This file contains change information for the current Zope release. Change information for previous versions of Zope can be found at

2.13.31 (unreleased)

  • TBD

2.13.30 (2020-02-14)

2.13.29 (2019-02-09)

Security related fixes

  • HTTPRequest.text() now obscures values of fields those name contain the string passw in the same way HTTPRequest.__str__ already did. (#375)

Backwards incompatible changes

  • Drop support for Python 2.6. This means it is no longer tested from now on. (#475)


  • Add support for IPv6 hosts in VirtualHostMonster. (#395)
  • Enable ZMI History tab for OFS.Image.File. (#396)

2.13.28 (2018-04-23)

  • Add OFS.CopySupport.CopyContainer._pasteObjects() to be able to paste objects no matter how many objects where cut or copied. (#217)

2.13.27 (2018-01-27)

  • Test that str.format checks security for accessed keys and items. The real fix is in the AccessControl package. Part of PloneHotfix20171128.
  • Made Redirect unavailable as URL. Part of PloneHotfix20171128.
  • Skip IPv6 tests on Travis, as it is not supported.
  • Add tox test configuration.
  • Set explicit PyPI index URL, the old zc.buildout defaults no longer work.
  • Pin pytz to prevent unit test failures from DateTime.
  • Fix virtualenv based installation docs.
  • Explicitly require Manager role for AltDatabaseManager. [maurits]

2.13.26 (2017-02-20)

  • In str.format, check the security for attributes that are accessed. Part of PloneHotfix20170117. [maurits]
  • Fixed reflective XSS in findResult. This applies PloneHotfix20170117. [maurits]

2.13.25 (2017-01-13)

  • Add a dependency on the empty ZServer project.
  • Patch zope.interface to remove docstrings and avoid publishing. From Products.PloneHotfix20161129. [maurits]
  • Don’t copy items the user is not allowed to view. From Products.PloneHotfix20161129. [maurits]
  • Quote variables in manage_tabs and manage_container to avoid XSS. From Products.PloneHotfix20160830. [maurits]
  • Add a dependency on the empty Products.TemporaryFolder project.
  • Add a dependency on the empty Products.Sessions project.
  • Removed docstrings from some methods to avoid publishing them. From Products.PloneHotfix20160419. [maurits]
  • Add support to SameSite cookie in ZPublisher.HTTPResponse:

2.13.24 (2016-02-29)

  • Issue #44: Ensure that iterators declared as implementing IUnboundStreamIterator are handled properly.
  • Issue #43: Fix Zope failing to start if a zoperunner is configured.
  • PR #51: Harden debug control panel’s module-crawling against trickery performed by six.
  • Issue #34: Fix NameError exception for WindowsError which could happen on non-windows systems.
  • Updated distributions:
    • AccessControl = 2.13.14

2.13.23 (2015-06-29)

  • Provide a pip-compatible requirements.txt file for the release. E.g.:

    $ /path/to/venv/bin/pip install -r \
  • LP #789863: Ensure that Request objects cannot be published / traversed directly via a URL.

  • Issue #27: Fix publishing of ZPublisher.Iterators.IStreamIterator under WSGI. This interface does not have seek or tell. Introduce ZPublisher.Iterators.IUnboundStreamIterator to support publishing iterators of unknown length under WSGI.

  • Document running Zope as a WSGI application. See

  • LP #1465432: Ensure that WSGIPublisher starts / ends interaction at request boundaries (analogous to ZPublisher). Backport from master.

  • Fix: Queue additional warning filters at the beginning of the queue in order to allow overrides.

  • Issue #16: prevent leaked connections when broken EndRequestEvent subscribers raise exceptions.

  • LP #1387225: Zope 2.13.x w/ zope.browserpage 4.x doesn’t start.

  • LP #1387138: Zope 2.13.x w/ zope.pagetemplate 4.x doesn’t start.

  • LP #1386795: Fix zopectl start with zdaemon 3 and newer.

  • Updated distributions:

    • Acquisition = 2.13.9
    • DateTime = 2.12.8
    • Products.BTreeFolder2 = 2.13.5
    • Products.ExternalMethod = 2.13.1
    • Products.Mailhost = 2.13.2
    • Products.StandardCacheManagers = 2.13.1
    • ZConfig = 2.9.3
    • zLOG = 2.11.2
    • zope.dublincore = 3.7.1
    • zope.mkzeoinstance = 3.9.6

2.13.22 (2014-02-19)

  • Merge hotfixes from
  • LP #143352: Logging of client IP rather than the IP of the Proxy. Please be aware that this only logs the real client ips to Z2.log, if you set you proxy as a trusted-proxy in zope.conf.
  • Updated distributions:
    • Products.ZCatalog = 2.13.27
    • Products.ZCTextIndex = 2.13.5

2.13.21 (2013-07-16)

  • LP #1095343: Prevent sandbox escape via BaseRequest.traverseName.
  • LP #1094144: Prevent arbitrary redirections via faked “CANCEL” buttons.
  • LP #1094221: Add permissions to some unprotected methods of OFS.ObjectManager.
  • LP #1094049: Prevent zlib-based DoS when parsing the cookie containing paste tokens.
  • Updated distributions:
    • AccessControl = 2.13.13

2.13.20 (2013-05-01)

  • LP #1114688: Defend against minidom-based DoS in webdav. (Patch from Christian Heimes).
  • LP #978980: Protect views of ZPT source with ‘View Management Screens’ permision.
  • Make sure the generated classes for simple browser pages (SimpleViewClasses) have a str __name__. See LP #1129030.
  • In PageTemplate.pt_errors accept the check_macro_expansion argument. This is added for compatibility with zope.pagetemplate 4.0.0. The argument is ignored. See LP #732972.
  • Updated to Zope Toolkit 1.0.8.
  • Updated distributions:
    • Products.ZCTextIndex = 2.13.4
    • ZConfig = 2.9.1

2.13.19 (2012-10-31)

  • Updated distributions:
    • AccessControl = 2.13.12
    • distribute = 0.6.29
    • mr.developer = 1.22
    • pytz = 2012g
    • repoze.retry = 1.2
    • repoze.tm2 = 1.0
    • tempstorage = 2.12.2
  • LP #1071067: Use a stronger random number generator and a constant time comparison function.
  • LP #1061247: Fix ZMI properties edit form for properties named method.
  • LP #1058049: Fix support for zoperunner section in zope.conf.
  • Explicitly close all databases on shutdown, which ensures Data.fs.index gets written to the file system.
  • LP #930812: Scrub headers a bit more.
  • Fix lock and pid file handling on Windows. On other platforms starting Zope tolerated existing or locked files, this now also works on Windows.

2.13.18 (2012-09-18)

  • Explicitly declared ZTUtils APIs as public (repairs breakages in apps following fix for LP #1047318).

2.13.17 (2012-09-09)

  • Updated distributions:
    • AccessControl = 2.13.10
    • Products.PythonScripts = 2.13.2

2.13.16 (2012-08-11)

  • Updated distributions:
    • AccessControl = 2.13.8
    • DateTime = 2.12.7
  • OFS: Fixed TypeError handling in unrestrictedTraverse.
  • ZPublisher: Do not assume that you can iterate over a publishable object.
  • ZPublisher: Do not guess it is a webdav request if the HTTP method is purge.

2.13.15 (2012-06-22)

  • Fix lock file cleanup if there’s an error early in startup.
  • Updated distributions:
    • zdaemon = 2.0.7

2.13.14 (2012-05-31)

  • LP #950689: Fix HTTPS detection under mod_wsgi.
  • LP #975039: Don’t translate interface names in edit_markers ZMI view.
  • LP #838978: Fixed TypeError in cache_detail ZMI view.
  • Cleanup lock and pid files if the process dies early in startup.
  • Added PubStart, PubBeforeCommit and PubAfterTraversal events to the WSGI publisher.
  • ZPublisher: Fixed a traversal regression introduced in 2.13.12.
  • Updated to Zope Toolkit 1.0.7.
  • Updated distributions:
    • Products.ZCatalog = 2.13.23

2.13.13 (2012-02-20)

  • LP #933307: Fixed ++skin++ namespace handling. Ported the shiftNameToApplication implementation from zope.publisher to ZPublisher.HTTPRequest.HTTPRequest.
  • Ensure that the WSGIPublisher begins and ends an interaction at the request/response barrier. This is required for instance for the checkPermission call to function without an explicit interaction parameter.
  • Ensure that ObjectManager’s get and __getitem__ methods return only “items” (no attributes / methods from the class or from acquisition). Thanks to Richard Mitchell at Netsight for the report.
  • Updated to Zope Toolkit 1.0.6.
  • Removed HTML tags from exception text of Unauthorized exception because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed.

2.13.12 (2012-01-18)

  • Prevent a cross-site-scripting attack against the default standard error message handling. (CVE-2010-1104).
  • Use in operator instead of deprecated has_key method (which is not implemented by OFS.ObjectManager). This fixes an issue with WebDAV requests for skin objects.
  • Updated distributions:
    • Products.ZCatalog = 2.13.22

2.13.11 (2011-12-12)

  • LP #1079238: Turn UndoSupport.get_request_var_or_attr helper into a private API.
  • LP #902068: Fixed missing security declaration for ObjectManager class.
  • Avoid conflicting signal registrations when run under mod_wsgi. Allows the use of WSGIRestrictSignal Off (LP #681853).
  • Make it possible to use WSGI without repoze.who.
  • Fixed serious authentication vulnerability in stock configuration.
  • Updated distributions:
    • AccessControl = 2.13.7
    • DocumentTemplate = 2.13.2
    • Products.BTreeFolder2 = 2.13.4
    • python-gettext = 1.2
    • repoze.who = 2.0
    • ZODB3 = 3.10.5
    • Zope Toolkit 1.0.5

2.13.10 (2011-10-04)

  • Fixed serious arbitrary code execution issue (CVE 2011-3587)
  • Fixed a regression of 2.13.9 in webdav support that broke external editor feature.
  • undoMultiple was still broken as transactions were not undone in the proper order : tids were stored and retrieved as dictionary keys.
  • Updated distributions:
    • Products.ZCatalog = 2.13.20

2.13.9 (2011-08-20)

Bugs Fixed

  • Restore ability to undo multiple transactions from the ZMI by using the undoMultiple API. Backported from trunk (r122087).
  • Fixed Chameleon compatibility in templates.
  • Updated distributions:
    • Products.ZCatalog = 2.13.19
    • Products.ZCTextIndex = 2.13.3
    • repoze.tm2 = 1.0b2
    • Zope Toolkit 1.0.4

2.13.8 (2011-06-28)

Bugs Fixed

  • Fixed a serious privilege escalation issue. For more information see:
  • Ensure __name__ is not None as well as __name__ existing. For example, object could be a widget within a z3c.form MultiWidget, which do not have __name__ set.
  • Testing: Re-added ‘extra’ argument to Functional.publish. Removing it in Zope 2.13.0a1 did break backwards compatibility.
  • LP #787541: Fix WSGIPublisher to close requests on abort unconditionally. Previously an addAfterCommitHook was used, but this is not run on transaction aborts. Now a Synchronizer is used which unconditionally closes the request after a transaction is finished.

Features Added

  • Updated distributions:
    • Acquisition = 2.13.8
    • Products.ZCatalog = 2.13.14
    • repoze.who = 2.0b1
    • ZODB3 = 3.10.3
    • Zope Toolkit 1.0.3

2.13.7 (2011-05-08)

Features Added

  • Added forward compatibility with DateTime 3.
  • ZPublisher: HTTPResponse.appendHeader now keeps header values to a single line by default to avoid causing problems for proxy servers which do not correctly handle multi-line headers.
  • Updated distributions:
    • Products.ZCatalog = 2.13.13
    • Products.ZCTextIndex = 2.13.2

2.13.6 (2011-04-03)

Bugs Fixed

  • Fix WSGIResponse and publish_module functions such that they support the IStreamIterator interface in addition to file (as supported by ZServer.HTTPResponse).
  • Corrected copyright information shown in the ZMI.
  • OFS: Fixed editing offset-naive ‘date’ properties in the ZMI. The “Properties” tab no longer shows the time zone of offset-naive dates.

Features Added

  • Add preliminary IPv6 support to ZServer.
  • Updated to Zope Toolkit 1.0.2.
  • Updated distributions:
    • Acquisition = 2.13.7
    • mechanize = 0.2.5
    • Products.BTreeFolder2 = 2.13.3
    • Products.ZCatalog = 2.13.8
    • python-gettext = 1.1.1
    • pytz = 2011e
    • repoze.tm2 = 1.0b1
    • repoze.who = 2.0a4
    • ZConfig = 2.9.0
    • zope.testbrowser = 3.11.1

2.13.5 (2011-02-23)

Bugs Fixed

  • Five: Corrected a method name in the IReadInterface interface.

Features Added

  • Updated distributions:
    • Acquisition = 2.13.6
    • Products.ZCatalog = 2.13.6
    • ZODB3 = 3.10.2

2.13.4 (2011-02-06)

Bugs Fixed

  • Applied missing bit of the code merge for LP #713253.

2.13.3 (2011-02-06)

Features Added

  • Updated distributions:
    • Products.ZCatalog = 2.13.5

Bugs Fixed

  • LP #713253: Prevent publication of acquired attributes, where the acquired object does not have a docstring.

2.13.2 (2011-01-19)

Bugs Fixed

  • HelpSys: Fixed some permission checks.
  • OFS: Fixed permission check in ObjectManager.
  • webdav: Fixed permission check and error handling in DeleteCollection.
  • LP 686664: WebDAV Lock Manager ZMI view wasn’t accessible.

Features Added

  • Report success or failure (when known) of creating a new user with the addzope2user script.
  • Added addzope2user script, suitable for adding an admin user directly to the root acl_users folder.
  • Updated distributions:
    • AccessControl = 2.13.4
    • Products.ZCatalog = 2.13.3


  • Factored out the Products.ZCatalog and Products.PluginIndexes packages into a new Products.ZCatalog distribution.

2.13.1 (2010-12-07)

Bugs Fixed

  • Fixed argument parsing for entrypoint based zopectl commands.
  • Fixed the usage of pstats.Stats() output stream. The Control_Panel/DebugInfo/manage_profile ZMI view was broken in Python 2.5+.

Features Added

  • Report success or failure (when known) of creating a new user with the addzope2user script.
  • Moved subset id calculation in OFS.OrderSupport.moveObjectsByDelta to a new helper method, patch by Tom Gross.
  • Updated to Zope Toolkit 1.0.1.
  • Use cProfile where possible for the Control_Panel/DebugInfo/manage_profile ZMI view.


  • Stopped testing non-overridden ZTK eggs in bin/alltests.

2.13.0 (2010-11-05)

  • No changes.

2.13.0c1 (2010-10-28)

Bugs Fixed

  • LP #628448: Fix zopectl start on non-Windows platforms.

Features Added

  • Updated to Zope Toolkit 1.0.
  • Updated distributions:
    • DateTime = 2.12.6
    • mechanize = 0.2.3
    • ZODB3 = 3.10.1
    • zope.sendmail = 3.7.4
    • zope.testbrowser = 3.10.3

2.13.0b1 (2010-10-09)

Bugs Fixed

  • Avoid iterating over the list of packages to initialize while it is being mutated, which was skipping some packages.
  • Fixed two unit tests that failed on fast Windows machines.
  • Fixed OverflowError in Products.ZCatalog.Lazy on 64bit Python on Windows.
  • Fixed testZODBCompat tests in ZopeTestCase to match modern ZODB semantics.
  • LP #634942: Only require nt_svcutils on Windows.

Features Added

  • Avoid conflict error hotspot in PluginIndexes’ Unindex class by using IITreeSets instead of simple ints from the start. Idea taken from enfold.fixes.
  • Added date range index improvements from experimental.catalogqueryplan.
  • Changed policy on handling exceptions during ZCML parsing in Products. We no longer catch any exceptions in non-debug mode.
  • Added a new BooleanIndex to the standard PluginIndexes.
  • Update to Zope Toolkit 1.0c3.
  • Add ability to define extra zopectl commands via setuptools entrypoints.
  • Updated distributions:
    • Acquisition = 2.13.5
    • Products.MailHost = 2.13.1
    • Products.ZCTextIndex = 2.13.1
    • repoze.retry = 1.0
    • tempstorage = 2.12.1
    • ZODB3 = 3.10.0
    • zope.testbrowser = 3.10.1

2.13.0a4 (2010-09-09)


  • Removed deprecated event handler. Its code was moved into the Zope 2 version of the permission directive in

Features Added

  • LP #193122: New method getVirtualRoot added to the Request class.
  • Updated test assertions to use unittest’s assert* methods in favor of their deprecated fail* aliases.
  • Update to Zope Toolkit 1.0a3.
  • Updated distributions:
    • AccessControl = 2.13.3
    • Acquisition = 2.13.4
    • ZODB3 = 3.10.0b6

2.13.0a3 (2010-08-04)

Bugs Fixed

  • Adjusted overflow logic in DateIndex and DateRangeIndex to work with latest ZODB 3.10.0b4.
  • Made sure to exclude a number of meta ZCML handlers from zope.* packages where Zope2 provides its own implementations.
  • LP #599378: Fixed accumulated_headers not appending to headers correctly.
  • Fix support for non-public permission attributes in the browser:view directive so that attributes which are not included in allowed_interface or allowed_attributes but which have declarations from a base class’s security info don’t get their security overwritten to be private.
  • LP #143755: Also catch TypeError when trying to determine an indexable value for an object in PluginIndexes.common.UnIndex
  • LP #143533: Instead of showing “” as the SERVER_NAME request variable when no specific listening IP is configured for the HTTP server, do a socket lookup to show the current server’s fully qualified name.
  • LP #143722: Added missing permission to ObjectManager.manage_hasId, which prevented renaming files and folders via FTP.
  • LP #143564: Request.resolve_url did not correctly re-raise exceptions encountered during path traversal.


  • Removed catalog length migration code. You can no longer directly upgrade a Zope 2.7 or earlier database to Zope 2.13. Please upgrade to an earlier release first.
  • Deprecated the Products.ZCatalog.CatalogAwareness and CatalogPathAwareness modules.
  • Removed deprecated catalog-getObject-raises zope.conf option.
  • Removed unmaintained HelpSys documents from ZCatalog and PluginIndexes. Useful explanations are given inside the form templates.
  • Deprecate Products.ZCatalog’s current behavior of returning the entire catalog content if no query restriction applied. In Zope 2.14 this will result in an empty LazyCat to be returned instead.
  • Deprecate acquiring the request inside Products.ZCatalog’s searchResults method if no explicit query argument is given.
  • Cleaned up the Products.ZCatalog search API’s. The deprecated support for using <index id>_usage arguments in the request has been removed. Support for overriding operators via the <index id>_operator syntax has been limited to the query value for each index and no longer works directly on the request. The query is now brought into a canonical form before being passed into the _apply_index method of each index.
  • Factored out the Products.MailHost package into its own distributions. It will no longer be included by default in Zope 2.14 but live on as an independent add-on.

Features Added

  • Merged the query plan support from both unimr.catalogqueryplan and experimental.catalogqueryplan into ZCatalog. On sites with large number of objects in a catalog (in the 100000+ range) this can significantly speed up catalog queries. A query plan monitors catalog queries and keeps detailed statistics about their execution. Currently the plan keeps track of execution time, result set length and support for the ILimitedResultIndex per index for each query. It uses this information to devise a better query execution plan the next time the same query is run. Statistics and the resulting plan are continuously updated. The plan is per running Zope process and not persisted. You can inspect the plan using the Query Plan ZMI tab on each catalog instance. The representation can be put into a Python module and the Zope process be instructed to load this query plan on startup. The location of the query plan is specified by providing the dotted name to the query plan dictionary in an environment variable called ZCATALOGQUERYPLAN.
  • Various optimizations to indexes _apply_index and the catalog’s search method inspired by experimental.catalogqueryplan.
  • Added a new ILimitedResultIndex to Products.PluginIndexes and made most built-in indexes compatible with it. This allows indexes to consider the already calculated result set inside their own calculations.
  • Changed the internals of the DateRangeIndex to always use IITreeSet and do an inline migration from IISet. Some datum tend to have large number of documents, for example when using default floor or ceiling dates.
  • Added a new reporting tab to Products.ZCatalog instances. You can use this to get an overview of slow catalog queries, as specified by a configurable threshold value.
  • Warn when App.ImageFile.ImageFile receives a relative path with no prefix, and then has to assume the path to be relative to “software home”. This behaviour is deprecated as packages can be factored out to their own distribution, making the “software home” relative path meaningless.
  • Updated distributions:
    • AccessControl = 2.13.2
    • DateTime = 2.12.5
    • DocumentTemplate = 2.13.1
    • Products.BTreeFolder2 = 2.13.1
    • Products.OFSP = 2.13.2
    • ZODB3 = 3.10.0b4

2.13.0a2 (2010-07-13)

Bugs Fixed

  • Made ZPublisher tests compatible with Python 2.7.
  • LP #143531: Fix broken object so they give access to their state.
  • LP #578326: Add support for non-public permission attributes in the browser:view directive.


  • No longer use HelpSys pages from Products.OFSP in core Zope 2.
  • No longer create an Extensions folder in the standard instance skeleton. External methods will become entirely optional in Zope 2.14.
  • Avoid using the Products.PythonScripts.standard module inside the database manager ZMI.
  • Factored out the Products.BTreeFolder2, Products.ExternalMethod, Products.MIMETools, Products.OFSP, Products.PythonScripts and Products.StandardCacheManagers packages into their own distributions. They will no longer be included by default in Zope 2.14 but live on as independent add-ons.
  • Factored out the Products.ZSQLMethods into its own distribution. The distribution also includes the Shared.DC.ZRDB code. The Zope2 distribution no longer includes the code automatically. Please depend on the new distribution yourself, if you use the functionality. To make the transition easier this change has been backported to Zope 2.12.9, so you can depend on the new distribution already in packages requiring at least that version of Zope 2.
  • Made both Shared and Shared.DC namespace packages.
  • Removed fallback code for old Python versions from ZServer.FTPServer.zope_ftp_channel.push.
  • Removed fallback code for old ZCatalog.catalog_object function signatures from Products.ZCatalog.ZCatalog.reindexIndex.

Features Added

  • Added official support for Python 2.7.
  • Added a new API get_packages_to_initialize to OFS.metaconfigure. This replaces any direct access to Products._packages_to_initialize. The OFS.Application.install_package function takes care of removing entries from this list now.
  • Added notification of IDatabaseOpenedWithRoot.
  • Added a new API’s get_registered_packages, set_registered_packages to OFS.metaconfigure which replace any direct access to Products._registered_packages.
  • Changed product install so it won’t write persistent changes only to abort them. Instead we don’t make any database changes in the first place.
  • Disabled persistent product installation in the default test configuration.
  • Directly extend and use the Zope Toolkit KGS release 1.0a2 from
  • Updated distributions:
    • DateTime = 2.12.4
    • nt_svcutils = 2.13.0

2.13.0a1 (2010-06-25)

This release includes all bug fixes and features of the Zope 2.12.8 release.

Distribution changes

  • Moved AccessControl, DocumentTemplate (incl. TreeDisplay) and Products.ZCTextIndex to their own distributions. This removes the last direct C extensions from the Zope2 distribution.
  • Moved the zExceptions package into its own distribution.
  • Drop the dependency on the ThreadLock distribution, by using Python’s thread module instead.
  • Integrated the Products.signalstack / z3c.deadlockdebugger packages. You can now send a SIGUSR1 signal to a Zope process and get a stack trace of all threads printed out on the console. This works even if all threads are stuck.

Instance skeleton

  • Changed the default for enable-product-installation to off. This matches the default behavior of buildout installs via plone.recipe.zope2instance. Disabling the persistent product installation also disabled the ZMI help system.
  • Removed Zope2’s own mkzeoinstance script. If you want to set up ZEO instances please install the zope.mkzeoinstance and use its script.
  • Removed deprecated read-only-database option from zope.conf.
  • LP #143232: Added option to ‘zope.conf’ to specify an additional directory to be searched for ‘App.Extensions’ lookups. Thanks to Rodrigo Senra for the patch.
  • LP #143604: Removed top-level database-quota-size from zope.conf, some storages support a quota option instead.
  • LP #143089: Removed the top-level zeo-client-name option from zope.conf, as it had no effect since ZODB 3.2.
  • Removed no longer maintained configure, make, make install related installation files. Zope2 can only be installed via its
  • Removed the unmaintained and no longer functioning ZopeTutorialExamples from the instance skeleton.

Deprecated and Removed

  • Finished the move of five.formlib to an extra package and removed it from Zope 2 itself. Upgrade notes have been added to the news section of the release notes.
  • ZPublisher: Removed ‘Main’ and ‘Zope’ wrappers for Test.publish. If anybody really used them, he can easily use ZPublisher.test instead. In the long run ZPublisher.test and ZPublisher.Test might also be removed.
  • ZPublisherExceptionHook: Removed ancient backwards compatibility code. Customized raise_standardErrorMessage methods have to implement the signature introduced in Zope 2.6.
  • Removed ancient App.HotFixes module.
  • Removed the deprecated hasRole method from user objects.
  • Removed deprecated support for specifying __ac_permissions__, meta_types and methods in a product’s __init__.
  • Remove remaining support classes for defining permissions TTW.
  • Removed the deprecated five:containerEvents directive, which had been a no-op for quite a while.
  • Removed Products.Five.fivedirectives.IBridgeDirective - a leftover from the Interface to zope.interface bridging code.
  • Marked the <five:implements /> as officially deprecated. The standard <class /> directive allows the same.


  • Completely refactored ZPublisher.WSGIResponse in order to provide non-broken support for running Zope under arbitrary WSGI servers. In this (alternate) scenario, transaction handling, request retry, error handling, etc. are removed from the publisher, and become the responsibility of middleware.
  • Moved the code handling ZCML loading into the Zope2.App package. The component architecture is now setup before the application object is created or any database connections are opened. So far the CA was setup somewhat randomly in the startup process, when the Five product was initialized.
  • Moved Products.Sessions APIs from SessionInterfaces to interfaces, leaving behind the old module / names for backward compatibility.
  • Centralize interfaces defined in Products.ZCTextIndex, leaving BBB imports behind in old locations.
  • Moved cmf.* permissions into Products.CMFCore.
  • Moved TaintedString into the new AccessControl.tainted module.
  • Testing: Functional.publish now uses the real publish_module function instead of that from ZPublisher.Test. The ‘extra’ argument of the publish method is no longer supported.
  • Moved testbrowser module into the Testing package.
  • Moved general OFS related ZCML directives from Products.Five into the OFS package.
  • Moved the absoluteurl views into the OFS package.
  • Moved Products/Five/event.zcml into the OFS package.
  • Moved Products/Five/ and security related ZCML configuration into the AccessControl package.
  • Moved Products/Five/traversing.zcml directly into the configure.zcml.
  • Moved Products/Five/i18n.zcml into the ZPublisher package.
  • Moved Products/Five/publisher.zcml into the ZPublisher package.
  • Ported the lazy expression into zope.tales and require a new version of it.


  • Updated copyright and license information to conform with repository policy.
  • LP #143410: Removed unnecessary color definition in ZMI CSS.
  • LP #374810: __bobo_traverse__ implementation can raise ZPublisher.interfaces.UseTraversalDefault to indicate that there is no special casing for the given name and that standard traversal logic should be applied.
  • LP #142464: Make undo log easier to read. Thanks to Toby Dickinson for the patch.
  • LP #142401: Added a link in the ZMI tree pane to make the tree state persistent. Thanks to Lalo Martins for the patch.
  • LP #142502: Added a knob to the Debug control panel for resetting profile data. Thanks to Vladimir Patukhov for the patch.
  • ZCTextIndex query parser treats fullwidth space characters defined in Unicode as valid white space.

Updated distributions

  • Jinja2 = 2.5.0
  • RestrictedPython = 3.6.0a1
  • Sphinx = 1.0b2
  • transaction = 1.1.0
  • ZConfig = 2.8.0
  • ZODB3 = 3.10.0b1
  • zope.annotation = 3.5.0
  • zope.broken = 3.6.0
  • zope.browsermenu = 3.9.0
  • zope.browserpage = 3.12.2
  • zope.browserresource = 3.10.3
  • zope.component = 3.9.4
  • zope.configuration = 3.7.2
  • zope.container = 3.11.1
  • zope.contentprovider = 3.7.2
  • zope.contenttype = 3.5.1
  • zope.event = 3.5.0-1
  • zope.exceptions = 3.6.0
  • zope.filerepresentation = 3.6.0
  • zope.i18nmessageid = 3.5.0
  • zope.interface = 3.6.1
  • zope.location = 3.9.0
  • zope.lifecycleevent = 3.6.0
  • zope.ptresource = 3.9.0
  • zope.publisher = 3.12.3
  • zope.schema = 3.6.4
  • zope.sendmail = 3.7.2
  • = 3.9.1
  • zope.structuredtext = 3.5.0
  • zope.tales = 3.5.1
  • zope.testbrowser = 3.9.0
  • zope.testing = 3.9.3
  • zope.traversing = 3.12.1
  • zope.viewlet = 3.7.2

Bugs Fixed

  • LP #143391: Protect against missing acl_users.hasUsers on quick start page.