Redmine

h1. Changelog 4.2.x

h2. version:4.2.9 (2022-12-01)

h3. [Activity view]

* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page

h3. [Documentation]

* Defect #37983: Duplicate vertical-align property in wiki_syntax.css

h3. [Gems support]

* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities"

* Patch #37867: Limit puma < 6.0.0 to avoid system test error

* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error

h3. [Issues workflow]

* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects

h3. [Projects]

* Defect #37925: Do not allow unkown display_type for query

h3. [Rails support]

* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception

h3. [Security]

* Defect #37751: Persistent XSS in textile formatting due to blockquote citation

* Defect #37767: Redmine contains a cross-site scripting vulnerability

* Defect #37880: Open Redirect in attachments#download_all

h2. version:4.2.8 (2022-10-02)

h3. [Code cleanup/refactoring]

* Defect #37449: Passing a wrong parameter to `with_settings` in UserTest::test_random_password_include_required_characters

h3. [Filters]

* Defect #36940: Chained custom field filter doesn't work for User fields

* Defect #37349: Chained custom field filter for User fields returns 500 internal server error when filtering after a float value

h3. [Issues]

* Defect #37473: Focus IssueId not working when linking issues

h3. [Issues list]

* Defect #37268: Performance problem with Redmine 4.2.7 and 5.0.2

h3. [Rails support]

* Patch #37465: Update Rails to 5.2.8.1

h3. [Security]

* Defect #37492: Update jQuery UI to 1.13.2

h3. [SCM]

* Defect #37718: Repository browser does not show "+" (plus sign) in filename

h3. [Text formatting]

* Defect #37379: Thumbnail macro does not work when a file is attached and preview is displayed immediately

h3. [Translations]

* Patch #37698: Persian translation update for 4.2-stable

h3. [UI]

* Defect #36901: Jump to project is misaligned in Safari 15.4 and later

* Defect #37282: Subtask isn't displayed correctly since 4.2.7

* Defect #37481: Fix the unintentional selection of rows with the context menu

* Defect #37566: The number of the ordered list in the project description is not displayed and the indentation does not match the unordered list

h2. version:4.2.7 (2022-06-21)

h3. [Email notifications]

* Defect #37162: Missing space between notification sentence and author name when edit a wiki page

h3. [Email receiving]

* Defect #37187: no-permission-check allows issue creation in closed/archived projects

h3. [Issues]

* Patch #37155: Issue#last_notes fallback does not respect notes visibility

* Defect #37171: Ability to change the issue category or issue target version with nonexistent value for the specific project

h3. [Security]

* Defect #37255: Information Leak in QueryAssociationColumn/QueryAssociationCustomFieldColumn

* Defect #37256: Medium severity XSS security vulnerabilities (3x) in jQuery UI v1.12.1

h3. [Time tracking]

* Defect #33914: Even if the default value of Activities (time tracking) is set, it may not be reflected.

h3. [UI - Responsive]

* Defect #36453: Issue subject overflow in subtasks and relations tables

h2. version:4.2.6 (2022-05-16)

h3. [Attachments]

* Defect #36887: copyImageFromClipboard function failed to generate a unique file name

* Patch #36817: copyImageFromClipboard function targets the first file input of the page and may conflict with other plugins

h3. [Rails support]

* Patch #36918: Update Rails to 5.2.8

h3. [Security]

* Patch #36912: Update Nokogiri versions to fix two critical CVE's

h3. [Translations]

* Patch #37002: Czech translation update for 4.2-stable

h2. version:4.2.5 (2022-03-28)

h3. [Attachments]

* Defect #36013: Paste image mixed with other DataTransferItem

h3. [Database]

* Defect #36766: Database migration from Redmine 0.8.7 or earlier fails

h3. [Documents]

* Defect #36686: Allow pasting screenshots from clipboard in documents

h3. [Gems support]

* Patch #36795: Set the minimum required version of ROTP gem to 5.0.0

h3. [Issues filter]

* Defect #30924: Filter on Target version's Status in subproject doesn't work on version from top project

h3. [Projects]

* Defect #36593: User without permissions to view required project custom fields cannot create new projects

h3. [Rails support]

* Patch #36757: Update Rails to 5.2.6.3

h2. version:4.2.4 (2022-02-20)

h3. [Gantt]

* Defect #35027: Gantt PNG export ignores imagemagick_convert_command

h3. [Gems support]

* Defect #35435: Psych 4: aliases in database.yml cause Psych::BadAlias exception

* Defect #36226: Psych 4: Psych::DisallowedClass exception when unserializing a setting value

h3. [Importers]

* Defect #35656: When importing issue relations, the validation messages are not shown in the UI

h3. [Issues]

* Defect #36455: Text custom field values are not aligned with their labels when text formatting is enabled

h3. [Rails support]

* Patch #36633: Update Rails to 5.2.6.2

h3. [Time tracking]

* Defect #20018: Duplicate activities in time entry report when project-specific activies exist

* Defect #36248: Time entries of sub-projects are not listed when activity is specified in filters

h3. [Translations]

* Defect #36517: Label error_can_not_execute_macro_html in Russian translation is broken

h3. [UI]

* Defect #36446: Watchers autocomplete fails with 403 error when the search is made from multiple objects with different projects

* Patch #35215: Don't display "No Match Found!" when the inline autocomplete doesn't return any result

* Defect #35090: Permission check of the setting button on the issues page mismatches button semantics

* Defect #36363: Cannot select text in a table with a context menu available

* Patch #36378: Update copyright year in the footer to 2022

h3. [Wiki]

* Defect #36494: WikiContentVersion API returns 500 if author is nil

* Defect #36561: Wiki revision page does not return 404 if revision does not exist

h2. version:4.2.3 (2021-10-10)

h3.  [Administration]

* Defect #35731: Password and Confirmation fields are marked as required when editing a user

h3.  [Attachments]

* Defect #35642: Long text custom field values are not aligned with their labels

* Defect #35715: File upload fails when run with uWSGI

h3.  [Issues]

* Defect #35655: Create duplicated follows relations fails with 500 internal error

h3.  [Issues planning]

* Defect #35669: Prints of Issues Report details are messed-up due to the size of the graphs

h3.  [Permissions and roles]

* Defect #35634: Attachments deletable even though issue edit not permitted

h3.  [Projects]

* Defect #35827: Deleting a closed or archived project returns 403

h3.  [Roadmap]

* Feature #35758: Add some space around the versions on the Roadmap

h3.  [Security]

* Defect #35789: Redmine is leaking usernames on activities index view

* Patch #35463: Enforce stricter class filtering in WatchersController

h3.  [Translations]

* Patch #35662: Mongolian translation update for "Notes", "Totals", and "% Done"

* Patch #35766: Galician translation update for 4.2-stable

h3.  [UI]

* Defect #34834: Line breaks in the description of a custom field are ignored in a tooltip

h2. version:4.2.2 (2021-08-01)

h3. [Accounts / authentication]

* Patch #35372: Better presentation for 2FA recovery codes

* Defect #35226: Add SameSite=Lax to cookies to fix warnings in web browsers

h3. [Attachments]

* Defect #33752: Uploading a big file fails with NoMemoryError

h3. [Documentation]

* Patch #35375: German translation of wiki syntax help file

h3. [Gantt]

* Defect #34694: Progress bar for a shared version on gantt disappears when the tree is collapsed and then expanded

h3. [Gems support]

* Defect #35621: Bundler fails to install globalid when using Ruby < 2.6.0

h3. [Issues]

* Defect #35134: Change total spent time link to global time entries when issue has subtasks that can be on non descendent projects

h3. [Issues filter]

* Defect #35201: Duplicate entries in issue filter values

h3. [News]

* Defect #35308: "Add news" button on global news index is displayed for users without permissions

h3. [Projects]

* Defect #35606: Locked users should not be displayed in the members box of the project overview page

h3. [Rails support]

* Patch #35214: Update Rails to 5.2.6

h3. [Security]

* Defect #35417: User sessions not reset after 2FA activation

h3. [Text formatting]

* Defect #35036: Markdown text sections broken by thematic breaks (horizontal rules)

* Defect #35441: Inline image in Textile is not displayed if the image URL contains ampersands

h3. [Time tracking]

* Defect #34856: Time entry error on private issue

h3. [Translations]

* Defect #35319: Wrong Japanese translation for permission_delete_message_watchers

* Patch #34979: French translation update for 4.2-stable

* Patch #35016: French translations for two-factor authentication

* Patch #35051: German translation update for 4.2-stable

* Patch #35110: Lithuanian translation update for 4.2-stable

* Patch #35111: Russian translation update for 4.2-stable

* Patch #35267: German translation update (jstoolbar-de.js)

h2. version:4.2.1 (2021-04-26)

h3. [Accounts / authentication]

* Defect #35087: Users without two-factor authentication enabled cannot sign out when two-factor authentication is required

* Defect #35135: FrozenError when new LDAP users try to login

h3. [Activity view]

* Defect #34933: Atom feed of the activity page does not contain items after the second page

h3. [Attachments]

* Defect #34999: The result of Attachment.latest_attach is unstable if attachments have the same timestamp

h3. [Custom fields]

* Defect #35115: Time entries are broken if grouped by project and issue custom fields

h3. [Email receiving]

* Defect #35100: MailHandler raises NameError exception when generating error message

h3. [Importers]

* Defect #35131: Issue import - allow auto mapping for Unique ID and relation type fields

h3. [Issues]

* Defect #34921: Do not journalize attachments that are added during a "Copy Issue" operation

* Defect #34982: Cannot change the default version and default assignee under settings

h3. [Performance]

* Patch #35034: Improve loading speed of workflow page

h3. [REST API]

* Defect #35039: API create issue relation method returns undefined method `split' when issue id is sent as integer

h3. [Roadmap]

* Defect #34983: Roadmap tab is missing if there are only inherited from parent project versions

h3. [Security]

* Defect #34367: Allowed filename extensions of attachments can be circumvented

* Defect #35045: Mail handler bypasses add_issue_notes permission

* Defect #35085: Arbitrary file read in Git adapter

h3. [Text formatting]

* Defect #34894: User link using @ not working at the end of line

h3. [UI]

* Defect #34998: Cannot open journal dropdown menu after editing note

h2. version:4.2.0 (2021-03-28)

h3. [Accounts / authentication]

* Defect #33601: Additional email addresses are not displayed in user profile page

* Feature #1237: Add support for two-factor authentication

* Feature #3369: Allowed/Disallowed email domains settings to restrict users' email addresses

* Feature #32998: Change the default value for "Default Gravatar image" to "Identicons"

* Feature #33126: Support custom fields when exporting users to CSV

* Feature #33347: Include updated_on and passwd_changed_on columns when exporting users to CSV

* Feature #34241: Include twofa_scheme (two-factor scheme) column when exporting users to CSV

* Patch #34071: handle AuthSourceExceptions in User.try_to_login

h3. [Activity view]

* Feature #1422: Date selection for Activity Page

* Feature #32248: Change the default value for "Days displayed on project activity" setting to 10

* Feature #33602: Add an interface to filter activities by user

* Feature #33692: Improved view of the activity page

h3. [Administration]

* Feature #32672: Add Check all / Uncheck all button to filters in permissions report

* Feature #34258: Create tracker by copy

* Feature #34307: Create custom field by copy

h3. [Attachments]

* Defect #33357: rendering extra "--" footer of git patch attachment

* Feature #7056: Download all attachments at once

* Feature #18555: Show warning when attempting to attach more than the allowed number of attachments

h3. [Calendar]

* Defect #32194: Calendar page lacks buttons to manage custom queries

h3. [Code cleanup/refactoring]

* Defect #33392: Fix invalid selector in function displayTabsButtons()

* Defect #33562: Some tests in ApplicationHelperTest are declared as private

* Patch #32054: Add test for 4 byte characters (emoji) support

* Patch #32653: Fix random test failure due to missing call to set_tmp_attachments_directory in WikiControllerTest

* Patch #32813: Clean up toggleMultiSelect js function

* Patch #32888: Use stylelint to avoid errors and enforce conventions in CSS files

* Patch #32890: Fix violations reported by Stylelint

* Patch #32924: tmp/pdf directory is no longer necessary

* Patch #32927: CSS selector in test_index_should_show_warning_when_no_workflow_is_defined is too specific

* Patch #32929: Add missing fixtures to AttachmentsControllerTest

* Patch #32937: test_revisions_latin_1_identifier should be skipped on Windows

* Patch #33069: Update copyright year in source files to 2021

* Patch #33226: Skip thumbnail tests if ImageMagick convert command is not available

* Patch #33268: Add missing test: ProjectCustomField creation

* Patch #33315: IssuesSystemTest#test_bulk_watch_issues_via_context_menu randomly fails due to Capybara clicks out out of context menu

* Patch #33342: Remove unused i18n key "label_overall_activity" and "label_overall_spent_time"

* Patch #33367: Use more efficient "exists?" instead of "first" in tests when checking the existence of rows

* Patch #33376: Add missing fixtures to VersionsHelperTest

* Patch #33384: jQuery: replace deprecated size() method with length

* Patch #33393: Remove unused i18n key "notice_no_issue_selected"

* Patch #33567: Fix typo in watchers_controller.rb

* Patch #33700: Add missing fixture to Redmine::ApiTest::ProjectsTest

* Patch #33728: Remove an unused variable in Query#add_chained_custom_field_filters

* Patch #33785: Add missing fixture to TimelogControllerTest

* Patch #33786: Add missing fixture to UsersControllerTest

* Patch #34119: Fix selenium chrome options so files are downloaded to tmp/downloads in system tests

* Patch #34122: Store inline autocomplete data sources in a JS variable

* Patch #34166: Fix wrong comment for Mailer.deliver_lost_password

* Patch #34169: MessagesControllerTest#test_post_new randomly fails

* Patch #34269: Allow system tests to run on remote Selenium hub (eg: Docker)

* Patch #34321: Add missing fixtures to AttachmentsControllerTest

* Patch #34444: Remove unused key :preview from Redmine::AccessKeys::ACCESSKEYS

* Patch #34492: Fix passing a wrong parameter to assert_select in API test for 'GET /users/:id'

* Patch #34745: Remove unused i18n key "text_min_max_length_info"

* Patch #34750: Remove unsupported encodings ISO-2022-KR and ISCII91 from Setting::ENCODINGS

* Patch #34789: Fix misplaced comment in config/settings.yml

h3. [Custom fields]

* Defect #5354: Updating custom fields does not trigger update to "updated_on" field in the customized object

* Defect #33930: 500 error when attempting to create custom field enumeration with empty name

* Feature #30776: Drag and drop file upload to file type custom field

* Feature #32783: Redirect to index page instead of edit page after creating a new custom field

h3. [Documentation]

* Defect #32795: Remove RubyGems from Requirements in doc/INSTALL

* Patch #33208: `--without rmagick` option for bundle command is no longer necessary

h3. [Email notifications]

* Feature #16006: Include attachments in forum post notifications

* Feature #32628: Notify users about high issues (only)

* Feature #33002: Include attachments in news post notifications

* Feature #33099: Add a link to the issues list in reminder email

* Feature #33834: Show open/closed badge in email notifications

* Feature #34787: Ability to set default value for  "I don't want to be notified of changes that I make myself"

h3. [Email receiving]

* Feature #34794: Allow newlines and quote characters within mail body delimiters

h3. [Feeds]

* Feature #15212: Atom feed on project with subprojects should show in article title the name of the project

h3. [Filters]

* Feature #33296: Load default custom queries when running redmine:load_default_data rake task

h3. [Forums]

* Defect #32156: No left padding for first level entries in discussion board list

* Feature #3390: Ability to add watchers to forum threads

h3. [Gems support]

* Patch #32453: Update capybara (~> 3.31.0)

* Patch #32468: Update Rouge to 3.26.0

* Patch #32530: Update RuboCop to 1.12

* Patch #32531: Update RuboCop Rails to 2.9

* Patch #32763: Update mini_magick to 4.11

* Patch #32782: Update pg gem (~> 1.2.2)

* Patch #32805: Update request_store to 1.5

* Patch #32841: Drop support for Bundler prior to 1.12.0

* Patch #32906: Update i18n (~> 1.8.2)

* Patch #32950: Update simplecov to 0.18

* Patch #34159: Update RuboCop Performance to 1.10

* Patch #34339: Update net-ldap to  0.17

* Patch #34443: Update roadie-rails to 2.2

* Patch #34579: Use 'webdrivers' gem to manage the Chrome driver for system tests

* Patch #34969: Remove dependency on MimeMagic

h3. [Hook requests]

* Patch #34072: Hook after plugins were loaded

h3. [I18n]

* Defect #33186: field_activity should be used rather than label_activity in the context of time tracking

* Defect #33232: Hard-coded error messages in ApplicationController

* Defect #33426: Error messages for Wiki macros are not internationalized

* Patch #33741: Decimal separator for Dutch locale should be a comma

h3. [Importers]

* Feature #22913: Auto-select fields mapping in Importing

* Feature #28198: Support issue relations when importing issues

* Feature #33102: Import user accounts from CSV file

* Feature #34762: Display more detailed error message when attempting to import malformed CSV file

h3. [Issues]

* Defect #10084: Disabled trackers of subprojects are listed in project overview

* Defect #32125: Issues autocomplete may not find issues with a subject longer than 60 characters

* Defect #32471: Layout of the custom field edit page is different between the single edit page and the batch edit page

* Defect #33255: Issue auto complete doesn't work for custom fields with text formatting enabled on issue bulk edit page

* Defect #33419: Show only valid projects on issue form when the issue is a subtask

* Defect #34185: Trackers of subprojects are not displayed in the Issue summary page

* Feature #4511: Allow adding user groups as watchers for issues

* Feature #28471: Query links for subtasks on issue page

* Feature #31881: Add "behind-schedule" CSS class to issues

* Feature #33254: Show open/closed badge on issue page

* Feature #33418: Bulk addition of related issues

* Feature #33832: Move the "Private" badge next to the "Open/Closed" badge

* Feature #34303: Allow to add subtask from context menu

* Feature #34798: Show project tree instead of subprojects in the project selector when you create a new issue

* Patch #33329: Improve watchers functionality to mark the users that are watching a non visible object and to not return watchers that cannot see the object

* Patch #33437: Add missing icon class to items with icon-checked class in the context menu

h3. [Issues filter]

* Feature #34700: Allow to use watch_by filter in the global issues list

h3. [Issues list]

* Feature #32240: Add download buttons in Files columns of the issues list

h3. [Performance]

* Defect #33289: Updating time tracking activities in project setting may take too long time

* Patch #33244: Replace "**" method with bitwise left shift in Tracker#disabled_core_fields and Tracker#core_fields

* Patch #33664: evaluate acts_as_activity_provider's scope lazily

* Patch #34150: Use match? instead of =~ when MatchData is not used

* Patch #34153: Use sum instead of inject(0, :+)

* Patch #34160: Replace Hash#merge! with Hash#[]=

* Patch #34161: Replace gsub with tr, delete, or squeeze

* Patch #34399: Use sum { ... } instead of map { ... }.sum

h3. [Permissions and roles]

* Feature #13767: Export permissions report to CSV

* Feature #33945: Allow normal users to delete projects with permission

h3. [Plugin API]

* Defect #33290: Unnecessary database access when IssueQuery class is defined

* Patch #33453: Add plugin CSS classes to plugin settings views

h3. [Project settings]

* Defect #34032: Project settings tab contains two items with the same id

h3. [Projects]

* Defect #33733: No trackers are selected for new projects

* Feature #32818: Add a system setting for default results display format of project query

* Feature #32944: Always preserve the tree structure in the project jump box

* Feature #33174: Show groups in members box on project overview page

h3. [Rails support]

* Patch #34966: Update Rails to 5.2.5

h3. [REST API]

* Defect #11870: Users can delete their own accounts unconditionally via REST API

* Defect #30121: Projects API should not return invisible trackers

* Feature #22008: Associated Revision API

* Feature #33301: Add option to include enabled issue custom fields in projects#show API response

* Feature #33592: Include updated_on and passwd_changed_on columns in users API response

* Feature #34242: Include two-factor authentication scheme in users API response

h3. [Rails support]

* Patch #32886: Rails 6: Use #media_type instead of #content_type to test the MIME type of a response

* Patch #32887: Rails 6: Use "render template:" instead of "render file:" in app/views/layouts/admin.html.erb

* Patch #32911: Rails 6: Fix deprecation warning "Class level methods will no longer inherit scoping"

h3. [Roadmap]

* Defect #32860: Invalid links to versions with sharing in project tree

* Feature #7956: Show Roadmap tab when subprojects have defined versions

h3. [Ruby support]

* Feature #31500: Ruby 2.7 support

* Feature #34142: Drop Ruby 2.3 support

h3. [Security]

* Defect #34950: SysController and MailHandlerController are vulnerable to timing attack

h3. [SCM]

* Defect #23055: Error with Fetch commits with Mercurial repository when log has invalid char

* Defect #27790: mercurial: error of double quotes in branch and tag names

* Defect #32153: Repository browser does not render previews for audio/video files

* Feature #8875: Allow manually fetching changesets

* Feature #34942: Support for Git repositories with default branch "main"

* Patch #32835: Make breadcrumbs of repository browser copy-paste friendly

h3. [SEO]

* Feature #31617: robots.txt: disallow crawling dynamically generated PDF documents

* Feature #33658: robots.txt: disallow crawling login, register, and lost password form

h3. [Text formatting]

* Defect #27780: Case-insensitive matching fails for Unicode filenames when referring to attachments in text formatting

* Feature #1575: Toolbar button to insert a table

* Feature #1718: Table column sorting

* Feature #32528: Make languages in Highlighted code button in toolbar customizable

h3. [Third-party libraries]

* Feature #33383: Update jQuery to 3.5.1

* Patch #33424: Update Tribute to 5.1.3

h3. [Time tracking]

* Defect #29838: Time logging via commit message does not work when the configured activity has been overridden on the project level

* Defect #33952: Spent time details are displayed in incorrect order when sorted by week and date

* Feature #32436: Add support for grouping by issue on timelog view

* Feature #33256: Show wiki toolbar for spent time custom fields with text formatting enabled

h3. [Translations]

* Defect #32828: Fix typos in Russian translation

* Defect #32857: Fix grammatical agreement in translation for "parent issue" in pt and pt-BR

* Defect #34456: Fix Japanese translation for less_than_x_seconds and less_than_x_minutes

* Patch #32238: Improvement of the German translation

* Patch #32380: Change Italian translation for "news"

* Patch #33403: Change Japanese translation for text_file_repository_writable

* Patch #33763: Change Japanese translation for field_onthefly

* Patch #34418: Unify the translation of the word "relation" in Czech

* Patch #34659: Change Traditional Chinese translation for "watch" and "watcher"

h3. [UI]

* Defect #33116: Successful deletion notice is not displayed after deleting some types of content

* Defect #33234: Vertical scroll bar in some browsers hide content

* Defect #34580: Custom field labels do not contain class "error" when the field value is invalid

* Defect #34805: Activity tab in cross-project menu is sometimes broken

* Feature #28392: Improve wiki headings style

* Feature #29285: Add "Assign to me" shortcut to issue edit form

* Feature #29473: Submit a form with Ctrl+Enter / Command+Return

* Feature #30459: Switch edit/preview tabs with keyboard shortcuts

* Feature #31589: Show warning and the reason when the issue cannot be closed because of open subtasks or blocking open issue(s)

* Feature #31887: Update jQuery UI to 1.12.1

* Feature #32764: Make form validation errors more obvious for users

* Feature #32976: Display avatar on add watcher dialog

* Feature #33167: "Add news" button in cross-project News tab

* Feature #33820: Auto complete wiki page links

* Feature #33908: Show an icon for a bookmarked project in the projects list

* Feature #34340: Make archived projects visually distinguishable in nested projects lists

* Feature #34417: Require explicit confirmation when deleting a user or a project

* Feature #34549: Add keyboard shortcuts for wiki toolbar buttons

* Feature #34703: "Copy link" feature for issue and issue journal

* Feature #34714: Move delete button for issues and journals to the dropdown menu

* Patch #34955: Update copyright year in the footer to 2021

h3. [UI - Responsive]

* Defect #33913: Input fields of the login form are too small in height on mobile

h3. [Wiki]

* Defect #31287: Ordering wiki pages should not be case sensitive

* Feature #32629: Add edit button to Wiki sidebar