Indico - A feature-rich event management system, made @ CERN, the place where the Web was born.
MIT License
Published by ThiefMaster over 3 years ago
We published a blog post summarizing the most relevant changes for end users.
This major release starts the new Python-3-only era of Indico.
Due to the massive changes that come with this, make sure to read the 2.x to 3.0 upgrade guide if you plan to upgrade an existing instance. Also, keep in mind that this is a prerelease, and things may be broken.
While we consider it very stable (it has been running in production on the main CERN Indico instance for about a month now), we do not officially encourage you to upgrade your production instances yet.
But if you are going to do it anyway (we know you want to!), please read that guide and have a backup.
Since this is a prerelease, you need to use pip's --pre switch to install it, i.e. pip install --pre indico (same for indico-plugins)
themes_legacy plugin) (#4900, #4899)
confId has been changed to event_id and the corresponding URL path segments now enforce numeric data (and thus pass the id as a number instead of string)
CACHE_BACKEND has been removed; Indico now always uses Redis for caching
session.user now returns the user related to the current request, regardless of whether it's coming from OAuth, a signed url or the actual session (#4803)
check_password_secure signal that can be used to implement additional password security checks (#4817)
Published by ThiefMaster over 3 years ago
before_notification_send signal (#4874, thanks @omegak)
Published by ThiefMaster over 3 years ago
BASE_URL is now always enforced and requests whose Host header does not match are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host (#4815, GHSA-wgpj-7c2j-vfjm, CVE-2021-30185)
Note: If the webserver is already configured to enforce a canonical host name and redirects or rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires user interaction: they would need to click on a password reset link which they never requested, and which points to a domain that does not match the one where Indico is running.
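A sketch of the Host check described above, written as WSGI middleware. It is an added example, not Indico's own code; the names EnforceBaseURL, host_matches, reset_app and respond, and the host indico.example.org, are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def host_matches(host_header, base_url):
    """True only if the Host header names the same host and port as base_url."""
    base = urlsplit(base_url)
    default_port = DEFAULT_PORTS[base.scheme]
    try:
        got = urlsplit("//" + host_header)
        got_port = got.port if got.port is not None else default_port
    except ValueError:          # malformed port or IPv6 literal
        return False
    if got.netloc != host_header or "@" in host_header:
        return False            # path, userinfo or stripped characters in the header
    base_port = base.port if base.port is not None else default_port
    # .hostname is already lower-cased by urlsplit, so the comparison ignores case
    return (got.hostname or "") == (base.hostname or "") and got_port == base_port

class EnforceBaseURL:
    """WSGI middleware: answer 400 before the app sees a mismatched Host."""
    def __init__(self, app, base_url):
        if urlsplit(base_url).scheme not in DEFAULT_PORTS:
            raise ValueError("base_url must be an absolute http(s) URL")
        self.app, self.base_url = app, base_url

    def __call__(self, environ, start_response):
        if not host_matches(environ.get("HTTP_HOST", ""), self.base_url):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Host header does not match the configured base URL\n"]
        return self.app(environ, start_response)

def reset_app(environ, start_response):
    """Constructed app with the risky pattern: the link is built from Host."""
    link = "https://%s/reset/TOKEN" % environ["HTTP_HOST"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [link.encode()]

def respond(host, base_url="https://indico.example.org"):
    """Run one constructed request through the middleware; return (status, body)."""
    seen = []
    body = EnforceBaseURL(reset_app, base_url)(
        {"HTTP_HOST": host}, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body).decode()
```

With the middleware in front, the link-building code only ever runs for the configured host, which is the same guarantee the note above attributes to a webserver that enforces a canonical host name.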
ical-export metadata signal when exporting events for a whole category
primary_email_changed signal (#4802, thanks @openprojects)
Published by ThiefMaster over 3 years ago
Published by ThiefMaster almost 4 years ago
Published by ThiefMaster almost 4 years ago
read:legacy_api scope.
EXPERIMENTAL_EDITING_SERVICE setting to enable extending an event's Editing workflow through an OpenReferee server (#4659)
registration_form_wtform_created signal and send form data in registration_created and registration_updated signals (#4642, thanks @omegak)
logged_in signal
Published by ThiefMaster about 4 years ago
We published a blog post summarizing the most relevant changes for end users.
LOCAL_GROUPS setting that can be used to fully disable local groups (#4260)
CUSTOM_LANGUAGES setting to indico.conf to override the name/territory of a language or disable it altogether (#4620)
before-regform template hook (#4171, thanks @giusedb)
registrations kwarg to the event.designer.print_badge_template signal (#4297, thanks @giusedb)
registration_form_edited signal (#4421, thanks @omegak)
before-registration-summary template hook (#4495, thanks @omegak)
extra-registration-actions template hook (#4500, thanks @omegak)
event-management-after-title template hook (#4504, thanks @meluru)
before-registration-actions template hook (#4524, thanks @omegak)
LinkedDate and DateRange form field validators (#4535, thanks @omegak)
extra-regform-settings template hook (#4553, thanks @meluru)
filter_selectable_badges signal (#4557, thanks @omegak)
extra-registration-settings template hook (#4596, thanks @meluru)
Published by ThiefMaster over 4 years ago
Published by ThiefMaster over 4 years ago
Published by ThiefMaster almost 5 years ago
Published by ThiefMaster about 5 years ago
While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.
Published by ThiefMaster about 5 years ago
While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.
Published by ThiefMaster about 5 years ago
@, +, - and = from the beginning of strings when exporting CSV files to avoid security issues when opening the CSV file in Excel
XELATEX_PATH is explicitly set in indico.conf.
indico maint fix-event-role-acls after updating to fix any affected ACLs (#4090)
Published by ThiefMaster about 5 years ago
This release is just backporting important security fixes from v2.2.3 in case you are still on v2.1 and cannot upgrade to v2.2.3 quickly.
@, +, - and = from the beginning of strings when exporting CSV files to avoid security issues when opening the CSV file in Excel
Published by pferreir about 5 years ago
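The CSV export fix that appears twice in the entries above removes @, +, - and = from the start of exported strings. The following is an added example of that mitigation, not Indico's export code; the function names and the sample rows are constructed for illustration, and it leaves numeric cells untouched so that a real negative number keeps its sign.

```python
import csv
import io

FORMULA_PREFIXES = "@+-="  # the four characters named in the release notes

def strip_formula_prefix(value):
    """Drop leading formula-trigger characters from text cells only."""
    if not isinstance(value, str):
        return value  # real numbers such as -5 keep their sign
    return value.lstrip(FORMULA_PREFIXES)

def export_csv(headers, rows):
    """Serialize rows to CSV text with every text cell sanitized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([strip_formula_prefix(h) for h in headers])
    for row in rows:
        writer.writerow([strip_formula_prefix(cell) for cell in row])
    return buf.getvalue()

def changed_cells(rows):
    """Return (row, column) positions the export will alter, for auditing."""
    return [(r, c) for r, row in enumerate(rows) for c, cell in enumerate(row)
            if strip_formula_prefix(cell) != cell]

# Constructed sample data: user-supplied text next to a numeric column.
SAMPLE_HEADERS = ["Name", "Email", "Balance"]
SAMPLE_ROWS = [
    ["Alice Example", "alice@example.org", -5],
    ["=1+1", "bob@example.org", 2],
    ["+-=@SUM(A1:A9)", "@carol", 0],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADERS, SAMPLE_ROWS))
    print("cells altered:", changed_cells(SAMPLE_ROWS))
```

Only leading characters are removed, so an address such as alice@example.org passes through unchanged while a cell made entirely of prefix characters collapses to the text that follows them.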
pyatom, which has vanished from PyPI (#4045)
Published by pferreir about 5 years ago
pyatom from the project's dependencies. It seems to have vanished from PyPI (maybe discontinued?) but luckily werkzeug already includes it as a contrib module (see #4045).
Published by ThiefMaster about 5 years ago
template_prefix of the designer module
Published by ThiefMaster about 5 years ago
<title> (#3285, thanks @bpedersen2)
Published by ThiefMaster over 5 years ago