The release of OpenACS 5.10.1 contains the 94 packages of the +oacs-5-10 branch. These packages include the OpenACS core packages, +the major application packages (e.g., most of the ones used on +OpenACS.org), and DotLRN 2.10.1. The release is probably the most +secure and with the most tested code since ever.
Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the +following statistics
+ 3038 files changed, 1291141 insertions(+), 354533 deletions(-)
These changes were contributed by 8 committers (Antonio Pisano, +Gustaf Neumann, Günter Ernst, Héctor Romojaro, Michael Aram, Raúl +Rodríguez, Sebastian Scheder, and Thomas Renner) and additional 8 +patch/bugfix providers (Felix Mödritscher, Frank Bergmann, Franz +Penz, Josue Cardona, Keith Paskett, Markus Moser, Marty Israelsen, +and Monika Andergassen) - all sorted by the first names.
In terms of changes, the release contains the largest amount of
+changes of the releases in the last 10 years. The packages with the
+most changes are acs-tcl, acs-templating, xowiki, xowf,
+acs-automated-testing, acs-admin, and xotcl-core.
Below is a summary of the most important changes, often together +with the commit references in Git. The summary was made on +subjective criteria. For all details, consult the raw ChangeLog.
+Security and Privacy Posture +Overview: As expressed as a wish from OpenACS users +at the last OpenACS conference, a “Security and Privacy Posture Overview” was +added that offers a quick overview of the state of the system and +eases access to the parameters scattered over different packages in +the system. The page offers:
/acs-admin).+Stronger Password Hashes for +OpenACS (commit fe2bdb547, 8eee6a932, 52d2c997e, +62d969c85): Introduction of new password hash functions alongside +the pre-existing “salted-sha1”. The new algorithms are named +“scram-sha-256”, “scrypt-16384-8-1”, +“argon2-argon2-12288-3-1”, “argon2-rfc9106-high-mem”, and “argon2-rfc9106-low-mem”. +These algorithms can be specified via the kernel package parameter +“PasswordHashAlgorithm”. The algorithms +require a recent version of NaviServer and a recent version of +OpenSSL, which serves as a crypto library. This feature enhances +security against brute-force attacks on password hashes (when db is +compromised). Preferences of the password hash algorithms can be +set via kernel package parameter “PasswordHashAlgorithm”, the first available +algorithm is taken from the preference list, hash re-coding happens +automatically at the next login.
+Setting of CSP rules based on MIME
+types (commit 6bc253f1e, commit 94b8513ae). This is
+necessary to mitigate certain attacks on static SVG files uploaded
+to, e.g., the content repository. For example, set the following to
+the ns/server/$server/acs section of
+your NaviServer configuration file:
+ ns_param StaticCSP {
+ image/svg+xml "script-src 'none'"
+ }
+
+Support for generic icon
+names Support for generic icon names, which can be
+mapped differently depending on the installed packages and themes.
+The support provides a mapping from a set of generic names to the
+names provided by different libraries sich as Glyph Icons,
+Bootstrap Icons, Font-Awsome. The provided support can be inspected
+on the site-wide page of acs-templating.
The generic names can be used via the special tag <adp:icon name="NAME"
+title=....> in .adp-files. By using this feature, one can
+use font-based icons (like e.g. glyphicons of Bootstrap5,
+bootstrap-icons, fa-icons, ...) instead of the old-style .gif and
+.png images. This makes the appearance more uniform, has better
+resizing behavior, and works more efficiently (fewer requests for
+embedded resources). Most of the occurrences of the old-style
+images in standard core and non-core packages in oacs-5-10 are
+already replaced. (commit c129c89ec, 996740672, e9cae22dc,
+c7705c68b, a85ea7301, 58ad43055, 737da5514, a05813ec7, 110b2f5d6,
+7011c8fd9, 286fd9e58, 927d9d5ef)
+Better Automated Site
+Configurability: Support for installing themes from
+install.xml (commit 2f9761160).
+Dynamic Cluster Nodes and Cluster +Infrastructure (commit 5738761db, 7cbc3e63c, +1a7a7656c, 3faceddc4, 5fba13c0f, 7cbc3e63c, 3faceddc4, 1a7a7656c): +Added support for dynamically adding and removal of nodes in an +OpenACS cluster. In contrast to static cluster nodes, the IP +addresses of dynamic cluster nodes do not have to be provided at +startup time. The changes introduce new admin pages and further +configuration options.
+Optional Caching
+Deactivation (commit 75c3f2b25): It is possible to
+deactivate caching via the ns_cache
+infrastructure when the NaviServer configuration variable
+cachingmode is set to none. The change modifies per_thread_cache to behave like a per_connection_cache. This option is useful for
+cluster configurations, when legacy components do not handle cache
+coherency (e.g. via acs::clusterwide)
+Support for Cloud Identity
+Providers (commit e506dee05, fd7af8d17, 06954d83b).
+Additional Identity providers can be added as secondary registries
+(e.g., MS Azure via oauth2), to support e.g. logins via the
+classical register page and via a
+cloud registry (requires package xooauth for full
+functionality)
+Client-side double click +prevention: This change makes it possible to +provide a double click prevention for HTML elements via the CSS +class “prevent-double-click”. The double click +prevention deactivates a button or an anchor element after clicking +for a short time (per default for 1s) and ignores in this time +window further clicks. The time window can be specified via the +data element oacs-timeout. (commit 5f2edeec2a9a831, +916d365aa11f2d)
+Cookie Namespaces +(commit ce1573ed8): Important, when multiple OpenACS instances are +served from the same domain name, but different cookies have to be +used.
lc_time_tz_convert: Enforce ISO format for dates
+and other changes (commit 9a5b5cd97).template::element
+validation reform to improve validation on fields (commit
+87919f923).Streamlined resource_info handling by adding versioning and +better management of external library dependencies. External +libraries can be used from CDN or downloaded, the versions are +checked for vulnerabilities, which are reported via posture +overview and package-specific site-wide admin pages.
CSSToolkit and IconSet for acs-subsite (commit fc56a275b).ad_html_security_check configurable (commit
+bc63ee424).update_content-lob.set_content (commit a3effac23,
+4ce8e9fae).ad_acs_admin_node (commit 34a823c51).ad_approval_system_inuse_p implementation (commit
+bd8afdeeb).db_multirow_group_last_row_p (commit
+aafd1db58).ns_parseurl in util::split_location (commit aee571ad1).db_driverkey when OpenACS connects to multiple
+databases, involving the removal of per-thread caching (commit
+18e656b00).version_dir handling for download of external
+resources (commit 8e9a6a5c8).db_foreach with -column_set flag (commit 95e8970d7).ad_mktmpdir and ad_opentmpfile (commit a10b55d3d).parametersecret is not set (commit
+0ec8f0183).ad_html_security_check based on ns_parsehtml (commit 387f3de3e).ns_trim -prefix (commit
+500099e0).ad_page_contract filter object type (commit
+2f9d127a0).clock page contract filter (commit
+5544faffc).tmpfile page contract filter (commit
+1a179e9bc).ad_log_deprecated for unified logging of
+deprecated usages (commit 0e03b3358).util::join_location usable for UDP and SMTP
+(commit 01b5c0d61).ad_unless_script_abort,
+aa_silence_log_entries, and
+util::json2dict to enhance error
+handling and logging cleanliness (commit aeb027aeb, f455d60c6,
+e9298cf02).For a description of all packages, see: https://openacs.org/repository/5-10/ +
util_commify_number, with lc_numeric (518e1b34)calendar::adjust_date -> inlined the one
+occurrence (fbd97314)calendar::from_sql_datetime, calendar::make_datetime -> not used upstream,
+superseded by modern clock idioms and HTML5 features (bccd1c3a,
+7264a2fe)cal_outlook_gmt_sql -> last usage in the
+codebase 2002 (1ee22f96)calendar::item::assign_permission. calendar::assign_permissions -> trivial
+wrappers over the permission api (a1ddaed5, f174fd12)template::util::is_true with inline string idiom
+(f2604994)site_node:: (commit 4d025e63)site_node:: (39bcaf3f)ns_quotehtml (commit 4476e815)notification::get_interval_id with notification::interval::get_id_from_name (commit
+871dd502)notification::get_delivery_method_id with
+notification::delivery::get_id (commit
+a9760fc4)template::util::is_true with [string is true -strict $value] (commit
+38981891)util_commify_number with lc_numeric (commit 7c14688e)twt::user::create and twt::user::delete with the respective acs::test::user:: counterparts (commit
+dea8673e)template::util::nvl (commit 0775f434,
+73b52fba)acs_privacy:: (commit d31c3b6f, 9ae5aa4a)bulk_mail::parameter with parameter::get (commit b10c5f26)forum::new_questions_deny and forum::new_questions_allow with permission::grant (commit 4880f884)bulk_mail::pretty_name with
+parameter::get (commit b6b7aec1)notification::get_interval_id with notification::interval::get_id_from_name (commit
+d77b24b7)notification::get_delivery_method_id with
+notification::delivery::get_id (commit
+075b8adc)ns_mktemp with ad_tmpnam (commit f5fd2c96)util_commify_number with lc_numeric (commit 990b0b0a)notification::get_interval_id with notification::interval::get_id_from_name (commit
+586cc6ae)notification::get_delivery_method_id with
+notification::delivery::get_id
+(28661484)export_ns_set_vars with export_vars (commit e8ab835d)dotlrn-portlet (e.g., commit dcfe916b, 712e8793,
+59ec97b0)twt::user::create and twt::user::delete with their acs::test::user::
+counterpart (27286797)rp_form_put with plain ns_set idioms
+(d7deda66)fs::get_file_package_id more robust to cases where
+the package_id is not set on the object itself (bbbbf93b)template::util::tcl_to_sql_list with NaviServer
+own ns_dbquotelist (8b1a62d0)twt::user::create and twt::user::delete with their acs::test::user::
+counterpart (cbc632d0)ad_tmpnam
+with ad_opentmpfile and ad_mktmpdir, safer from race conditions (576d51a1,
+8a9ac2b9)fs::add_created_version -> behavior specific to
+this proc was to fs::add_version,
+largely similar (815cbaae)fs::torrent::get_hashsum -> superseded by
+NaviServer ns_md command
+(aaf2751d)fs::item_editable_p, fs::item_editable_info -> Unused, unclear
+usefulness (86cd3917)fs::get_archive_extension -> trivial wrapper
+over the parameter api (aa63e153)fs::get_folder_contents -> Not used in the
+codebase, same result can be achieved with other api
+(72e444b8)template::util::get_opts
+(16b22e9e)template::util::is_true with inline string idiom
+(88c779b5)export_ns_set_vars with alternative idioms
+(4892cc8d)ad_convert_to_html with ad_html_text_convert (e48e5624)signed (commit 1ce581a)oneof (commits 58bc938, 2dbadad, 65575bf,
+58bc938).cr_item_of_package (commit 6fc46f3)ns_set in database “sets” method (commit
+158a831)ns_set
+storage more eager (when e.g. large queries are used in longer
+loops) (commit 3d6b05a)form_parameter specs with value checkers added
+(commit 64bb847).xowiki::bootstrap::card for increased
+configurability (commits 97685004, 4e09efa9, 136edcc5).www-delete and
+www-toggle-publish-status with
+return_url for workflow-specific
+behavior (commit abba6cd1).
+PackageInitParameter for instance-specific package
+behavior (commit cc5b9959).parameter_name:value_constraint to xowiki::Package.get_parameter (commit
+9df95cb3).acs::test::xpath::get_form_values proc (commit
+f495cac3).create_form_with_form_instance automated test
+(commit a9a37dcc).parent_id == 0 (commit 7637ff52).Page.create_form_page_instance (commit
+c0ee21d6).ad_log_deprecated (commit
+56d4b9d5).menu-Clipboard-Copy (commit ba901036).xo::db::sql to acs::dc interface (Commit a2d4688).The release of OpenACS 5.10.0 contains the 93 packages of the +oacs-5-10 branch. These packages include the OpenACS core packages, +the major application packages (e.g. most the ones used on +OpenACS.org), and DotLRN 2.10.0.
Functional improvements
Features:
Support for range types in .xql files:
PostgreSQL supports range types since 9.5. When using range
+types, square braces have to be used in SQL statements. Since
+OpenACS uses always Tcl substitution in .xql files, and OpenACS
+does NOT allow backslash substitution in these files, square
+brackets could not be escaped and therefore not be used in .xql
+files so far. This change allows now a developer to deactivate the
+substitution by passing e.g. -subst
+none to the db_* command using the .xql file. Valid values
+for -subst are all, none, vars, and commands, default is all which is exactly the behavior of
+previous releases. Therefore, this change is fully backward
+compatible.
Registry for .js and .css libraries: allow besides classical
+URLs symbolic names for loading external resources (e.g. jquery),
+this makes it easier to upgrade libraries in multiple packages
+(without running into problems with duplicate versions) and
+supports switching between CDN and local pathsURN. The existing
+implementation is based on URNs and extends the existing
+template-head API to support registration for URNs. A URN provides
+an abstraction and a single place for e.g. updating references to
+external resources when switching between a CDN and a locally
+stored resource, or when a resource should be updated. Instead of
+adding e.g. a CDN URL via template::head::add_script, one can add
+an URN and control its content from a single place. Use common
+namespaces for OpenACS such as urn:ad:css:* and urn:ad:js:*.
Register URNs:
Example provider (e.g. in some theme):
+ template::register_urn \ + -urn urn:ad:js:jquery \ + -resource /resources/xowiki/jquery/jquery.min.js ++
The registered URN can be used like classical URL after +registration.
Example consumer:
+ template::head::add_javascript -src urn:ad:js:jquery+
Declare composite files: Provide an interface to define that a +.js file or a .css file contains multiple other .js/.css files in +order to reduce the number of requests.
+ template::head::includes -container urn:js::style.js -parts {urn:ad:js:jquery ...}
+Improved API browser: Visualization for code dependencies (which +procs calls what, from where is a proc being called) and +test-coverage
Warn site administrators about expiring certificates
Added text/markdown to the accepted text formats or rich-text +widget
Additional input types (and widgets) for ad_form:
checkbox_text
color
tel
url
number
file (multiple)
h5date and h5time: date and time fields using native HTML5 +visualization and input normalization
Added additional page_contract filter: oneof(red|green|blue)
+template::add_event_listener
+and template::add_confirm_handler now can
+target elements by CSS selector
Improved support for streaming HTML: The new API function
+template::collect_body_scripts
+can be used to get the content of template::script or CSP calls
+(template::add_body_script,
+template::add_event_listener,
+template::add_body_handler,
+template::add_script) when
+streaming HTML (incremental HTML) is used. Before, these call could
+bot be used for streaming HTML.
Reforms:
Login:
Get rid of bugging "login page expired" messages. The
+17 years old construct was replaced by newer means to avoid caching
+of form values from the login form. Admins of existing sites should
+set the kernel parameter LoginPageExpirationTime to 0
Forums:
Removed hard-coded dependency with registered_users group when +checking forum permissions
Don't rely so heavily on acs_permissions to model forum +configuration, as this can have unexpected consequences in +convoluted multi-group/multi-subsite scenarios. Prefer simpler +table attributes instead
New style of attachments to the forums, allowing multiple +attachments to a single message directly from the message post +page, using the multiple file input widget. Retain compatibility +with old style attachments, using the new 'AttachmentStyle' +package instance parameter. Currently, this supports two values: +'simple' (new behavior) and 'complex' previous +behavior.
Chat:
Revamping of the GUI
Responsiveness
Full screen mode
Skins support (minimal, classic and bubbles, included): Skins +are located in the new /packages/xowiki/www/resources/chat-skins/ +directory. New skins can be created by just adding the css and js +files in the skins directory, and naming them accordingly +(chat-$SKIN_NAME.{js|css}).
Avatars (can be enabled per room)
Number of active users in chat
Tab notifications of new messages
Web Notifications:
https://www.w3.org/TR/notifications/
+https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API/Using_the_Notifications_API
acs-lang:
admin pages:
Added the option to unregister (delete permanently the message +key from all locales) a message key that has been already marked as +deleted. Useful for cleaning up old message keys.
Added the option to undelete, using the new ::message::undelete +proc.
Made number and category (untranslated/deleted/...) of messages +coherent in all pages.
Added the columns 'total' and 'deleted' to the +index page.
object_id reference: it is now possible to associate a message +key to an object_id in a way that e.g. when the object is deleted, +so is the message key. This addresses cases such as the message +keys generated by group creation or by the new XoWiki localized +fields
Notifications:
Improved scalability for notifications: One of the most
+expensive operations in large site is the cleanup for
+notification_requests in situations, where the user has lost
+permissions on an object, on which the user wanted to receive
+notifications. This check was performed previously in notification::sweep::cleanup_notifications
+via a permission check over all notification requests, which can be
+very costly on large sites. This change moves this cleanup into the
+actual notification sending, where the permissions have to be sent
+anyhow.
When sending a notification on behalf of a person, if the system +is not configured to process replies to notification, do not set +the reply-to address to anything different than the sender
Notifications: proper cleanup of acs_objects resulting from the +deletion of dynamic notification requests
User/Person/Party API: rework and rationalize caching of all +party, person and user API, create separate caches for each of +these types, make the API and return dicts. acs_user::get will not +fail anymore with non-existing user.
User Portrait: created API to retrieve and create, store and +delete the user's portrait. Also address leftover child +relationships from the past and delete them properly.
Non-functional Changes
Improved automated regression test infrastructure and test +coverage
All packages in the oacs-5-10 branch pass regression test
Web testing was separated from non-maintained tcltest and was +built on the standard OpenACS infrastructure
Include web testing per default in standard regression +testing
Introduced new test authentication authority, allowing to run +many user administration tests outside the context of a "real +authority": in cases where the real authority depends on +external services to proof identity, (e.g. Kerberos), those tests +would just fail.
Introduce the display of warnings in the UI of automated +testing
Added test coverage information in the automated testing pages, +using the new proc-coverage API and providing test coverage +information for packages and system wide.
Increased overall coverage of public API
New tests checking various data-model properties and smells
Improved scalability:
Provided lock-free implementation of ad_page_contract_filters and ad_page_contract_filter_rules. This change
+improves parallel processing of requests and is primarily
+interesting for sites with a few mio page views per days. These
+locks were among the most frequent nsv locks
Reduced locks on util_memoize_cache my more invariants values
+into per-thread caching (acs_lookup_magic_object, ad_acs_version, .... ) and by avoiding
+specialized calls, which can be realized by already optimized ones
+(apm_package_installed_p_not_cached
+ref-timezones was most frequently used util_memoize_cache
+entry). These changes are necessary to avoid full still-stand on
+the unfortunate long-time locks on util_memoize_cache stemming from
+permission and user management with wild-card flush operations,
+which require to iterate over all cache entries (which might be on
+a busy server several hundred thousands)
Added new interface for cache partitioning to reduce lock +latencies on high load websites
Added new interface for lock-free per-thread and per-request +caching to avoid scattered ad-hoc implementations
Better reuse of DB handles (reduced expiring/reopen/etc.), +faster access to handles
Improved startup time:
When the package acs-automated-testing is disabled, startup time +is reduced by avoiding loading of support functions and tests; the +size of the blueprint is reduced
xowf: loading of at-jobs is significantly improved.
Security improvements:
Strengthened page contracts
CSP support for application packages
CSP fine tuning
Better exception handling based on Tcl 8.6 exception handlers
+(try and throw, also available in Tcl 8.5)
Provided a new ad_try
+implementation based on Tcl's try replaces now the old ad_try, with_catch and with_finally, which are marked as
+deprecated
The new ad_try is in essence
+Tcl's try but with
+predefined handling of ad_script_abort and should be also used
+instead of catch, when the
+OpenACS API is used (which might use script aborts)
All core packages use the new ad_try instead of the deprecated
+versions.
Connection close reform:
NaviServer/AOLserver continue after connection closing commands +to execute a script. This is in many situations not desired, +especially, when for the page as well a .adp file exists, which +will try to deliver this on the already closed connection. This can +lead to errors in the error.log file, which are sometimes hard to +analyze
Due to this cleanup, developers should use in most such cases
+cases ad_script_abort
+
Connection closing commands are e.g. ad_returnredirect, ad_redirect_for_registration, cr_write_content, ad_page_contract_handle_datasource_error,
+ad_return_string_as_file,
+ad_return_complaint,
+ad_return_error, ad_return_forbidden, ad_return_warning, ad_return_exception_page, ns_returnredirect, ns_return, ns_returnerror
+
The new version has made on most occasions explicit, when the +script should abort.
API changes (new and extended API calls):
New API call category::get
+to obtain category description for a category_id and locale
New utility ad_pad emulating
+both lpad and rpad typically available in DBMSs
New proc lc_content_size_pretty, prettify data size given in +bytes. It supports three different standards (SI base-10, IEC +base-2 and the old JEDEC base-2), default is SI base-10.
New flag -export for
+ad_form: this flag uses
+export_vars under the hood and
+supports all of this API's features (e.g. :multiple, :sign,
+:array). This addresses a long standing TODO
+util::pdfinfo: simple
+poppler-utils wrapper to extract pdf information
util::http: leverage new ns_http features such as request file +spooling. Native implementation will now be used only on NaviServer +>= 4.99.15.
Database API:
+db_foreach: queries executed
+inside of a db_foreach will not be issued using a different handle
+and will therefore be safe to use in a transaction
+db_list_of_lists: new
+-with_headers flag, which will
+make the first element of the returned list to be the column names
+as defined in the query
Groups API:
Logics to delete a group type have now been included in the +API
Allow to filter group members by member_state in the API
Deprecated commands:
Many deprecated API calls were included in the code (and +sometimes still in use) sometimes more than 10 years after these +calls have been deprecated. In case a site modification still uses +deprecated code, the user is warned about this. The OpenACS 5.10 +code base does not depend on deprecated code.
Move deprecated code into separate files
Made loading of deprecated code optional (can be controlled via +parameter "WithDeprecatedCode" in section +"ns_section ns/server/${server}/acs" of the config file. +By default, deprecated procs are still loaded
When deprecated code is not loaded, the blueprint of the +interpreter is smaller. The following number of lines of code can +be omitted when loading without the deprecated procs:
acs-tcl: 3178
acs-templating: 450
xotcl-core http-client-procs: 830
acs-content-repository: 1717 (including .xql files)
Bugfix and Code Maintenance:
Made sure all party emails are stored as lowercase through the +API
Fixed long standing regression in template::list: we were
+looping through the list "elements", rather than the
+"display_elements". This prevents specifying different
+sets of columns to be returned depending on the -formats and -selected_format options in
+template::list::create.
acs-content-repository: New HEIC and HEIF mimetypes
acs-mail-lite: handle to_addr specified as "DisplayName
+<email>" without errors
Fixed invalidating of all existing user logins, (aka) +"Logout from everywhere" feature, useful e.g. to make +sure no device still holds a valid login when we change our +password on a device
Don't lose the return URL when one tries to join a subsite +before being logged in
Added doc(base_href) and
+doc(base_target) for setting
+<base> element via blank-baster (see issue #3435)
Groups:
When a new group is created, flush all the group::get_id caches +with the same name so that the new group can be fetched correctly +in case it replaces a previously deleted one
Cleanup message keys coming from groups in acs-translations when +a group is deleted
acs-lang:
+lang::util::convert_to_i18n:
+do not always register a en_US translation, which would be always
+overridden. Instead, let lang::message::register make sure that a
+en_US message exists and create one only as a fallback.
+lc_time_fmt: leverage Tcl
+clock to address shortcomings such as handling of dates in
+Julian/Gregorian calendar and impossible dates such as 1999-02-29,
+implement missing formats, support previously undocumented formats
+explicitly
search: make sure objects in the search indexer queue still +exist by the time they are swept by the indexer (e.g. items deleted +before the indexer could sweep them)
+attribute::delete: fix proc
+so it leverages stored procedure capability of dropping the
+database table as well
+util::http: fix UTF-8
+encoding issues for some cornercases
Localization: Complete Italian and Spanish localization for the +whole .LRN set of packages (including themes). Message keys for new +and previously localized packages have also been updated
General cleanup/maintenance
Improved handling of server implementation-specific code:
+server-specific code can be optionally loaded via specifying the
+server family in the filename. Provided *-procs-aolserver.tcl and *-procs-naviserver.tcl similar to
+*.postgresql.xql and *.oracle.xql where appropriate
Modernization of Tcl idioms.
Compliance of files, proc names, ... to the naming +conventions.
White space cleanup, indentation changes.
Improvement of public API documentation
Adjustment of proc protection levels (public, private)
Adjustment of log severity
Cleanup of obsolete files
Replacement of handcrafted forms by ad_form
Typo fixing
Editor hints
Replacement of deprecated calls
Addition of missing contracts
...
SQL cleanup:
Cleanup of obsolete nonportable SQL constructs in a way Oracle +and PostgreSQL code base divergency is reduced:
"nvl" -> "coalesce"
"sysdate" / "now()" -> standard +"current_date" or "current_timestamp"
Use standard-compliant "dual" table where appropriate +(required by Oracle, supported by PostgreSQL)
Use non-dialectal cast idioms when appropriate
Adopt CTE idioms in Oracle codebase as well (e.g. connect -> +with recursive)
... (reference Oracle version will be 11gr2 as is oldest version +officially supported by Oracle (See here and here)
Reduced superfluous .xql queries
acs-subsite: delete 21 files with un-referenced .xql queries
acs-tcl: delete 4 files
news: 3 files
file-storage: 1 file
dotlrn: 9 files
New Packages:
cookie-consent: alerting users about the use of cookies on a +website
boomerang: performance of your website from your end user’s +point of view
xooauth: OAuth implementation, including LTI (Learning Tools +Interoperability)
dotlrn-bootstrap3-theme: Bootstrap 3 theme for DotLRN
xowf-monaco-plugin: Integration of Monaco editor with for code +exercise types in xowf
proctoring-support: utilities and user interfaces to implement +proctoring of the user session, mainly intended in the context of +distance education and online exams. The main proctoring feature +relies only on web technologies and does not require any plugin or +additional software. Optional support for the Safe Exam Browser has +also been introduced. The package is currently at the core of WU +Online Exam infrastructure and is integrated in the inclass exam +implementation for xowf
Require Tcl 8.6, XOTcl 2.1, PostgreSQL 9.6 (PostgreSQL 9.5 EOL: +February 2021), tdom 0.9
Altogether, OpenACS 5.10.0 differs from OpenACS 5.9.1 by the +following statistics
+ 3445 files changed, 215464 insertions(+), 193642 deletions(-) +
contributed by 7 committers (Antonio Pisano, Gustaf Neumann, +Günter Ernst, Hector Romojaro, Michael Aram, Stefan Sobernig, +Thomas Renner) and additional 13 patch/bugfix providers (Felix +Mödritscher, Florian Mosböck, Frank Bergmann, Franz Penz, Hanifa +Hasan, Keith Paskett, Markus Moser, Maurizio Martignano, Monika +Andergassen, Nathan Coulter, Rainer Bachleitner, Stephan +Adelsberger, Tony Kirkham). All packages of the release were tested +with PostgreSQL 13.* and Tcl 8.6.*.
For more details, consult the raw +ChangeLog.
+The release of OpenACS 5.9.1 contains the 88 packages of the oacs-5-9 branch. These packages include the OpenACS core packages, the major application packages (e.g. most the ones used on @@ -67,15 +1578,15 @@ in OpenACS 5.9.0):
36 files deleted
Removed more than 100 obsolete named queries
Stripped misleading SQL statements
Marked redundant / uncalled sql functions as deprecated
Replaced usages of obsolete view +
Marked redundant / uncalled SQL functions as deprecated
Replaced usages of obsolete view "all_object_party_privilege_map" by "acs_object_party_privilege_map"
Removed type discrepancy introduced in 2002:
acs_object_types.object_type has type varchar(1000), while
acs_object_types.supertype has type varchar(100)
... several more data types are involved, using acs_object_types.object_type as foreign key
Simplified core sql functions by using defaults:
Simplified core SQL functions by using defaults:
Number of functions reduced by a factor of 2 compared to OpenACS 5.9.0 (while providing compatibility for clients using old versions),
Reduced code redundancy
Reduced number of insert cr_child_rels operations, just when -needed:
cr_child_rels provide only little benefit (allow one to use roles in -a child-rel), but the common operation is a well available in -cr_items via the parent_id. cr_child_rels do not help for recursive -queries either. One option would be to add an additional argument -for content_item__new to omit child-rel creation (default is old -behavior) and adapt the other cases.
+needed:cr_child_rels provide only little benefit (allow one to use +roles in a child-rel), but the common operation is a well available +in cr_items via the parent_id. cr_child_rels do not help for +recursive queries either. One option would be to add an additional +argument for content_item__new to omit child-rel creation (default +is old behavior) and adapt the other cases.
Added support against CSRF (cross site request forgery)
OpenACS maintains a per-request CSRF token that ensures that form replies are coming just from sites that received the form
CSRF support is optional for packages where CSRF is less -dangerous, and such requests are wanted (e.g. search and API-browser)
Added Support for W3C "Upgrade-Insecure-Headers" (see @@ -147,7 +1659,7 @@
Added support for W3C "Content Security Policy" (CSP; see https://www.w3.org/TR/CSP/)
Removed "javascript:*" links (all such urls are +
Removed "javascript:*" links (all such URLs are removed from the 90 packages in oacs-5-9, excluding js libraries (ajaxhelper) and richtext code)
Removed "onclick", "onfocus", "onblur", "onchange" handlers from all .adp and @@ -208,7 +1720,8 @@
Misc code improvements:
18 issues from the OpenACS-bug-tracker fixed
Made code more robust against invalid/incorrect input (page_contracts, validators, values obtained from header fields -such as Accept-Language)
Fixed quoting of message keys on many places
Improved exception handling (often, a "catch" swallows one to much, e.g. script_aborts), introducing +such as Accept-Language)
Fixed quoting of message keys on many places
Improved exception handling (often, a "catch" swallows +one too much, e.g. script_aborts), introducing "ad_exception".
Generalized handling of leading zeros:
Fixed cases where leading zeros could lead to unwanted octal @@ -240,7 +1753,7 @@ installations
Templating
Get rid of various pesky "MISSING FORMWIDGET: -...formbutton:ok" messages
Improved support for javascript event handlers in +...formbutton:ok" messages
Improved support for JavaScript event handlers in template::head
New functions "template::add_event_listener" and "template::add_confirm_handler"
Fix handling, when "page_size_variable_p" is set (was broken since ages)
acs-kernel (recommended to be set via config file in section "ns/server/${server}/>acs"
NsShutdownWithNonZeroExitCode: tell NaviServer to return with a -non-zero return code to cause restart (important under windows)
LogIncludeUserId: include user_id in access log
LogIncludeUserId: include user_id in access log
acs-api-browser:
ValidateCSRFP: make checking of CSRF optional (default 1)
Added signing of form-fields
Added HTML5 attributes such as "multiple" (for "file") or "autocomplete"
Fixed generation of "orderby" attribute based on -form-field names
richtext: allow one to specify "extraAllowedContent" via -options
Improved layout of horizontal check boxes
richtext: allow one to specify "extraAllowedContent" +via options
Improved layout of horizontal check boxes
Menu bar:
xotcl-request-monitor
Added class "BanUser" (use. e.g. ip address to -disallow requests from a user via request monitor)
Added support for optional user tracking in database
Added support for monitoring response-time for certain urls via +disallow requests from a user via request monitor)
Added support for optional user tracking in database
Added support for monitoring response-time for certain URLs via munin
Increased usage of XOTcl 2.0 variable resolver (potentially speed improvement 4x)
Performed some refactoring of response-time handling to allow site-admin to make e.g. use of NaviServer's dynamic connection @@ -441,7 +1954,7 @@
Cleanup of .xql files in acs-subsite:
Some cleanup of .xql files: removed misleading sql-statements from db_* calls, which were ignored due .xql files
Removed bug where same query-name was used in different branches -of an if-statement for different sql statements, but the query-name +of an if-statement for different SQL statements, but the query-name lead to the wrong result.
Removed multiple entries of same query name from .xql files (e.g. the entry "package_create_attribute_list.select_type_info" was 7 @@ -472,7 +1985,7 @@ of paths, HTML etc.
Improved include-handling: All includes are now theme-able, interfaces of includes can be defined with "ad_include_contract" (similar to ad_page_contract).
Improved them-ability for display_templates. One can now provide -a display_template_name (similar to the sql statement name) to +a display_template_name (similar to the SQL statement name) to refer to display templates. This enables reusability and is theme-able.
Dimensional slider reform (ad_dimensional): Removed hard-coded table layout from dimensional slider. Add backwards compatible @@ -494,14 +2007,14 @@ (controlled via package parameter "TclTraceLogServerities" in the acs-tcl package parameters)
Added ability to save data sent by ns_return in files on the -file system. This can be used to validate HTML content also for +filesystem. This can be used to validate HTML content also for password protected pages (controlled via package parameter "TclTraceSaveNsReturn" in the acs-tcl package parameters)
New API function "ad_log" having the same interface as ns_log, but which logs the calling information (like URL and call-stack) to ease tracking of errors.
Use per-thread caching to reduce number of mutex lock operations and lock contention on various caches (util-memoize, xo_site_nodes, -xotcl_object_types) and nsvs (e.g ds_properties)
Improved templating of OpenACS core documentation
Improved Russian Internationalization
Make pretty-names of acs-core packages more consistent
Mark unused functions of acs-tcl/tcl/table-display-procs.tcl as +xotcl_object_types) and nsvs (e.g. ds_properties)
Improved templating of OpenACS core documentation
Improved Russian Internationalization
Make pretty-names of acs-core packages more consistent
Mark unused functions of acs-tcl/tcl/table-display-procs.tcl as deprecated
Many more bug fixes (from bug tracker and extra) and performance improvements.
Version numbers:
contributed by 4 committers (Michael Aram, Victor Guerra, Gustaf Neumann, Antonio Pisano) and patch/bugfix providers (Frank -Bergmann, Andrew Helsley, Felix Mödritscher, Marcos Moser, Franz +Bergmann, Andrew Helsley, Felix Mödritscher, Markus Moser, Franz Penz, Thomas Renner). These are significantly more changes as the differences in the last releases. All packages of the release were tested with PostgreSQL 9.4.* and Tcl 8.5.*.
For more details, consult the raw ChangeLog.
@@ -554,7 +2067,7 @@ "outdated" package in the 5.9 or 6.0 release)General overhaul of package management
Install-from-local and install-from-repository can be used to install the provided packages based on a acs-core installation. This means that also DotLRN can be installed from repository or -from local into an existing OpenACS instance.
Install-from-repository offers filtering functions, allows one to +from local into an existing OpenACS instance.
Install-from-repository offers filtering functions, allows to install optionally from head-channel (for packages not in the base channel of the installed instance). Install-from-repository works more like an app-store, showing as well vendor information
Packages can be equipped with xml-based configuration files @@ -592,7 +2105,7 @@
Made changes that extend acs-kernel's create_type and create_attribute procs, so they're optionally able to create -sql tables and columns. Optional metadata params allow for the +SQL tables and columns. Optional metadata params allow for the automatic generation of foreign key references, check exprs, etc.
($Id: release-notes.xml,v 1.34 2018/04/18 -09:09:12 hectorr Exp $)
+