Index: openacs-4/packages/acs-core-docs/www/release-notes.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/release-notes.html,v diff -u -r1.61.2.8 -r1.61.2.9 --- openacs-4/packages/acs-core-docs/www/release-notes.html 1 Aug 2024 08:03:41 -0000 1.61.2.8 +++ openacs-4/packages/acs-core-docs/www/release-notes.html 2 Sep 2024 09:40:23 -0000 1.61.2.9 @@ -1,42 +1,1684 @@ -
- The release of OpenACS 5.10.1 contains the 97 packages of the oacs-5-10 - branch. These packages include the OpenACS core packages, the major - application packages (e.g. most the ones used on OpenACS.org), and - DotLRN 2.10.1. -
Improved templating -
Client-side double click prevention
Support for generic icon names, which can be mapped differently depending on the installed packages and themes: The generic names are supported via <adp:icon name="NAME" title=....>
. By using this feature, one can use font-based icons (like e.g. glyphicons of Bootstrap5, bootstrap-icons, fa-icons, ...) instead of the old-style .gif and .png images. This makes the appearance more uniform, has better resizing behavior, and works more efficiently (fewer requests for embedded resources). Most of the occurrences of the old-style images in standard core and non-core packages in oacs-5-10 are already replaced.
Support for listing registered URNs
-
Security improvements -
Stronger password hashes (scram-sha-256
hash in addition to the classical salted-sha1
)
Added optional CSP rules based on MIME types. This is important for user-contributed content. When users upload e.g. SVG-files to the file storage, and the content is served from there, it poses a potential security hole. One can now define an additional parameter called StaticCSP
in the section ns/server/$server/acs
of the OpenACS configuration file to deactivate execution of script files from static content.
- ns_param StaticCSP { - image/svg+xml "script-src 'none'" - } -
Cookie-Namespace: When multiple OpenACS instances are served from the same domain name, the same cookies (e.g. ad_session_id, ad_login, ...) are set to all servers. For sensible cases, a cookie-namespace can be used, which can be used as a replacement of the traditional ad_
prefix. This can be as well set in the section ns/server/$server/acs
of the OpenACS configuration file:
- # Provide optionally a different cookie namespace - # (used for prefixing OpenACS cookies) - ns_param CookieNamespace "ad_" -
-
Further reduce divergence between Oracle and Postgres SQL. Target version of Oracle could be 12.*, as Extended support ends in 2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf) -
limit / rownum -> fetch first
use Postgres schemas for stored procedures so that they can be invoked with the same Oracle idiom
-
Deprecated commands -
acs_message_id contract filter
acs_privacy::*
acs_tcl_vars_list_to_ns_set
acs_tcl_vars_to_ns_set
ad_apply
ad_approval_system_inuse_p
ad_dateentrywidget
ad_db_select_widget
ad_decorate_top
ad_ns_set_to_tcl_vars
ad_package_admin_home
ad_parameter_all_values_as_list
ad_user_class_description
apm_file_type_keys
application_group::child_application_groups
attachments::root_folder_map_p
bulk_mail::parameter
bulk_mail::pretty_name
calendar_portlet_display::get_url_stub
calendar::adjust_date
calendar::assign_permissions
calendar::from_sql_datetime
calendar::item::assign_permission
calendar::make_datetime
content::revision::update_attribute_index
dotlrn_chat::add_portlet_helper
dt_widget_*
export_entire_form
export_entire_form_as_url_vars
export_ns_set_vars
f::*
API that cannot be replaced by a drop-in alternative
forum::new_questions_allowed_p
forum::new_questions_allow
forum::new_questions_deny
fs::add_created_version
fs::get_archive_extension
fs::get_folder_contents
fs::item_editable_info
fs::torrent::get_hashsum
notification::get_delivery_method_id
notification::get_interval_id
oacs_util::vars_to_ns_set
template::adp_levels
template::form::export
template::util::array_to_vars
template::util::is_true
template::util::list_to_array
template::util::list_opts
template::util::nvl
template::util::tcl_to_sql_list
template::util::set_to_list
template::util::set_to_vars
template::util::vars_to_array
twt::server_url
twt::user::create
twt::user::delete
util_AnsiDatetoPrettyDate
util_commify_number
util_get_current_url
util_list_to_ns_set
util_ns_set_to_list
util_report_successful_library_load
util_report_library_entry
util::string_check_urlsafe
Color widget API
...
New proc ad_log_deprecated
: unified interface for logging deprecated usages The existing code used a larger variety of different messages to denote invocations of deprecated procs and other artifacts. ad_log_deprecated
provides a unified interface, and provides a usage hint what to use instead based on the API-doc definitions in the log-file.
Move deprecated code into separate files
Give people the chance to use OpenACS with WithDeprecatedCode
set to 0. When OpenACS is configured to omit loading of long deprecated code (WithDeprecatedCode
set to 0) files like deprecated-procs.tcl are not loaded. Therefore, these files should only contain code, which was deprecated at LEAST ONE RELEASE EARLIER, such that site admins have one release time to fix calls to deprecated code. This is especially important for public procs.
-
General cleanup/maintenance -
Modernization of Tcl idioms.
Compliance of files, proc names, ... to the naming conventions.
White space cleanup, indentation changes.
Improvement of public API documentation
Adjustment of proc protection levels (public, private)
Adjustment of log severity
Cleanup of obsolete files
Replacement of handcrafted forms by ad_form
Typo fixing
Editor hints
Replacement of deprecated calls
Addition of missing contracts
...
-
New Packages: -
openacs-bootstrap5: Bootstrap 5 theme for OpenACS
bootstrap-icons: Free, high-quality, open-source icon library with over 1,600 icons. Include them anyway you like—SVGs, SVG sprite, or web fonts. Use them with or without Bootstrap in any project
fa-icons: Free, high-quality, open-source icon library with over 2,000 free icons. As of 2020, Font Awesome was used by 38% of sites that use third-party font scripts, placing Font Awesome in second place after Google Fonts
highcharts: The Highcharts library is a JavaScript and TypeScript package for producing data visualizations (line/bar/pie charts etc.). The OpenACS package offers support to load this library either via CDN or from a local installation (via acs-admin and global administration UI)
-
Migrate to bootstrap 5. Bootstrap 3 reached EOL in 2019, Bootstrap 4 had EOL 2022. See https://github.com/twbs/release
Potential incompatibility with OpenACS 5.10.0: "permission::permission_p" returns Boolean values as "t" and "f" and not "1" and "0". Avoid literal comparisons of the result and use boolean tests available in Tcl/OpenACS.
Support for fresh installations on Oracle 19c.
Require NaviServer (i.e. drop AOLserver support). AOLserver cannot be compiled with the required modules with recent Tcl versions. Trying to backport NaviServer compatibility functions seems to be an overkill for the OpenACS project.
Require Tcl 8.6, XOTcl 2.1, PostgreSQL 11 (PostgreSQL 10 EOL: November 2022), tdom 0.9
Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the +
+ The release of OpenACS 5.10.1 contains the 94 packages of the + oacs-5-10 branch. These packages include the OpenACS core packages, + the major application packages (e.g. most the ones used on + OpenACS.org), and DotLRN 2.10.1. +
Altogether, OpenACS 5.10.1 differs from OpenACS 5.10.0 by the following statistics
- 2886 files changed, 197060 insertions(+), 182613 deletions(-) -
- contributed by 6 committers (Antonio Pisano, Gustaf Neumann, Günter Ernst, Héctor Romojaro, Raúl Rodríguez, Thomas Renner) and additional 7 patch/bugfix providers (Felix Mödritscher, Frank Bergmann, Franz Penz, Markus Moser, Marty Israelsen, Monika Andergassen, Sebastian Scheder). + 3027 files changed, 428212 insertions(+), 219697 deletions(-)
- All packages of - the release were tested with PostgreSQL 13.* and Tcl 8.6.*. + contributed by 8 committers (Antonio Pisano, + Gustaf Neumann, + Günter Ernst, + Héctor Romojaro, + Michael Aram, + Raúl Rodríguez, + Sebastian Scheder, and + Thomas Renner) + and additional 8 patch/bugfix providers (Felix Mödritscher, + Frank Bergmann, + Franz Penz, + Josue Cardona, + Keith Paskett, + Markus Moser, + Marty Israelsen, and + Monika Andergassen) - all sorted by the first names.
- For more details, consult the + In terms of changes, this is the largest amount of changes at + least since the release of OpenACS 5.9.0. + Below is a summary of the most important changes, often + together with the commit references in Git. The summary was + made on subjective criteria, to get an overview of the + changes. +
+ For all details, consult the raw ChangeLog. -
+
+ Security and Privacy Posture + Overview: As expressed as a wish from OpenACS users + at the last OpenACS conference, a “Security and Privacy + Posture Overview” was added that offers a quick + overview of the state of the system and eases access to the + parameters scattered over different packages in the system. + The page offers: +
/acs-admin
).
+ +
+ Stronger Password Hashes for + OpenACS (commit fe2bdb547, 8eee6a932, 52d2c997e, + 62d969c85): Introduction of new password hash functions + alongside the pre-existing “salted-sha1”. The new + algorithms are named “scram-sha-256”, + “scrypt-16384-8-1”, + “argon2-argon2-12288-3-1”, + “argon2-rfc9106-high-mem”, and + “argon2-rfc9106-low-mem”. These algorithms can be + specified via the kernel package parameter + “PasswordHashAlgorithm”. The algorithms require a + recent version of NaviServer and a recent version of OpenSSL, + which serves as a crypto library. This feature enhances + security against brute-force attacks on password hashes (when + db is compromised). Preferences of the password hash + algorithms can be set via kernel package parameter + “PasswordHashAlgorithm”, the first available + algorithm is taken from the preference list, hash re-coding + happens automatically at the next login. +
+ Setting of CSP rules based on MIME
+ types (commit 6bc253f1e, commit 94b8513ae). This is
+ necessary to mitigate certain attacks on static SVG files
+ uploaded to, e.g., the content repository. For example, set
+ the following to the ns/server/$server/acs
+ section of your NaviServer configuration file:
+
+ ns_param StaticCSP { + image/svg+xml "script-src 'none'" + } +
+ Support for generic icon
+ names Support for generic icon names, which can
+ be mapped differently depending on the installed packages
+ and themes. The support provides a mapping from a set of
+ generic names to the names provided by different libraries
+ sich as Glyph Icons, Bootstrap Icons, Font-Awsome. The
+ provided support can be inspected on the site-wide page of
+ acs-templating
.
+
The generic names can be used via the special tag <adp:icon
+ name="NAME" title=....>
in .adp-files. By
+ using this feature, one can use font-based icons (like
+ e.g. glyphicons of Bootstrap5, bootstrap-icons, fa-icons,
+ ...) instead of the old-style .gif and .png images. This
+ makes the appearance more uniform, has better resizing
+ behavior, and works more efficiently (fewer requests for
+ embedded resources). Most of the occurrences of the
+ old-style images in standard core and non-core packages in
+ oacs-5-10 are already replaced. (commit c129c89ec,
+ 996740672, e9cae22dc, c7705c68b, a85ea7301, 58ad43055,
+ 737da5514, a05813ec7, 110b2f5d6, 7011c8fd9, 286fd9e58,
+ 927d9d5ef)
+
+
+ Better Automated Site
+ Configurability: Support for installing themes from
+ install.xml
(commit 2f9761160).
+
+ Dynamic Cluster Nodes and Cluster + Infrastructure (commit 5738761db, 7cbc3e63c, + 1a7a7656c, 3faceddc4, 5fba13c0f, 7cbc3e63c, 3faceddc4, + 1a7a7656c): Added support for dynamically adding and removal + of nodes in an OpenACS cluster. In contrast to static cluster + nodes, the IP addresses of dynamic cluster nodes do not have + to be provided at startup time. The changes introduce new + admin pages and further configuration options. +
+ Optional Caching Deactivation
+ (commit 75c3f2b25): It is possible to deactivate caching via
+ the ns_cache
infrastructure when the
+ NaviServer configuration variable
+ cachingmode
is set to
+ none
. The change modifies
+ per_thread_cache
to behave like a
+ per_connection_cache
. This option is useful
+ for cluster configurations, when legacy components do not
+ handle cache coherency (e.g. via
+ acs::clusterwide
)
+
+ Support for Cloud Identity
+ Providers (commit e506dee05, fd7af8d17, 06954d83b).
+ Additional Identity providers can be added as secondary
+ registries (e.g., MS Azure via oauth2), to support e.g. logins
+ via the classical register
page and via a
+ cloud registry (requires package xooauth for full
+ functionality)
+
+ Client-side double click + prevention: This change makes it possible to + provide a double click prevention for HTML elements via the + CSS class “prevent-double-click”. The double + click prevention deactivates a button or an anchor element + after clicking for a short time (per default for 1s) and + ignores in this time window further clicks. The time window + can be specified via the data element oacs-timeout. (commit + 5f2edeec2a9a831, 916d365aa11f2d) +
+ Cookie Namespaces (commit + ce1573ed8): Important, when multiple OpenACS instances are + served from the same domain name, but different cookies have + to be used. +
lc_time_tz_convert
: Enforce ISO format for
+ dates and other changes (commit 9a5b5cd97).
+ template::element
validation reform to
+ improve validation on fields (commit 87919f923).
+ + Streamlined resource_info handling by adding versioning and + better management of external library dependencies. External + libraries can be used from CDN or downloaded, the versions are + checked for vulnerabilities, which are reported via posture + overview and package-specific site-wide admin pages. +
CSSToolkit
and
+ IconSet
for acs-subsite
+ (commit fc56a275b).
+ ad_html_security_check
configurable
+ (commit bc63ee424).
+ update_content-lob.set_content
(commit
+ a3effac23, 4ce8e9fae).
+ ad_acs_admin_node
+ (commit 34a823c51).
+ ad_approval_system_inuse_p
+ implementation (commit bd8afdeeb).
+ db_multirow_group_last_row_p
+ (commit aafd1db58).
+ ns_parseurl
in
+ util::split_location
(commit aee571ad1).
+ db_driverkey
when OpenACS
+ connects to multiple databases, involving the removal of
+ per-thread caching (commit 18e656b00).
+ version_dir
handling
+ for download of external resources (commit 8e9a6a5c8).
+ db_foreach
with
+ -column_set
flag (commit 95e8970d7).
+ ad_mktmpdir
and
+ ad_opentmpfile
(commit a10b55d3d).
+ parametersecret
is
+ not set (commit 0ec8f0183).
+ ad_html_security_check
+ based on ns_parsehtml
(commit
+ 387f3de3e).
+ ns_trim -prefix
(commit 500099e0).
+ ad_page_contract
filter
+ object type (commit 2f9d127a0).
+ clock
page contract
+ filter (commit 5544faffc).
+ tmpfile
page contract
+ filter (commit 1a179e9bc).
+ ad_log_deprecated
+ for unified logging of deprecated usages (commit
+ 0e03b3358).
+ util::join_location
usable for UDP
+ and SMTP (commit 01b5c0d61).
+ ad_unless_script_abort
,
+ aa_silence_log_entries
, and
+ util::json2dict
to enhance error
+ handling and logging cleanliness (commit aeb027aeb,
+ f455d60c6, e9298cf02).
+ + For a description of all packages, see: + https://openacs.org/repository/5-10/ + +
util_commify_number,
with
+ lc_numeric
(518e1b34)
+ calendar::adjust_date
-> inlined the
+ one occurrence (fbd97314)
+ calendar::from_sql_datetime
,
+ calendar::make_datetime
-> not used
+ upstream, superseded by modern clock idioms and HTML5
+ features (bccd1c3a, 7264a2fe)
+ cal_outlook_gmt_sql
-> last usage in
+ the codebase 2002 (1ee22f96)
+ calendar::item::assign_permission
.
+ calendar::assign_permissions
->
+ trivial wrappers over the permission api (a1ddaed5,
+ f174fd12)
+ template::util::is_true
with inline
+ string idiom (f2604994)
+
+ +
site_node::
(commit 4d025e63)
+
+ site_node::
(39bcaf3f)
+
+ ns_quotehtml
(commit 4476e815)
+
+ notification::get_interval_id
+ with
+ notification::interval::get_id_from_name
+ (commit 871dd502)
+
+ notification::get_delivery_method_id
+ with
+ notification::delivery::get_id
+ (commit a9760fc4)
+
+ template::util::is_true
with
+ [string is true -strict $value]
+ (commit 38981891)
+
+ util_commify_number
with
+ lc_numeric
(commit 7c14688e)
+
+ twt::user::create
and
+ twt::user::delete
with the
+ respective acs::test::user::
+ counterparts (commit dea8673e)
+
+ template::util::nvl
(commit
+ 0775f434, 73b52fba)
+
+ acs_privacy::
(commit d31c3b6f,
+ 9ae5aa4a)
+
+ bulk_mail::parameter
with
+ parameter::get
(commit b10c5f26)
+
+ forum::new_questions_deny
and
+ forum::new_questions_allow
with
+ permission::grant
(commit
+ 4880f884)
+
+ bulk_mail::pretty_name
+ with parameter::get
(commit b6b7aec1)
+
+ notification::get_interval_id
+ with
+ notification::interval::get_id_from_name
+ (commit d77b24b7)
+
+ notification::get_delivery_method_id
+ with
+ notification::delivery::get_id
+ (commit 075b8adc)
+
+ ns_mktemp
with
+ ad_tmpnam
(commit f5fd2c96)
+
+ util_commify_number
with
+ lc_numeric
(commit 990b0b0a)
+
+ notification::get_interval_id
+ with
+ notification::interval::get_id_from_name
+ (commit 586cc6ae)
+
+ notification::get_delivery_method_id
+ with
+ notification::delivery::get_id
+ (28661484)
+
+ export_ns_set_vars
with
+ export_vars
(commit e8ab835d)
+
+ dotlrn-portlet
(e.g., commit
+ dcfe916b, 712e8793, 59ec97b0)
+
+ twt::user::create
+ and twt::user::delete
with their
+ acs::test::user:: counterpart (27286797)
+
+ rp_form_put
with plain ns_set
+ idioms (d7deda66)
+
+ fs::get_file_package_id
more robust
+ to cases where the package_id is not set on the object
+ itself (bbbbf93b)
+
+ template::util::tcl_to_sql_list
with
+ NaviServer own ns_dbquotelist
+ (8b1a62d0)
+
+ twt::user::create
+ and twt::user::delete
with their
+ acs::test::user:: counterpart (cbc632d0)
+
+ ad_tmpnam
with
+ ad_opentmpfile
and
+ ad_mktmpdir
, safer from race
+ conditions (576d51a1, 8a9ac2b9)
+
+ fs::add_created_version
-> behavior
+ specific to this proc was to
+ fs::add_version
, largely similar
+ (815cbaae)
+
+ fs::torrent::get_hashsum
-> superseded
+ by NaviServer ns_md
command (aaf2751d)
+
+ fs::item_editable_p
,
+ fs::item_editable_info
-> Unused,
+ unclear usefulness (86cd3917)
+
+ fs::get_archive_extension
-> trivial
+ wrapper over the parameter api (aa63e153)
+
+ fs::get_folder_contents
-> Not used in
+ the codebase, same result can be achieved with other api
+ (72e444b8)
+
+ template::util::get_opts
(16b22e9e)
+
+ template::util::is_true
with inline
+ string idiom (88c779b5)
+
+ export_ns_set_vars
+ with alternative idioms (4892cc8d)
+
+ ad_convert_to_html
+ with ad_html_text_convert
(e48e5624)
+
+ signed
(commit
+ 1ce581a)
+
+ oneof
(commits
+ 58bc938, 2dbadad, 65575bf, 58bc938).
+
+ cr_item_of_package
+ (commit 6fc46f3)
+
+ ns_set
in
+ database “sets” method (commit 158a831)
+
+ ns_set
storage more eager (when
+ e.g. large queries are used in longer loops) (commit
+ 3d6b05a)
+
+ form_parameter
specs with
+ value checkers added (commit 64bb847).
+
+ xowiki::bootstrap::card
for
+ increased configurability (commits 97685004, 4e09efa9,
+ 136edcc5).
+
+ www-delete
and
+ www-toggle-publish-status
with
+ return_url
for workflow-specific behavior
+ (commit abba6cd1).
+
+ PackageInitParameter
for
+ instance-specific package behavior (commit cc5b9959).
+
+ parameter_name:value_constraint
to
+ xowiki::Package.get_parameter
(commit
+ 9df95cb3).
+
+ acs::test::xpath::get_form_values
proc
+ (commit f495cac3).
+
+ create_form_with_form_instance
automated
+ test (commit a9a37dcc).
+
+ parent_id
== 0 (commit 7637ff52).
+
+ Page.create_form_page_instance
+ (commit c0ee21d6).
+
+ ad_log_deprecated
(commit 56d4b9d5).
+
+ menu-Clipboard-Copy
(commit ba901036).
+
+ xo::db::sql
to
+ acs::dc
interface (Commit a2d4688).
+
+
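Review bot: The added "Cookie Namespaces (commit ce1573ed8)" entry no longer tells the admin how to enable the feature. The removed text named the parameter and its location (`ns_param CookieNamespace "ad_"` in the `ns/server/$server/acs` section), while the new entry only states when namespaces matter. Suggest carrying the parameter name and section over, as the StaticCSP entry does with its `ns_param StaticCSP` example. In the "Stronger Password Hashes" entry, the kernel parameter "PasswordHashAlgorithm" is introduced twice, once as selecting an algorithm and once as a preference list. Merging these into one sentence that says it is a preference list and that the first available algorithm is used would make it clearer that existing salted-sha1 hashes stay in place until each user's next login. Smaller points: "sich as" and "Font-Awsome" in the generic icon names entry are typos. The Dynamic Cluster Nodes entry lists commits 7cbc3e63c, 3faceddc4 and 1a7a7656c twice, and the "oneof" entry lists 58bc938 twice.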