rt-3.8.7

We are happy to announce that RT 3.8.7 is now available. You can
download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.7.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.7.tar.gz.sig

SHA1 sums

9de5860c5c58d40c5f6914cdde807ecc66a68f20  rt-3.8.7.tar.gz
3088fb66f6ecbf57f04cd5aba3684645406c120f  rt-3.8.7.tar.gz.sig

This is primarily a bugfix release of RT.
Some important fixes are listed here:

• Stop old DateTime or DateTime::Locales from exploding in Preferences
• Move all JS for hierarchical CFs onto derivative field; remove DerivativeCFs method
  Fix bug on Oracle when selecting against a CLOB
• Call the method on the object, not the username string (Reported by Philip Shore)
  Fix error when using WebExternalAuth and setting user info
• When using WebExternalAuth don't issue a new session cookie on each request
  Fix lost attachments when using WebExternalAuth. WebExternalAuthContinuous can be set back to 1
• Mention missing index that was only added to upgrade scripts
• fixes for PlainTextMono config option introduced in 3.8.6
• fixes for updating charts and dashboards
• delete links from Bulk Update

A more complete commit list is available below

-kevin

BUGFIXES AND CLEANUPS

• We want to capture the results
  When Bulk Updating, indicate that a comment or correspondence has been recorded
• adjust test level so failures reported in the right place
• clean cought emails on END
• move standalone related code into start_standalone_server
• Fix URL used for CF of type autocomplete.
• Remove dated comment
• * show_customize -> ShowCustomize
• detect browser lang in LocalizedDateTime in Date.pm too
• in error message we were using static value, when it's dynamic
• refactor StripContent: make it return empty string as long as the content does not have any real data, i.e. \S but without
  and  
• remove needless lines
• url path fix in /Admin/Elements/ToolTabs
• update Query str in Tabs in Chart.html
• do not show the old saved search in /Search/Build.html if one loaded a saved search in /Search/Chart.html
• use $ARGS{Query} instead of $Query because we may change $ARGS{Query} later in /Search/Chart.html
• my %o = keys %$changes; is indeed wrong
• refactor a little
• make sure $PrimaryGroupBy is not undef in /Search/Elements/Chart
• more saved chart search tests
• only when SaveSearchLoad, we can update Query,ChartType,PrimaryGroupBy,etc.
• we should save all the info when SavedSearchSave, not just Query
• test PrimaryGroupBy and ChartStyle too in saved_search_chart.t
• clean a bit: file input's value attr is useless
• show Update botton when a dashboard contains deleted searches
• tiny typo fix
• DisplayName is translated string
• better way to compare pane in @panes and @deleted in /Dashboards/Queries.html
• use get_ok() so we do not need to test the status stuff for new added tests
• erase the leading space in FormatType
• tweak BulkLinks a bit
• remove misleading comment
• remove "use bytes;" in CreateTickets
• Perltidy
• Only set time values on clone if they are non-zero
• check $container to see if $ARGS{'SavedSearchLoad'} can be loaded
• we can't use @actions to store query's parse results: we should use another variable to do this
• Feed ticket information to MakeClicky when we're clicky-fying attachments
  • Thanks to Salih Goenuellue at SWITCH
• Pluck Ticket and Transaction out of %args sooner
• Use spaces for indentation not tabs
• More cleanup
• Clean up some double-negative logic
• Tidy
• Fix warning message
• sort of typo, ContentType was passed twice
• Fix Postgres ACL script to work with usernames that need quoting
  (inspired by patch to RTFM)
• Skip the richtext editor for android and iphone devices
• we shouldn't escape selected="selected"
• We should be using the same index on 4.0 and 4.1+
  Originally added in 5c5dec3
• Fix URL thanks to Jason A. Smith [rt3.fsck.com #14000]
• there is no div around rtname anymore
• Code indent
• Remove a double negative to clarify logic slightly
• Don't include these files in tarballs
  (cherry picked from commit 6dfb39e)
• add monospace font to .plain-text-white-space: .mono is merged to it
• use err_headers_out instead of headers_out
• RT was accidentally injecting too many newlines when rendering plaintext messages without

  .

• Stop people with old DateTime or DateTime::Locales from exploding in Preferences
• Move all JS for hierarchical CFs onto derivative field; remove DerivativeCFs method
• Call the method on the object, not the username string (Reported by Philip Shore)
• When using WebExternalAuth don't issue a new session cookie on each request
• Mention missing index that was only added to upgrade scripts

DOCUMENTATION

• Fixes rt3.fsck.com#13490 - confusing instructions for the mysql 4.1->5 upgrade commands

  Also fixes Debian Bug #550278
  Thanks to Marcus Better.

• comment one confusing code

• Slightly more clear --all explanation for rt-email-dashboards

• Fix perldoc for Queue object

  • remove =testing that make perldoc stop just after it
  • add description like other RT objects

• Fix shredder documentation typo

• Documentation tweaks for new OutgoingMailFrom config

• Add doc about @Plugins configuration variable.

• We only have this index in the schema and upgrade scripts for mysql and oracle
  (cherry picked from commit 4f0d3e6)

FEATURES

• Add a MassageDashboards callback for the dashboard homepage

• Callback for massaging the dashboard tabs on the homepage and dashboards

• refactor validation of transactions CFs on ticket update

• Add a systemwide plugin directory at the request of the Debian RT maintainers

• Fold hardcoded SelfService search format into a config option

• make people can update saved chart search easily

• we should try to decode uploaded template for offline

• append plugin lib path to @inc if local lib path is not in @inc: see also ticket #13944

• implement "Current Links" section in bulk update

• If there is no ticket for outgoing mail, check a new configuration option for the From address

• Document the Default key

• Add CustomFieldValuesAsString method

  If you are using a multiple value custom field, FirstCustomFieldValue
  doesn't help because you actually want all the values. This is a simple
  wrapper function to save you writing the map.

• Add ability to skip QuickCreate ticket creation in the Initial callback
  (consistent with Ticket/Create.html and SelfService/Create.html)

• allow to change page title via callback on Create

• another place where title is used on Create

• pass QueueObj into callback, we already loaded object

• add simple search on Admin/Queues page

• a callback in Elements/Logout

• $SendTo argument in SimpleSearch widget

TESTS

• tiny url fix: we do not need 2 leading /
• Avoid redefine warnings
• Ignore t/tmp/
• Begin a new test file for testing dashboard permissions
• Refactor run_mailgate into run_and_capture
• add t/web/offline_messages_utf8.t
• minor changes in t/
• refactor tests: new tmp dir, Cfg->Set updates file and more
  • new central tmp dir under t/tmp
  • tmp dir is not deleted on failures
  • centrall %tmp hash in RT::Test to hold names
    of files
  • set_config_wrapper that wraps RT->Config->Set calls and
    append changes into the test config file, so we can
    catch them in UI by restarting server
• added t/web/ticket_update_without_content.t
• add t/web/saved_search_chart.t
• add t/web/command_line_with_unknown_field
• add t/web/offline_utf8.t
• add t/web/dashboard_with_deleted_saved_search.t
• added t/web/search_bulk_update_links.t
• add t/web/saved_search_permissions.t
• Split on the same string we actually join on
• refactor catching mails in tests

TRANSLATION

• fixed a typo in fr.po. thanks, JeanBenoit++
• [fsck.com #14092] Fixes a typo in the Norwegian Bokmal translation
• Danish translation fix from jonasbn. [fsck.com #14132]
• missing localization

rt-3.6.10

This is a security release of RT.
It includes a fix for the session fixation vulnerability detailed in the following announcements:
http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html

You can download it here:

http://download.bestpractical.com/pub/rt/release/rt-3.6.10.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.6.10.tar.gz.sig

SHA1 sums

145124d3ce7dcae76a935f9ce373825ca5fb6e7d  rt-3.6.10.tar.gz
4322f23057c14296ece60dc9f8e242ba5ea2a155  rt-3.6.10.tar.gz.sig

A complete list of changes since 3.6.9 is included below.

-kevin

commit 81f0759
Author: Alex Vandiver [email protected]
Date: Wed Sep 30 17:07:24 2009 -0400

Remove references to .svn

commit e28bfab
Author: Alex Vandiver [email protected]
Date: Wed Sep 30 17:08:29 2009 -0400

Remove old and incorrect releng.cnf

commit e82d5f9
Author: Alex Vandiver [email protected]
Date: Tue Oct 6 14:18:44 2009 -0400

Use spaces instead of tabs in commands, otherwise copy-and-paste in the terminal can fail

commit b157bae
Author: Alex Vandiver [email protected]
Date: Tue Oct 6 14:27:26 2009 -0400

Add .gitignore from 3.8-trunk

commit a8f7dcc
Author: Kevin Falcone [email protected]
Date: Mon Nov 30 13:45:26 2009 -0500

Apply patch for session fixation vulnerability (CVE-2009-3585)

rt-3.8.4

We are happy to announce that RT 3.8.4 is now available. You can
download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.4.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.4.tar.gz.sig

SHA1 sums

c786eb78dd6c8374da3bc0dd10414e040d69864f  rt-3.8.4.tar.gz
7af1be26513b2b26390a456a3360e5cda7d63008  rt-3.8.4.tar.gz.sig

This is primarily a bugfix and security release of RT.

The most important fix is that RT now requires the SuperUser
right to edit global RT at a Glance. In all previous 3.8
releases, the "ShowConfigTab" right unintentionally enabled this.

A more complete list of bugs and features can be found below.
Please note that there is a change to database content in this
release, see UPGRADING for more.

-kevin

FEATURES

• Clean up NotifyGroup action
  • obsolete old storable format in NotifyGroup action
  • add support for group name, user name, user's email address
    and just an email address in NotifyGroup action.
    This will make easier to use it in crontool
  • add upgrade script for RT 3.8.4
  • use new format and obsolete old format, we have upgrade script
    for conversion
• add support to rt-crontool for --template argument that allows
  you to specify the name of a template. Template overridings will
  work for names. Hide --template-id from help, but don't disable it.
• use RT::Plugin in RT->PluginDirs, so we can override only one place in our tests

FIXES AND CLEANUPS

• Force some widgets to fit at max parent box.
• Use true arrow (html entities) in button for SelectionBox Widget
  (closes: #13481).
• Add ability to change graph groupby and type once the graph is displayed.
  (closes: #13479)
• Add a link in search tickets tab to jump easily to Chart when a query exist.
• Be more consistent in Create/Save Changes buttons across objects.
• Be more consistent in Select/New links (most don't list the object name so
  do this everywhere).
• Fix overlapping of password file by login button on login page (closes: #13496).
• Show difference in Dashboard queries between saved searches and graphs (like in
  RT at a glance pref) (closes: #13497).
• Don't show empty value in ticket edit basics queue dropdown, as a ticket must
  be in a queue.
• in RT::Plugin->Path don't add trailing slash when requested
  subdir is not defined or empty
• Typo in IsCc|IsAdminCc documentations.
• Don't show "deleted" status in cerate ticket page as it doesn't make sense to
  create deleted tickets... (closes: #13500).
• use GET for firefox2 in ahah (fixes Bookmarks on FF2)
• allow the creation of tickets in disabled Queues
  This is how Approvals work
• Factor out the quickbar-personal div into its own template
• fix failing tests caused by wording changes
• Avoid undef warning if this is the first time a dashboard has been sent
• Pull out the value of Counter only once
• perl.org is a better canonical URL for Perl than .com (in README)
• pass more context into callbacks when editing custom fields
• localize custom field name on edit
• Don't update watcher in queue watcher edit page when we search for people and
  one or more current watchers are selected (closes: #13425).
• Require SuperUser for editing global RT at a Glance
• Add a ReadOnly mode for SelectionBox widgets
• Show the RT at a Glance selection boxes as ReadOnly if there's no
  permission to edit them

rt-3.6.8

We are happy to announce that RT 3.6.8 is now available. You can
download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.6.8.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.6.8.tar.gz.sig

SHA1 sums

c7b4fac30b5b91a1c7f64bc05ecf63f40aaec50d  rt-3.6.8.tar.gz
cb80cca50254127362a8ff8d9af71ff66881f300  rt-3.6.8.tar.gz.sig

This is a bugfix and security release of RT.

The most important fix is that RT now requires the SuperUser
right to edit global RT at a Glance. In all versions since
3.6.2, the "ShowConfigTab" right unintentionally enabled this.

A more complete list of fixes can be found below.

-kevin

FIXES AND CLEANUPS

• Updated italian translation from Nicola Murino
• validate CFs in SelfService
• Fix: On comment/correspond, attached files are not recorded if comment/response
  content is empty.
• add HasAttribute and HasNoAttribute to the tisql
• Allow only SuperUser to edit RT at a Glance
• copyright updates

rt-3.8.3

We are happy to announce that RT 3.8.3 is now available.

You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.3.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.3.tar.gz.sig

SHA1 sums

6fe0187408104e9a5a9f0832f1f11ed24b6df10a  rt-3.8.3.tar.gz
e87623b4a958b13d5ce1474ca6d8d4024fa13920  rt-3.8.3.tar.gz.sig

A longer changelog is available at the bottom of this announcement.
Some highlighted changes include:

• Bug fixes for IE support with the RichText editor
• Improvements in parsing and validating gpg-signed messages
• Improved config loading, errors and improved messages
  about where Config overrides originated.
• Fix for rewriting Ticket subjects when using Queue Subject tags
• Fixes to searching for NULL Custom Fields
• New User level config options for HomePage and Search Result Refresh
• Multiple new callbacks
• Updated Scrip descriptions to mention that a Notify All includes
  the Owner
• Dashboard improvements, including the ability to nest Dashboards,
  new access links for dashboards, callbacks and a new Mon-Fri
  subscription

Changelog for RT 3.8.3, generated 2009-05-27T19:42:52

FIXES AND CLEANUPS

• Indent cleanup.
• doc updates for mysql upgrades from jmoseley
• Tell explicitely that $DayBeforeMonth is only for parsing, not for displaying
  dates.
• Remove blank Values since the magic field will take care of this. Sometimes
  the browser gives you a blank value which causes CFs to be processed twice
  Thanks to Philip Kime
• better support situations when CF's LookupType is not complex,
  for example 'RT::Queue'. Thanks to Philip Kime and Emmanuel Lacour
• Factor out a ShowParents template
• Show the correct side of the link
• RT/Config.pm
  minor pod changes
  delete empty functions
• store extension name in META{Option}{Source}{Extension}
  instead of boolean value
• Fix incorrect Queue->SetDisabled introduced in r17674.
• Don't leave attachments in session after ProcessUpdateMessage to remove them
  from WebUI for next update.
• Formatting cleanup (thanks to Richard Hartmann, closes: #12457)
• Fix WebFallbackToInternalAuth (thanks to David Chandek-Stark, closes: #12478)
• RT::Test sets ENV{RT_SITE_CONFIG} to a tempfile that doesn't
  look like SiteConfig.pm so we need to force _LoadConfig to
  treat it as a SiteConfig, otherwise it won't let you override
  DatabaseName or MailCommand and running tests will drop your
  real database.
• use a little bit proper fix for site config thing
• Reduce list of owners from SelectOwner in Search to queues the current user can
  see (or see tickets in).
• Reduce the list of owners from SelectOwner in bulk update to queues where
  current user can create or modify tickets.
• update ru.po
  reuse some loc strings that we have already
• Revert commits that tried to fix the count of Owners displayed in Build.html/Bulk.html as it needs more discuss.
• in RT we use [_1] instead of %1
• use WebPath when invoking the Autocompleter
• upgrade scriptaculous from 1.8.0 to 1.8.2
  upgrade prototype from 1.6.0 to 1.6.0.3
  mainly bugfixes and browser compatibility nits
• local modification to avoid browser jumping when you try to use
  the keyboard to move up and down in an autocompleted list
• fix reporting by owner, created by and last updated by
• tiny html fix: an extra in Dashboards/Queries.html
• make words consistent in Install pages
• handle mails with nested inline signatures in old-style gpg format
• Correct test count for gnupg-reverification
• Rename schema.mysql to schema.mysql-4.0 to avoid confusion without reading
  Handle.pm (closes: #12665)
• Use friendly name for customfields in title of chart page (closes: #13144).
• add tests for validator
• schema.mysql was renamed
• use RT->Config instead of direct option variable access
• {Add,Del}Watcher references principals as a group can be added as watchers
• fix checking and recovering CGMs
• Grammar nit
• RT-Ticket: 13047
  Hide transaction custom fields from users who can't edit them
• quiet test warnings
• if you say JOIN you need to say ON or Pg will bail
• RT-Ticket: 13174
  There's a small typo in RT::Interface::Email that causes emails to be sent to
  the first To address only, ignoring the other recipients such as Cc.
  Requestors: [email protected]
• When we open a div, we should close a div, not a span
• Comboboxes weren't rendering properly on IE7. This appears to fix it
• LoadByValues returns detailed message on errors
• don't check right in GrantRight as ACE->Create does better job
• Pg 8.3 requires explicit casting of date types to text
  for substring and other functions
• Don't rewrite sub language name in preference if the variant is already
  enclosed by parenthesis.
• post check only when we're not in install mode
• localize $@ as we don't rethrow it
• on some systems gpg --version exits with code 2 even when it's 100% functional
• don't detect and decrypt blocks which contains GPG header
  in the middle of a string instead of the beginning
• use a local function to render attachments
  make difference between large text and not text
  show additional information when displaying named texts is disabled
  loc strings have been changed
• fix verifying of old style signed attachments: we must decode bodies first
• do better job at detecting attachments with signatures for them in another MIME part
• if we load all attachments then update %ARGS as we pass it through
• don't show GPG status for top most record, we'll handle it per attachment
• store status on the message by default on decrypt/verify and only on related parts
• we have status on all parts
• show gpg status per attachment
• adjust tests
• there is no $Config but RT->Config
• move WebDomain and WebPort above WebPath, these
  three are only options you usually need to setup paths
  calculate scheme in WebBaseURL using WebPort value
  don't add port to WebBaseURL if it's standard
• fix debug message
• add new option --skip-user
  use over/item/back for options in pod so usage actually outputs them
• Removed doc for a nonexistent option in testdeps
• RT-Ticket: 13125
  exit with positive code on errors, not all errors are handled,
  but this is beginning
• update es.po, thanks to Margarita Manterola
• not sure why, but on some systems without explicit status change mason doesn't
  set status to 302, but 200 instead and people see blank pages
• Set a default text color (closes: #13197)
• Add a test for the "On Reject" scrip condition (closes: #13181)
• add a bunch of tests, searches by CFs
• LoadByNameAndQueue should treat numbers the same way other methods do
• treat number specially in _CustomFieldDecipher, the way we treat it other places around
• wrap things we usually do with operations into a method
• fix searches by CFs
• Give verbose output when --debug is specified
• Log::Dispatch 2.22 began implicitly requiring Sys::Syslog 0.16
  If you're installing on a RH box, you probably only have Sys::Syslog 0.13
• Take care of RT-Attach-Message value so we don't add attachments if the value
  is "no" for example (closes: #13259).
  Thanks to Paul Vlaar.
• Add checks for user email address syntax, and cover bad syntaxes by tests
  (closes: #12726).
  Reported by Richard Hartmann.
• Don't assume that people were using "yes" for RT-Attach-Message until now,
  rather don't attach if it's set to n|no|0|off|false.
• Make syntax check of user email addresses configurable with a default of "no"
  to avoid breaking existing setups.
• Fix test so it uses our new 'ValidateUserEmailAddresses' option.
• make ExtractSubjectTag.pm aware of queue Subject Tags so it doesn't
  assume a Queue Subject Tag is a remote RT's subject tag
• Localize system groups
• Make approval passed rule close other approvals in the same level.
• remove an obsolete comment
• Test ticket creation with REST using non ascii subject.
• return 0 in a bunch of places so we exit with 0 rather than
  having warnings when we exit(undef)
• return 0 rather than undef to signal succesful completion
  to avoid warnings about calling exit(undef)
• clean up a warning when you have empty OCFVs
• use tmp dir as mason data_dir in rt-email-dashboards
• notify action with argument equal to 'All' sends notifications
  to owner as well, let's clear descriptions
• Linkify the dashboard portlet header
• Mason whines about getting an object argument; it won't stringify
• Set default DBA based on databvase type
• fix UseSQLForACLChecks: if user is direct watcher of a queue,
  however right is granted to global role then he didn't get that
  permission there is no global watchers, only queues and tickes, if at
  some point we will add global roles then it's gonna blow
  the idea here is that if the right is set globaly for a role
  and user plays this role for a queue directly not a ticket
  then we have to check in advance
• better recovery for corrupt owner groups on ticket owner change
• minor bin/rt doc fixes
• check ordering of custom fields
• we should not only check cache indicator, but also update it :)
• revert plural/single forms magic for rights, it's too unstable for 3.8
• Remove now-unneeded dependency on Lingua::EN::Inflect::Number
• cfs -> custom fields
• Make the path of the homepage index.html
• Factor out ListOfDashboards
• Add a callback for munging the list of dashboards
• Limit to seven dashboards
• Use the localized More instead of more
• Surround dashboard names with quotes
• Add a tab to go back to the homepage
• Factor out building a list of dashboard tabs
• Pass along $actions in Tools/Elements/Tabs
• Display other dashboards as tabs, basics/queries/subscription as actions
• Use the old interface for tempdir
• clean a bit
• t/shredder/utils.pl
• Fixing mistaken siteconfig commit, adding example of second item in list
• Fix failing dashboard tests
• Quieting an uninitialized warning
• Remove duplicate dependency in same group.
• error message typo fix
• Remove the quotes from dashboa...