CHANGES

Version 1.17.1  (June 2024)

Upgrade Instructions

  If using docker, rebuild the allura image and restart containers.

Security Fix
 * [#8563] CVE 2024-38379 authenticated XSS possible for neighborhood admins

Breaking Changes
 * [#8556] remove has_access(..)() syntax.  Custom extensions using this syntax will need to remove the second ()

For Developers
 * remove #allura irc mentions
 * delete unused jinja file with invalid syntax
 * replace tabs with spaces in jinja html files
 * add jinja linter to pre-commit


Version 1.17.0  (June 2024)

Upgrade Instructions

  Run: `paster ensure_index development.ini` in Allura dir

  To install updated dependencies, run:
    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed

  If using docker, rebuild the allura image and restart containers.

  To enable OAuth 2 with an existing .ini file, add: auth.oauth2.enabled = true

  To switch to the new session cookie handling:
    - add `session.jwt_secret_keys` to your .ini file, with a value generated by `python -c 'import secrets; print(secrets.token_hex());'`
    - `session.type = cookie` is no longer used
    - optionally `session.read_original_format = true` and rename `session.validate_key` to `session.original_format_validate_key` for backwards compatibility. Remove after a transition period
    - optionally `session.write_original_format = true` if it takes a while to deploy all your code to multiple hosts/procs. Then remove once all processes have new code.

Critical Security Fix
 * [#8561] CVE 2024-36471 DNS rebinding during imports

Breaking Changes
 * [#8556] deprecate has_access(..)() syntax.  Custom extensions using this syntax will need to remove the second ()

Major Changes
 * [#7272] Support for OAuth 2.0

Security Improvements
 * [#8526] improved session cookie handling security
 * [#8536] improve |safe and Markup usage
 * improve JS syntax and escaping
 * [#8555] check blocked users better
 * Python Package Upgrades

SEO
 * [#8527] discussion app display thread subject in header

Code Repositories
 * [#8529] support unicode in repo branch names

Wiki
 * [#8540] fix wiki page 'recent' sort

Tickets
 * [#8559] tickets API: better type handling
 * fix username hover on ticket search results
 * ticket's app titles should display current summary content

General
 * [#8533] switch python email 'policy' for better line length handling
 * [#8537] a few JS performance improvements
 * [#8558] user email changes not getting into solr
 * keep flash messages more visible
 * Hide activitystream entries whose corresponding object has been deleted
 * fully delete history snapshots when deleting artifacts (incl remove from solr)
 * in password reset, also try lowercasing the email to see if that matches

Admin
 * support overlapping admin urls, if a tool is installed with "groups" mount point
 * make active notifications easier to see in the list

Performance
 * use $regex instead of re.compile in mongo queries, so it uses indexes properly.  Maybe fixed in current mongo versions https://jira.mongodb.org/browse/SERVER-26991
 * add user_id index to oauth collections

For Developers
 * [#8528] improve allura.command_init
 * [#8532] [#8539] improve ruff checks
 * [#8534] set up github codeql
 * [#8538] Slight tweak to timeline helper methods
 * code cleanup using autopep8
 * Ignore .vscode settings folder
 * make it easier to change order of sidebar items w/ the AdminExtension
 * make ldap_conn() be a context manager, so unbind_s can be run automatically
 * add conftest.py that mocks out tg context
 * restore c.project.notifications_disabled after a task (can matter in tests)
 * remove some old six.PY3 checks
 * update RAT config to work with 0.16
 * better --profile behavior for scripts, add option for outputfile
 * remove i18n, only was used a tiny bit in templates


Version 1.16.0  (November 2023)

Upgrade Instructions

  To install updated dependencies, run:
    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed

  If switching to a new version of Python, you will need to make a completely new python virtual environment,
  and run `pip install ...` in it, and then use it to run Allura.

  If using docker, rebuild the allura image and restart containers.

Critical Security Fix
 * [#8525] CVE-2023-46851 import mechanisms allow local file access

Major Changes
 * [#8519] Drop support for Python 3.7. Python 3.8 through Python 3.11 are officially supported.

SEO
 * [#8521] Do not index empty ticket pages

General
 * package upgrades
 * specify formats supported for screenshots (BMP or GIF could work too, but not recommended)
 * replace deprecated "docker-compose" cmd with "docker compose"
 * fix solr 413 request too big for big batches

For Developers
 * minor improvements to release script
 * update build status icon on readme
 * ignore warnings from inside other pkgs, fix a few warnings
 * [#8524] update node version
 * [#8523] github api improvements


Version 1.15.0  (September 2023)

Upgrade Instructions

  To install updated dependencies, run:
    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
  Run: `paster ensure_index development.ini` in Allura dir

  If switching to a new version of Python, you will need to make a completely new python virtual environment,
  and run `pip install ...` in it, and then use it to run Allura.

  If using docker, rebuild the allura image and restart containers.

Major New Features
 * added support for Python 3.8 through 3.11
 * introduced Content-Security-Policy headers

Security
 * Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
 * better defaults for CSP to avoid warnings when developing
 * [#8470] Add CSP Headers
 * [#8479] CSP Headers Add Support For script-src
 * [#8510] Add HTTP Header Add Permissions-Policy
 * [#8511] Add HTTP Header Referrer-Policy
 * [#8504] CSP Headers Add Support For script-src-attr

SEO
 * noindex,follow for ticket milestone pages
 * h1 title improvement for wiki sections browse pages and browse labels
 * Make canonical tag on activities pages overridable
 * [#8492] Update noindex Logic for User Profiles
 * [#8464] Add noindex, follow on List Tools
 * [#8469] Add Missing Canonical Tag
 * [#8477] More Canonical Urls

Performance
 * chunked_find: avoid redundant query at end
 * performance optimizations related to anonymous()
 * speedup: private_project for anonymous
 * [#8497] ForgeMarkdown speedup

Tickets
 * fix error on feed url for non-existant ticket
 * remove ticket history records when uninstalling a ticket tool

Wikis
 * fix failing trac wiki tests that were previously unused and apparently wrong
 * [#8471] check for comments when setting wiki noindex

General
 * Move GA snippet down slightly
 * added noindex meta tag to new tickets page
 * use error template for 410 Gone statuses too
 * ignore a pure reformatting change
 * add @ to url autolink pattern
 * avoid unhandled error on bad input to /nf/markdown_to_html
 * improve artifact_feed.author_link index by including field it is sorted on
 * add indexes to Post for update_stats() queries
 * make oauth api_key unique, to match child class that has it unique
 * add --rm to single-use docker-compose commands, so container is cleaned up after
 * remove .travis.yml since ASF isn't using travis any more; we could make a GitHub action instead
 * Escape colons in the registration_ip field for IPv6 addresses
 * Add the r prefix to escape sequence for search fields
 * set c.project during add_artifacts task, like c.app already has been
 * Make sure filenames are interpreted as utf8
 * when a password reset link doesn't work, make the error more obvious and don't show them a login form since that's confusing
 * task command: add another filter option for days
 * fix weird HTTPError issue; details at https://github.com/agronholm/exceptiongroup/issues/39
 * further fix for latin1 in etag headers
 * [#8508] Generate unique id for screenshots
 * [#8484] Add Support For Fediverse Addresses
 * [#8489] support python 3.8
 * [#8483] Markdown: image target URL fails when reaches 100 chars + FIX(?)
 * [#8486] Git should look for 'main' branch
 * [#8475] Return 404 on "Awaiting Moderation" Threads
 * [#8473] use jinja's tojson instead of h.escape_json
 * [#8487] Enable Analytics In Debug Mode
 * [#8481] Commit Activity More Context
 * [#8463] Commit Statuses For Repositories
 * [#8467] support defopt with ScriptTasks
 * [#8498] PEP8 Cleanup
 * [#8482] saved comments (memorable) race condition
 * [#8488] Incorrect name of web docker image in compose files
 * [#8493] Make tracking snippet more self-contained
 * [#8472] Project Activity Delete Issue
 * [#8496] Trove Category Skip Limit for Admins
 * [#8499] Update Deprecated Method Form Validation

For Developers
 * Fix phone.attempts_limit check, if user had surpassed it already
 * autopep8 -i --max-line-length 9999 on many files
 * type hint for chunked_find
 * change [pep8] to [pycodestyle]
 * first substantial test file mostly passing under pytest
 * [#8455] Convert from nosetests to pytest
 * All tests in ./Allura collecting, and test_auth completely passing
 * pytest: ignore other package's namespace warnings
 * update deprecated html unescape function
 * upgrade regex-as-re-globally for py3.11 issue
 * fixes for Python 3.10 & 3.11
 * run pyupgrade (targeting 3.7 still)
 * Fix getiterator() deprecated in Python 3.9
 * restore scripts/ApacheAccessHandler.py to py2 compatible
 * with recent versions of pip but no wheel pkg, "pip install -e .." needs setuptools, so --no-index is a problem.  Remove that, and update folder paths to be clearly folders to ensure they don't get installed from PyPI
 * pytest: short (normal) tracebacks
 * fix "reindex" cmd help string
 * Update copyright year
 * fix rebuild-all.bash SVN replacement to match updated format
 * Add a helper method to TroveCategory to find by fullpath(s)
 * [#8500] upgrade TurboGears
 * [#8501] remove twemoji
 * [#8502] Replace pyflake with ruff
 * [#8490] Fix Failing Parallel Tests
 * [#8461] replace python-oauth2 with oauthlib
 * [#8494] Python Package Upgrades
 * [#8476] Upgrade Underscore Library
 * [#8491] JS Libraries Tablesorter and Sylvester
 * [#8495] fix DeprecationWarnings
 * [#6556] Error on undefined template vars, during development
 * [#8505] python 3.11 - jenkins setup
 * [#8513] Jenkins Buikd Docker Error



Version 1.14.0  (September 2022)

Upgrade Instructions

  To install updated dependencies, run:
    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
  Run: `./rebuild-all.bash` to get new ForgeFiles app available
  Run: `paster ensure_index development.ini` in Allura dir

  If switching from Python 3.6 to 3.7, you will need to make a completely new python virtual environment,
  and run `pip install ...` in it, and then use it to run Allura.

  If using docker, rebuild the allura image and restart containers.

Breaking Changes
 * [#8413] [#8390] drop support for Python 2.7 and 3.6.  Only Python 3.7 is supported in this release.
 * [#8399] In an effort to update the Docker startup steps to make them as
   easy as possible and compatible across as many OS's as possible, the default
   allura-data location has been moved from `/allura-data` to `./allura-data`.
   This will likely break existing Docker deployments. To fix your deployment,
   Either set the LOCAL_SHARED_DATA_ROOT env variable to /allura-data or change
   the value in the local `.env` file (or move your /allura-data to
   ./allura-data).
 * Remove the `force_ssl.logged_in` config option.  It is recommended to use https for
   all visitors, whether logged in or not.
 * [#8438] gravatar integration is disabled by default, for privacy reasons.  If you wish to enable it, add
   `use_gravatar = true` to your .ini file

Major New Features
 * [#8368] new Files App

Security
 * [#8414] Added a new validator to restrict private/internal ips from being submitted in import forms
 * Many package upgrades

General
 * [#8388] consolidate markdown_syntax and search_help pages
 * [#8402] Remove PreChecked Checkboxes
 * [#8424] Better Error Handling For Wiki And Discussion Pages
 * [#8404] SMTP maximum allowed line length
 * [#8430] improve SMTP retry logic
 * [#8401] Project Icon URL Param Issue
 * [#8454] Prevent Anonymous Github Imports
 * [#8403] Github Importer Enhancements
 * page and limit url params are now being included in threaded comments links
 * underscores in user's mentions parse correctly
 * Remove gittip_button macro; gittip is defunct
 * Avoid occasional errors in cached_convert logging
 * Prevent discussion stats endpoint from 500ing if hit without parameters

Code Repositories
 * [#5593] Create backlink from ticket when commit message contains ticket link
 * [#8060] Commit overview and diff changes are a bit messed up
 * [#8431] handle dir/file/symlink changes better
 * [#8432] diffs - add max file size
 * [#8450] API to list repos
 * Lower SVN import retry count significantly; block imports from plugins.svn.wordpress.org since it has millions of revisions

Wikis
 * [#8246] Set Home dialog validation fix
 * [#8459] Wiki Tool Installation Optional

Tickets
 * [#8434] Tickets Tool Search Better Error Handling
 * [#8457] Tickets Tool Actions Bug

Admin & Accounts
 * [#8393] Password recovery - resend verification mail for pending users
 * [#8391] Unsubscribe from a project when a user is removed from Admin group
 * [#8448] Oauth Authorize Screen Visual Update
 * [#8451] [#8458] record more admin actions in audit log
 * [#8405] added last_access field to save the last access date for OAuth tokens
 * Only activate+enable users exactly when needed
 * Make "enter" do the natural thing when adding an email to an account
 * Added checkbox option that sends message replies to users active email address
 * Ensure audit log email is the same as what was actually used
 * Show multifactor setup key in addition to QR code
 * various TaskCommand improvements triggered by expansions to purge command
 * add filter by age of task to TaskCommands

SEO
 * [#8418] SEO - omit certain empty apps/tools from sitemap
 * [#8420] Add "nofollow" to Markdown Syntax
 * [#8421] SEO - omit certain empty apps/tools from sitemap - pt2
 * [#8423] Wiki Page Versions Improvement
 * [#8429] Add noindex,follow to Authorization Redirects
 * [#8435] Robots Tag For Wiki History Pages
 * [#8437] Do Not Index Empty Blog and Discussion Forums
 * [#8439] Tool Search Add noindex, follow
 * [#8440] Add Canonical Link To Project Activity
 * [#8441] Project Members Page Better Title and H1
 * [#8442] Code Repos Links Should nofollow
 * [#8443] Project Activity And User Profile Link Add nofollow
 * [#8444] Add Canonical Link For Tool Sections
 * [#8446] Link Directly To User Profiles
 * [#8462] 301 to default tool instead of 404 under projects
 * [#8417] Added nofollow to generated links for RSS and Atom feeds
 * Better detection of empty wiki pages
 * noindex, follow on discussion stats page
 * added noindex, follow header tag to project search
 * On forums, use a 404 page instead of redirecting to a "deleted" page
 * added missing trailing slash on stats link
 * rel=nofollow on diff link, lots of them and not very useful content for search indexing
 * 301 instead of 302 for http/https redirects
 * Avoid extra redirect for /p/foo => /p/foo/ since the latter will do its own redir anyway
 * Preserve exact URL in pagination helper

Performance
 * [#4359] Reduce duplicate queries in threaded discussion display
 * [#8409] Speed up anonymous user handling
 * [#8410] Markdown performance mitigation
 * [#8416] Use regex library instead of re
 * [#8422] optimize more discussion thread queries
 * [#8447] restrict thread pre-caching to not be so greedy
 * update timermiddleware with perf improvement
 * post_widget.html has_access() cleanup:
 * make some markdown macros cacheable
 * Disable ming validation measurement since there can be a lot; fix requests Timer
 * Add post/forum_post index

For Developers
 * [#8364] empty ProjectRole cleanup
 * [#8389] CC-BY 4.0 and SIL Open Font License review & clarification
 * [#8392] Allow further downstream customization of SiteNotifications
 * [#8399] Broken Docker Setup Guide and Config + werkzeug upgrade
 * [#8411] Inline Defaults for *.yml Files
 * [#8415] Remove py2/3 bridging code
 * [#8427] Fix tests to work with latest git
 * [#8449] [#8452] [#8453] jQuery Upgrade
 * init Memorable.items sooner, should fix error when sf_markitup.js calls Memorable.add before Memorable.initialize ran (due to jquery upgrade)
 * [#8460] allow sending already-formatted message
 * [#8412] added new method default_redirect
 * fix sphinx documentation issues
 * make "c" a template global too
 * Fix sticky notifications
 * install docs: update Docker/IP wording
 * Remove node-sass npm dep
 * remove some "with context" from template imports
 * has_access() works with == not just is/bool checks
 * Add generic require_method helper, alongside require_post
 * Create a .git-blame-ignore-revs file
 * create .asf.yaml
 * New Relic: keep original transaction name if 500 error page is used
 * Allow memoize_cleanup to work with dicts or objects
 * Change ldap to simple_bind_s (does same thing, lets mockldap be used in tests)
 * Fix LdapUserPreferencesProvider.get_pref return.  Support multi-valued ldap prefs
 * Adds method to fetch multiple troves by their IDs
 * Add block to permit customization of user message notices
 * Include the incoming mail task id in logging
 * Have a field to track user registration date, not just rely on _id
 * switch from npm install -> npm ci
 * Log more details about image failures
 * updated the flash message if the picture upload raises an exception
 * Use default correctly in User.get_tool_data
 * HIBP better exception handling inside function and added basic test
 * Convert document/collection mapping to be like other MappedClass types
 * Special property hinting
 * Add type hints for all mapped classes' query attrs
 * Remove old unused OldProjectRole class
 * Handle historical activities with null icon_url value
 * Configuration improvement to global tooltips
 * fixing icon cache issues by updating the activitystream icon_url with the value from default_avatar_image
 * Remove invalid sourceMappingURL setting
 * Remove ancient IE css & html conditionals
 * Remove pb.transformie.min.js and jquery.browser shim
 * renamed model field and added a datetime field
 * added two new model fields to store additional email information
 * Remove some tool_data.sfx.userid mentions (not part Allura itself)
 * Let really_unicode() preserve Markup types.  Probably faster in most cases too
 * Fix SitemapEntry html attrs being skipped/clobbered in a few places
 * Change the exec call used by paster script cmd, to preserve the filename (helps when running coverage.py on a paster script cmd)
 * [#8394] upgrade pillow dependency
 * [#8396] Upgrade requests.  and more
 * [#8397] upgrade more packages
 * [#8400] Upgrade Ming and dependencies
 * [#8408] Upgrade markdown
 * [#8425] Upgrade Jinja to 3.1.1
 * [#8428] upgrade pip & friends
 * [#8445] Package Upgrades
 * upgrade oauthlib
 * Upgrade waitress
 * new pypeline package which allows <summary> html tag
 * Upgrade requests & urllib3 to latest
 * remove sql-only twophase_transaction helper
 * Update copyright year


Version 1.13.0  (May 2021)

This release supports Python 2.7, 3.6, and 3.7.
It is the last release planned to support Python 2.

Upgrade Instructions

  To install updated dependencies, run:
    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
  Run `./rebuild-all.bash` to get new ForgeFeedback app available

  If switching from Python 2 to Python 3, we recommend upgrading to Allura 1.13.0 first
  and then switch Python versions as a separate step.  When switching Python versions, you
  will need to make a completely new python virtual environment using Python 3, and run
  `pip install ...` in it, and then use it to run Allura.

  When running on Python 3, newer versions of Pygments and Pillow can be installed which
  include security fixes within those packages.  The versions specified in requirements.txt
  are older versions so that Python 2 can still be supported.

  If you have customizations or extensions for Allura, you will need to port that code to
  Python 3.

.ini file changes:
  If you have customized development.ini or docker-dev.ini for your own site, you will
  need to remove all the stats references after the "Logging configuration" section.
  Remove it from 2 `keys =` lists, and 1 `handlers =` list, and the whole [handler_stats]
  subsection.

  All `%` will need to be escaped as `%%`, for example in bulk_export_filename.
  `%` in logging configurations at the bottom of the file is ok.

  For python 3, comments on the same line like `foo = 123; comments` are no longer
  allowed.  For example, `override_root = task` needs to be its own line only.

  New configuration options are available.  If you have an existing .ini file, defaults
  will be used automatically, or you can set your own values for: phone.attempts_limit,
  scm.view.max_file_bytes, and scm.download.max_file_bytes

Major New Features
 * Added ForgeFeedback app
 * [#8260] textarea inputs work better on mobile devices, and use browser spellchecker
 * [#7935] Forum importer for allura's own export format
 * [#8339] Allow multiple site-wide notices to be active

Security
 * email on primary changed, password recover, email verified
 * email added/removed mail notifications
 * [#8362] Fix cookie lacking secure attribute
 * Publicize information disclosure security bugfix in 1.12.0 changes

General
 * [#8337] Show more helpful errors when username is wrong format
 * [#8383] avoid control chars in rss feeds
 * Help fix messed up multifactor auth sessions
 * Sort by shortlink newest first, in case there are multiple matches the first one will be used
 * Strip leading or trailing dashes when suggesting project shortnames
 * Handle [[embed]] errors specifically, instead of whole markdown text erroring
 * Handle better invalid URLs like /_list/ with no path after
 * added noindex tag to profiles with no activity and no projects
 * Small tweaks to controls around user messaging

Tickets
 * [#7712] Bulk edit with filter on errors
 * fix truncated ticket titles by allowing overflow wrapping

Wiki
 * remove displayname from wiki history/browse
 * show user cards for wiki usernames
 * canonical on wiki pages
 * wiki pages with noindex are omitted from sitemap.xml
 * confirm_btn_align fixed misaligned wiki confirm modal

Code Repositories
 * Don't move the page around when selecting a specific line in a repo page
 * Repo sidebar: no Browse Commits if repo is empty; add Browse Files for SVN
 * improve repo navbar SEO by 302->301
 * [#8357] SVN: fixes for %s in filenames
 * [#8350] non-unicode filenames in hg

Admin
 * [#8372] Misc site admin improvements
 * [#4069] Restrict ACLs that make projects private
 * [#8370] User admin page should drop trailing slash
 * Avoid error if a user blocked by permissions no longer exists
 * Refactor some trove admin bits, add some test coverage
 * Nicer formatting of user audit log details (make message bold)
 * Site admin: only show pwd reset related buttons if user is enabled
 * Allow long audit log messages to wrap
 * Add more functionality to the add_user_to_group.py script
 * Tooltip for youtube url, set type=url
 * allow incomplete URLs without http:// to be entered in browser
 * Remove byte size validator on project description (just validate string length)
 * Add permit_legacy flag to NeighborhoodProjectShortNameValidator in case a site has older names to allow during URL checks
 * Prevent private projects by disallowing access to 'permissions' page

Performance:
 * [#8381] Max file sizes for displaying/downloading from repo
 * [#8360] Misc performance improvements, icon CDN support
 * [#8359] stopforumspam performance improvement
 * [#8343] Improve image thumbnail compression
 * [#8341] Fix slowness on large diffs
 * [#8342] LastCommit & git log follow improvements
 * Github import rate-limit retry improvement
 * Put a general network socket timeout around RSS feed fetching (default otherwise is no timeout)

Deployment & Configuration:
 * [#8348] Support mongo 3.6 - 4.2.  To upgrade Mongo, you must follow mongo upgrade instructions (see ticket for links)
 * Add better gunicorn cmd example to docker-compose-prod.yml
 * [#8384] Enforce login throughout phone verification process
 * Set a limit for phone verification attempts
 * Update favicon.ico and use it in docker; avoids 404 which disrupts session esp. multifactor login
 * Skip spam checks on metadata comments (ticket diff) and imported comments (often ip/ua/referrer/author info is not available)
 * Work around virtualenv 20 issue causing our entry points to not be found
 * renamed topic/categories jabber,audio/conversion,video/conversion

For Developers
 * Update copyright year
 * [#8347] Get all dependencies py3-compatible
 * [#8354] Replace dependencies that aren't py3 compatible
 * Many python package upgrades
 * [#8363] Upgrade ming & pymongo
 * [#8333] support newer mercurial if Forgehg is used
 * Many python 3 related changes
 * [#8340] Increase test coverage
 * upgraded SimpleMDE to EasyMDE
 * [#8380] API to create projects
 * [#8386] review licenses of python dependencies
 * [#8373] Misc code style fixes
 * [#8345] event tasks can start too soon
 * [#3938] Stats logging should not go to the "console" handler; remove it
 * Make my_projects_by_role_name always return a list, even when logged out
 * Misc: avoid errors when invalid page param
 * Misc: avoid errors when sort param doesn't have a direction part
 * misc: avoid filter=foo erroring
 * Misc: check apache config file as part of docker build
 * Handle json (raw data not form encoded) posts better
 * Reformatted code so it matches pep8 guidelines
 * ago_in_past helpers.ago returns 'in ...' if date is in future
 * Send project_menu_updated events from a few other places that can change the menu
 * Handle oauth scope checks better when no access granted at all yet
 * Fix patch_middleware_config context manager error handling
 * Avoid test error if git config from user/system has push.default set to 'nothing'
 * remove old Makefile
 * travis: fix pip cmd; enable py3 testing
 * A bit more logging before phone validation
 * Youtube oembed via https now; handle more status codes and errors better
 * pep8/pycodestyle cleanup
 * store project icon file hash
 * shorter tracebacks on error debug pages
 * Switch web debugger from Backlash (fork of werkzeug) to current werkzeug
 * added new app.sitemap_xml() that is used when generating sitemap.xml
 * Add logging if an index task unexpectedly has "dirty" objects to save back to mongo
 * Fix latest pyflakes violations
 * oauth_begin() to check scopes on an existing token


Version 1.12.0  (October 2019)

Upgrade Instructions

  Run: `pip install -r requirements.txt` to install updated dependencies

  If you wish to opt-in existing users to username notification emails, run:
  `paste script your-ini-file.ini allura/scripts/set_default_user_notifications.py`

Username mentions and profile page changes:
 * [#8284] Implement the notification email sender
 * [#8285] Add a preference area for user mentions notifications
 * [#8323] Trigger notification task per each artifact creation/modification and add tests
 * [#8324] documentation for user mentions feature
 * [#8330] Nicer user-project urls (for underscores) and titles

Security
 * [#8335] Generic search doesn't do permission checks

Performance
 * [#8332] Fix slowness on some large files in code repos
 * [#8334] Python-ombed has no timeout by default
 * [#8313] Make saved search cache expiry configurable, disable-able

Admin
 * [#8318] Admin option to generate password reset link
 * [#8331] Remove export controls settings

For Developers
 * [#8314] @memoize on methods should still allow garbage collection
 * [#8321] Unhandled error in Antispam class
 * [#8320] Upgrade various packages
 * [#8325] Upgrade more packages
 * Update docs to match git/httpd config from [12f1d6]
 * Publicize XSS vulnerability in 1.11.1 changes


Version 1.11.1  (July 2019)

Upgrade Instructions

  Run: `pip install -r requirements.txt` to install updated dependencies
  If using docker, run: `docker-compose up -d --no-deps --build http`

New Features
 * [#8283] Add infotip for user mentions

Bug Fixes:
 * [#8315] XSS vulnerability when adding another user to a project
 * [#8312] Flash message regression due to TG upgrade
 * [#8317] Docker image for git/http not working for pushes
 * [#8316] Award/accolades error if project is removed
 * [#8299] More precise markdown @username regex

For Developers
 * Improve .ini notes about static caching in production
 * [#8300] Update to py3-compatible Pypeline pkg
 * [#8311] Split up and organize requirements.txt
 * Publicize security fix in 1.11.0 changes


Version 1.11.0  (June 2019)

New Features
 * [#5461] Option to subscribe to forums and other types of threads, when posting
 * [#8253] Adding reaction support for comments
 * [#8263] Indicate current reaction of comment
 * [#8274] Add optional HaveIBeenPwned checks for password changes
 * [#8281] Enable user mentions in markdown editor
 * [#8282] Implement autocomplete list to selected users for mentioning

Upgrade Instructions

  Run: `pip install -r requirements.txt` to install updated dependencies
  Run: `python setup.py develop` in the `Allura` subdirectory
  Recommended: `pip uninstall -y WebFlash WebError Pylons Tempita simplejson Routes` to remove old dependencies
  Recommended, after upgrade is complete: in mongo, run `db.repo_commitrun.drop()` to free up storage space
  To enable haveibeenpwned.com password checks:
    Add to your .ini file the `auth.hibp_password_check` and following settings from `development.ini` and set to true.
    Run: `paste script your-ini-file.ini allura/scripts/backfill_previous_login_details.py`

Security
 * [#8303] CVE-2019-10085 Apache Allura XSS vulnerability in ticket user dropdown selector

Code Repositories
 * [#6440] incorrect diff encoding (original in ru_RU.UTF-8)
 * [#8264] AssertionError from git branch lock file
 * Clear localStorage of merge request descriptions after successful create or edit

Discussion Forums
 * [#8237] Moving discussion thread breaks attachments

General
 * [#8261] Embed youtube videos without cookies
 * [#8269] External link redirects should be 302 instead of 301
 * [#8270] External link tool: rel=nofollow, omit from sitemap
 * Track menu mount_point explicitly, fixes [#8270] regression of unconfigurable external links
 * [#8289] Parse error in allura.tasks.mail_tasks.route_email
 * Fix project-wide search with unicode terms
 * Use correct vars in flash error message, when trying to send too many messages
 * For fields like username/email/password fields, set some autocomplete/capitalize hints

Admin
 * [#8302] Screenshot caption inputs not clickable in chrome
 * [#8256] Drag-to-reorder on touch screens
 * [#8280] Faster spam controls in discussions

Performance
 * [#8271] Remove CommitRun usage
 * [#8272] Really big artifact_feed queries
 * [#8298] Use jinja caching settings for EW core widgets
 * Lazy load /tree controller (self._commit.tree can run compute_tree_new and svn info2 for example), and run .ls() only once

For Developers
 * [#8081] Subscriptions page should have the issues' Title column - migration script bugfixes
 * [#8093] Developing Mobile Web View
 * [#8222] TestForumMessageHandling fails occasionally
 * [#8259] Update docker & docs for newer Ubuntu LTS
 * [#8265] Update spam filter plugins
 * [#8268] Make TroveCategory shortname unique per trove type
 * [#8273] Upgrade TurboGears and WebOb partially
 * [#8276] Turbogears 2.3.2 upgrade followup fixes
 * [#8277] UnicodeDecodeErrors with weird url params
 * [#8278] Track previous login details
 * [#8279] Additional login security checks
 * [#8286] Upgrade TG/etc more, remove pylons etc
 * [#8287] Backfill all previous_login_details - NEEDS SCRIPT
 * [#8288] Remove genshi templates, update EasyWidgets to py3-compatible
 * [#8290] Move previous_login_details to a separate collection
 * [#8291] Upgrade timermiddlware
 * [#8295] error with latest EasyWidgets and debug=false
 * [#8296] Regression on branches with "/" in name
 * [#8301] Fix some issues with encoding in urls
 * Release script: sort tags better (like 1.10 after 1.9)
 * Avoid git directory clashes in tests
 * Remove vagrant config
 * Fix linter test when certain number of files are being linted, and files list is empty
 * Upgrade colander and its dependencies
 * Remove unused menus() function
 * Update Node.js 4.x to 10.x
 * Update our git repo URL


Version 1.10.0  (October 2018)

New Features

 * [#8230] Make markdown checklists interactive
 * [#6923] Support emoji shortcodes
 * [#6299] Support attachments on blog posts and new forum topics

Upgrade Instructions

  Run: `pip install -r requirements.txt` to install updated dependencies

  Run: `paster script your-ini-file.ini ../scripts/migrations/034-update_subscriptions_ticket_and_mr_titles.py` in Allura dir

  If you have your own .ini file (recommended), add `disable_entry_points.allura.theme.override = responsive` to it

Security
 * [#8255] Escape html on wiki & blog diff views

Uploads & attachments
 * [#2578] Handle BMP images
 * [#6560] if same filename used, screenshot thumbnail not update
 * [#8043] Animated gif attachment silently converted to static gif
 * [#8238] Delete screenshot doesn't show any confirmation
 * [#8239] Screenshots lightbox
 * Add validation for screenshot file input

Accounts
 * [#7459] Show password requirements on forms
 * [#8244] Warn user if attempting to send messages when messaging is disabled
 * [#8081] Subscriptions page should have the issues' Title column
 * [#8233] Add "title" to envelope icon

Discussion Forums
 * [#8232] DuplicateKeyError can happen on forum thread ids
 * Make forums admin inline editing layout better

Admin
 * [#8225] Component delete everything end up with 404
 * [#8242] When deleting module and user at permissions page still gives 404
 * [#8247] Project Categorization select and button are attached together
 * [#8248] Module rename dialog accepts empty inputs
 * Enforce a format for GA tracking id
 * Fix _id var name (affects user searches where *anonymous/None is in results)

Code Repositories
 * [#8231] Forking a repo doesn't keep the default branch

Wiki
 * [#8246] Set Home dialog validation fix

Blog
 * [#8249] Blog revert gives 405 Method Not Allowed

For Developers
 * [#8093] Developing Mobile Web View
 * [#8240] Personal Dashboard - Add dashboard docs
 * [#8241] SMTP maximum allowed line length
 * [#8243] Template extension point to wrap all content
 * [#8245] Rename "row" and "column" classes
 * Restore srcset support for img tags in HTML
 * Upgrade paster packages to latest versions
 * Allow more admin page customization via some div classes, and jinja block
 * Santize more in paging_sanitizer() to avoid errors on invalid URL params
 * Error handling around invalid pagination limits


Version 1.9.0  (September 2018)


New Features

 * Personal Dashboard, showing your own tickets, merge requests, projects, etc
 * [#8196] Save content before form submission
 * [#8085] Add support for checkboxes to the markdown converter

Upgrade Instructions

  Run `pip install -r requirements.txt` to install updated dependencies

  Run: `paster ensure_index development.ini` in Allura dir

General
 * [#8212] Github import error on deleted users
 * [#8217] Content doesn't get saved when rate limit is hit
 * Improve new external link dialog
 * Fix scrollbar issue in "get link" dialog
 * Add search help about specific fields, to blog, chat, discussion, wiki tools
 * Audit log table fits better
 * Make project status UI more prominent
 * Better project import validation

Accounts
 * [#8199] 2FA recovery codes file - line endings
 * Don't list your own u/username project as going to be orphaned when disabling your account
 * Only float profile project icon to left, avoid possible emoji img like in "Allura™"

Administration
 * [#8186] Make antispam form post expiration configurable
 * [#8197] Site admin searches match better
 * [#8198] Ability to remove activity entries
 * [#8210] Use different tmp dir for code snapshots
 * [#8211] Use different tmp dir for project exports

Wiki
 * [#1699] Fix incoming email for wiki pages with space in the title
 * Show wiki edit link & login prompt, based on actual perms, not just whether user is logged in

Code Repositories
 * [#6070] Make code snapshots based on directory
 * [#8194] Persist the list of commits on Merge requests
 * [#8200] Update GitPython to support git >= 2.15
 * [#8201] Mask/hide email addresses in commit messages
 * [#8214] Compute merge request commits in background
 * Avoid calling _git.heads unnecessarily

Tickets
 * [#6353] Pre-fill "private" using URL param
 * [#8149] Bulk Delete for tickets
 * [#8213] Nested replies don't update ticket timestamp
 * [#8224] Ticket subscriptions orphaned when moving tickets
 * Avoid error when closing a private ticket created by a deleted user

For Developers
 * [#8195] More test coverage for rate limiting
 * Use correct capitalization for solr "OR"
 * Upgrade jinja to 2.10 and avoid bytecode versioning problems
 * wrap export controls area on metadata admin page
 * Don't generate SHA1 files any more, per ASF policy update
 * Provide another master template block to hook in after the "block head" that many individual templates are using (without calling super)
 * Support video_url field in project import
 * Add a note to the debug section about how to do it with docker
 * Make debug pages and post permalinks work correctly when behind a proxy (like docker)
 * refreshrepo.py option to control creating activity, firing webhooks, etc
 * Option in refreshrepo.py to clean commits after certain date
 * Publicize previous security fix in changelog


Version 1.8.1  (March 2018)


New Features
 * [#8192] StopForumSpam filter and moderation+spam update
 * [#8193] Allow rate-limiting of comments

General
 * [#4841] Anonymous updates should be moderated
 * [#8182] Improve category management screens
 * [#8183] Browse Commits graph should support hi-dpi
 * [#8184] Project Importer should include optional icon
 * [#8185] Allow additional domain patterns for inbound email
 * [#8187] Make forum thread subjects editable
 * [#8191] Remove html-only mailing options
 * Adds convenience property for Neighborhood shortname
 * Fix visual style on a modal cancel button
 * Add tool_data field, use ProjectRegistrationProvider shortname validator, cleanup
 * Ensure after a pwd reset, you can still log in.  Test improvements.

Performance:
 * [#8189] Fix slow forum listings
 * [#8188] Config options for some scm limit params

Security:
 * [#8190] HTTP response splitting vulnerability CVE-2018-1319
 * Remove md5 from our release script, per latest ASF dist policy
 * Publicize previous security fix in changelog


Version 1.8.0  (February 2018)

New Features

 * Notify user of password changes, and more login audit logging
 * [#7908] Docker setup for production environment

Upgrade Instructions

  Run `pip install -r requirements.txt` to install updated dependencies

  To subscribe merge request creators to their own merge requests, run:
  paster script config-file.ini ../scripts/migrations/032-subscribe-merge-request-submitters.py

Bug Fixes & Minor Improvements

Security:
 * [#8180] StaticFilesMiddleware allows directory traversal CVE-2018-1299
 * [#8155] Record logins to audit log
 * [#8156] Notify user of password changes
 * [#8158] Add antispam measures to login page
 * [#8159] Loosen ip requirements for antispam checks

General:
 * [#6342] Errors in ForgeLinkPattern parsing
 * [#8160] UnicodeEncodeError processing inbound email
 * [#8169] Updating markdown cache should not affect last_updated
 * [#8172] Markdown dialog shows same text repeatedly
 * [#8176] Don't show related artifacts that user can't view
 * Make Youtube embed work better with different CSS
 * Allow a legacy icon (no original stored) to still be served when a larger width is requested
 * If small icon requested, allow resizing down from old icons even if we don't have newer fullsize original
 * Add a stylized search button to sidebar search boxes
 * When reindexing, set c.app based on current artifact to avoid "Ambiguous link..."
 * Make sure fontawesome never is downloaded twice, since we always provide it
 * Upgrade to pygments 2.2 (includes faster HTML rendering for long lines)

Code Repositories:
 * [#7896] Better plaintext mail for commit notifications
 * [#8048] Better email subjects for merge request updates
 * [#8157] Improvements to multiple commits in single notification
 * [#8164] Merge requests should notify the submitter of changes HAS MIGRATION SCRIPT
 * Handle repo's upstream fork being gone, rather than whole sidebar being blank
 * Fix git merge requests to not update project last_updated when viewed.
 * Show a root directory icon in the repo directory breadcrumbs too
 * If a user can "write" to a MR but not "post" to it, still let them reject their MR
 * Clarify a bit that a repo refresh is different than just refreshing the page
 * Put the disabled attr on the merge button, not the icon within it
 * Handle git 2.x output for last-commit detection
 * Fix url encoding of diff urls
 * Ensure markdown always gets unicode input (e.g. for rendering files from a repo)
 * Fix encoding errors noticed in test.log when running tests with weird-chars.git repo

News:
 * [#8167] errors when updating blog post, if feed item doesn't exist

Activity:
 * [#8171] Changing your name should update your activity records
 * [#8173] Empty activity pages have floating "1"

Wiki:
 * [#8175] Better permission handling for non-existent wiki pages

Tickets:
 * [#8177] Search bin counts include deleted items
 * [#8178] Configurable invalidation delay for bin counts update
 * Don't error on search_feed if ticket has unresolvable reporter
 * Avoid errors on ticket search if filter=123 or =foo instead of json dict

Forum:
 * Better labels & buttons for creating new forum
 * Cache Thread.last_post, which avoids dupe queries when the prop is accessed frequently, e.g. in allura/templates/widgets/threads_table.html
 * Include thread subject on spam check (for first post of forum threads)

Admin:
 * [#8162] When purging a project, admin users missing audit log
 * [#8174] Improve messaging around icon uploads
 * Improve user skills interface:
 * Allow subprojects within User-projects to be removed (since you can create them, after all)
 * Fix positioning of Create project button
 * Add username to admin user detail page title
 * Provide convenience link on admin user detail page to remove all their projects
 * Stronger delete tool messaging (since some people may use it while on an individual thread page)

For Developers:
 * [#8161] Switch from React to Preact - or upgrade to React 16
 * [#8168] Remove TreesDoc usage
 * [#8179] Use PreferencesProvider for contacts and availability fields
 * If an entry point is specified incorrectly, provide helpful error message and continue
 * Flash message positioning moved CSS
 * Add **kw to various @expose'd methods to avoid errors from extra url params
 * Make merge instructions textarea height/width controllable by theme CSS
 * Allow packages to have their own test.ini used automatically from their TestController tests
 * Fix & clean up breadcrumbs link logic (loop scoping changed in jinja 2.9.x)
 * Adds subnav to some account pages, allow explicit selection of current nav item
 * Replace g.url usage with h.absurl; have it always use config.base_url so it works fine behind proxies, etc
 * Adds extra content block for masthead, Adds optional textbox placeholders
 * update jinja version; handle new jinja filter args and loop var scoping
 * Add support for a size param in project_icon_srcs
 * Tests can sometimes convert markdown in "0 seconds" making the caching not work, so use a slightly negative number
 * Provide a AuthProvider hook to do things after login
 * Release script: push single tag instead of all tags

Deployment & Configuration:
 * Better bearer token https check; Unauthorized instead of Forbidden
 * Provide a good index for last_post queries, so mongo won't ever pick the 'timestamp' index which can be very slow
 * Config option to customize the default user avatar image
 * Remove SF branding from default icon (on profile pages), allow overriding
 * Upgrade docker-compose file to v2 format
 * Replace forgemail.url with base_url
 * Include Date header in email, instead of assuming mail service will add it
 * Ticket custom fields that are "number" need to be indexed in solr as double, not int
 * Optional support for much faster cchardet, used in really_unicode()
 * Use nofollow on raw (download) and mode switching links, to reduce crawling within repos a little bit


Version 1.7.0  (June 2017)

New Features

 * [#8143] Support hi-res logos
 * Adds ability for neighborhood home to use Wiki home content

Upgrade Instructions

  Run `pip install -r requirements.txt` to install updated dependencies

Bug Fixes & Minor Improvements

 Security:
 * [#8140] After password change, change current session id
 * update Pypeline for .rst XSS fix
 General:
 * [#5867] Table display too wide, displaying very wide content in comments
 * [#6016] Personal Contacts Remove button not working
 * [#8120] CSS problem in help tooltip
 * Allow for a lot more text in activity entries; do real truncation client-side
 Code Repositories:
 * [#7811] Coloring of long lines in diffs stops too early
 * [#7814] Showing diffs for renamed files
 * [#8144] When pushing multiple commits, email/rss list them backwards
 * [#8142] Allow more configuration of types of checkout commands
 * Remove unneeded broken icon link
 Admin:
 * [#7839] Failed to change permission of discussion
 * [#7232] some unmoderated posts missing from in-line discussion view
 * [#8021] Surface to spammy users to site admins
 * [#8055] Moderate page has wrong params for next/prev page
 * [#8073] Prevent pending users from being added to project ACLs
 * [#8148] Error exporting with certain attachments
 * Remove space in middle of URL that shows where a new tool will be installed at
 * Fix broken export control link
 Tickets:
 * [#8059] Ticket search's dropdown filter choices should not show options from deleted tickets
 * [#8150] Bulk edit change comment not shown as meta
 * [#8154] Ticket searches not matching properly
 * On new ticket page, hide helper text that was showing at bottom of page; regression from [#8145] most likely.  Rules copied from jquery-ui.css which isn't included on that page
 News:
 * [#8112] Filter out comments from rss feeds
 * Fix RSS updates to blog posts, when post has comments.
 For Developers:
 * [#8145] Minimize jquery ui JS
 * [#8146] Index error with mongo 3.4
 * [#8152] UnicodeDecodeError on svn tarball export's cleanup
 * [#8153] Stronger no-cache headers
 * Updates to installation (libffi-dev needed for cffi package if not installing from wheel)
 * Some SVN errors have critical info after the "Unable to connect" lines (e.g. unreadable repo formats from a newer SVN versions), and should not be treated like an empty/missing dir
 * Latest ubuntu requires locales pkg for locale-gen cmd
 * Move "stylistic" rules from navbar.css to site_style.css so that different themes can more easily style the nav bar
 * Remove unneeded backslashes
 * Upgrade jquery.lightbox_me.js so it can work with jQuery 2 (no $.browser)
 * Change the ForgeUserStats tests' git repos to be unique from each other so they can be run in parallel safely
 * Update link to SVN patch for recursive repos
 * Allow spam checks where artifact=None; text fixes; for [ca8b596]
 * Update six to latest, to match with latest setuptools' six requirement
 * Fix inner_grid for right_bar. Closing quote and variable scoping were wrong.  Not used in core allura currently, so hadn't been a problem
 * Removes neighborhood cache
 * Avoid importer requests hanging indefinitely
 * Better debugging with docker


Version 1.6.0  (December 2016)

New Features
 * Multifactor authentication and recovery codes
 * Add git-http docker container
 * Per-thread subscriptions in discussion forums [#7981]

Bug Fixes & Minor Improvements

 General:
 * Specify python 2.7 and ubuntu 16.04 in docs
 * [#6876] Handle revoked OAuth tokens for GitHub import
 * [#8132] Fix comment threading when email In-Reply-To header isn't useful
 * [#8125] Require password when confirming new email address
 * Add rel=nofollow to links in user profiles
 * Includes "seconds" in ago() helper
 * Remove src="#" that was causing extra requests to the same page
 * Fix iframe sanitization so that closing tag is okay, which had been putting closing tags in the wrong place
 * Good text wrapping on project lists
 * Remove weird notch from project list when project has award, and using 2 or 3 column display
 Admin:
 * [#8135] Improve admin categorization page
 Code Repositories:
 * [#5496] Git browse view stalls on "Loading commit details ..."
 * [#8001] Error with git status "T" in a commit
 * [#8131] refresh repo task uses wrong query
 * Remove message about browser not supporting canvas
 * Adds commit id to notification email subject
 For Developers:
 * [#8062] Naming of docker image is incorrect in docker-compose during initial build using git
 * Update docker images, pysolr
 * Update for newer `docker-compose logs` syntax
 * Fix RAML syntax (queryRequired wasn't coming through as bool in the type def), other minor tweaks
 * Split up pylint test into chunks that can be run with nose multiprocess; move pyflakes chunks into parallelized pattern
 * Various other test improvements
 * Remove requirements from setup.py


Version 1.5.0  (August 2016)

New Features
 * [#3593] Add a guided tour after project registration
 * [#8088] Design changes to Discussions
 * Added project count and new design for neighborhood listing
 * Design changes to list attachments. Added lightbox_me to view images
 * Updated design of tool listing
 * Added refresh commits button to merge requests
 * Added emoji rendering via twemoji

Bug Fixes & Minor Improvements

 General:
 * [#4644] Don't whitelist form elements in markdown processing
 * [#8006] Large timeline performance issue in activity stream
 * [#8082] Rate limit artifact creation per-user NEEDS INDEX
 * [#8094] Improve project creation UX
 * [#8110] moderation queue items with long lines break layout
 * Added optional parameter metalink in sendmail function that adds a view button in email clients
 * Move help/fullscreen/preview icons on markdown editor to the right
 * Fix how far lists inside comments can go; a proper fix for [#6248]
 * Compressed PNG images losslessly using OptiPNG (-o6 -zm1-9)
 * No rate limiting for anonymous user; on wiki page edit check perms before rate limit
 * Whitelist posts for members of a project
 Code Repositories:
 * [#6409] CSS & JS on commit view missing
 * [#7949] Better listing of files changed in a certain commit
 * [#7965] Improve git/hg/svn endpoints for rest api
 * [#8048] Better email subjects for merge request updates
 * [#8078] Missing notification when using the one-click merge button
 * [#8090] Show merge requests in sidebar, even if there are 0
 * Added link items of owner column to filter by assigned_to
 * Improve design of merge requests listing filter
 * Fix for scm-ssh-key to be visible only if allow upload ssh key is true
 * Speed up checking of newly forked repo (patterned after tarball, merge request pages)
 * Use authored date instead of committed date in merge requests
 Tickets:
 * [#8087] Make Columns resizable in ticket table and ticket search
 * [#8104] Skip creating metapost if list of changes is empty
 * [#8106] tracker: can't reply to comment which was just moderated Approved
 * [#8108] tracker markdown text editor handles end key incorrectly
 Wiki:
 * [#8071] Create wiki page button should work without admin access
 * [#5194] For newly registered projects, don't send new wiki page email
 Admin:
 * [#7858] /categories URLs needs to use unique ids
 * Don't error out when reindexing a post/thread that has been deleted
 * Specify title for /nf/admin/new_projects page
 API:
 * [#8077] Add author profile picture information to the post inside response from the API
 * [#8092] REST API for User Activity does not work due to missing attribute
 For Developers:
 * [#8040] Upgrade SimpleMDE and contribute our toggleCodeBlock
 * [#8079] ensure_index command should not drop indexes
 * [#8109] Reduce gridfs index creation
 * Update copyright year.
 * Adds a jinja block for specifying css classes on body element
 * Remove modernizr and some unused related classes.
 * Updated readme
 * Minor updates to release script
 * Do not buffer output from gunicorn (or taskd/mail containers that extend this one), useful when using print statements during dev
 * Stop tracking ForgeGit/forgegit/tests/data/testgit.git/FETCH_HEAD file which changes values based on local machine when running tests
 * Add a few helpful notes for Docker installation, move login info to Post-setup section so Docker installers see it too


Version 1.4.0  (April 2016)

Upgrade Instructions

 To show a custom logo, update your .ini file with logo.* settings (see development.ini for examples)
 To show custom header links, set global_nav in the .ini file

New Features
 * [#7919] [#7920] New admin nav bar
 * [#5940] Add options for site logo and links in header
 * [#8023] [#8024] Site notification admin interface
 * [#6662] [#8051] Add attachments to Export
 * [#7987] Standardize fenced blocks in markdown

Bug Fixes & Minor Improvements

 Code Repositories:
 * [#8029] Submitter should be able to reject merge request
 * [#8042] Better handing of tmp dirs during merge
 * [#8072] Change "asked you to merge" text
 * Remove .ts from list of known binary extensions; allow repo settings to override binary blacklist
 * Encode username for git
 Wiki:
 * [#7998] Adding attachment to wiki loses your text changes
 Tickets:
 * [#7929] Enable voting on tickets by default
 * [#8069] Ticket search error: undefined field assigned_to
 * [#8061] Attachments not visible if ticket status is 'pending'
 Blog:
 * [#4153] RSS feed for blog should not show revisions or deleted posts
 * [#8031] Show blog search box
 Admin:
 * [#7145] When deleting a tool, the solr call should be a bg task
 * [#7682] Add confirmation dialog to award/awardgrant delete
 * [#8020] Easy way to view all posts from a certain user, and flag as spam
 * [#8033] create-allura-sitemap.py broken
 * [#8037] Change "Label" admin option to "Rename"
 * [#8057] Handle user-projects better in project delete form
 * When deleting a user project, actually do it - not just disable the user
 General:
 * [#4849] Pages are more printer-friendly
 * [#7978] Activity page fixes
 * [#8003] Bugs in attachments to comments
 * [#8005] Subprojects not checked for 'deleted' flag
 * [#8010] Markdown editor does not load when url hash contains slashes
 * [#8013] New Users should not be displayed in /u/wiki/home until email is verified
 * [#8036] Update modal css (simple-flat-dark)
 * [#8046] Don't duplicate titles on neighborhood pages
 * [#8066] Don't error out on missing users
 * Add login redirect to the nav "Log In" link
 * better tool descriptions
 For Developers:
 * [#7907] Use standardized solr installation
 * [#7921] Remove old tool configuration page
 * [#8032] Set up primary emails for test users (paster setup-app)
 * [#8034] Fire event for any menu changes
 * [#8035] Finalize frontend eslint/jscs setup
 * [#8038] Support mongo 3.x
 * [#8039] Change jslint to use an npm tool instead of java
 * [#8041] Update regexes to match DNS host rules better
 * [#8044] API for current site notification
 * [#8047] Akismet filter needs to send original metadata when reporting spam/ham
 * [#8054] Remove Google Code importers
 * Add audit log messages to disable_users.py script
 * Docker fixes
 * Add clear_user_data and from_username helper methods
 * Add guardfile for livereload of frontend changes
 * Delete bootstrap tasks instead of running them; 30-40% speedup in test run time
 * new admin APIs, new _nav.json param
 * remove AdminModal widgets, use JS directly
 * remove sidebar_menu_widgets and admin_menu_widgets, using JS directly instead
 * upgrade existing react code to 0.14
 * better calculation of tool/subproject ordinal values when installing


Version 1.3.2  (December 2015)

Upgrade Instructions

 To enable faster commit views, by skipping copy detection, update the development.ini file to set
 scm.commit.git.detect_copies and scm.commit.hg.detect_copies to false.

New Features

 * [#6797] Move API docs from sf.net wiki to RAML.  Browse at https://forge-allura.apache.org/p/allura/rest-api-docs
 * [#7922] Add "admin" section to the left sidebar of all tools
 * [#7924] Update icon set to FontAwesome
 * [#7999] Admin page to really delete projects
 * [#8004] Cleaner project nav, tool icons removed
 * [#7955] Add more formatting support to markdown editor

Security

 * [#5694] Set max limit on limit param
 * [#8011] Served SVG images can execute JS

Bug Fixes & Minor Improvements

 Documentation:
 * [#7957] Document how to run allura with gunicorn/uwsgi/mod_wsgi
 * [#7995] Some docker config & doc improvements
 Tickets:
 * [#7911] Remove "bin" terminology from saved searches pages
 Code Repositories:
 * [#7403] [Allura|Bug] - Typo found in initial Git command description.
 * [#7538] If diff is empty, it shouldn't show "empty file" [ss7532]
 * [#7913] Handle parsing of the output from git 2.4.0+
 * [#7925] Speed up diff processing with binary files
 * [#7963] Speed up commit view by disabling copy detection with option
 Blog:
 * [#7822] Should not show draft blog post changes in activity stream
 Wiki:
 * [#7871] Send email notifiction on wiki page delete
 Admin:
 * [#7923] Left sidebar should show appropriate links when viewing tool options
 General:
 * [#7943] Limit the "_discuss" results from the tickets api.
 * [#7948] Cursor position often wrong in new markdown editor
 * [#7950] Markdown editor should have max height
 * [#7970] Expand urlopen retry conditions
 * [#7994] Fix comments split across two threads, not all comments showing
 * [#8016] Dialog 'cancel' link in wrong place
 Other:
 * [#7946] Error setting channel in Chat's options
 * [#7953] API endpoints error when using access_token as URL param
 * [#7984] Fix layout at bottom of subscriptions page
 * [#7990] Change link on new_projects admin page
 * [#7997] image attachments visible on posts (replies) awaiting moderation
 * [#8007] Broken icon images when running under gunicorn
 * [#8014] Bug: removed upsert() method needed by TracWikiImporter
 * [#7959] Need to set focus when phone validation overlay appears
 * [#7960] clean_phone_number function is too eager to prepend 1-
 * [#7969] Option to force phone validation language
 * [#7979] Phone validation interfering with project import
 * [#7991] Option to limit phone validation usage
 For Developers:
 * [#7976] JSX and ES6 support, via Broccoli toolchain
 * [#8026] Remove jquery.file_chooser.js
 * [#8027] Fix licensing of several files
 * [#7964] test_merge_request_detail_view fails (intermittent)
 * [#7980] Fix pep8 and pyflakes violations
 * [#8015] Activitystream needs ming config option
 * [#8028] Use virtualenv inside docker


Version 1.3.1  (August 2015)

Upgrade Instructions

 To enable CORS headers for the rest APIs, use the cors.* settings in the development.ini file.
 If you have your own .ini file, enable git tag & branch caching speedups by setting: repo_refs_cache_threshold = .01

New Features

 * [#5943] Post-setup instructions
 * [#6373] Document administrative commands
 * [#7897] Live syntax highlighting for markdown editing
 * [#7927] Allow CORS access to rest APIs
 * [#7540] Ticket notifications should include links to attachments

Security

 * [#7947] XSS vulnerability in link rewriting
 * [#7942] In project admin - user permissions, removing a custom group needs to use POST
 * [#7685] Subscribe/unsubscribe action should use POST

Bug Fixes & Minor Improvements

 Tickets:
 * [#4020] Date picker in milestone editor doesn't flip between months
 Wiki:
 * [#4802] Wiki edit link is not very discoverable
 * [#7310] "Maximize" should stick
 Code repositories:
 * [#7873] Git branch & tag speedups  -- NEEDS INI
 * [#7894] Don't update merge request timestamps incorrectly
 * [#7932] Fix pagination issue in the commit browser
 * [#7899] Issue with downloading files from repo with spaces in name
 * [#7906] Fix login check on ApacheAccessHandler.py
 Forums:
 * [#7880] Forums mail not getting sent that require moderation
 * [#7930] Bug: viewing a thread updates project mod_date
 Project Admin:
 * [#7884] Move add/edit Features to Metadata section
 * [#7885] Tooltip for project admin
 * [#7898] Icon upload/edit is not clear
 General:
 * [#7803] Fix taskd_cleanup to search for right process name
 * [#7889] Improve markdown logic for cached vs threshold limits
 * [#7890] Neighborhood cache preventing saving admin changes
 * [#7916] Error when handling user-profile URLs of users with invalid names.
 * [#7928] Site admin search tables can overflow the page width
 * [#7903] No mention about small letters in user registration
 * [#7909] Use dashes when suggesting project shortnames
 * [#7915] Move Allura installation instructions into the docs
 For Developers:
 * [#7809] Update install/docker to ubuntu 14.04
 * [#7891] Remove zarkov integration code


Version 1.3.0  (June 2015)

Upgrade Instructions

 * Run: cd Allura; paster script development.ini allura/scripts/trim_emails.py

New Features

 Webhooks:
 * [#4542] Implement webhooks
 * [#7832] APIs to manage webhooks
 * [#7829] Webhooks documentation
 Merge requests:
 * [#7830] One-click merge
 * [#7865] Config options to disable one-click merge requests
 * [#7866] Run can_merge in background, and cache results
 * [#7882] Option to use a tmp dir for git ops on merge request view
 * [#7872] Show markdown preview/help buttons for merge requests
 Phone verification:
 * [#7868] Phone verification system
 * [#7881] Clean up phone numbers before using them
 * [#7887] Better messaging for phone validation
 Other:
 * [#7806] Create a docker image for Allura
 * [#7886] Config options to limit ticket & wiki page creation
 * [#7840] Support Authorization header for OAuth
 * [#7633] API for has_access
 * [#6057] Adding an external link should be one step, not two
 * [#7850] Ability to close discussion on a ticket
 * [#6107] Disable email posting for the forum? [ss3579]

Security

 * [#7786] Invalidate pwd reset tokens after email change
 * [#7893] CSRF checks don't work on login

Bug Fixes & Minor Improvements

 Tickets:
 * [#6017] Should show attachment changelog when ticket gains an attachment
 * [#5467] Create Issue Button Should Always Appear (Only possibly refer to an explanation for why it was disabled).
 * [#7834] Bug: viewing a ticket updates its 'updated' date
 * [#7874] UnicodeEncodeError on ticket attachment diff
 Code Repositories:
 * [#7837] Use repo directly instead of DiffInfoDoc
 * [#7843] Handle quotes in filenames on commit view
 * [#7857] Retry svnsync repo clone failures
 * [#7825] Update "new commits" email template
 * [#7836] Merge request shows 0 commits, if upstream has new commits
 Wiki:
 * [#7841] wiki code to not show delete authors.
 User Profile:
 * [#7072] User can't access personal subscriptions page [ss6565]
 * [#7833] Trim emails before saving them to mongo NEEDS SCRIPT
 Tools Configuration:
 * [#7817] Replace "mount point" field with URL field, on tool creation forms
 * [#7820] Validate URLs when configuring external link tool
 Importers:
 * [#7864] Error on google code import with paginated comments
 * [#7854] Decode html entities in importers; and make taskd easier to debug
 Activity Stream:
 * [#7823] Commit activity is assigned to wrong person
 * [#7082] Filter deleted, unmoderated, or spam artifacts from Activity Stream
 * [#7888] has_activity_access/deleted error
 Administration:
 * [#7892] script/task to disable list users
 For Developers:
 * [#7827] Upgrade jQuery to latest version
 * [#7835] Update theme for the documentation.
 * [#7855] Upgrade docutils, Pygments and Babel, so docs can be built easily
 * [#7869] During tests, apply patches only once
 * [#7870] Clean up .ini files
 Other:
 * [#1731] Cannot delete a post, after deleting its parent
 * [#7852] Don't update mod time when viewing artifact creates a cache
 * [#7856] Error looking up user by email address when email is invalid
 * [#7876] projects macro display_mode=list is missing CSS


Version 1.2.1  (February 2015)

Bug Fixes & Minor Improvements

 * [#5726] RSS feed for discussion stopped 12/13/2012? [ss2637]
 * [#6248] long lines in markdown lists get truncated on the right [ss4073]
 * [#7772] Type text is splitted in more lines if separated by spaces in bulk edit
 * [#7813] Handle uppercase in email address all the time
 * [#7815] KeyError: 'name'
 * [#7808] Check for wiki presence before importing it
 * [#7831] Logout issue
 Administration:
 * [#7816] Show/manage user's pending status
 * [#7821] More accurate audit logs when changing user's status
 Performance:
 * [#7824] Cache neighborhood record
 For developers:
 * [#7516] Timing may case test_set_password_sets_last_updated to fail
 * [#7795] test_version_race fails occassionally
 * [#7819] New email address lookup helpers fail on None


Version 1.2.0  (December 2014)

Upgrade Instructions

 * Edit Allura/development.ini and set: activitystream.enabled = true
 * Run: mongo allura scripts/migrations/030-email-address-_id-to-email--before-upgrade.js
 * Run: mongo allura scripts/migrations/030-email-address-_id-to-email--after-upgrade.js
 * Run (optional): mongo allura scripts/migrations/030-email-address-_id-to-email--cleanup.js
 * Run: cd Allura; paster ensure_index development.ini
 * Run: cd Allura; paster script development.ini ../scripts/migrations/031-set-user-pending-to-false.py
 * Run: cd Allura; paster script development.ini allura/scripts/remove_duplicate_troves.py

New Features

 * [#7097] New profile page design
 * [#7156] Turn on activitystreams by default
 * Admin page to search for projects
 * Admin pages to search, view, and edit user details
 * [#7524] User audit trail, for site admins
 * [#7593] Allow site admins to add user audit entries
 * LDAP improvements
 * [#7409] Configurable max & min password lengths
 * [#7432] Password expiration
 * [#7451] Remember me option on login
 * [#7372] Allow users to disable their own accounts
 * [#2286] Ability to restrict tools per neighborhood
 * [#4019] Add an easy way to filter ticket queries by open/closed without knowing Solr syntax
 * [#4905] button to subscribe to a wiki
 * [#7134] Added option to allow overriding repo clone URL
 * [#7381] Google code importer should handle Apache-Extras/EclipseLabs projects

Removed functionality:

 * [#1687] Remove pre-oauth API keys (use OAuth now)
 * [#7013] Remove broken openid support

Bug Fixes & Minor Improvements:

 * [#4602] Artifact links to closed tickets should have strikethrough
 * [#4987] Artifact links within a tool should match within tool first
 * [#4703] "Related" artifacts should indicate project/tool if referencing other project
 * [#6305] Merge email notifications when possible
 * [#7213] Discussion edit/reply non-functional in IE11 (at least)
 * [#7378] RSS feeds shouldn't include comments held for moderation
 * [#7679] project admin listings should not include disabled users
 Users & Authentication:
 * [#6677] User profile's list of projects is slow to build
 * [#5414] Typo on user prefs page
 * [#3815] return_to field not created in LoginForm
 * [#7085] error on activity rss feed for users
 * [#7164] Make activity widgets show 5 items if possible
 * [#7410] Show more info in password recovery flow
 * [#7436] /auth/preferences cleanup
 * [#7452] Require an email address be verified before it is set as primary
 * [#7480] Track last session info
 * [#7484] OAuth app names don't need to be globally unique NEEDS ENSURE_INDEX
 * [#7492] Clean up incomplete sentence in activity feed
 * [#7523] Better to go to /auth/preferences after email addr verification
 * [#7526] Fix mail headers in email verification email
 * [#7527] Email address associations need better user associations NEEDS MONGO MIGRATION
 * [#7543] Password recovery should not confirm email addr existance
 * [#7545] return_to param should be validated for relative URLs
 * [#7585] Require password entry for changes to email settings
 * [#7635] Add autofocus to login form
 * [#7636] Fix forgotten pwd link on login overlay
 * [#7688] Redirect to password expiration page after login
 * [#7704] Option to require email for user registration NEEDS MIGRATION
 * [#7715] Handle + in email address url params
 * [#7717] Better existing email addr handling
 * [#7732] Be able to use secure cookies and SSLMiddleware
 * [#7756] Ensure user always go to pwd expired form, when expired
 * [#7759] After resetting pwd and logging in, don't redir back to pwd reset form
 * [#7761] Disabling a user does not remove/disable his primary email
 * [#7787] Ldap error when logging in with unicode in username or password
 * [#7794] "Page Size" preference must actually affect pagination
 * [#7799] Changing password should invalidate other sessions
 Admin:
 * [#5939] Missing icons on permission edit page
 * [#6495] Screenshot admin UI improvements
 * [#6834] Inconsistent display of new user in Permissions
 * [#6949] Error on export: artifact ref and cleanup
 * [#7014] Trove category editing improvements
 * [#7075] Screenshot macro incorrectly includes text about sorting
 * [#7275] Add users broken in IE11
 * [#7293] Create Trove Category browse page
 * [#7347] Add URL and comment fields to AwardGrant
 * [#7351] When export control is True, it always records a change in the audit log
 * [#7613] Integrate sortable.js to the new_projects page
 * [#7675] Fix error when deleted permission group is still referenced
 Code Repositories:
 * [#5175] Merge requests should have a good <title>
 * [#5176] Merge requests should show the date
 * [#6164] Ability to edit merge requests
 * [#6301] Track changes to merge requests
 * [#6902] Merge request to branch list commits against master
 * [#7295] Bigger text inputs for merge requests
 * [#5472] JS spinner uses a lot of CPU
 * [#5700] Replace "git branch --set-upstream" with "git branch --set-upstream-to"
 * [#5769] Can't select code via double- or triple-click
 * [#6764] Git test failures on 1.8.3
 * [#7021] Handle pgp-signed git commits
 * [#7051] 500 error with large number of repos
 * [#7069] unable to view/process merge requests when fork is deleted
 * [#7127] "Download snapshot" background too tall
 * [#7207] git repos without master branch behave poorly
 * [#7325] Uninitialized git repo allows forking.
 * [#7333] svn web import tool breaks repos
Tickets:
 * [#5948] Status on individual Milestone view always shows Open
 * [#6019] List current user first in user-drop-downs
 * [#4701] Add current ticket's milestone to email notification
 * [#4981] Ticket voting buttons should only display if you have permission to vote
 * [#7399] JS errors on ticket bulk edit prevent submission
 * [#7495] 'url' missing on MovedTicket models
 * [#7560] Avoid weird permissions when anonymous creates a private ticket
 * [#7566] Milestone admin page can be very slow
 Wiki:
 * [#7528] XSS on wiki page and preview
 * [#7107] Add confirmation to "Revert to Version" button
 * [#7168] Markdown macro to load content from repository
 * [#7202] Use https for youtube embed
 * [#7353] Cannot delete wiki entries
 * [#7294] "related" section header not aligned properly
 * [#7647] Script to clean up, or code to handle, Dupe Key errors on wiki page_history
 Blog:
 * [#6930] Email notification for a blog post rename stating the opposite
 * [#7218] Feedburner doesn't like Blog RSS feed
 URL Shortener:
 * [#7324] Fix incorrect div width on URL shortening tool
 API:
 * [#7208] DOAP API for projects
 * [#7292] User profile API
 * [#7267] Change TroveCategory event API
 * [#7507] Project API errors on unicode screenshot name
 * [#7508] Add project creation date to API
 * [#7659] Allow tools to add fields to project json API
 * [#7722] API for disabled users should 404
 * [#7789] Return more fields in ticket API search results
 Importers:
 * [#7114] Make imports work on user projects
 * [#7124] Validate Trac URLs before importing
 * [#7111] Refactor tool importers to use target_app for g.entry_points
 * [#7160] Trac-Tickets Importer Rejects URL Containing IP Address
 * [#7177] Trac ticket error: astimezone() cannot be applied to a naive datetime
 * [#7580] Ticket attachments aren't imported in Allura importer
 * [#7801] Issues import from GitHub is broken
 Administration:
 * [#6561] Clean up setup-app output
 * [#6701] Integrate allura authorization with Git/SVN (over HTTP)
 * [#7128] Change SVN's browse commits graph to direct SCM access
 * [#7163] Create read perms on ForgeActivity app - NEEDS MONGO CMD
 * [#7214] Fix pytidylib install; admin page when tools not installed
 * [#7224] Timermiddleware should measure mongo write ops too
 * [#7277] Incubator graduation items
 * [#7287] Update docs/scm_host.rst with info about ApacheAuthHandler.py
 * [#7316] Review & update scm_host docs
 * [#7309] add_project form lists all tools, including several that won't work
 * [#7307] Broken handling of InvalidDocument: BSON document too large
 * [#7513] Fixing imported wiki pages with slashes in titles
 * [#7510] Test extracting Allura tickets for Apache move
 * [#7582] Script to set up MovedTicket records for tickets we're moving to Apache
 * [#7628] Clean up dupe trove categories / test_filtering fails occasionally NEEDS CMD
 * [#7683] Make collection of birthdate configurable
 * [#7800] Standardize IP addr lookup
 Performance:
 * [#7027] Cache /nf/tool_icon_css better
 * [#7181] users_with_named_role should query for the name role only
 * [#7185] project list macro makes unnecessary queries
 * [#7186] Need index on artifact_feed (project_id, pubdate) NEEDS ENSURE_INDEX
 * [#7199] filter projects in create-allura-sitemap.py
 * [#7472] Thread view counts shouldn't trigger add_artifact tasks
 * [#7562] Remove unnecessary monq_task 'args' index NEEDS ENSURE_INDEX
 * [#7644] Make /nf/admin/new_projects faster
 For developers:
 * [#7802] Easier to make a custom theme based on main theme
 * [#7401] Allow custom middleware
 * [#7029] AuthProvider should be able to add routes to /auth/
 * [#7154] Expand AdminExtension to support site-admin pages
 * [#7130] Blob.next_commit and prev_commit should be removed
 * [#7142] Better conditional around sending zarkov events
 * [#7173] Improve auth docstrings
 * [#7178] error with parallel tests: 'solr' is None
 * [#7215] Test suite timing out
 * [#7239] Update feedparser
 * [#7260] Tests create trove categories unnecessarily
 * [#7305] Document SCM code and merge repo.py into repository.py
 * [#7329] Update ForeignIdProperty('User') for latest ming
 * [#7579] Use sendsimplemail instead of sendmail in some cases
 * [#7581] TestSVNRepo.test_log fails with svn 1.8
 * [#7804] Use OAuth token for github project validation
 * [#7805] Improve GitHubOAuthMixin


Version 1.1.0  (February 2014)

Upgrade Instructions

 * Run ensure_index command
 * 3rd party tools that do not use EasyWidgets will need {{lib.csrf_token()}} added to each <form>

New Features

 * [#6777] Create a site-wide notification mechanism
 * Improved activity stream display and events
 * [#6694] Form to send message to a user
 * [#6783] Create a process to reset forgotten passwords
 * [#6804] API to install a tool
 * [#6692] API for exports
 * [#6692] Simpler oauth API via bearer tokens
 * [#5475] Javascript not required for most forms any more
 * [#5424] Provide instructions for running git/hg/svn services
 * [#6896] Developer architecture docs
 * [#4808] Factor out SourceForge-specific bits of Allura

Bug Fixes & Minor Improvements:

 * Many fixes and improvements for GitHub, Google Code, Trac and Allura importers
 Code Tools:
 * [#7006] hide misleading message on Browse Commits page
 * [#6796] Render all (not just readme) markdown files in repos
 * [#6801] Options to parallelize last_commit_ids
 * [#6826] Mass edit emails have invalid To: address
 * [#6821] Change hg browser to get "last commit" info from hg instead of mongo (if ForgeHg installed)
 * [#6894] SVN/Git refresh hooks fail for redirects
 * [#6905] better code snapshot status UX
 * [#6938] AttributeError on fork listing page
 * [#6982] SCM views should parse user/email pairs better
 * [#7022] UnicodeDecodeError on side-by-side diff text
 * [#6111] remove markdown rendering of commit messages, keep artifact linking
 * [#4671] Delete old-style LastCommitDoc code
 * [#6603] Certain code snapshots take forever even to queue up
 * [#6686] Change git browser to get "last commit" info from git instead of mongo
 * [#6743] unicode paths in code browser 500 error
 Tickets:
 * [#6852] Maximize view for ticket lists
 * [#6803] Labels should be set without hitting enter
 * [#6893] Former team member unassigned from ticket on metadata update
 * [#2778] Tickets: milestone names are bound once they are equal
 * [#4812] Title field for new tickets mistaken as search bar
 * [#5749] setting to specify a default milestone
 * [#6088] Ticket search help open in new window
 * [#6328] Use In-Reply-To: and References: headers for outgoing ticket emails
 * [#6381] Allura tickets system intermittently discards replies to comments
 * [#7047] ticket bulk_edit task sometimes doesn't call add_artifacts
 * [#4429] ticket bulk-edit forcibly always sets all custom boolean fields to True
 * [#6646] bulk edit to add labels
 * [#6752] bulk edit to change "private" field
 * [#6979] Bulk edit on some milestones with ":" gives empty set
 * [#6906] Fatal error when replying to tracker item
 User profile:
 * [#6833] Choice of social networks should be configurable
 * [#7062] Set first email address as 'primary' automatically
 * [#6676] User profile page should show date joined
 Discussion:
 * [#7063] Add last_edited field to discussion REST API
 * [#7065] Slow post queries happening on invalid URLs
 * [#6864] Add spam button for comments
 * [#6910] Emails with empty or missing From: should be treated as anonymous
 * [#6917] User block list not stopping posts-via-email
 * [#5182] prevent out-of-office replies to allura notifications
 * [#6249] Use a stable Sender: header in email notifications
 Wiki:
 * [#4373] wiki diff incorrectly shows a lot of changes
 Project admin:
 * [#6848] Coalesce scripts/migrations/*trove*.py into command/create_trove_categories.py
 * [#6865] Project admin for categories should be sorted
 * [#6866] Audit trail adds fb & twitter values even if they don't change
 * [#6795] TroveCategory.children is slow
 * [#6889] possible XSS on /p/add_project/
 * [#5502] Prevent adding certain tools multiple times
 System/Misc:
 * Cache markdown rendering results
 * [#6971] Task manager can't set c.project for user-projects
 * [#7009] /nf/tool_icon_css doesn't preserve https for URLs
 * improved smtp_server error handling
 * [#4091] ensure_index takes for ever looping over every single project
 * [#4723] Don't link to user-project when Anonymous
 * [#5330] taskd leaves defunct git processes around
 * [#6713] Slow /auth/bare_openid?url=/user/registration
 * [#6484] Move ForgeWiki mediawiki importer (GPL dep) into standalone importer - NEEDS CONFIGTREE
 * [#7005] allura.tasks.repo_tasks.clone clobbers Project record
 For developers:
 * [#7028] severely stunted landing page html after vagrant install
 * [#6393] Allow plugins to register new markdown macros
 * [#6994] Test improvements/speedups
 * [#6942] Make custom tool icons work properly
 * [#7119] Add config switch to disable template overriding
 * [#6714] Rename & move User.project_role()
 * [#6716] __json__ should return plain dicts
 * [#6388] Tool to inspect performance, particularly between commits


Version 1.0.1  (October 2013)

Upgrade Instructions

 * Run ensure_index command
 * Add bulk export and importer_upload_path INI settings (see development.ini)

New Features

 * [#6422] Added release script and DISCLAIMER, cleaned up NOTICE, LICENSE, and README files
 * Added GitHub importers for Project, Code, Wiki, and Tickets
 * Added Tickets importer for Google Code
 * Added Allura exported Tickets importer
 * [#3154] Allura data export

Bug Fixes & Minor Improvements:

 * Improvements to importer infrastructure
 * Additions to Tracker API
 * Fixes for Trac importer
 * Performance improvements for code snapshots
 * [#5561] Maximize view for wide code files
 * [#5775] Allura Code Viewer: provide "copied from" link in history view
 * [#6284] Allura Code Viewer: show SVN revision in commit browser
 * [#6626] Regression: SVN urls don't default to HEAD revision
 * [#6629] "list index out of range" error on git _iter_commits_with_refs
 * [#6695] timeout & loop detection in LCD logic
 * [#6529] Login overlay
 * [#4595] Revisions to /nf/admin/new_projects
 * [#5966] Script to move wiki
 * [#6100] URL-Redirection for moved tickets
 * [#6392] Per tool user bans
 * [#6431] Upgrade to ming 0.4.x to avoid extraneous count() queries
 * [#6539] Timeouts on approving moderated comments [ss4838]
 * [#6545] Show forum stats graph
 * [#6604] IE9 json parsing vulnerability
 * [#6654] Tracker stats template error
 * [#6685] add faulthandler to smtp_server
 * [#6699] Provide a way to add additional Timers to AlluraTimerMiddleware

Version 1.0.0  (August 2013) (unreleased)

 * Initial ASF Incubation release