Indico - A feature-rich event management system, made @ CERN, the place where the Web was born.
MIT License
Published by ThiefMaster over 1 year ago
\href macro when rendering it client-side. Previously, it was possible to embed arbitrary JavaScript there using the javascript: protocol. The underlying MathJax library has now been updated to version 3 which allows blacklisting certain protocols, thus allowing only http, https and mailto links in \href macros (#5818)
Published by ThiefMaster over 1 year ago
Vary: Cookie header when session data is present and used. This ensures that data linked to a (logged-in) session cannot leak between requests even in case of a poorly-configured caching proxy in front of Indico (#5753)
0 for a required registration form number field (unless a higher minimum value is set) (#5781)
Published by ThiefMaster over 1 year ago
Note: The risk of malicious HTML (e.g. scripts) in the global announcement is minimal as only Indico administrators can set such an announcement anyway. However, in the unlikely case that an administrator becomes malicious or is compromised, they would have been able to perform XSS against their Indico instance.
locked_fields to the identity provider settings in indico.conf to prevent non-admin users from turning off their profile's personal data synchronization (#5648)
rh.before-check-access signal (#5639, thanks @omegak)
indico celery --watchman ... to run Celery with the Watchman reloader (#5667)
Published by ThiefMaster almost 2 years ago
Published by ThiefMaster almost 2 years ago
Note: We do not think that Indico is affected by those vulnerabilities as it does not use the cryptography library itself, and the dependency that uses it is only used during SSO (OAuth) logins and most likely in a way that is not vulnerable. It is nonetheless recommended to update as soon as possible.
") in ckeditor output correctly (#5487)
registration_deleted signal whether it's a permanent deletion from the database or just a soft-deletion (#5559)
Published by ThiefMaster about 2 years ago
We published a blog post summarizing the most relevant changes for end users.
regform-container-attrs template hook to pass additional (data-)attributes to the React registration form containers (#5271)
EMAIL_BACKEND configuration variable to support different email sending backends, e.g. during development (#5375, #5376, thanks @Moist-Cat)
signal_query method in the IndicoBaseQuery class and the db_query signal, allowing signal handlers to intercept and modify queries (#4981, thanks @omegak)
Indico 3.2 supports both Python 3.9 and 3.10
Published by ThiefMaster over 2 years ago
category-sidebar template hook and blocks around category sidebar sections (#5237, thanks @omegak)
event.reminder.before_reminder_make_email signal (#5242, thanks @vasantvohra)
plugin.interceptable_function signal to intercept selected function calls (#5254)
Published by ThiefMaster almost 3 years ago
We published a blog post summarizing the most relevant changes for end users.
SMTP_ALLOWED_SENDERS and SMTP_SENDER_FALLBACK config settings (#4837, #2224, #1877, #5179)
CUSTOM_COUNTRIES not overriding names of existing countries (#5183)
Published by ThiefMaster almost 3 years ago
Published by ThiefMaster about 3 years ago
Published by ThiefMaster about 3 years ago
event.before_check_registration_email signal (#5021, thanks @omegak)
event.registration.after_registration_form_clone signal (#5037, thanks @vasantvohra)
registration-invite-options template hook (#5045, thanks @vasantvohra)
Published by ThiefMaster over 3 years ago
Note that we only list the changes since 3.0rc2 here. Please make sure to also check the changelogs for 3.0rc1 and 3.0rc2.
SYSTEM_NOTICES_URL = None in indico.conf (#5004)
signals.foo now need to be accessed using their explicit name, i.e. signals.core.foo (#5007)
category.extra_events signal (#5005, thanks @omegak)
Published by ThiefMaster over 3 years ago
Since this is a prerelease, you need to use pip's --pre switch to install it, i.e. pip install --pre indico (same for indico-plugins)
Published by ThiefMaster over 3 years ago
We published a blog post summarizing the most relevant changes for end users.
This major release starts the new Python-3-only era of Indico.
Due to the massive changes that come with this, make sure to read the 2.x to 3.0 upgrade guide if you plan to upgrade an existing instance. Also, keep in mind that this is a prerelease, and things may be broken.
While we consider it very stable (it's running in production on the main CERN Indico instance for about a month now), we do not officially encourage you to upgrade your production instances yet.
But if you are going to do it anyway (we know you want to!), please read that guide and have a backup.
Since this is a prerelease, you need to use pip's --pre switch to install it, i.e. pip install --pre indico (same for indico-plugins)
themes_legacy plugin) (#4900, #4899)
confId has been changed to event_id and the corresponding URL path segments now enforce numeric data (and thus pass the id as a number instead of string)
CACHE_BACKEND has been removed; Indico now always uses Redis for caching
session.user now returns the user related to the current request, regardless of whether it's coming from OAuth, a signed url or the actual session (#4803)
check_password_secure signal that can be used to implement additional password security checks (#4817)
Published by ThiefMaster over 3 years ago
before_notification_send signal (#4874, thanks @omegak)
Published by ThiefMaster over 3 years ago
BASE_URL is now always enforced and requests whose Host header does not match are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host (#4815, GHSA-wgpj-7c2j-vfjm, CVE-2021-30185)
Note: If the webserver is already configured to enforce a canonical host name and redirects or rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires user interaction: they would need to click on a password reset link which they never requested, and which points to a domain that does not match the one where Indico is running.
ical-export metadata signal when exporting events for a whole category
primary_email_changed signal (#4802, thanks @openprojects)
Published by ThiefMaster over 3 years ago
Published by ThiefMaster almost 4 years ago
Published by ThiefMaster almost 4 years ago
read:legacy_api scope.
EXPERIMENTAL_EDITING_SERVICE setting to enable extending an event's Editing workflow through an OpenReferee server (#4659)
registration_form_wtform_created signal and send form data in registration_created and registration_updated signals (#4642, thanks @omegak)
logged_in signal
Published by ThiefMaster about 4 years ago
We published a blog post summarizing the most relevant changes for end users.
LOCAL_GROUPS setting that can be used to fully disable local groups (#4260)
CUSTOM_LANGUAGES setting to indico.conf to override the name/territory of a language or disable it altogether (#4620)
before-regform template hook (#4171, thanks @giusedb)
registrations kwarg to the event.designer.print_badge_template signal (#4297, thanks @giusedb)
registration_form_edited signal (#4421, thanks @omegak)
before-registration-summary template hook (#4495, thanks @omegak)
extra-registration-actions template hook (#4500, thanks @omegak)
event-management-after-title template hook (#4504, thanks @meluru)
before-registration-actions template hook (#4524, thanks @omegak)
LinkedDate and DateRange form field validators (#4535, thanks @omegak)
extra-regform-settings template hook (#4553, thanks @meluru)
filter_selectable_badges signal (#4557, thanks @omegak)
extra-registration-settings template hook (#4596, thanks @meluru)