This file contains change information for the current Zope release. Change information for previous versions of Zope can be found at https://zope.readthedocs.io/en/2.13/CHANGES.html
For the change log of the alpha versions see https://github.com/zopefoundation/Zope/blob/4.0a6/CHANGES.rst
- Improve ZMI Security Tab usability for high numbers of roles (#730)
- Some small ZMI rendering fixes (#729)
- Fix error when using database minimize in the ZMI (#726)
REMOTE_USERin wsgi environ using Zope user authentication (#713)
wsgi.file_wrapperimplementation https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling (#719)
- Fix VirtualHostMonster not being able to set mappings under Python 3. (#708)
- Reduce the danger of acquiring built-in names on the ZMI Find tab (#712)
- Restore the mistakenly removed Properties ZMI tab on Image objects (#706)
- Update to current releases of the dependencies.
- Resurrect ZMI History tab and functionality.
- Remove commented out configuration for
tempstorage(and server side sessions) as that was known not working for ages. This was removed so we do not lead unsuspecting developers to think that this is the right way to do session data. See (#679) (tempstorage#8) (tempstorage#12)
zope.publisher.http.splitportinstead of defining our own (#683)
- Update to current releases of the dependencies.
- allowed_attributes and allowed_interface work again for BrowserViews. (#397)
- Prevent encoding issues in existing DTML Method and DTML Document objects.
- Fixed logic error in exceptions handling during publishing. This error would prevent correct Unauthorized handling when exceptions debug mode was set.
- Do not cache (implicit) request access to form data and cookies in
- Bring request lookup order related documentation in line with the
Minor clean-up of
- Fix missing
Pastedistribution on installation using
- Fixed usability on ZMI Security tab forms for sites with many roles.
- Update to current releases of most dependencies.
- Make sure new object IDs don’t clash with the views lookup mechanism. (#591)
- Be more careful when guessing at encoding for document template types.
- Ensure a redirect path does not get URL-encoded twice.
- Prevent inability to log into the ZMI due to failing exception views.
RESPONSE.redirectto deal with any unencoded or encoded input. (#435)
- Fix broken
- Fix broken ZMI DTML rendering for mixed unicode/bytes content. (#271)
- Fix wrong Content-Length set by
App.ImageFileon 304 responses. (#513)
- Make the ZMI Find tab work for searching HTML tags
by adding support for Tainted strings in
mkwsgiinstancefrom blowing up parsing
ZPublisher.HTTPResponse.HTTPBaseResponse.isHTMLfor binary data on Python 3. (#577)
- Add a configuration flag to show bookmarkable URLs in the ZMI. (#580)
- Add a flag for suppressing object events during file import. (#42)
- Add a Configuration details tab to the Control_Panel.
- Resurrect the Interfaces ZMI tab. (#450)
- Better default logging configuration for simple waitress WSGI setups. (#526)
- Replace usage of
urllib.parse.splittypewhich are deprecated in Python 3.8. (#476)
- Update ZODB migration documentation.
- Expand the Zope 4 migration documentation.
- Change the WSGI configuration template so those annoying waitress queue messages only go into the event log, but not onto the console.
- Change naming for the generated WSGI configurations to
zope.inito match existing documentation for Zope configurations. (#571)
- Make Zope write a PID file again under WSGI.
This makes interaction with sysadmin tools easier.
The PID file path can be set in the Zope configuration with
pid-filename, just like in
- Exceptions during publishing are now re-raised in a new exceptions debug mode to allow WSGI middleware to handle/debug it. See the debug documentation for examples. (#562)
- Remove hardcoded list of factories that don’t want an add dialog. (#540)
- Increase link visibility in old ZMI forms. (#530)
- Always keep action buttons visible on the content list for large folders. (#537)
- Make showing the ZMI modal add dialog configurable per product. (#535)
- Added a few Zope 4 ZMI screenshots to the documentation. (#378)
- Refresh Sphinx configuration and switched to the ReadTheDocs theme.
- Rename/move the Zope 2 Book to Zope Book. (#443)
- Show item icons on ZMI Find tab results. (#534)
- Full PEP-8 compliance.
- Fix ZMI font rendering on macOS. (#531)
- Provide a method to get breadcrumb length to prevent ZMI errors. (#533)
- Fix import file drop down on import export page. (#524)
- Resurrect copyright and license page. (#482)
- Fix FindSupport binary value handling. (#406)
- Fix remove double quoting in
- Fix subscript access on Page Template
OFS.interfacesattribute declarations to match reality. (#498)
- Fix handling of DTML in Ace editor. (#489)
- Fix error when not selecting a file for upload in Files and Images. (#492)
- Fix ZMI add handling of
len(filtered_meta_types()) == 1. (#505)
- Fix ZMI add handling of
- Don’t always flag
PubBeforeAbortas retry. (#502)
- Add preliminary support for Python 3.8. as of 3.8.0a1 is released.
- Fix display of ZMI breadcrumbs with non-ASCII path elements (#401)
- Make sure conflicts are always retried and not masked by exception views (#413)
- Fix faulty ZMI links due to missing URL-quoting (#391)
- Fix configuring the maximum number of conflict retries (#413)
- Show the content add widget again on ZCatalogs (ZCatalog#45)
- Improve showing/hiding of the left-hand tree pane (#457)
- Restore the View ZMI tab on folders and their subclasses (#449)
- Don’t error out when showing permissions for a non-existent user (#437)
- Fix ZMI listing view for narrow displays. (#471)
- Restore missing Properties tab for DTML Documents (#409)
- Add some CSS fixes for ZMI.
- Sanitize file handling for uploading and adding DTML methods and documents.
- Add a note about the
apptoplevel object in the debugger.
- Show a message instead of an exception for empty file upload on PageTemplate. (#357)
- Update cookie expiration method in a way Firefox 63+ understands. (#405)
- Fix closing newly created request before processing it after a retryable error has occurred. (#413)
- Fix bin/mkwsgiinstance on Python 3 when Zope was installed via
- Fix a bug with scopes in scripts with zconsole, which made it impossible to reach global imports in the script within a function.
- Fix handling of non-ASCII characters in URLs on Python 2 introduced on 4.0b5. (#380)
- Fix zodbupdate conversion of
- Install the ipaddress package only on Python 2.7 as it is part of the stdlib in Python 3. (#368)
- Fix KeyError on releasing resources of a Connection when closing the DB. This requires at least version 2.4 of the transaction package. (See ZODB#208.)
- Fix rendering of ordered folder icon in ZMI.
- Remove the
OFS.Historymodule which contained only BBB code since 4.0a2.
- Remove bootstrap.py. To install Zope via zc.buildout install the zc.buildout package in a virtual environment at first.
- Style the ZMI using Bootstrap. (#249 and #307)
- Add zconsole module for running scripts and interactive mode. See the document Running Zope.
- Add support for Python 3.7.
- Restore support for XML-RPC when using the WSGI publisher - dropped in 4.0a2.
- Add a minimum
buildout.cfgsuggestion in the docs for creating
- Render an error message when trying to save DTML code containing a SyntaxError in ZMI of a DTMLMethod or DTMLDocument.
- Render an error message when trying to upload a file without choosing one in ZMI of a DTMLMethod or DTMLDocument.
- Update dependencies to newest versions.
- Restore controls for reordering items in an Ordered Folder and list them according to the internal order by default in ZMI. (#344)
- Call exception view before triggering _unauthorized. (#304)
- Fix XML Page template files in Python 3 (#319)
- Fix ZMI upload of DTMLMethod and DTMLDocument to store the DTML as a
stron both Python versions. (#265)
- Fix upload and rendering of text files. (#240)
- Work around Python bug (https://bugs.python.org/issue27777) when reading request bodies not encoded as application/x-www-form-urlencoded or multipart/form-data.
- Show navigation in
manage_menuin case the databases cannot be retrieved. (#309)
- Prevent breaking page rendering when setting default-zpublisher-encoding in zope.conf on Python 2. (#308)
- Fix HTTPResponse.setBody when the published object returns a tuple. (#340)
Products.Five.browser.ObjectManagerSiteView.makeSiteto interact well with plone.testing’s patching of the global site manager. (#361)
- Add a backwards compatible shim for
AccessRulewhich was removed in 4.0a1 but can exist in legacy databases. (#321)
- The ProductContext handed to a product’s initialize() method now has a getApplication() method which a product can use to, e.g., add an object to the Application during startup (as used by Products.Sessions). (#277)
- Update dependencies to newest versions.
- Fix comparison against non-ints in ZCacheable_getModTime.
- Allow unicode in ids. (#181)
- Use log.warning to avoid deprecation warning for log.warn
- Keep existing loggers (#276)
- Accept bytes and text as cookie value. (#263)
- Always raise InternalError when using WSGI and let the WSGI server decide how to handle the request. (#280 <https://github.com/zopefoundation/Zope/pull/280>)
- Make ZODB mount points in Python 2 compatible with ZConfig >= 3.2. (#281)
__str__of an Image object now returns the image HTML tag in Python 3 as it already did on Python 2. (#282)
- Drop support for Python 3.4 because it was dropped by AccessControl on which Zope depends.
- Update dependencies to newest versions.
- Test that
str.formatchecks security for accessed keys and items. The real fix is in the AccessControl package, version 4.0b1. Part of PloneHotfix20171128.
- Made Redirect unavailable as url. Part of PloneHotfix20171128.
- Fix ZMI navtree error by using DocumentTemplate version 3.0b2. (#179)
- Re-add a link to refresh the ZMI menu tree on the left.
- Install a default page for the root view in new installations again.
- Re-raise app exceptions if x-wsgiorg.throw_errors is True in the request environ.
- Fix path expressions trying to call views that do not implement __call__.
- Move _html to HTTPBaseResponse since it is shared by HTTPResponse and WSGIResponse.
- Fix unpickling of instances created before 4.0b2 those classes changed from old-style classes to new-style classes.
- Prevent UnicodeDecodeError when publishing image (bytes) responses without content-type
- Move Products.SiteAccess back here from ZServer distribution.
- Update dependencies to current versions.
- Add support for IPv6 addresses for the trusted-proxy zope.conf setting.
- Fix special double under methods on HTTPRequest.record class.
- Add missing version pin for Zope2 in versions-prod.cfg.
HTTPExceptionHandlerto be usable as part of the WSGI pipeline in testbrowser tests.
- Explicitly make all classes new-style classes.
With this release the egg of the project is named Zope instead of Zope2. There is a meta package named Zope2 which depends on Zope.
See https://zope.readthedocs.io/en/latest/WHATSNEW.html for a higher level description of the changes.
- Add support for Python 3.4, 3.5 and 3.6.
- Drop support for Python 2.6.
- Removed the old help system, in favor of the current Sphinx documentation hosted at https://zope.readthedocs.io/. For backwards compatibility the registerHelp and registerHelpTitle methods are still available on the ProductContext used during the initialize function.
- Remove ZMI re-ordering features.
- Retired icons from the Zope Management Interface and various smaller cleanups of ZMI screens.
- Remove xml-export.
- Remove Globals package, opened database are now found in Zope2.opened next to Zope2.DB.
- Remove proxy role support from DTML documents and methods.
- Removed AccessRule and SiteRoot from Products.SiteAccess.
- Remove Products.ZReST and the reStructuredText wrapper, you can use docutils directly to gain reST support.
- Stop setting
CLIENT_HOMEas a builtin, get it via
OFS.DefaultObservable- an early predecessor of zope.event.
OFS.ZDOM. OFS.SimpleItem.Item now implements getParentNode().
- Removed special code to create user folders and page templates while creating
- Removed the App.version_txt.getZopeVersion API, you can use
- On the application object, removed PrincipiaTime in favor of ZopeTime and PrincipiaRedirect in favor of Redirect or ZopeRedirect.
- Removed bobobase_modification_time from Persistence.Persistent, you can use DateTime(object._p_mtime) instead.
- Removed the special handling of Set-Cookie headers in HTTPResponse.setHeader. Use the setCookie/appendCookie/expireCookie methods instead, or if low-level control is needed, use addHeader instead to get the exact same effect.
BadRequestinstead of returning MessageDialog.
- Update available HTTP response code, 302 is now called
browser:pagedirectives. This makes their implementation more similar to that in
zope.browserpageand adds allowed_interface support for the
browser:viewdirective. By default the aq_* attributes are no longer available on those views/pages.
- Removed the last remaining code to support SOFTWARE_HOME and ZOPE_HOME.
- Simplified instance skeleton, removing old Extensions, import, lib/python and Products from the default. You can continue to manually add these back. (Products requires ZServer to be usable.)
- Remove the zopectl script.
- Document running Zope as a WSGI application.
- Remove Connection and Transfer-Encoding headers from WSGI responses. According to PEP 333 WSGI applications must not emit hop-by-hop headers.
- Ensure that the
WSGIPublisherbegins and ends an interaction at the request/response barrier. This is required for instance for the
checkPermissioncall to function without an explicit
- Make the WSGIPublisher normalize HTTP exception classes based on name (for example, any exception named NotFound will be converted into zExceptions.NotFound). This restores compatibility with similar behavior of the old publisher.
- Change the WSGIResponse exception methods to raise exceptions instead
of returning responses. This includes
- Add support for exception views to WSGIPublisher.
- Add support for
TransientErrorretry logic directly into WSGIPublisher, thus repoze.tm2 and repoze.retry are no longer needed and no longer supported.
- Change Testing to use the WSGI publisher for functional and testbrowser
based tests incl. functional doctests. Alternatives are available
- Split a WSGI part out of Zope2.Startup.ZopeStarter.
waitressas a default WSGI app server.
- Add egg:Zope#httpexceptions WSGI middleware.
- Add a new runwsgi script to serve PasteDeploy files.
- Support ZODB 5.
- Removed persistent default content like standard_error_message, error_log, temp_folder and index_html.
- Removed ZMI controls for restarting the process, these no longer apply when managed as a WSGI application.
- Remove DebugInfo and DavLocks from control panel.
- Move the undo management to Control Panel -> Databases -> Database -> Undo.
- Simplify ZMI control panel and globally available management screens.
- Remove control panel object from the ZODB, it is no longer persistent.
- Split out
ZServerpackages into a ZServer project.
ZPublisher.Publishmodule into ZServer distribution.
Products.SiteAccessinto ZServer distribution.
- Move ZServer related testing support into
- Always configure a blob-dir in the default skeleton.
- Removed mime-types option from zope.conf. You can use the add_files API from zope.contenttype instead.
- Removed various persistent product related code and options.
- Split a WSGI part out of zopeschema.xml. This reduces the supported zope.conf directives when run under WSGI. If a directive is now unkown it might have been moved to the ZServer package. See https://github.com/zopefoundation/ZServer/blob/master/src/ZServer/Zope2/Startup/zopeschema.xml for the directives which are supported via ZServer.
- Remove profiling support via publisher-profile-file directive.
- Changed the value for
utf-8. If you set a different value for
- Removed the
enable-ms-author-viadirective which was only required for very old web folder implementations from before 2007.
- Changed zope.conf default settings for
Integrate code from and drop dependency on five.globalrequest.
Integrate five.pt code directly into Products.PageTemplates.
Drop ZopeUndo dependency.
Remove Products.StandardCacheManagers dependency.
Remove dependency on initgroups. Use the standard libraries
Merge Products.OFSP project back in.
Products.SiteErrorLog is now a separated package and Zope no longer depends on it.
Split Products.TemporaryFolder and Products.ZODBMountPoint into one new project called Products.TemporaryFolder.
Create new Products.Sessions distribution including
Dropped the direct dependencies on packages that have been factored out of the main Zope 2 tree. Make sure you declare a dependency in your own distribution if you still use one of these:
- Five.browser: Marked processInputs and setPageEncoding as deprecated. processInputs was replaced by the postProcessInputs request method and the charset negotiation done by setPageEncoding was never fully supported.
- Add support to SameSite cookie in
- Optimized the OFS.ObjectManager.__contains__ method to do the least amount of work necessary.
- Optimized the OFS.Traversable.getPhysicalPath method to avoid excessive amounts of method calls.
- During startup open a connection to every configured database, to ensure all of them can indeed be accessed. This avoids surprises during runtime when traversal to some database mountpoint could fail as the underlying storage cannot be opened at all.
- Explicitly close all databases on shutdown, which ensures Data.fs.index gets written to the file system.
- ZPublisher: If IBrowserPage is provided by a view, form input is decoded.
This makes it easier to use
z3c.formin Zope 2.
- Fix reflective XSS in findResult.
- Patch zope.interface to remove docstrings and avoid publishing.
- Don’t copy items the user is not allowed to view.
- Quote variable in manage_tabs to avoid XSS.
- Removed docstrings from some methods to avoid publishing them.
- Ensure that Request objects cannot be published / traversed directly via a URL. (LP #789863)
- Port tests for
str.formatsecurity fix from Zope 2.13.
- PropertyManagers and PropertySheets now correctly accept all forms of strings as property values.
- Allow handling of multipart requests in functional doctests using
- Fix Content-Length header for non-ascii responses incl. a base tag.
- bobo_traverse of ProductDispatcher did not correctly invalidate cache when a product was not initializes after first access of the cache. Types that were added in test-profiles were not useable.
- Prevent leaked connections when broken
EndRequestEventsubscribers raise exceptions. (#16)
- Made sure
getConfiguration().default_zpublisher_encodingis set correctly.
- Fix publishing of
IStreamIterator. This interface does not have seek or tell. Introduce
IUnboundStreamIteratorto support publishing iterators of unknown length. (#28)
- Removed the (very obsolete) thread lock around the cookie parsing code in HTTPRequest.py; the python re module is thread-safe, unlike the ancient regex module that was once used here.