2e8) Security Improvements 
Improve server response in error situations (b2e833ab) Harden page contract validation (c92794b8, 22c992f2, 655eea7b, 619b2580, c403e313, 189442f8, 0a4c5d1d) Increase permission checking (6ddf512d) Code Refactoring Pass properties in adp consistently with @….;literal@ best practice (dc2b6f8f, 44d3483e) Replace deprecated template::util::is_true with inline string idiom (88c779b5) Replace handcrafted HTML icons with new adp:icon adp tag (1b6adbcb, 0cf9dfe4) Miscellaneous Cleanup and formatting changes (various commits) Increase test suite of functionalities and cover 100% of public api (various commits) Deprecations forum::new_questions_allowed_p -> Trivial shorthand to forum::get (5e7c3e01) forum::new_questions_allow and forum::new_questions_deny -> Trivial shorthands to forum::edit forum::message::get_attachments -> Unused and replaceable by other API Changes in package "general-comments" Bug Fixes Fixes for Oracle compatibility (e6fdab8b) Reforms Reimplement add/edit UI to use ad_form and reduce duplication (0842ac32) Improvements Security Improvements Harden page contract validation (a17a883b, 438b62a5, 150c40c4, c08961bd, 993e67b1, 026075fc, b041c11b, b6e063dc, dc08e85c, c34e943b) Code Refactoring Replace deprecated export_ns_set_vars with alternative idioms (4892cc8d) Replace deprecated ad_convert_to_html with ad_html_text_convert (e48e5624) Changes in package "proctoring-support" New Features Support for mock exams (commit 114d489e): introduce parameter record_p in the main proctoring include allowing to turn off artifacts collection. Useful for mock exams. Artifacts data model (commit 9acb6bc8, f9206d9e): proctoring artifacts are now stored in actual database tables and not only on the filesystem. Test pages (commit 30ea5f4b): the default proctoring installation provides a fully-functional test environment of the admin and regular user functionalities. 
Push updates for new artifacts (commit 337d8cb6): the proctoring display UI now uses websockets to receive push updates from the server when new artifacts are available. Artifacts review UI (commit 99cdda4a and various others): the proctoring display UI now enables admin users to review proctoring artifacts via comments or flagging. Red border (commit d20cb434): allow one to display an additional border around the proctored window. Useful to increase the visibility of the proctored session in a classroom. Reforms Proctoring enforcing: captive-portal the proctoring session using a callback mechanism, rather than via includes in the master template (commit 9acb6bc8). Stop the proctoring session from the client side when no artifacts are sent for too long (commit 0b87b9e0). Bug Fixes Be more robust in case of client-side error conditions (commit 64d4dde9, 2c7ff02a, 7dc4239a) Use PiP to circumvent browser powersaving that would shut down MediaStreams when a browser is out of focus. (commit 0b87b9e0, c0d97c91) Relax enforcing of duplicated images for proctored desktops (commit c72ddbb3) Improvements Code Refactoring Replace deprecated api (various commits) Modernize javascript idioms (various commits) Maintain an adequate look and feel using both Bootstrap5 and Bootstrap3 (70a0f52c, f07dfc06, e913ee2b, 54d4f3cc and others) Drop custom implementation of lazy loading for the proctoring display UI and rely on modern native browser features instead (commit 90d2404c) Usability Improve usability of the proctoring display UI on mobile and when using a keyboard (various commits) Miscellaneous Improve integration with master template (9acb6bc8, 44729649) Streamline idioms (various commits) Improved documentation Increase test suite of functionalities and cover 100% of public api (various commits) Extend package localization. Currently English, German, Italian and Spanish are supported. 
Changes in package "xotcl-core" New Features Added value checker signed (commit 1ce581a) Added value checker oneof (commits 58bc938, 2dbadad, 65575bf, 58bc938). Added value checker cr_item_of_package (commit 6fc46f3) Provided consistent sorting for Database and Tcl sorts (commit 6effe16) Bug Fixes Avoiding double quoting (commit 08386db). Fixed potential memory leaks: Free explicitly answer ns_set in database sets method (commit 158a831) Free ns_set storage more eagerly (when e.g. large queries are used in longer loops) (commit 3d6b05a) Compatibility Fixes for Oracle 19c (commit de4a9a5, 88f8521, 1408e2b) Improvements Security improvements: Support for form_parameter specs with value checkers added (commit 64bb847). Harden page contracts (commit b0c282d) Performance improvements: Improved prepared-statement handling (commit fac52ce) Various other changes such as e.g. d22121d Unified package parameter handling between xo* and oacs-core (commit 66ee181) Reduced verbosity of logging for streamlined output (commit 0553811). Stop sending messages to other (potentially stopped) thread to avoid log messages (commit 0aa8c98). Changes in package "xowiki" New Features GUI improvements New abstraction xowiki::CSS to provide portability between different frameworks and versions of frameworks (commit 99e3331c) Added xowiki::bootstrap::card for increased configurability (commits 97685004, 4e09efa9, 136edcc5). Use adp:icon for better cross framework compatibility (commits 562e9e48, 19407b34, 71606059) Support for Bootstrap5 (commits 97685004, ddae6214, 701612b7, a073060e, de6f0f48, 694c61b5, 48efaa9e, 57a7e91a, b71aacc0, 07be172b and several more) Added native CSS classes for Tree renderer and made TreeRenderer more configurable, reduce YUI (commit 83eafdcf). Beautify display of CSS tree renderer for deeper trees (commit ab624faa). Chat improvements Reduce server-side guessing of browser capabilities and minimize mode-specific JavaScript code (commit 8d98e9bf). 
Support for anonymous users in chat class, allowing mixed participation of authenticated and non-authenticated users (commit d929ec45). Drag and Drop improvements Support for drag & drop for reordering items for mobile devices (commit 4489907b). Extended functionality of the DropZone widget (commit d65bd411). Added support for archiving of items (commit 4d17aa0e). Reforms Generalized handling of error pages in disconnected stage (commit b3b677d4). Configuration Changes Update CDN sources where necessary (commit d4d0d85e). Updates of external libraries and CDN providers (commits d4d0d85e, f71db88b, 2986f329, f22f9b0b, e3b9f244, c63f61c9) Improved Parameterization Ability to parameterize www-delete and www-toggle-publish-status with return_url for workflow-specific behavior (commit abba6cd1). New package parameter: PackageInitParameter for instance-specific package behavior (commit cc5b9959). Added support for passing parameter specs of the form parameter_name:value_constraint to xowiki::Package.get_parameter (commit 9df95cb3). Bug Fixes: Test reproducing a bug in acs::test::xpath::get_form_values proc (commit f495cac3). Fixed test case returned violation on plain instance (commit 78ec506d). Fixed xowiki create_form_with_form_instance automated test (commit a9a37dcc). Handle more gracefully the case of missing files on the filesystem (commit 72c1aeeb). Improvements: Improved autosave support (commit b373091c). Added support to check the file types of uploaded content (commit 80756c4b). Improved portability Added missing Oracle support for Oracle 19c (commit 777eadbc). Fix for Oracle 19c issues (commit 777eadbc). Improved error handling Improved handling of pages with parent_id == 0 (commit 7637ff52). Improved error message clarity and handling (multiple commits). Improved warning message (commit 80c69179). Various small improvements in handling form pages and error messages (commit 1c11ce20). 
Various API improvements: Updated interface for Page.create_form_page_instance (commit c0ee21d6). Security improvements: Enhanced form and query variable validation (commit d405042d). Improved safety of SQL queries (commit be15be72). Code Maintenance: Cleanup and modernization of code, removal of obsolete and commented code (multiple commits). Extended regression test (commit 8daa654b). Improved comments (commit 9e9a99f5). Improved documentation and cleanup (commit 27609be3). Deprecations: Cleanup of deprecated API references and methods (commit b0a9b875, commit fc1e48d1, commit 2c490318). Logging of deprecated usages unified under ad_log_deprecated (commit 56d4b9d5). Removal of features and scripts no longer in use (commit 726cc0dd, commit c8100365). Added @see to deprecated proc (commit bb2fa23a). Got rid of legacy message key menu-Clipboard-Copy (commit ba901036). Changes in package "xowf" New Features Improved support for E-Learning applications (mostly inclass exam) Support for restricting access to exams based on IP addresses (7fc8473). Drag and Drop interface for feedback files (fd68c22). Support for pool questions in the test-item family. Improved support for viewing and downloading exam results (250d5a4). Added support for viewing/altering all configuration options for inclass exams via modal dialogs (39d5063). Added parameter to allow/disallow page translation and spell checker for exams (commits 97e383e, 20a2d49). Configuration Changes Turn off production mode by default (363c839). Bug Fixes Fixed achieved points in exam statistics per question (f05631f). Fix for potential loss of statistics for auto-graded exams (fc03d5f). Improvements Improved Maintainability: Added Site-wide admin pages for xowf (cbb3bc8). Improved Performance: Added support for shared workflow definitions (2628b6f). Improved GUI: Improved support for Bootstrap5 (e.g. commits 8623ebd and a5e1f6c). 
Enhanced usability and styling for inclass exams and workflows (3d33b2a). Changes in package "xotcl-request-monitor" New Features Ability to order by time values in long-calls listing (Commit 031ee35). Support for ordering long-calls by start time or by end time in long-calls listing (Commit 7c9ffe9). Configuration Changes Added configurability to watchdog with parameters like -maxWaiting and -maxRunning (Commit 60ba4e3). Improvements Security Improvements Protect query-parameters against exceptions with empty values (Commit 176a32b). Added safety measures for potential DOS attacks and improved request blocking (Commit ef39b79). Improved strictness of tests (Commit ceb4a88). Improved description of package parameters (Commit ff8c44d) Enhanced the initial population of request-monitor counters for robustness (Commit 622d8f2). Switch from xo::db::sql to acs::dc interface (Commit a2d4688).