Tests:
- Fix removed unittest.makeSuite in python 3.13. [petschki] (#121)
Bug fixes:
- Fix tinymce patch of tinymce.utils.XHR to not break in TinyMCE 6 where this has been removed. [petschki] (#106)
Internal:
- Update configuration files. [plone devs] (6e36bcc4, 7723aeaf)
New features:
- Drop support for Python <3.8. (5390ebc6)
Bug fixes:
- Do not hard-depend on plone.portlets. Prepare for Plone with portlets optional. @jensens (#99)
Internal:
- Update configuration files. [plone devs] (a9dd65cc)
Bug fixes:
- Testing: explicitly set response content type header to html. [jeromeperrin] (#97)
Bug fixes:
- Add missing z3c.zcmlhook dependency. [icemac] (#96)
Bug fixes:
- Fixed deprecation warning for webdav.Lockable.LockableItem. [maurits] (#3130)
Bug fixes:
- Minor packaging updates. (#1)
Bug fixes:
- Remove deprecation warnings (#90)
Bug fixes:
- When marking an OOBTree as safe, also mark its buckets as safe. Fixes issues with objects that have many annotations. (#88)
Bug fixes:
- Avoid deprecation warnings. [gforcada] (#87)
Breaking changes:
- Remove five.globalrequest dependency. It has been deprecated upstream (Zope 4). [gforcada]
Breaking changes:
- Adapt to changed visibility of buildfacade in AccessControl.requestmethod. Requires AccessControl >= 4.0b6 [tschorr]
Bug fixes:
- More Python 2 / 3 compatibility [pbauer, MatthewWilkes]
- Fix marmoset monkey patching for Python 3 [jensens]
- Don't patch until zcml loaded [davisagli]
- Put the marmoset on a leash (reset csrf-checks after tests) [davisagli]
Bug fixes:
- Fix package dependencies; cssselect has been an extra of lxml since 2014 (closes #79). [hvelarde]
- Fixed tests to work with merged plone.login [jensens]
Breaking changes:
- Version 3.1.3 introduced a Python 3 compatibility fix that broke some Python 2 versions with a SyntaxError. Reports are mostly for Python 2.7.8 and lower, but also one for 2.7.14, but only on Travis. So this marks a breaking change. The incompatibility will be reverted on branch 3.x. Version 3.1.4 should be safe to use again. See issue 74 and issue 75. [maurits]
Bug fixes:
- Avoid CSRF warnings due to generating image scales stored in a plone.scale.storage.ScalesDict. [davisagli]
Bug fixes:
- More Python 2 / 3 compatibility. Warning: this gives a SyntaxError on Python 2.7.8 or lower. See issue 74. [pbauer]
Bug fixes:
- Transform does not log a warning for empty responses (Fixes #15) [fRiSi]
- Add Python 2 / 3 compatibility [vincero]
Bug fixes:
- README wording tweaks [tkimnguyen]
New features:
- Log forbidden URLs. Fixes #66 [gforcada]
New features:
- Catch AttributeError on transform. [hvelarde]
Bug fixes:
- Fix logging to no longer write traceback to stdout, but include it in the logging message instead. [jone]
Bug fixes:
- Remove unittest2 dependency [kakshay21]
Bug fixes:
- Allow confirm-action for all contexts, instead of only Plone Site root. This avoids an error when calling it on a subsite. Fixes issue #51. [maurits]
- Code Style: utf8-headers, import sorting, new style namespace declaration, autopep8 [jensens]
- Fix #57: Html must contain "body", otherwise plone.protect breaks. [jensens]
Bug fixes:
- avoid zope.globalrequest.getRequest() [tschorr]
Bug fixes:
- Avoid regenerating image scale over and over in Plone 4. Avoid (unnoticed) error when refreshing lock in Plone 4, plus a few other cases that were handled by plone4.csrffixes. Fixes #47 [maurits]
Bug fixes:
- Only try the confirm view for urls that are in the portal. This applies PloneHotfix20160830. [maurits]
- Removed RedirectTo patch. The patch has been merged to Products.CMFFormController 3.0.7 (Plone 4.3 and 5.0) and 3.1.2 (Plone 5.1). Note that we are not requiring those versions in our setup.py, because the code in this package no longer needs it. [maurits]
New:
- Added protect.js from plone4.csrffixes. This adds an X-CSRF-TOKEN header to ajax requests. Fixes #42 [maurits]
Fixes:
- Use zope.interface decorator. [gforcada]
Fixes:
- Fixed AttributeError when calling safeWrite on a TestRequest, because this has no environ. [maurits]
Fixes:
- Internationalized button in confirm.pt. [vincentfretin]
Fixes:
- Make sure transforms don't fail on redirects. [lgraf]
- make sure to always compare content type with a string when checking if we should show the confirm-action view. [vangheem]
- Internationalized confirm.pt [vincentfretin]
- Disable editable border for @@confirm-action view. [lgraf]
- Make title and description show up on @@confirm-action view. [lgraf]
- Allow views to override 'X-Frame-Options' by setting the response header manually. [alecm]
- Avoid parsing redirect responses (this avoids a warning on the log files). [gforcada]
- Handle TypeError caused by getToolByName on an invalid context [vangheem]
- You can opt out of clickjacking protection by setting the environment variable PLONE_X_FRAME_OPTIONS to an empty string. [maurits]
- Be more flexible in parsing the PLONE_CSRF_DISABLED environment variable. We are no longer case sensitive, and we accept true, t, yes, y, 1 as true values. [maurits]
- Avoid TypeError when checking the content-type header. [maurits]
- Always force html serializer as the XHTML variant seems to cause character encoding issues [vangheem]
- Do not check writes to temporary storage like session storage [davisagli]
- play nicer with inline JavaScript [vangheem]
- make imports backward compatible [vangheem]
- patch pluggable auth with marmoset patch because the patch would not apply otherwise depending on somewhat-random import order [vangheem]
- get auto-csrf protection working on the zope root [vangheem]
- conditionally patch Products.PluggableAuthService if needed [vangheem]
- Do not raise ComponentLookupError on transform [vangheem]
- Fix pluggable auth CSRF warnings on zope root. Very difficult to reproduce. Just let plone.protect do its job also on zope root. [vangheem]
- Just return if the request object is not valid. [vangheem]
- fix pluggable auth CSRF warnings [vangheem]
- fix detecting safe object writes on non-GET requests [vangheem]
- instead of using _v_safe_write users should now use the safeWrite function in plone.protect.auto [vangheem]
- patch locking functions to use _v_safe_write attribute [vangheem]
- Be able to use _v_safe_write attribute to specify objects are safe to write [vangheem]
- handle zope root not having IKeyManager Utility and CSRF protection not being supported on zope root requests yet [vangheem]
- Add ITransform.transformBytes for protect transform to fix compatibility with plone.app.blocks' ESI-rendering [atsoukka]
- auto CSRF protection: check for changes on all the storages [mamico]
- CSRF test fixed [mamico]
- auto-rotate keyrings [vangheem]
- use specific keyring for protected forms [vangheem]
- add automatic clickjacking protection (thanks to Manish Bhattacharya) [vangheem]
- add automatic CSRF protection [vangheem]
- Use constant time comparison to verify the authenticator. This is part of the fix for https://plone.org/products/plone/security/advisories/20121106/23 [davisagli]
- Add MANIFEST.in. [WouterVH]
- Add ability to customize the token created. [vangheem]
- Update license to BSD following board decision. http://lists.plone.org/pipermail/membership/2009-August/001038.html [elro]
- Removed deprecated AuthenticateForm class and zope.deprecation dependency. [hannosch]
- Avoid deprecation warning for the sha module in Python 2.6. [hannosch]
- Specify package dependencies [hannosch]
- Add an optional GenericSetup profile to make it easier to install plone.protect. [mj]
- The protect decorator had a serious design flaw which broke it. Added proper tests for it and fixed the problems. [wichert]
- Rename plone.app.protect to plone.protect: there is nothing Plone-specific about the functionality in this package and it really should be used outside of Plone as well. [wichert]
- Made utils.protect work with Zope >= 2.11. [stefan]
- Refactor the code to offer a generic protect decorator for methods which takes a list of checkers as options. Add checkers for both the authenticator verification and HTTP POST-only. [wichert]
- Initial release [wichert]