Changelog ========= This file contains change information for the current Zope release. Change information for previous versions of Zope can be found at http://docs.zope.org/zope2/ 2.13.27 (unreleased) -------------------- - Skip IPv6 tests on Travis, as it is not supported. - add ``tox`` test configuration - set explicit PyPI index, the old ``zc.buildout`` defaults no longer work - Pin ``pytz`` to prevent unit test failures from ``DateTime`` - Update virtualenv based installation docs to mention pip<8.0 requirement. - Explicitly require Manager role for ``AltDatabaseManager``. [maurits] 2.13.26 (2017-02-20) -------------------- - In ``str.format``, check the security for attributes that are accessed. Part of PloneHotfix20170117. [maurits] - Fixed reflective XSS in findResult. This applies PloneHotfix20170117. [maurits] 2.13.25 (2017-01-13) -------------------- - Add a dependency on the empty `ZServer` project. - Patch zope.interface to remove docstrings and avoid publishing. From Products.PloneHotfix20161129. [maurits] - Don't copy items the user is not allowed to view. From Products.PloneHotfix20161129. [maurits] - Quote variables in manage_tabs and manage_container to avoid XSS. From Products.PloneHotfix20160830. [maurits] - Add a dependency on the empty `Products.TemporaryFolder` project. - Add a dependency on the empty `Products.Sessions` project. - Removed docstrings from some methods to avoid publishing them. From Products.PloneHotfix20160419. [maurits] - Add support to SameSite cookie in ``ZPublisher.HTTPResponse``: https://tools.ietf.org/html/draft-west-first-party-cookies-07 2.13.24 (2016-02-29) -------------------- - Issue #44: Ensure that iterators declared as implementing ``IUnboundStreamIterator`` are handled properly. - Issue #43: Fix Zope failing to start if a zoperunner is configured. - PR #51: Harden debug control panel's module-crawling against trickery performed by ``six``. - Issue #34: Fix ``NameError`` exception for ``WindowsError`` which could happen on non-windows systems. - Updated distributions: - AccessControl = 2.13.14 2.13.23 (2015-06-29) -------------------- - Provide a pip-compatible ``requirements.txt`` file for the release. E.g.:: $ /path/to/venv/bin/pip install -r \ https://raw.githubusercontent.com/zopefoundation/Zope/2.13.23/requirements.txt - LP #789863: Ensure that Request objects cannot be published / traversed directly via a URL. - Issue #27: Fix publishing of ``ZPublisher.Iterators.IStreamIterator`` under WSGI. This interface does not have ``seek`` or ``tell``. Introduce ``ZPublisher.Iterators.IUnboundStreamIterator`` to support publishing iterators of unknown length under WSGI. - Document running Zope as a WSGI application. See https://github.com/zopefoundation/Zope/issues/30 - LP #1465432: Ensure that WSGIPublisher starts / ends interaction at request boundaries (analogous to ZPublisher). Backport from master. - Fix: Queue additional warning filters at the beginning of the queue in order to allow overrides. - Issue #16: prevent leaked connections when broken ``EndRequestEvent`` subscribers raise exceptions. - LP #1387225: Zope 2.13.x w/ zope.browserpage 4.x doesn't start. - LP #1387138: Zope 2.13.x w/ zope.pagetemplate 4.x doesn't start. - LP #1386795: Fix ``zopectl start`` with zdaemon 3 and newer. - Updated distributions: - Acquisition = 2.13.9 - DateTime = 2.12.8 - Products.BTreeFolder2 = 2.13.5 - Products.ExternalMethod = 2.13.1 - Products.Mailhost = 2.13.2 - Products.StandardCacheManagers = 2.13.1 - ZConfig = 2.9.3 - zLOG = 2.11.2 - zope.dublincore = 3.7.1 - zope.mkzeoinstance = 3.9.6 2.13.22 (2014-02-19) -------------------- - Merge hotfixes from https://pypi.python.org/pypi/Products.PloneHotfix20131210 - LP #143352: Logging of client IP rather than the IP of the Proxy. Please be aware that this only logs the real client ips to Z2.log, if you set you proxy as a trusted-proxy in zope.conf. - Updated distributions: - Products.ZCatalog = 2.13.27 - Products.ZCTextIndex = 2.13.5 2.13.21 (2013-07-16) -------------------- - LP #1095343: Prevent sandbox escape via ``BaseRequest.traverseName``. - LP #1094144: Prevent arbitrary redirections via faked "CANCEL" buttons. - LP #1094221: Add permissions to some unprotected methods of ``OFS.ObjectManager``. - LP #1094049: Prevent zlib-based DoS when parsing the cookie containing paste tokens. - Updated distributions: - AccessControl = 2.13.13 2.13.20 (2013-05-01) -------------------- - LP #1114688: Defend against minidom-based DoS in webdav. (Patch from Christian Heimes). - LP #978980: Protect views of ZPT source with 'View Management Screens' permision. - Make sure the generated classes for simple browser pages (SimpleViewClasses) have a str ``__name__``. See LP #1129030. - In PageTemplate.pt_errors accept the check_macro_expansion argument. This is added for compatibility with zope.pagetemplate 4.0.0. The argument is ignored. See LP #732972. - Updated to Zope Toolkit 1.0.8. - Updated distributions: - Products.ZCTextIndex = 2.13.4 - ZConfig = 2.9.1 2.13.19 (2012-10-31) -------------------- - Updated distributions: - AccessControl = 2.13.12 - distribute = 0.6.29 - mr.developer = 1.22 - pytz = 2012g - repoze.retry = 1.2 - repoze.tm2 = 1.0 - tempstorage = 2.12.2 - LP #1071067: Use a stronger random number generator and a constant time comparison function. - LP #1061247: Fix ZMI properties edit form for properties named `method`. - LP #1058049: Fix support for zoperunner section in zope.conf. - Explicitly close all databases on shutdown, which ensures `Data.fs.index` gets written to the file system. - LP #930812: Scrub headers a bit more. - Fix lock and pid file handling on Windows. On other platforms starting Zope tolerated existing or locked files, this now also works on Windows. 2.13.18 (2012-09-18) -------------------- - Explicitly declared ZTUtils APIs as public (repairs breakages in apps following fix for LP #1047318). 2.13.17 (2012-09-09) -------------------- - Updated distributions: - AccessControl = 2.13.10 - Products.PythonScripts = 2.13.2 2.13.16 (2012-08-11) -------------------- - Updated distributions: - AccessControl = 2.13.8 - DateTime = 2.12.7 - OFS: Fixed TypeError handling in unrestrictedTraverse. - ZPublisher: Do not assume that you can iterate over a publishable object. - ZPublisher: Do not guess it is a webdav request if the HTTP method is purge. 2.13.15 (2012-06-22) -------------------- - Fix lock file cleanup if there's an error early in startup. - Updated distributions: - zdaemon = 2.0.7 2.13.14 (2012-05-31) -------------------- - LP #950689: Fix HTTPS detection under mod_wsgi. - LP #975039: Don't translate interface names in edit_markers ZMI view. - LP #838978: Fixed TypeError in cache_detail ZMI view. - Cleanup lock and pid files if the process dies early in startup. - Added PubStart, PubBeforeCommit and PubAfterTraversal events to the WSGI publisher. - ZPublisher: Fixed a traversal regression introduced in 2.13.12. - Updated to Zope Toolkit 1.0.7. - Updated distributions: - Products.ZCatalog = 2.13.23 2.13.13 (2012-02-20) -------------------- - LP #933307: Fixed ++skin++ namespace handling. Ported the ``shiftNameToApplication`` implementation from zope.publisher to ZPublisher.HTTPRequest.HTTPRequest. - Ensure that the ``WSGIPublisher`` begins and ends an *interaction* at the request/response barrier. This is required for instance for the ``checkPermission`` call to function without an explicit ``interaction`` parameter. - Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only "items" (no attributes / methods from the class or from acquisition). Thanks to Richard Mitchell at Netsight for the report. - Updated to Zope Toolkit 1.0.6. - Removed HTML tags from exception text of ``Unauthorized`` exception because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed. 2.13.12 (2012-01-18) -------------------- - Prevent a cross-site-scripting attack against the default standard error message handling. (CVE-2010-1104). - Use ``in`` operator instead of deprecated ``has_key`` method (which is not implemented by ``OFS.ObjectManager``). This fixes an issue with WebDAV requests for skin objects. - Updated distributions: - Products.ZCatalog = 2.13.22 2.13.11 (2011-12-12) -------------------- - LP #1079238: Turn `UndoSupport.get_request_var_or_attr` helper into a private API. - LP #902068: Fixed missing security declaration for `ObjectManager` class. - Avoid conflicting signal registrations when run under mod_wsgi. Allows the use of `WSGIRestrictSignal Off` (LP #681853). - Make it possible to use WSGI without repoze.who. - Fixed serious authentication vulnerability in stock configuration. - Updated distributions: - AccessControl = 2.13.7 - DocumentTemplate = 2.13.2 - Products.BTreeFolder2 = 2.13.4 - python-gettext = 1.2 - repoze.who = 2.0 - ZODB3 = 3.10.5 - Zope Toolkit 1.0.5 2.13.10 (2011-10-04) -------------------- - Fixed serious arbitrary code execution issue (CVE 2011-3587) http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587 - Fixed a regression of 2.13.9 in webdav support that broke external editor feature. - `undoMultiple` was still broken as transactions were not undone in the proper order : tids were stored and retrieved as dictionary keys. - Updated distributions: - Products.ZCatalog = 2.13.20 2.13.9 (2011-08-20) ------------------- Bugs Fixed ++++++++++ - Restore ability to undo multiple transactions from the ZMI by using the `undoMultiple` API. Backported from trunk (r122087). - Fixed Chameleon compatibility in templates. - Updated distributions: - Products.ZCatalog = 2.13.19 - Products.ZCTextIndex = 2.13.3 - repoze.tm2 = 1.0b2 - Zope Toolkit 1.0.4 2.13.8 (2011-06-28) ------------------- Bugs Fixed ++++++++++ - Fixed a serious privilege escalation issue. For more information see: http://plone.org/products/plone/security/advisories/20110622 - Ensure __name__ is not None as well as __name__ existing. For example, object could be a widget within a z3c.form MultiWidget, which do not have __name__ set. - Testing: Re-added 'extra' argument to Functional.publish. Removing it in Zope 2.13.0a1 did break backwards compatibility. - LP #787541: Fix WSGIPublisher to close requests on abort unconditionally. Previously an addAfterCommitHook was used, but this is not run on transaction aborts. Now a Synchronizer is used which unconditionally closes the request after a transaction is finished. Features Added ++++++++++++++ - Updated distributions: - Acquisition = 2.13.8 - Products.ZCatalog = 2.13.14 - repoze.who = 2.0b1 - ZODB3 = 3.10.3 - Zope Toolkit 1.0.3 2.13.7 (2011-05-08) ------------------- Features Added ++++++++++++++ - Added forward compatibility with DateTime 3. - ZPublisher: HTTPResponse.appendHeader now keeps header values to a single line by default to avoid causing problems for proxy servers which do not correctly handle multi-line headers. - Updated distributions: - Products.ZCatalog = 2.13.13 - Products.ZCTextIndex = 2.13.2 2.13.6 (2011-04-03) ------------------- Bugs Fixed ++++++++++ - Fix `WSGIResponse` and `publish_module` functions such that they support the `IStreamIterator` interface in addition to `file` (as supported by `ZServer.HTTPResponse`). - Corrected copyright information shown in the ZMI. - OFS: Fixed editing offset-naive 'date' properties in the ZMI. The "Properties" tab no longer shows the time zone of offset-naive dates. Features Added ++++++++++++++ - Add preliminary IPv6 support to ZServer. - Updated to Zope Toolkit 1.0.2. - Updated distributions: - Acquisition = 2.13.7 - mechanize = 0.2.5 - Products.BTreeFolder2 = 2.13.3 - Products.ZCatalog = 2.13.8 - python-gettext = 1.1.1 - pytz = 2011e - repoze.tm2 = 1.0b1 - repoze.who = 2.0a4 - ZConfig = 2.9.0 - zope.testbrowser = 3.11.1 2.13.5 (2011-02-23) ------------------- Bugs Fixed ++++++++++ - Five: Corrected a method name in the IReadInterface interface. Features Added ++++++++++++++ - Updated distributions: - Acquisition = 2.13.6 - Products.ZCatalog = 2.13.6 - ZODB3 = 3.10.2 2.13.4 (2011-02-06) ------------------- Bugs Fixed ++++++++++ - Applied missing bit of the code merge for LP #713253. 2.13.3 (2011-02-06) ------------------- Features Added ++++++++++++++ - Updated distributions: - Products.ZCatalog = 2.13.5 Bugs Fixed ++++++++++ - LP #713253: Prevent publication of acquired attributes, where the acquired object does not have a docstring. 2.13.2 (2011-01-19) ------------------- Bugs Fixed ++++++++++ - HelpSys: Fixed some permission checks. - OFS: Fixed permission check in ObjectManager. - webdav: Fixed permission check and error handling in DeleteCollection. - LP 686664: WebDAV Lock Manager ZMI view wasn't accessible. Features Added ++++++++++++++ - Report success or failure (when known) of creating a new user with the `addzope2user` script. - Added `addzope2user` script, suitable for adding an admin user directly to the root acl_users folder. - Updated distributions: - AccessControl = 2.13.4 - Products.ZCatalog = 2.13.3 Restructuring +++++++++++++ - Factored out the `Products.ZCatalog` and `Products.PluginIndexes` packages into a new `Products.ZCatalog` distribution. 2.13.1 (2010-12-07) ------------------- Bugs Fixed ++++++++++ - Fixed argument parsing for entrypoint based zopectl commands. - Fixed the usage of ``pstats.Stats()`` output stream. The `Control_Panel/DebugInfo/manage_profile` ZMI view was broken in Python 2.5+. Features Added ++++++++++++++ - Report success or failure (when known) of creating a new user with the addzope2user script. - Moved subset id calculation in `OFS.OrderSupport.moveObjectsByDelta` to a new helper method, patch by Tom Gross. - Updated to Zope Toolkit 1.0.1. - Use cProfile where possible for the `Control_Panel/DebugInfo/manage_profile` ZMI view. Restructuring +++++++++++++ - Stopped testing non-overridden ZTK eggs in ``bin/alltests``. 2.13.0 (2010-11-05) ------------------- - No changes. 2.13.0c1 (2010-10-28) --------------------- Bugs Fixed ++++++++++ - LP #628448: Fix ``zopectl start`` on non-Windows platforms. Features Added ++++++++++++++ - Updated to Zope Toolkit 1.0. - Updated distributions: - DateTime = 2.12.6 - mechanize = 0.2.3 - ZODB3 = 3.10.1 - zope.sendmail = 3.7.4 - zope.testbrowser = 3.10.3 2.13.0b1 (2010-10-09) --------------------- Bugs Fixed ++++++++++ - Avoid iterating over the list of packages to initialize while it is being mutated, which was skipping some packages. - Fixed two unit tests that failed on fast Windows machines. - Fixed OverflowError in Products.ZCatalog.Lazy on 64bit Python on Windows. - Fixed ``testZODBCompat`` tests in ZopeTestCase to match modern ZODB semantics. - LP #634942: Only require ``nt_svcutils`` on Windows. Features Added ++++++++++++++ - Avoid conflict error hotspot in PluginIndexes' Unindex class by using IITreeSets instead of simple ints from the start. Idea taken from ``enfold.fixes``. - Added date range index improvements from ``experimental.catalogqueryplan``. - Changed policy on handling exceptions during ZCML parsing in ``Products``. We no longer catch any exceptions in non-debug mode. - Added a new BooleanIndex to the standard PluginIndexes. - Update to Zope Toolkit 1.0c3. - Add ability to define extra zopectl commands via setuptools entrypoints. - Updated distributions: - Acquisition = 2.13.5 - Products.MailHost = 2.13.1 - Products.ZCTextIndex = 2.13.1 - repoze.retry = 1.0 - tempstorage = 2.12.1 - ZODB3 = 3.10.0 - zope.testbrowser = 3.10.1 2.13.0a4 (2010-09-09) --------------------- Restructuring +++++++++++++ - Removed deprecated ``Products.Five.security.create_permission_from_permission_directive`` event handler. Its code was moved into the Zope 2 version of the permission directive in ``AccessControl.security``. Features Added ++++++++++++++ - LP #193122: New method getVirtualRoot added to the Request class. - Updated test assertions to use unittest's ``assert*`` methods in favor of their deprecated `fail*` aliases. - Update to Zope Toolkit 1.0a3. - Updated distributions: - AccessControl = 2.13.3 - Acquisition = 2.13.4 - ZODB3 = 3.10.0b6 2.13.0a3 (2010-08-04) --------------------- Bugs Fixed ++++++++++ - Adjusted overflow logic in DateIndex and DateRangeIndex to work with latest ZODB 3.10.0b4. - Made sure to exclude a number of meta ZCML handlers from ``zope.*`` packages where Zope2 provides its own implementations. - LP #599378: Fixed accumulated_headers not appending to headers correctly. - Fix support for non-public permission attributes in the browser:view directive so that attributes which are not included in allowed_interface or allowed_attributes but which have declarations from a base class's security info don't get their security overwritten to be private. - LP #143755: Also catch TypeError when trying to determine an indexable value for an object in PluginIndexes.common.UnIndex - LP #143533: Instead of showing "0.0.0.0" as the SERVER_NAME request variable when no specific listening IP is configured for the HTTP server, do a socket lookup to show the current server's fully qualified name. - LP #143722: Added missing permission to ObjectManager.manage_hasId, which prevented renaming files and folders via FTP. - LP #143564: Request.resolve_url did not correctly re-raise exceptions encountered during path traversal. Restructuring +++++++++++++ - Removed catalog length migration code. You can no longer directly upgrade a Zope 2.7 or earlier database to Zope 2.13. Please upgrade to an earlier release first. - Deprecated the ``Products.ZCatalog.CatalogAwareness`` and ``CatalogPathAwareness`` modules. - Removed deprecated ``catalog-getObject-raises`` zope.conf option. - Removed unmaintained HelpSys documents from ZCatalog and PluginIndexes. Useful explanations are given inside the form templates. - Deprecate Products.ZCatalog's current behavior of returning the entire catalog content if no query restriction applied. In Zope 2.14 this will result in an empty LazyCat to be returned instead. - Deprecate acquiring the request inside Products.ZCatalog's searchResults method if no explicit query argument is given. - Cleaned up the Products.ZCatalog search API's. The deprecated support for using `<index id>_usage` arguments in the request has been removed. Support for overriding operators via the `<index id>_operator` syntax has been limited to the query value for each index and no longer works directly on the request. The query is now brought into a canonical form before being passed into the `_apply_index` method of each index. - Factored out the `Products.MailHost` package into its own distributions. It will no longer be included by default in Zope 2.14 but live on as an independent add-on. Features Added ++++++++++++++ - Merged the query plan support from both ``unimr.catalogqueryplan`` and ``experimental.catalogqueryplan`` into ZCatalog. On sites with large number of objects in a catalog (in the 100000+ range) this can significantly speed up catalog queries. A query plan monitors catalog queries and keeps detailed statistics about their execution. Currently the plan keeps track of execution time, result set length and support for the ILimitedResultIndex per index for each query. It uses this information to devise a better query execution plan the next time the same query is run. Statistics and the resulting plan are continuously updated. The plan is per running Zope process and not persisted. You can inspect the plan using the ``Query Plan`` ZMI tab on each catalog instance. The representation can be put into a Python module and the Zope process be instructed to load this query plan on startup. The location of the query plan is specified by providing the dotted name to the query plan dictionary in an environment variable called ``ZCATALOGQUERYPLAN``. - Various optimizations to indexes _apply_index and the catalog's search method inspired by experimental.catalogqueryplan. - Added a new ILimitedResultIndex to Products.PluginIndexes and made most built-in indexes compatible with it. This allows indexes to consider the already calculated result set inside their own calculations. - Changed the internals of the DateRangeIndex to always use IITreeSet and do an inline migration from IISet. Some datum tend to have large number of documents, for example when using default floor or ceiling dates. - Added a new reporting tab to `Products.ZCatalog` instances. You can use this to get an overview of slow catalog queries, as specified by a configurable threshold value. - Warn when App.ImageFile.ImageFile receives a relative path with no prefix, and then has to assume the path to be relative to "software home". This behaviour is deprecated as packages can be factored out to their own distribution, making the "software home" relative path meaningless. - Updated distributions: - AccessControl = 2.13.2 - DateTime = 2.12.5 - DocumentTemplate = 2.13.1 - Products.BTreeFolder2 = 2.13.1 - Products.OFSP = 2.13.2 - ZODB3 = 3.10.0b4 2.13.0a2 (2010-07-13) --------------------- Bugs Fixed ++++++++++ - Made ZPublisher tests compatible with Python 2.7. - LP #143531: Fix broken object so they give access to their state. - LP #578326: Add support for non-public permission attributes in the browser:view directive. Restructuring +++++++++++++ - No longer use HelpSys pages from ``Products.OFSP`` in core Zope 2. - No longer create an `Extensions` folder in the standard instance skeleton. External methods will become entirely optional in Zope 2.14. - Avoid using the ``Products.PythonScripts.standard`` module inside the database manager ZMI. - Factored out the `Products.BTreeFolder2`, `Products.ExternalMethod`, `Products.MIMETools`, `Products.OFSP`, `Products.PythonScripts` and `Products.StandardCacheManagers` packages into their own distributions. They will no longer be included by default in Zope 2.14 but live on as independent add-ons. - Factored out the `Products.ZSQLMethods` into its own distribution. The distribution also includes the `Shared.DC.ZRDB` code. The Zope2 distribution no longer includes the code automatically. Please depend on the new distribution yourself, if you use the functionality. To make the transition easier this change has been backported to Zope 2.12.9, so you can depend on the new distribution already in packages requiring at least that version of Zope 2. - Made both `Shared` and `Shared.DC` namespace packages. - Removed fallback code for old Python versions from `ZServer.FTPServer.zope_ftp_channel.push`. - Removed fallback code for old `ZCatalog.catalog_object` function signatures from `Products.ZCatalog.ZCatalog.reindexIndex`. Features Added ++++++++++++++ - Added official support for Python 2.7. - Added a new API ``get_packages_to_initialize`` to ``OFS.metaconfigure``. This replaces any direct access to ``Products._packages_to_initialize``. The OFS.Application.install_package function takes care of removing entries from this list now. - Added notification of ``IDatabaseOpenedWithRoot``. - Added a new API's ``get_registered_packages, set_registered_packages`` to ``OFS.metaconfigure`` which replace any direct access to ``Products._registered_packages``. - Changed product install so it won't write persistent changes only to abort them. Instead we don't make any database changes in the first place. - Disabled persistent product installation in the default test configuration. - Directly extend and use the Zope Toolkit KGS release 1.0a2 from http://download.zope.org/zopetoolkit/index/. - Updated distributions: - DateTime = 2.12.4 - nt_svcutils = 2.13.0 2.13.0a1 (2010-06-25) --------------------- This release includes all bug fixes and features of the `Zope 2.12.8 <http://pypi.python.org/pypi/Zope2/2.12.8>`_ release. Distribution changes ++++++++++++++++++++ - Moved AccessControl, DocumentTemplate (incl. TreeDisplay) and Products.ZCTextIndex to their own distributions. This removes the last direct C extensions from the Zope2 distribution. - Moved the ``zExceptions`` package into its own distribution. - Drop the dependency on the ThreadLock distribution, by using Python's thread module instead. - Integrated the Products.signalstack / z3c.deadlockdebugger packages. You can now send a SIGUSR1 signal to a Zope process and get a stack trace of all threads printed out on the console. This works even if all threads are stuck. Instance skeleton +++++++++++++++++ - Changed the default for ``enable-product-installation`` to off. This matches the default behavior of buildout installs via plone.recipe.zope2instance. Disabling the persistent product installation also disabled the ZMI help system. - Removed Zope2's own mkzeoinstance script. If you want to set up ZEO instances please install the zope.mkzeoinstance and use its script. - Removed deprecated ``read-only-database`` option from zope.conf. - LP #143232: Added option to 'zope.conf' to specify an additional directory to be searched for 'App.Extensions' lookups. Thanks to Rodrigo Senra for the patch. - LP #143604: Removed top-level database-quota-size from zope.conf, some storages support a quota option instead. - LP #143089: Removed the top-level zeo-client-name option from zope.conf, as it had no effect since ZODB 3.2. - Removed no longer maintained ``configure, make, make install`` related installation files. Zope2 can only be installed via its setup.py. - Removed the unmaintained and no longer functioning ZopeTutorialExamples from the instance skeleton. Deprecated and Removed ++++++++++++++++++++++ - Finished the move of five.formlib to an extra package and removed it from Zope 2 itself. Upgrade notes have been added to the news section of the release notes. - ZPublisher: Removed 'Main' and 'Zope' wrappers for Test.publish. If anybody really used them, he can easily use ZPublisher.test instead. In the long run ZPublisher.test and ZPublisher.Test might also be removed. - ZPublisherExceptionHook: Removed ancient backwards compatibility code. Customized raise_standardErrorMessage methods have to implement the signature introduced in Zope 2.6. - Removed ancient App.HotFixes module. - Removed the deprecated ``hasRole`` method from user objects. - Removed deprecated support for specifying ``__ac_permissions__``, ``meta_types`` and ``methods`` in a product's ``__init__``. - Remove remaining support classes for defining permissions TTW. - Removed the deprecated ``five:containerEvents`` directive, which had been a no-op for quite a while. - Removed Products.Five.fivedirectives.IBridgeDirective - a leftover from the Interface to zope.interface bridging code. - Marked the ``<five:implements />`` as officially deprecated. The standard ``<class />`` directive allows the same. Refactoring +++++++++++ - Completely refactored ``ZPublisher.WSGIResponse`` in order to provide non-broken support for running Zope under arbitrary WSGI servers. In this (alternate) scenario, transaction handling, request retry, error handling, etc. are removed from the publisher, and become the responsibility of middleware. - Moved the code handling ZCML loading into the ``Zope2.App`` package. The component architecture is now setup before the application object is created or any database connections are opened. So far the CA was setup somewhat randomly in the startup process, when the ``Five`` product was initialized. - Moved Products.Sessions APIs from ``SessionInterfaces`` to ``interfaces``, leaving behind the old module / names for backward compatibility. - Centralize interfaces defined in Products.ZCTextIndex, leaving BBB imports behind in old locations. - Moved ``cmf.*`` permissions into Products.CMFCore. - Moved ``TaintedString`` into the new AccessControl.tainted module. - Testing: Functional.publish now uses the real publish_module function instead of that from ZPublisher.Test. The 'extra' argument of the publish method is no longer supported. - Moved ``testbrowser`` module into the Testing package. - Moved general OFS related ZCML directives from Products.Five into the OFS package. - Moved the ``absoluteurl`` views into the OFS package. - Moved ``Products/Five/event.zcml`` into the OFS package. - Moved ``Products/Five/security.py`` and security related ZCML configuration into the AccessControl package. - Moved ``Products/Five/traversing.zcml`` directly into the configure.zcml. - Moved ``Products/Five/i18n.zcml`` into the ZPublisher package. - Moved ``Products/Five/publisher.zcml`` into the ZPublisher package. - Ported the lazy expression into zope.tales and require a new version of it. General +++++++ - Updated copyright and license information to conform with repository policy. - LP #143410: Removed unnecessary color definition in ZMI CSS. - LP #374810: ``__bobo_traverse__`` implementation can raise ``ZPublisher.interfaces.UseTraversalDefault`` to indicate that there is no special casing for the given name and that standard traversal logic should be applied. - LP #142464: Make undo log easier to read. Thanks to Toby Dickinson for the patch. - LP #142401: Added a link in the ZMI tree pane to make the tree state persistent. Thanks to Lalo Martins for the patch. - LP #142502: Added a knob to the Debug control panel for resetting profile data. Thanks to Vladimir Patukhov for the patch. - ZCTextIndex query parser treats fullwidth space characters defined in Unicode as valid white space. Updated distributions +++++++++++++++++++++ - Jinja2 = 2.5.0 - RestrictedPython = 3.6.0a1 - Sphinx = 1.0b2 - transaction = 1.1.0 - ZConfig = 2.8.0 - ZODB3 = 3.10.0b1 - zope.annotation = 3.5.0 - zope.broken = 3.6.0 - zope.browsermenu = 3.9.0 - zope.browserpage = 3.12.2 - zope.browserresource = 3.10.3 - zope.component = 3.9.4 - zope.configuration = 3.7.2 - zope.container = 3.11.1 - zope.contentprovider = 3.7.2 - zope.contenttype = 3.5.1 - zope.event = 3.5.0-1 - zope.exceptions = 3.6.0 - zope.filerepresentation = 3.6.0 - zope.i18nmessageid = 3.5.0 - zope.interface = 3.6.1 - zope.location = 3.9.0 - zope.lifecycleevent = 3.6.0 - zope.ptresource = 3.9.0 - zope.publisher = 3.12.3 - zope.schema = 3.6.4 - zope.sendmail = 3.7.2 - zope.site = 3.9.1 - zope.structuredtext = 3.5.0 - zope.tales = 3.5.1 - zope.testbrowser = 3.9.0 - zope.testing = 3.9.3 - zope.traversing = 3.12.1 - zope.viewlet = 3.7.2 Bugs Fixed ++++++++++ - LP #143391: Protect against missing acl_users.hasUsers on quick start page.