Zope Changes

This file contains change information for the current Zope release. Change information for previous versions of Zope can be found in the file HISTORY.txt.

Zope 2.6.0

  Bugs Fixed

    - Caused many places throughout the code base to use calls to user.getId() rather than user.getUserName(). With most (all?) user folder implementations today, this will have no behavioral change, as getId is always aliased to getUserName. However, this makes it possible to write user folder implementations which make the distinction between the user's id and the user's name. These user folders will allow users to change names independent of their identity.
    - WebDAV Lock Manager actually gives the user a chance to specify a starting path **before** searching for locks, shortening query times and memory usage in large Zope instances.
    - PageTemplateFiles were previously owned by whatever object contained them. This resulted in very hard bugs if the user who owned the container was removed. Since PageTemplateFiles come from the filesystem, they are now "unowned", similar to DTMLFiles. Security is still applied, but now it is applied correctly.
    - Collector #411: DateTime.rfc822 is not rfc822 compliant

Zope 2.6.0 beta 2

  Bugs Fixed

    - The ability to add multiple select properties to PropertyManagers was broken (issue 612).
    - Removed the signal handler hung off USR1 for packing the database. This feature proved dangerous as the pack operation would happen in the main thread, causing all asyncore operations to stop until it was finished.
    - Collector #372: tal:attributes failed when combined with tal:replace.
    - Don't try to close network connections in the signal handler for shutdown. This hosed ZEO clients.
    - Collector #292: PythonScript.write() didn't properly refresh bindings.
    - Dumb bug in zdaemon fixed in which it would try to kill process numbers 1, 2, 3, 10, 12, and 15 when it caught a signal related to any of these signal numbers.
      Instead, it actually tries now to kill its child process with the same signal.
    - Write pidfiles out with trailing newlines.
    - Fix setVirtualRoot in the face of unicode paths (such as occur during an XML-RPC request).
    - Collector #539: Fixed rendering of TAL namespace tags with an 'on-error' statement.
    - Collector #586: Generated 'start' scripts had a nonsensical export of an "INST_HOME" environment variable.
    - Collector #580: TALES evaluateBoolean() was squishing 'default'.
    - Collector #581: TALES Path traversal should not special-case a blank string in the second element position. It now skips directly to item access when a path element is blank or has a leading '_'.
    - Fixed inconsistent attribute access in TALES Paths.
    - Deprecated hasRole alias failed to return result.
    - Collector #538: Hybrid path expressions no longer attempt to call a value returned by the final, non-path alternate.
    - Collector #573: ZTUtils Iterator didn't catch AttributeError.
    - Collector #517: The properties page incorrectly rendered properties with non-latin1 values if there were no unicode properties defined, and incorrectly processed properties with non-ascii names.
    - ZTUtils.SimpleTree could not build a tree with a root other than the ZODB root object. Also, filter functions didn't work at all, let alone in accordance with the documentation in the code.
    - Collector #603: ZTUtils.Tree.encodeExpansion encoded depth with '.' characters, but decodeExpansion could possibly see an encoded node id as an encoded depth when that encoded id started with a '.'.
    - Collector #605: ZTUtils.Tree.decodeExpansion set no limits on the string to be decoded, allowing for a DoS attack with very large strings.
    - The fix for issue #144 broke the ability to create an empty Image or File object. This functionality is now reenabled again.
    - ZTUtils.Zope.TreeSkipMixin allows you to skip unauthorized objects in the tree, but the filter wasn't applied when trying to filter candidate child nodes through a custom setChildAccess filter.
    - Emails sent through MailHost now automatically include a Date header if not already present, in compliance with RFC822 and RFC2822.

  Features Added

    - Add optional 'relative' argument to the getURL method in CatalogBrains. This allows it to generate site relative URLs like absolute_url can.
    - ZTUtils.Tree.encodeExpansion now will use zlib compression by default, allowing for a far larger number of open tree states to be encoded. decodeExpansion handles compressed expansion states automatically.
    - ZTUtils.Tree.TreeMaker now has additional methods for setting various flags and attributes that influence how the tree is built, making these aspects accessible to PythonScripts.
    - ZTUtils.Tree.TreeMaker has a new method setStateFunction, which allows you to set a callback function that can influence the state (open, closed, leaf) of each node in the tree.
    - Pidfile handling improved. When Zope is started under zdaemon, it no longer writes its own pidfile. Instead, it passes in the path to Z2.pid to zdaemon as its pidfile name. The 'zProcessManager.pid' file is no longer ever written. This caused a change to the -Z option of z2.py which should be mostly backwards-compatible (unless people were relying on zProcessManager.pid to be written). Now the -Z option is a boolean. -Z1 means use a daemon. -Z0 means don't. The default is -Z1.

Zope 2.6.0 beta 1

  Bugs Fixed

    - Collector #587: fixed wrong migration to string methods in DTMLMethod.py
    - Collector #583: Searching for '/' with PathIndexes failed.
    - Fixed bug in manage_editProperties which used an incorrect default for several types of property when they were not found in the REQUEST.
    - Collector #574: Fixed write on HEAD requests caused by overzealous ETag support.
    - Fixed bug in z2.py where it would eat certain socket error exceptions at startup.
    - Collector #550: Exceptions in XML-RPC requests no longer invoke standard_error_message. Plain text error messages are instead added to the fault string. In debug mode, a full traceback is also included since access to the error log is not a given for XML-RPC developers.
    - Collector #512,541: Fixed broken WebDAV compatibility with Cadaver 0.20.X due to a missing Lock-Token header.
    - Zope Page Templates set a 'content-type' header even if the result of their execution was not rendered to the browser. We now check to make sure a content-type header is not already set before allowing a page template to set its own.
    - The title_or_id attribute of browser id managers and session data managers is now accessible publicly.
    - Collector #510: When Python scripts and other "Script" objects were acquired during URL traversal, the __before_publishing_traverse__ code did not properly stop traversal at the script and populate traverse_subpath with the remaining url path elements.
    - Collector #238: Version Save and Discard buttons were too close to each other in Version management screens.
    - The "Add Browser ID Manager" permission was renamed to "Add Browser Id Manager".
    - Collector #437: dtml-sqltest now renders 'v not in (b,c)' when used as . Previously, a sqltest for inequality would render 'v <> b' when a single value was submitted, but would render 'a in (b,c)' when multiple values were present and the 'multiple' switch was set.
    - Collector #478: Z Search Interfaces with no parameters are now generating correct HTML.
    - Collector #448: Z Search Interfaces created as PageTemplates have a correct title, not a fragment of dtml.
    - Fixed brokenness of session data manager hasSessionData method. The old method created a session data object as a result of the call; it does not now.
    - Collector #458: Fixed broken reindex_all in CatalogAwareness classes.
    - The default "start" script now causes the event log to be sent to standard output unless the "EVENT_LOG_FILE" or "STUPID_LOG_FILE" environment variable is found in the environment.
    - The much-hated name "STUPID_LOG_FILE" now has a preferred alias: "EVENT_LOG_FILE".
    - Collector #454: The "default" session_data transient object container was not created if an object named "session_data" existed in the root.
    - Restored behavior of ZCatalog when arguments with empty string are passed in to searchResults. These values are now ignored. If only empty string values are passed to searchResults, then it returns all results (it is assuming what was passed is essentially an empty filter).
    - Collector #160: Allow TemporaryStorages to participate when a version is active.
    - Collector #446: Fixed management security assertions on ZCatalogIndexes class.
    - The BTree module functions weightedIntersection() and weightedUnion() now treat negative weights as documented. It's hard to explain what their effects were before this fix, as the sign bits were getting confused with an internal distinction between whether the result should be a set or a mapping.
    - New "Transience" (session data storage) implementation. More reliable under high load.
    - Collector #402: PythonScript recompile utility should only be usable by Manager to prevent abuse.
    - Collector #433: Fixed broken Splitter backwards compatibility issue caused by code cleanup.
    - Collector #151: The Python 2.1 / 2.2 fcntl compatibility hacks were bypassed when using medusa directly without importing ZServer first (as when using monitor_client.py).
    - Collector #72: Start on Windows 95 machines with no network devices installed.
    - Collector #79: Don't swallow App.FindHomes exceptions.
    - The set operation difference(X, None) was returning None instead of returning X, contradicting the docs and common sense. difference(None, X) continues to return None.
    - Fix bug in ISO_8859_1 splitter which corrupted storage on initialization.
    - Collector #421: Storage leak in cAccessControl
    - FileLibrary and GuestBook example applications gave anonymous users the Manager proxy role when uploading files - a potential vulnerability on production servers.
    - Exceptions that use untrusted information from a REQUEST object in the exception message now html-quote that information.
    - Stop leaking FastCGI Authorization header in environment to prevent password compromise
    - #178: Don't compile PythonScripts in skins directories
    - Fixed the help registration system and Zope tutorial to honor the environment variables, FORCE_PRODUCT_LOAD, and ZEO_CACHE, that affect whether products are installed in the database at application startup.
    - Collector #547: xmlrpclib SlowParser should also handle CDATA sections.
    - Collector #525: Don't mask Unauthorized exceptions as XML-RPC faults. Fix based on patch from Brad Clements.
    - Collector #465: Allow XML-RPC requests with no tag.
    - Collector #528: Don't clear REQUEST_METHOD for XML-RPC requests; instead check for an XML-RPC Response object in BaseRequest.traverse.

  Features Added

    - Browser ids can now be encoded in the URL and Zope can be instructed to automatically include the browser id in its generated URLs.
    - Browser Id Managers now provide a saner way to obtain a hidden form element which encodes the browser id name and browser id. An interface method named "getHiddenFormField" on browser id managers now exists which returns a snippet of HTML as a hidden form field that encodes these values.
    - A Site Error Log object is now created in the root at Zope startup time.
    - Added 'url_unquote' and 'url_unquote_plus' modifiers to DTML (also fmt=url-unquote and fmt=url-unquote-plus), and made the same functions available in the PythonScripts.standard module.
    - Collector #186: Added urlencode to the standard importables for Python scripts.
    - and &dtml.-name; will now automatically HTML-quote unsafe data taken implicitly from the REQUEST object.
      Data taken explicitly from the REQUEST object is not affected, as well as any other data not originating from REQUEST. This can be disabled (at your own risk!) by setting the environment variable ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled'.
    - ZCatalog index management ui is now integrated into ZCatalog rather than being a subobject management screen with different tabs.
    - ZCTextIndexes can now be instantiated without constructing a silly "extra" record object if desired.
    - SimpleItem class now passes a new argument "error_log_url" to the standard_error_message template on error. If the site contains an error log object, this will contain the url to the applicable log entry for the error.
    - The IOBTree module also supports multiunion() now.
    - BTrees and TreeSets are complex objects, with parent->child pointers, sibling pointers, and multi-level parent->descendant pointers. About half the pointers are formally redundant, but speed operations. BTrees and TreeSets now support a ._check() method, which does a thorough job of examining all these pointers for consistency. It raises AssertionError if it finds any problems, else returns None. In Zope 2.5, in rare cases a key deletion could leave these internal pointers in an inconsistent state (what was supposed to be redundant information became conflicting information). The most likely symptom was that tree.keys() would yield an object that disagreed with the tree about how many keys there are. tree._check() can be used if you suspect such a problem (and if you find one, rebuilding the tree is the best solution for now).
    - Added support for the ZOPE_HOME environment variable, which points to the Zope root, where the ZServer package and default imports may be found.
    - Collector #516 -- "title" property on image tags
    - Collector #117 -- change External Method DTML to name="id" vs unquoted id
    - Collector #61 -- now manage_PasteObjects return a list of dictionaries containing {'id':original_id,'new_id':newly_pasted_obj_id} when called with REQUEST=None
    - Changed FORCE_PRODUCT_LOAD so that if it is set, it determines whether products are installed regardless of whether ZEO_CACHE is set. This means that you can disable product installation by setting FORCE_PRODUCT_LOAD to an empty string even if you are not using a ZEO persistent cache. Documented FORCE_PRODUCT_LOAD
    - xmlrpclib has been updated to the Python 2.2 version, which includes support for the Expat parser for unmarshalling data, which speeds up things considerably.
    - Binary builds for Linux are now built against glibc 2.1.3 with large file support enabled.
    - Binary builds for Solaris are now built against Solaris 8 with large file support enabled.
    - Added i18n support in TAL processing

Zope 2.6.0 alpha 1

  Features Added

    - The IIBTree module has a new multiunion function. It accepts a sequence of sets, treesets, etc, and returns the union of the keys of these objects, as an IISet. It's designed for peak speed when the input sequence contains many objects.
    - Set the default sys checkinterval to a higher value (500) to take better advantage of faster processors. Since there is no way to scientifically determine a number that works best for everyone, this at least should err on the side of better performance "out of the box" for higher-end production systems. Note that you can always use the -i argument to z2 to change the check interval.
    - Added support for gzip content compression for clients that support it. See lib/python/ZPublisher/HTTPResponse.py for more details.
    - Added ZCTextIndex plug-in index product. A replacement for TextIndex.
    - Removed the venerable but senile QuickStart folder from the default FileStorage. "Alas, poor Yorick! I knew him, Horatio."
    - Signal handling and log rotation

      All Zope processes will respond to signals in the specified manner:

        SIGHUP - close open database connections and sockets, then restart the process
        SIGTERM - close open database connections and sockets, then shut down.
        SIGINT - same as SIGTERM
        SIGUSR2 - rotate all Zope log files (z2.log, event log, detailed log)

      The common idiom for doing automated logfile rotation will become:

        kill -USR2 `cat /path/to/var/z2.pid`

      The common idiom for doing "prophylactic" restarts will become:

        kill -HUP `cat /path/to/var/z2.pid`

      When a process is interrupted via ctrl-C or via a TERM signal (INT, TERM), all open database connections and sockets will be closed before the process dies. This will speed up restart time for sites that use a FileStorage as its index will be written to the filesystem before shutdown. Unspecified signals kill the process without doing cleanup.
    - ZCatalog no longer has a hand in managing text index vocabularies. The cruft associated with this functionality has been exorcised. No default indexes or metadata elements are defined for you when you create a new ZCatalog. Since we now have many new kinds of plug-in indexes it no longer made sense to do this anymore.
    - A new permission "Copy or Move" was added. This permission may be used respective to an object to prevent objects from being copyable or movable while within the management interface. The "old" behavior stipulated that users who possessed the "View management screens" permission to an object's container could copy or move the object arbitrarily, even if they had limited access to the object itself. Once the object was moved or copied, the user became the owner of the new object, allowing them to see potentially sensitive information in the management interface for the object itself.
      This permission is granted to Manager and Anonymous by default, and must be revoked on an object-by-object basis if site managers intend to provide management screen access to folders which contain sensitive subobjects. This patch came as a result of Collector #376 (thanks to Chris Deckard).
    - Structured Text's "DocumentWithImages" class did not recognize image filenames with underscores.
    - The getElementsByTagName method of STDOM (used by Structured Text) would croak on most documents, especially those containing unwrapped text nodes. Fixed.
    - FileUpload objects now evaluate false when they have an empty file name. Making it easier to check for omitted file upload form fields.
    - ZClasses now use a python script as their constructor method instead of a DTML method. Also, ZClasses inherit from CatalogPathAwareness now instead of CatalogAwareness.
    - added browser_default hook to ZPublisher. This allows objects to specify the path to the default method that the publisher calls when the object is published. The default for objects not defining browser_default is still 'index_html' for bw compatibility. A ZMI configurable browser_default implementation has been added to ObjectManager. You can configure browser_default for OMs via a new "settings" management tab.
    - added TopicIndexes: a TopicIndex is a container for so-called FilteredSet. A FilteredSet consists of an expression and a set of internal ZCatalog document identifiers that represent a pre-calculated result list for performance reasons. Instead of executing the same query on a ZCatalog multiple times it is much faster to use a TopicIndex instead.
    - requestprofiler: added new --daysago option and added support for reading gzipped detailed logfiles
    - DateTime: new functions JulianDay() and week() to perform calculation of the week number based on the Julian calendar.
    - WebDAV: the new environment variable WEBDAV_SOURCE_PORT_CLIENTS enables retrieval of the document source for dedicated WebDAV clients (see ENVIRONMENT.txt for usage)
    - Collector #272: Optimizations for RESPONSE.write
    - Collector #271: New environment variables are now used to send the access log into syslog. ZSYSLOG_ACCESS, ZSYSLOG_ACCESS_FACILITY, and SYSLOG_ACCESS_SERVER now do the same job as the old environment variables without _ACCESS in their name. Those old environment variables still do the same job of sending the event log to syslog.
    - When run as a daemon on Unix, Zope will now redirect stdin/stdout/stderr to /dev/null
    - Nicer formatting for the increasingly tall permissions table.
    - TextIndex: Enhanced splitter functionality now allows the TextIndex to index numbers, single characters. It is also possible to enable case-sensitive indexing. The new configuration options are available through the addForm of the Vocabulary object.
    - ICP server support. For more information see http://www.zope.org/Members/htrd/icp/intro
    - STXNG: added new env. variable STX_DEFAULT_LEVEL to change the default level for elements (see doc/ENVIRONMENT.txt)
    - Collector #304: several catalog optimisations
    - New implementation of ZODB object cache. The new implementation is more likely to keep the size of the object cache close to the target size. This change means that memory consumption may be reduced. Some users will need to increase the default cache size, because a too small setting is more likely to hurt performance than it did in the past. Third-party C extensions that use the persistence API must be recompiled, and may need to be updated to work correctly with the new cache; see PER_GHOSTIFY().
    - The ZODB Connection is now responsible for registering changed objects with the current transaction.
    - Implementation of RestrictedCreation fishbowl proposal; Product registration can now include a function used to determine whether that product constructor wants to allow objects to be created in the specified container object.
    - Collector 196: manage_page_style.css is now cacheable. Added freshness information to ImageFile, to improve cacheability of management interface
    - Collector 358: added a new parameter no_push_item to dtml-in, to inhibit automatically pushing sequence-item onto the namespace stack.
    - STXNG: Structured Text now supports images by default by using the HTMLWithImages class (has been disabled prior to Zope 2.6)
    - new option --force-http-connection-close for z2.py to prevent clients from maintaining pipelined connections to the Zope server (Collector #412)
    - Updated the Interface package to be compatible with Zope 3 Interfaces. This included changing some interface APIs that may affect existing products.
    - Added a database activity monitoring graph to the control panel, making it easier to tune the ZODB cache size.

  Bugs Fixed

    - External methods didn't properly setup func_defaults and func_code when they were first loaded. This meant mapply couldn't properly map arguments on the first try.
    - Fixed bug #96: Narrower/Wider buttons now work on both CSS and non-CSS compliant browsers. This allows better control for browsers that have a hard time knowing what 100% means.
    - Fix for Collector #319: filtered_manage_options didn't correctly filter tabs based on permission.
    - Made repr of an HTTPRequest.record eval'able as a dict (Collector #89).
    - Fixed bug #144: Upload button on dtml, py scripts, images, files and pts now raises an error if the file is not specified rather than clearing the source.
    - Fixed bug #275: setPermissionDefault didn't actually set the right permission -> role mappings.
    - Fixed bug reported on maillist during EWOULDBLOCK when using FTP server (http://lists.zope.org/pipermail/zope/2002-March/111521.html).
    - App/FindHomes.py now computes the "real" path for SOFTWARE_HOME and INSTANCE_HOME, resolving any symlinks in any element within paths passed in via the INSTANCE_HOME or SOFTWARE_HOME envvars. Paths that are computed by "dead reckoning" from os.getcwd and module paths are also "realpathed". So for instance, if you use '/home/chrism/Instance' as your INSTANCE_HOME, and '/home/chrism' is a symlink to '/other/home/chrism', your INSTANCE_HOME will be computed as '/other/home/chrism/Instance'. This is necessary to avoid weirdnesses while using "dead reckoning" from INSTANCE_HOME and SOFTWARE_HOME in other parts of the code. POSIX systems only.
    - Fixed PropertyManager/PropertySheets so that you can safely add a property named 'ids' without breaking your properties page.
    - Removed spurious 'self' from scarecrow interfaces; updated method-generation in Interface package to ignore self when source is a method (rather than a function).
    - Collector #32: Use difflib instead of ndiff
    - Fixed long standing bug in PythonScript where get_size returned the incorrect length. This broke editing using EMACS via FTP or WebDAV. Thanks to John Glavin at South River Technologies for help finding the bug.
    - Collector #207: fixed problem with inner links in STXNG
    - Collector #210: HTML() function of StructuredText produced wrong tags.
    - Collector #166: ObjectManager.all_meta_types() implemented only an incomplete filter based on interfaces.
    - FTP: Downloading files through FTP has been broken since 2.4.0 because the downloaded file has been stored with a HTTP header at the beginning of the file. Fixed!
    - FTP: Spaces in usernames inside a FTP file listing are now replaced by underscores to avoid confusion with some FTP clients.
    - Collector #227: improved handling of unicode string in TextIndex.py with unmodified default encoding in site.py.
    - Collector #227: z2.py, TextIndex/dtml/manage_vocab.dtml modified to display unicode strings in the vocabulary properly (now using UTF-8 encoding for display purposes)
    - Collector #250: applied several patches for TextIndex for better unicode support for the GlobbingLexicon
    - Collector #254: return owner object from getOwner wrapped in its context
    - Collector #259: walkandscrub.py did not delete all .pyc and .pyo files during installation. Fixed.
    - Collector #231: BTrees ignoring errors from comparison function
    - Collector #278: DocumentWithImages could not handle URLs with underscores
    - Collector #279: changed exception handling for safegmtime() to provide a more intuitive traceback for operating systems with a limited gmtime() implementation
    - Collector #285: Zope changes its working directory to the var directory at startup
    - WebDAV: removing a non-existing property now returns a HTTP 200-OK response instead of 404 (now compliant with RFC 2518)
    - Fixed a bug in TM.py that would cause database adapters to hang on errors in the second phase of the two-phase commit.
    - Collector #291: ZCatalog not unindexing deleted properties
    - Collector #266: Retried requests losing track of http request headers, causing Connection:Close requests to stall
    - Collector #17: Fixed broken links in StandardCacheManagers help
    - Collector #1: UNIX security fixes: make starting Zope as 'root' secure, stop using 'nobody', warn of insecure umasks
    - Collector #303: Properties of type 'long' got truncated
    - Collector #325: adding a new TextIndex to an existing Catalog cleared the standard Vocabulary.
    - Collector #373: content_type property for Image objects are no longer deletable to prevent malfunction.
    - Collector #343: The ZCatalogs 'Indexes' view showed the wrong number of indexed objects for FieldIndexes.
    - FTP server: replaced 'System_Process' by 'Sysproc' to avoid breaking some FTP clients and the output format with overlong usernames.
    - Fixed a potential bug with cAccessControl's permission role deallocator which would try to decref things which may not have been set, due to a change in the initializer (which will bail out if it doesn't get called with a tuple argument)
    - Collector #185, 341: PCGIServer and FCGIServer logs corrected and now output extended information like HTTPServer does.
    - Propertysheets: Ids like 'values' and 'items' are now forbidden as they break WebDAV functionality. Existing Propertysheets are not affected
    - Collector #348: decapitate() now recognizes both \r\n and \n\n to be compliant with the HTTP RFC
    - Collector #386: workaround for hanging FTP connections with NcFTP
    - Collector #419: repaired off-by-1 errors and IndexErrors when slicing BTree-based data structures. For example, an_IIBTree.items()[0:0] had length 1 (should be empty) if the tree wasn't empty.
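
The kind of bounded decoding that the Collector #605 entry (Zope 2.6.0 beta 2) calls for, combined with the zlib-compressed expansion states added in the same release, shown as an added Python example that is not Zope's ZTUtils code. The wire format (URL-safe base64 over zlib over ':'-joined node ids), the function names and the three limits are assumptions made for illustration.

```python
import base64
import binascii
import zlib

# Assumed limits; size them to the largest tree state the UI can really produce.
MAX_ENCODED = 8 * 1024    # characters of client-supplied text accepted
MAX_DECODED = 64 * 1024   # bytes allowed after decompression
MAX_NODES = 2000          # node ids allowed in one expansion state


class ExpansionError(ValueError):
    """Raised when a client-supplied expansion state is rejected."""


def encode_expansion(node_ids):
    """Encode node ids in the assumed format (not Zope's real encoding)."""
    raw = ":".join(node_ids).encode("utf-8")
    return base64.urlsafe_b64encode(zlib.compress(raw)).decode("ascii")


def decode_expansion(text):
    """Decode an untrusted expansion state with a limit at every stage."""
    # 1. Cap the input before doing any parsing work on it.
    if len(text) > MAX_ENCODED:
        raise ExpansionError("encoded state too long")
    try:
        packed = base64.b64decode(text.encode("ascii"), altchars=b"-_",
                                  validate=True)
    except (UnicodeEncodeError, binascii.Error) as exc:
        raise ExpansionError("not valid base64") from exc

    # 2. Decompress with max_length so a small input cannot expand into
    #    an arbitrarily large buffer (decompression bomb).
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(packed, MAX_DECODED + 1)
    except zlib.error as exc:
        raise ExpansionError("not valid zlib data") from exc
    if len(raw) > MAX_DECODED or inflater.unconsumed_tail:
        raise ExpansionError("decoded state too large")
    if not inflater.eof or inflater.unused_data:
        raise ExpansionError("truncated or trailing data")

    # 3. Cap the number of nodes the tree builder will be asked to open.
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ExpansionError("not valid UTF-8") from exc
    node_ids = decoded.split(":") if decoded else []
    if len(node_ids) > MAX_NODES:
        raise ExpansionError("too many nodes")
    return node_ids


def safe_decode_expansion(text):
    """Return the decoded ids, or [] (fully collapsed tree) on rejection."""
    try:
        return decode_expansion(text)
    except ExpansionError:
        return []
```

Falling back to a collapsed tree keeps a rejected state from turning into an error page that a client could trigger on demand.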