From d3bbfbc163d5ea5ca999197f32319131009ee2cd Mon Sep 17 00:00:00 2001 From: "Mr. Senko" Date: Sun, 23 Aug 2020 01:25:18 +0300 Subject: [PATCH] Changelog for v8.6 --- CHANGELOG.rst | 165 +++++++++++++++++++++++++++++++++++++++++- docs/source/admin.rst | 3 + tcms/__init__.py | 2 +- 3 files changed, 166 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5c002efe72..125220c535 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,14 +1,173 @@ Change Log ========== -Next (unreleased) ------------------ +Kiwi TCMS 8.6 (23 Aug 2020) +--------------------------- + +**IMPORTANT:** this is a high severity security update which includes +improvements, database migrations, API changes, translation updates and +new tests. It is the fourth release to include contributions via our +`open source bounty program`_. + + +Supported upgrade paths:: + + 5.3 (or older) -> 5.3.1 + 5.3.1 (or newer) -> 6.0.1 + 6.0.1 -> 6.1 + 6.1 -> 6.1.1 + 6.1.1 -> 6.2 (or newer) + +After upgrade don't forget to:: + + ./manage.py migrate + + +Security +~~~~~~~~ + +- A high severity vulnerability which allows unprivileged data access + via JSON-RPC endpoints has been fixed: + + - Affects all previous versions of Kiwi TCMS + - Instances on public networks, such as Amazon EC2, are at higher risk + - Instances on private networks are still vulnerable to anyone who can + access the same network + - This vulnerability has been disclosed by Michael Longmire (ShastaQA) + and Stone Pack (ShastaQA) + +- Update marked from 0.8.2 to 1.1.1 for a medium severity vulnerability, see + `SNYK-JS-MARKED-584281 `_ + + +Improvements +~~~~~~~~~~~~ + +- Update django from 3.0.8 to 3.0.9 +- Update django-attachments from 1.5 to 1.6 +- Update prismjs from 1.20.0 to 1.21.0 +- Update pygithub from 1.51 to 1.53 +- Replace deprecated bleach-whitelist with bleach-allowlist +- Make django-extensions a production dependency because it provides + many useful manage.py commands +- Enable syntax highlight for code blocks +- Remove file attachments when related objects are deleted +- Add image and file upload buttons to text editor. Fixes + `Issue #977 `_ +- Require ``auth.view_user`` permission when trying to view user profiles. + Fixes `Issue #1685 `_ +- Multiple pages now explicitly require view permissions before displaying read-only + information. 
This gives administrators a finer grained control: + + - ``/bugs//`` -> ``bugs.view_bug`` + - ``/bugs/search/`` -> ``bugs.view_bug`` + - ``/cases/search/`` -> ``testcases.view_testcase`` + - ``/case//`` -> ``testcases.view_testcase`` + - ``/plans/search/`` -> ``testplans.view_testplan`` + - ``/plan//*`` -> ``testplans.view_testplan`` + - ``/runs/search/`` -> ``testruns.view_testrun`` + - ``/runs//`` -> ``testruns.view_testrun`` + + Previously these pages only required the user to be logged in + + +.. warning:: + + The ``auth.view_user`` permission is not granted by default because the + profile page contains personal information like names and email address, see + :ref:`managing-permissions`. + + +Database +~~~~~~~~ + +- Migrations which manipulate data (contain ``RunPython``) can now be + rollbacked. See ``./manage.py migrate --plan`` for the order in which + migrations are applied (Bryan Mutai) +- Increase ``Product.name`` size from 64 to 255 characters + + +API +~~~ + +- Remove method ``TestExecution.create()`` in favor of ``TestRun.add_case()`` +- Add method ``User.add_attachment()`` +- Multiple API methods now explicitly require view permissions before returning + read-only information. 
This is in-sync with the per-page changes listed above: + + - ``Bug.filter()`` -> ``bugs.view_bug`` + - ``Bug.report()`` -> ``testruns.view_testexecution`` + - ``Build.filter()`` -> ``management.view_build`` + - ``Category.filter()`` -> ``testcases.view_category`` + - ``Classification.filter()`` -> ``management.view_classification`` + - ``Component.filter()`` -> ``management.view_component`` + - ``PlanType.filter()`` -> ``testplans.view_plantype`` + - ``Priority.filter()`` -> ``management.view_priority`` + - ``Product.filter()`` -> ``management.view_product`` + - ``Tag.filter()`` -> ``management.view_tag`` + - ``TestCase.get_components()`` -> ``testcases.view_testcase`` + - ``TestCase.get_notification_cc()`` -> ``testcases.view_testcase`` + - ``TestCase.filter()`` -> ``testcases.view_testcase`` + - ``TestCaseStatus.filter()`` -> ``testcases.view_testcasestatus`` + - ``TestExecution.filter()`` -> ``testruns.view_testexecution`` + - ``TestExecution.get_links()`` -> ``linkreference.view_linkreference`` + - ``TestExecutionStatus.filter()`` -> ``testruns.view_testexecutionstatus`` + - ``TestPlan.filter()`` -> ``testplans.view_testplan`` + - ``TestRun.get_cases()`` -> ``testruns.view_testrun`` + - ``TestRun.filter()`` -> ``testruns.view_testrun`` + - ``User.filter()`` -> ``auth.view_user`` + - ``Version.filter()`` -> ``management.view_version`` + Bug fixes ~~~~~~~~~ -- Incorrect code formatting for
 HTML tags. Closes
+- Update documentation to reflect that test cases cannot be rearranged from
+  within a TestRun but only from a TestPlan. Fixes
+  `Issue #1805 `_ (@Prome88)
+- Incorrect code formatting for HTML 
 tags. Closes
   `Issue #1300 `_
+- Fix a bug with the history handler when importing objects with ID field set.
+  Resolves a crash when trying to restore backup data
+- Delete comments when Bug is removed
+
+
+Refactoring & testing
+~~~~~~~~~~~~~~~~~~~~~
+
+- Add linter to warn about missing backwards migrations callable in ``RunPython``
+  and fix all pylint offenses. Fixes
+  `Issue #1774 `_ (Bryan Mutai)
+- Teach linter to check API for ``@permissions_required``. Fixes
+  `Issue #1089 `_
+- Refactor ``NewExecutionForm`` to use ModelForm (Rosen Sasov)
+- Refactor ``UpdateExecutionForm`` to use ModelForm (Rosen Sasov)
+- Add tests for ``tcms.bugs.api``. Closes
+  `Issue #1597 `_ (Mfon Eti-mfon)
+- Add tests for ``tcms.bugs.views.New``. Closes
+  `Issue #1598 `_ (Mfon Eti-mfon)
+- Add tests for ``tcms.rpc.api.testplan``. Closes
+  `Issue #1627 `_ (@lcmtwn)
+- Add tests for ``percentage()`` function References
+  `Issue #1602 `_ (Mariyan Garvanski)
+- Add the ``migrations_order`` command to help test rollbacks
+- Adjust code for deprecation warnings from Django 3.1
+- Use Python 3 style ``super()`` without arguments
+- Update login page to match our new website design
+
+
+Translations
+~~~~~~~~~~~~
+
+- Updated `Chinese Simplified translation `_
+- Updated `Czech translation `_
+- Updated `French translation `_
+- Updated `German translation `_
+- Updated `Hungarian translation `_
+- Updated `Japanese translation `_
+- Updated `Portuguese, Brazilian translation `_
+- Updated `Slovenian translation `_
+
 
 
 Kiwi TCMS 8.5 (10 Jul 2020)
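Review bot: In the Security section, the JSON-RPC entry does not say which of the changes listed below addresses the vulnerability, or what an administrator has to do after upgrading. The Improvements and API sections state that pages and methods which "previously ... only required the user to be logged in" now require view permissions, yet the warning covers only ``auth.view_user``. Please state whether the other ``*.view_*`` permissions are granted by default, so that admins know if existing users will lose access after ``./manage.py migrate``, and cross-reference the API list from the Security entry if that is the fix. Wording nits: in the Database section "can now be rollbacked" should read "can now be rolled back", the warning's "email address" should be plural, and the ``percentage()`` entry is missing a period before "References".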
diff --git a/docs/source/admin.rst b/docs/source/admin.rst
index b27e312fa2..bd574e4d6a 100644
--- a/docs/source/admin.rst
+++ b/docs/source/admin.rst
@@ -54,6 +54,9 @@ in :mod:`tcms.issuetracker`.
 
     .. versionadded:: 8.4
 
+
+.. _managing-permissions:
+
 Managing permissions
 --------------------
 
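Review bot: The new ``managing-permissions`` label is consumed by ``:ref:`managing-permissions``` in CHANGELOG.rst, and ``:ref:`` is a Sphinx role, so the cross-reference only resolves where the changelog is built as part of the Sphinx docs. If CHANGELOG.rst is also rendered as plain reStructuredText elsewhere, the warning block will show an unresolved role; consider a plain hyperlink to the published admin page there. Style point: the hunk adds two blank lines before the label where the surrounding file uses one.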
diff --git a/tcms/__init__.py b/tcms/__init__.py
index 55e6fcd5b2..135af0a343 100644
--- a/tcms/__init__.py
+++ b/tcms/__init__.py
@@ -1,2 +1,2 @@
 # -*- coding: utf-8 -*-
-__version__ = '8.5'
+__version__ = '8.6'