These are all the changes for Zope 5, starting with the alpha releases, since the branch point at Zope 4.1.2.
The change log for the previous version, Zope 4, is at https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
- Fix version pin specifications for Python 3.6 compatibility. (#1036)
- Quote all components of a redirect URL (not only the path component) (#1027)
- Drop the convenience script generation from the buildout configuration in order to get rid of a lot of dependency version pins. These were only needed for maintainers who can install them manually. (#1019)
- Update to newest compatible versions of dependencies.
- Modify "manage_access" to allow users to switch from the compact view to the complete matrix view when more than 30 roles are defined. (#1039)
- Update to newest compatible versions of dependencies.
- Update
waitressto version 2.1.1 to mitigate a vulnerability in that package. Aswaitressno longer supports Python 3.6 it is not advised to run Zope on Python 3.6 any longer even though it still supports Python 3.6. Due to this security issue support for Python 3.6 is now officially deprecated. It will be removed with Zope version 5.7. - To run
bin/buildoutinside the Zope project nowzc.buildout >= 2.13.7orzc.buildout >= 3.0.0b1is required.
- Fix several exceptions when calling
ZPublisher.utils.fix_properties. - Update to newest compatible versions of dependencies.
- Enhance cookie support. For details, see #1010
- Use intermediate
strrepresentation for non-bytelike response data unless indicated differently by the content type. (#1006) - Use
zc.buildout 3.0rc2to install Zope to run its tests.
- Audit and fix all hyperlinks in code and documentation
- Change zope.org references to zope.dev due to ongoing domain ownership issues. zope.dev is owned by the Plone Foundation and thus safe from interference. XML/ZCML namespace URLs remain unchanged.
- Remove all links that are completely dead, such as the old zope.org Collectors issue trackers.
- Update all other miscellaneous links to make them work again or remove if the information is gone.
- Improve type guessing for the default WebDAV PUT factory (#997)
- Enable WebDAV PUT factories to change a newly created object's ID (#997)
- Fix potential race condition in
App.version_txt.getZopeVersion(#999) - Don't coerce file upload fields for adding DTML Documents/Methods to string. This makes the Add forms work again with the ZPublisher converter code changes.
- Remove deprecated ulines, utext, utokens, ustring from more code. In the properties form, show a deprecation warning.
- Add function
ZPublisher.utils.fix_properties. You can call this to fix lines properties to only contain strings, not bytes. It also replaces the deprecated property types ulines, utext, utoken, and ustring with their non-unicode variants. (#987) - Add support for Python 3.10.
- Update to newest compatible versions of dependencies.
- Reinstate simple sessioning with
Products.TemporaryFolderbecause the underlying issues withtempstoragehave been fixed. (#985) - Update the
AccessControlversion pin to fix a remote code execution issue (see AccessControl security advisory GHSA-qcx9-j53g-ccgf) - Prevent
DeprecationWarningsfrom moved imports inAccessControl - make sure "Manager" users can always modify proxy roles (see Products.PythonScripts#50)
- Deprecate usage of "unicode" converters. Also, the behavior of
field2linesis now aligned to the other converters and returns a list of strings instead of a list of bytes. (#962) - Update to newest compatible versions of dependencies.
- Prevent unauthorized traversal through authorized Python modules in TAL expressions
- Facelift the Zope logo. (#973)
- Update to newest compatible versions of dependencies.
- Prevent traversal to names starting with
_in TAL expressions and fix path expressions for thechameleon.talesexpression engine. - Provide friendlier ZMI error message for the Transaction Undo form (#964)
- Updated/fixed the poll application tutorial in the Zope Developers Guide (#958)
- Update to newest versions of dependencies.
- Depend on
zope.datetimefor the functionsiso8601_date,rfc850_date, andrfc1123_datewhich used to be inApp.Commonkeeping backwards-compatibility imports in place.
- With the exception of
field2bytes, field converters do no longer try to read file like objects (#558)
- Enforce Zope permissions during recursive XML-RPC data dumps (#954)
- The
compute_sizemethod properly returns None if the content does not have aget_sizemethod but the parent has. (#948) - Fix control panel tab links on all control panel pages
- Update to newest versions of dependencies.
- Replace (in
OFS) the deprecated directidaccess bygetIdcalls. (#903) - Update ZMI dependencies for Font Awesome, jQuery and bootstrap.
- Revise debug info GUI (#937)
- Convert
bytesHTTPResponseheader value tostrviaISO-8859-1(the default encoding ofHTTP/1.1). - Fix rendering of not found resources. (#933)
- Update to newest versions of dependencies.
- Exclude characters special for
chameleon's interpolation syntax (i.e.${}) from use in TALES path expressions to reduce the failure risk for thechameleoninterpolation heuristics (#925)
- Restore the ZMI Debug Information control panel page (#898)
- Fix ZMI visibility of pre elements in error log (Products.SiteErrorLog#26)
- Fix
lengthfor page template repeat variables (#913) - Update isort to version 5. (#892)
- Update to newest versions of dependencies.
- Drop support for Python 3.5 as it will run out of support soon. (#841)
- HTTP header encoding support (#905)
- Add support for Python 3.9.
- New interface
Products.PageTemplates.interfaces.IZopeAwareEngine. It can be used as the "provides" of an adapter registration to adapt a nonZopetales engine to an engine to be used byZopepage templates (#864). Currently, the adaptation is used only when the template is rendered withchameleon; withzope.pagetemplate, the engine is used as is - this may change in the future. - Allow (some) builtins as first element of a (TALES) path expression:
in an untrusted context, the builtins from
AccessControl.safe_builtinsare allowed; in a trusted context, all Python builtins are allowed in addition (and take precedence) (zope.tales#23). - Support the
attrspredefined template variable again (as far aschameleonallows it) (#860). - Use
Chameleon(>= 3.7.2) configuration to get better information for errors detected during template execution (#837).
- Provide a more senseful
OFS.SimpleItem.Item_w__name__.idto avoid bugs by use of deprecated directidaccess (as e.g. (#903). - Update to
zope.interface > 5.1.0to fix a memory leak. - Fix export of files with non-latin-1 compatible names (#890)
- Avoid unsolicited translations (#876)
- Make "chameleon-zope context wrapping" more faithful. (#873)
- Let "unicode conflict resolution" work for all templates (not just
ZopePageTemplate). (#872) - Make "Unicode Conflict Resolution" available for templates
rendered with
chameleon(Products.CMFPlone#3145). - Improve documentation of
CONTEXTSin the "Zope Book". - Decrease cookie size for copy/paste clipboard cookie (#854)
- Fix
defaultkeyword handling in page templates (#846) - Fix parsing of package version and show correct major version in the ZMI
- Improve solidity of the
debugErrormethod. (#829) - Fix that
ZTUtils.LazyFiltercould not be imported inside a restricted Python script. (#901)
- Add
pyupgradeviapre-commit(#859) - Add
tal:switchtest
- Pin
AccessControl4.2 for the Manage WebDAV Locks permission - Fix
HEADrequests on registered views (#816) - Improve
chameleon-->zope.talescontext wrapper (support for template variable injection) (#812). - Require
zope.tales>=5.0.2 - Fix issue 717 by fully honoring the engine returned by
PageTemplate.pt_getEngine(#717). The engine also decides about the use ofzope.tales(engine is an instance ofzope.pagetemplate.engine.ZopeBaseEngine) orchameleon.tales(otherwise) TALES expressions. - Fixed encoding issue of displayname WebDAV property (#797)
- Fixed fallback implementation of
manage_DAVget(#799)
- Update to newest versions of dependencies.
- Drop support for Python 2.7 aka Zope 5 cannot be run on Python 2 any more. If you are still running on Python 2.7 upgrade to the latest Zope 4 version first, migrate to Python 3 and than switch to Zope 5. (#692)
- Remove all backwards-compatibility code marked to go away in Zope 5 (#478)
- Drop support for running Zope with ZServer as it is Python 2 only. (#592)
- Remove deprecated
postProcessInputsrequest method. (#782) - Remove deprecated module
ZPublisher.maybe_lock. (#758) - Remove Help System methods from the product context. (#756)
- Remove more deprecated code. (#757)
- Updated Zope documentation sources for Zope 5. (#659)
- Restore WebDAV support in Zope. (#744)
- Enable WebDAV support independent of
ZServer. (#787) - Clean up and sanitize permissions used for WebDAV-related methods.
- Add
wsgi.file_wrapperimplementation https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling (#719)
- Only use
wsgi.file_wrapperfor response bodies with areadmethod. (#763) - Improve detection of HTTPS requests. (#680)
- Fix several ZMI links so they respect virtual hosting. (#788)
- Fix sort link URLs on
manage_main(#748) - More tests to make sure all
__str__implementations return native strings. (#692) - Fix longstanding test bug by forcing the page template engine.
Many tests in
Products.PageTemplatesused the old Zope page template engine because the correct one was not registered during setup. - Close opened db during shutdown (as ZServer is already doing). (#740)
- The method
unrestrictedTraverseraises an error when the argumentpathis not something it can work with. (#674) - Improve ZMI Security Tab usability for high numbers of roles. (#730)
- Some small ZMI rendering fixes. (#729)
- Fix error when using database minimize in the ZMI. (#726)
- Fix
__getattr__signature inUnauthorizedBinding. (#703) - Fix VirtualHostMonster not being able to set mappings under Python 3. (#708)
- Reduce the danger of acquiring built-in names on the ZMI Find tab. (#712)
- Restore the mistakenly removed Properties ZMI tab on Image objects (#706)
- Fix
OFS.Image.File.__str__forPdatacontents (#711) - Set
REMOTE_USERin wsgi environ using Zope user authentication (#713) - Add
Pasteasextras_requiredependency to pull inPastewhen installing with pip and constraints.txt to prevent startup errors. This requires adding the[wsgi]extra in the egg specification. (#734)
- Move retried request delay handling out of
supports_retry(#474) - Improve documentation for Zope's error logging services.