Weblog

Content Security Policy (CSP)

Created by Gustaf Neumann, last modified by Gustaf Neumann 10:32 PM, Friday

Starting with version 5.9.1, OpenACS supports Content Security Policies (CSP), a means to secure websites against a range of Cross Site Scripting (XSS) attacks. In short, a CSP allows a developer to deactivate unneeded features in the client's browser, providing there a sandbox with the minimum required capabilities. A CSP can, for example, allow .js files to be retrieved only from certain sites, or it can disallow script tags within the page, which might be injected by an attacker (for a more detailed introduction and tutorial, see the CSP Reference and the Google Developer Guide for CSP).

In general, a CSP defines the rules for what is allowed in a page. This could be done statically for the whole site, but then the CSP rules must allow everything needed by the page with the highest requirements (e.g. a page with a richtext editor probably needs a script-src 'unsafe-eval' directive). This could render CSP pretty useless.

Therefore, OpenACS provides a CSP generator that builds a CSP rule set for every page dynamically, based on the requirements of that page. A web developer specifies the requirements of a page or proc with the command security::csp::require. For example, the current OpenACS theme uses the following directives in its plain-master:

security::csp::require img-src ipv6-test.com

security::csp::require style-src maxcdn.bootstrapcdn.com
security::csp::require script-src maxcdn.bootstrapcdn.com

security::csp::require font-src 'self'
security::csp::require font-src maxcdn.bootstrapcdn.com

The security policy of a page is built from the directives of the page and the directives of the master templates (typically in the blank-master). For example, the content security policy of the OpenACS start page is:

default-src 'self';
font-src 'self' maxcdn.bootstrapcdn.com data:;
img-src ipv6-test.com 'self';
report-uri /SYSTEM/csp-collector.tcl;
script-src maxcdn.bootstrapcdn.com 'self' 'nonce-49DBB4A924EA648C3025F7DD8C2553DC0EC700D1';
style-src maxcdn.bootstrapcdn.com 'self' 'unsafe-inline';

With this CSP, openacs.org gets an A+ rating from securityheaders.io.

Deactivating CSP for a Site

By default, content security policies are turned on. All packages of the oacs-5-9 branch can be used with content security policies enabled. However, when a website contains legacy code using JavaScript for which no content security policies are defined, this will result in non-functioning pages. Therefore, a website administrator can set the package parameter CSPEnabledP (in the package parameters of ACS Kernel, section "security") to "0" to deactivate the CSP.

For Developers

In order to make old packages (not included in the oacs-5-9 branch) or newly developed packages CSP compliant, one should be aware that all inline code is considered harmful. This includes <script> elements, but also "javascript:" URIs and on* event handlers.

<script> Elements

The CSP guidelines recommend replacing such elements by JavaScript files obtained from the same source as the page itself. However, this is not always practical, especially when JavaScript is generated dynamically. In such cases, two approaches are possible to make the script tag acceptable (without allowing all scripts on the page): CSP 2 offers the ability to add nonces or cryptographic hashes to secure these elements. OpenACS supports the first approach.

A nonce value is essentially a one-time value which can't be predicted by an attacker. OpenACS generates such a value in its security-procs and saves it in the global variable ::__csp_nonce. This can be used in Tcl code or in an ADP page, as in the following example:

<script language="JavaScript" 
   type="text/javascript"
   <if @::__csp_nonce@ not nil> nonce="@::__csp_nonce;literal@"</if>
>
...
</script>

Event handlers and "javascript:" URI

Most of the work will probably be changes concerning event handlers (e.g. onclick, onblur, ...) and "javascript:" URIs (having "javascript" in the protocol part of the URI). In general, such code pieces must be refactored (see e.g. 1 or 2 for examples).

To ease this process, OpenACS 5.9.1 offers the function template::add_event_listener, which can be used to register event handlers in a compliant fashion, either per HTML ID or per CSS class (see cal-item-new.tcl or forums/lib/message/row2.tcl for examples of how add_event_listener can be used).

Installing OpenACS on Windows

Created by Maurizio Martignano, last modified by Maurizio Martignano 04:34 PM, Friday

Windows-OpenACS (vers. 4.0.1 - August 2017) is a Windows 64 port of OpenACS 5.9.0 and the latest snapshot of NaviServer and is available here.

This port installs and runs on the following systems:

  • Windows 8.1,
  • Windows 10,
  • Windows Server 2012 R2, and
  • Windows Server 2016 TP.

Richtext CKEditor 4

Created by Gustaf Neumann, last modified by Gustaf Neumann 15 Aug 2017, at 09:09 PM

Package specification Summary for package richtext-ckeditor4

Summary: Richtext editor plugin for integrating CKeditor 4 with acs-templating
Description:
Maturity: Mature
This package depends on: acs-templating acs-tcl
Packages that depend on richtext-ckeditor4: xowiki

Bug Tracker Summary for package richtext-ckeditor4

There is no package with the name "richtext-ckeditor4" known to bug-tracker.

Code Metrics Summary for package richtext-ckeditor4

# Tcl Procs 5
# Tcl Lines 261
# Automated Tests 0
# Stored Procedures PG: 0 ORA: 0
# SQL Lines PG: 0 ORA: 0
# ADP pages 1
# ADP lines 20
# Include pages (richtext-ckeditor4/lib/) 0
# Documentation pages 0
# Documentation lines 0
Source API-browser

In general, the CKEditor can be used via CDN (zero configuration, default) or via local files. One can use /acs-admin/ (section "Site-wide Service Administration") to download a version to your local site to reduce latency or to use local modifications. By default, the "standard" preset is downloaded. By altering the variable "ck_package" in packages/richtext-ckeditor4/tcl/richtext-procs, one can download other presets as well (see https://ckeditor.com/presets-all).

The CKEditor widget can be used in at least two scenarios: (a) as a richtext widget or (b) within xowiki as a class of a form-field.

(a) Here is an example for the use of the richtext widget configured for ckeditor4, showing some options:

    text:richtext(richtext),nospell,optional 
    {label "CKEditor"}
    {html {rows 15 cols 50}}
    {options {
        editor ckeditor4
        plugins wsc
        extraAllowedContent "u;span{color}"}
    }

This minimal example should work with the "standard" distribution of CKEditor; it adds the "wsc" (Web Spell Checker) plugin and allows the tags <u>...</u> and <span style="color:...">...</span> to be used in the content. Otherwise, these tags are removed by the content filter of the editor (for details, see the CKEditor documentation). Additional "options" are "skin" and "customConfig", where the latter refers to a JavaScript file which can be used for detailed configuration (for more details, see https://docs.ckeditor.com/#!/guide/dev_configuration).

(b) When used as a form-field within xowiki forms, there are detailed config options available: mode, displayMode, skin, toolbar, CSSclass, uiColor, allowedContent, customConfig, extraPlugins, extraAllowedContent, templatesFiles, templates, contentsCss, imageSelectorDialog, and additionalConfigOptions. A short introduction to form-fields is at http://alice.wu-wien.ac.at:8000/xowiki-doc/#forms. One should set the PreferredRichtextEditor (xowiki global parameter) to ckeditor4.

Books and publications about OpenACS

Created by Benjamin Brink, last modified by Gustaf Neumann 08 Aug 2017, at 09:39 AM

Listed in chronological order, newest first.

Aram, Koch, Neumann. "Long-Term Analysis of the Development of the Open ACS Community Framework: Open Source Solutions for Knowledge Management and Technological Ecosystems", c2017. http://www.igi-global.com/chapter/long-term-analysis-of-the-development-of-the-open-acs-community-framework/168981

Demetriou, Koch, Neumann. "The Development of the OpenACS Community". http://nm.wu-wien.ac.at/research/publications/b608.pdf A chapter from: Miltiadis Lytra, Ambjorn Naeve (eds): Open Source for Knowledge and Learning Management: Strategies Beyond Tools, Idea Group Publishing, Hershey, PA, 2006.

Andersson, Greenspun, Grumet. "Software Engineering for Internet Applications", c2006. http://philip.greenspun.com/seia/ "A 2002 textbook for MIT students learning how to build things like amazon.com"

Abelson, Greenspun, Sandon. "Tcl for Web Nerds". http://philip.greenspun.com/tcl/ "We hope that a professional programmer or MIT student can breeze through it in one evening. By the end of the evening, that person should have learned Tcl, learned a little something about the Web, and not have been bored."

Philip Greenspun. "SQL for Web Nerds". http://philip.greenspun.com/sql/ : ..we keep our readers in the world of Web services. Most often they are working within the data model for online communities.. ..our examples are all drawn from real production Web sites that get close to 1 million requests per day. This should make the examples more interesting.. ..we assume that our readers are bright and accustomed to formal languages. We don't assume any experience with declarative languages, database query languages, or any specific programming language. But once we can assume that the reader has written code, it is possible to use more sophisticated examples and get to the interesting stuff more quickly. ..we hope that ..[its].. a great choice for the MIT student or the working programmer.

Philip Greenspun. "Philip and Alex's Guide to Web Publishing", c1998. http://philip.greenspun.com/panda/ A historical classic that introduced some early developers to the components and thinking behind OpenACS

OpenACS TODO List

Created by Dave Bauer, last modified by Gustaf Neumann 08 Aug 2017, at 01:54 AM

Release Status

See openacs-release-status

Development is taking place in the HEAD branch.

OpenACS Version 5.10.0 Agenda/wish list

  • registry for .js and .css libraries: allow, besides classical URLs, symbolic names for loading external resources (e.g. jquery); this would make it easier to upgrade libraries in multiple packages (without running into problems with duplicate versions) or to switch between CDN and local paths
  • dynamic reloading reform, including support for scheduled procedures
  • implement subsite-singleton (in addition to the classical singleton)
  • better exception handling, should be based on Tcl 8.6 exception handlers ("try" and "throw")
  • say farewell to CVS
  • Data bloat hygiene:
    • rethink package parameter and portlet parameter data models
    • parameters: include "subsite-parameters" in parameter resolution (package->subsite->global)
  • require Tcl 8.6, XOTcl 2.1, PostgreSQL 9.2

OpenACS Version 5.9.1 Agenda

Refactoring of rich-text editor integration

  • Driving force: Debian packaging (e.g. js minified code is not allowed)
  • Moved out code from acs-templating, provided interfaces to add many different richtext editors as separate packages
  • New OpenACS packages:
    • richtext-xinha
    • richtext-tinymce
    • richtext-ckeditor4 (has ability to choose between CDN and local installation via web interface)

Improving admin interface

  • New theme manager:
    • Goals:
      • Make it easier to keep track of themes with local modifications
      • Make it easier to create local modifications as new themes and to update these
      • Show differences between default theme parameter (in DB) and actual settings (in subsite parameters)
      • Allow to delete unused themes
      • Give the site admin hints which theme is used at which subsite
      • Ease theme switching
    • Added a subsite::theme_changed callback to be able to handle theme changes in custom themes (was also necessary for proper integration with DotLRN theming)
    • Added support for these features under subsite admin (/admin/)
    • Improved support for themed templates via [template::themed_template]

  • Improved (broken) interface to define/manage groups over web interface
  • Allow to send as well mail, when membership was rejected
  • New functions [membership_rel::get_user_id], [membership_rel::get] and [membership_rel::get_group_id] to avoid code duplication
  • Added support to let user include %forgotten_password_url% in self-registration emails (e.g. in message key acs-subsite.email_body_Registration_password)

  • Improved subsite/www/members
    • Make it possible to manage members of arbitrary groups
    • Improved performance for large groups
    • Improved configurability: when ShowMembersListTo is set to "3", show list to members only, when this is not the whole subsite

  • Improved user interface for /admin/applications for large number of applications
  • Various fixes for sitewide-admin pages (under /acs-admin)
  • Update blueprint in "install from repository" (currently just working in NaviServer)

SQL

  • Further cleanup of .xql files (like what was done for acs-subsite in OpenACS 5.9.0):
    • 36 files deleted
    • Removed more than 100 obsolete named queries
    • Stripped misleading SQL statements

  • Marked redundant / uncalled sql functions as deprecated
  • Replaced usages of obsolete view "all_object_party_privilege_map" by "acs_object_party_privilege_map"

  • Removed type discrepancy introduced in 2002:
    • acs_object_types.object_type has type varchar(1000), while
    • acs_object_types.supertype has type varchar(100)
    • ... several more data types are involved, using acs_object_types.object_type as foreign key

  • Simplified core sql functions by using defaults:
    • Number of functions reduced by a factor of 2 compared to OpenACS 5.9.0 (while providing compatibility for clients using old versions),
    • Reduced code redundancy
    • Affected functions:
      • Reduced content_item__new from 12 versions to 6,
      • Reduce content_revision__new from 7 to 4
      • Similar in image__new, image__new_revision, content_item__copy, content_item__get_title, content_item__move
    • PostgreSQL 9.5 supports named parameters in the same syntax as Oracle. Further reduction of variants will be possible once OpenACS requires at least PostgreSQL 9.5

  • Reduced usage of deprecated versions of SQL functions (mostly content repository calls)
  • Reduced generation of dead tuples by combining multiple DML statements to one (reduces costs of checkpoint cleanups in PostgreSQL)

  • Permission queries:
    • Improved performance
    • Support PACKAGE.FUNCTION notation for PostgreSQL to allow calling permission queries exactly the same way as in Oracle (e.g. "acs_permission.permission_p()"). This helps to reduce the number of PostgreSQL-specific .xql files.
  • Modernize SQL:
    • Use real Boolean types instead of character(1)
      (done for new-portal, forums, faq, attachments, categories, dotlrn, dotlrn-forums, evaluation)
    • Use real enumeration types rather than check constraints (done for storage_type text/file/lob)

CR hygienics (reduce cr bloat)

  • Provided means to avoid insert/update/delete operations in the search queue:

    OpenACS often adds multiple entries to the search_queue for every new revision, without providing any means to prevent this. For busy sites this requires very short intervals between queue sweeps (otherwise too many entries pile up). Another consequence is that this behavior keeps the PostgreSQL auto-vacuum daemons permanently active. Many of these operations are useless in cases where the content repository is used for content that should not be provided via search. The changed behavior honors a publish date set in the future, since it will not add any content with future publish dates to the search queue.

  • Reduced number of insert cr_child_rels operations, just when needed:

    cr_child_rels provide only little benefit (they allow the use of roles in a child-rel), but the common operation is already available in cr_items via the parent_id. cr_child_rels do not help for recursive queries either. One option would be to add an additional argument to content_item__new to omit child-rel creation (default is the old behavior) and adapt the other cases.

Security improvements

  • Added support against CSRF (cross site request forgery)
    • OpenACS maintains a per-request CSRF token that ensures that form replies come only from sites that received the form
    • CSRF support is optional for packages where CSRF is less dangerous, and such requests are wanted (e.g. search and api-browser)
  • Added support for W3C "Upgrade-Insecure-Requests" (see https://www.w3.org/TR/upgrade-insecure-requests/):
    For a standards-compliant upgrade of requests from HTTP to HTTPS

  • Added support for W3C "Subresource Integrity" (SRI; see https://www.w3.org/TR/SRI/)

  • Added support for W3C "Content Security Policy" (CSP; see https://www.w3.org/TR/CSP/)

    • Removed "javascript:*" links (all such urls are removed from the 90 packages in oacs-5-9, excluding js libraries (ajaxhelper) and richtext code)
    • Removed "onclick", "onfocus", "onblur", "onchange" handlers from all .adp and .tcl files in the 90 packages in oacs-5-9 (excluding js libraries (ajaxhelper) and richtext code)
    • Added optional nonces to all <script> elements with literal JavaScript content

  • Removed the "generic downloader", which allowed downloading arbitrary content items when the item_id was known (bug fix)
  • Improved protection against XSS and SQL-injection (strengthen page contracts, add validators, added page_contract_filter "localurl", improve HTML escaping, and URI encoding)
  • Fixed for potential traversal attack (acs-api-documentation-procs)

Improvements for "host-node mapped" subsites

  • Fixed links from host-node mapped subsite pages to swa-functions (must be always on main subsite)
  • Made "util_current_directory" aware of host-node-mapped subsites
  • Added ability to pass "-cookie_domain" to make it possible to use the same cookie for different domains
  • Fixed result of affected commands "util_current_location", "ad_return_url", "ad_get_login_url" and "ad_get_logout_url" for HTTP and HTTPS, when UseHostnameDomainforReg is 0 or 1.
  • Improved UI for host-node maps when a large number of site nodes exists

Reform of acs-rels

  • Made acs-rels configurable to give the developer the option to specify, whether these are composable or not (default fully backward compatible). This is required to control transitivity in rel-segments
  • The code changes are based on a patch provided by Michael Steigman.
    For details, see:
    • http://openacs.org/forums/message-view?message_id=4031049
    • http://openacs.org/forums/message-view?message_id=5330734

Improved status code handlers for AJAX scenarios

  • Don't report data source errors with status code 200 (use 422 instead)
  • Let "permission::require_permission" return forbidden (403) in AJAX calls (determined via [ad_conn ajaxp])

Improved Internationalization

  • Extended language catalogs for
    • Russian (thanks to v v)
    • Italian (thanks to Antonio Pisano)
    • Spanish (thanks to Hector Romojaro)
    • German (thanks to Markus Moser)

  • Added (missing) message keys
  • Improved wording of entries
  • Added message keys for member_state changes, provide API via group::get_member_state_pretty

Improved online documentation (/doc)

  • Fixed many broken links
  • Removed fully obsolete sections
  • Improved markup (modernize HTML)
  • Updated various sections

Misc code improvements:

  • 18 issues from the OpenACS-bug-tracker fixed
  • Made code more robust against invalid/incorrect input (page_contracts, validators, values obtained from header fields such as Accept-Language)
  • Fixed quoting of message keys on many places
  • Improved exception handling (often, a "catch" swallows too much, e.g. script_aborts), introducing "ad_exception".
  • Generalized handling of leading zeros:

    • Fixed cases where leading zeros could lead to unwanted octal interpretations
    • Switched to "util::trim_leading_zeros" instead of "template::util::leadingTrim" and "dt_trim_leading_zeros", marking the latter as deprecated
  • URL encoding

    • "ad_urlencode_folder_path": new function to perform an urlencode operation on the segments of the provided folder path
    • "export_vars": always encode the path correctly, unless -no_base_encode is specified
    • Fixed encoding of the URL path in "ad_returnredirect"
  • Improvements for "ad_conn":

    • Added [ad_conn behind_proxy_p] to check, whether the request is coming from behind a proxy server
    • Added [ad_conn behind_secure_proxy_p] to check, whether the request is coming from behind a secure proxy server
    • Added [ad_conn ajax_p] to check whether the request is an AJAX request (assumption: the AJAX request sets the header field "Requested-With: XMLHttpRequest")
    • Added [ad_conn vhost_url] to obtain the url of host-node-mapped subsites

  • Added various missing upgrade scripts (missing since many years) of changes that were implemented for new installs to reduce differences between "new"-and "old" (upgraded) installations
  • Templating

    • Get rid of various pesky "MISSING FORMWIDGET: ...formbutton:ok" messages
    • Improved support for javascript event handlers in template::head
    • New functions "template::add_event_listener" and "template::add_confirm_handler"
    • Fix handling, when "page_size_variable_p" is set (was broken since ages)
  • Improved location and URL handling:

    • Refactored and commented "util_current_location" to address security issues, handle IPv6 addresses, IP literal notation, multiple drivers, "
    • Improved "security::get_secure_location" (align with documentation)

    • New functions:
      • "util::configured_location"
      • "util::join_location", "util::split_location"
      for working on HTTP locations to reduce scattered regexps handling URL components
    • Improved IPv6 support
    • Use native "ns_parseurl" when available, provide backward compatible version for AOLserver
  • MIME types:

    • Added more Open XML formats for MS-Office to allowed content types
    • Modernized entries to IANA recommendations
    • New function "cr_check_mime_type" centralizing the retrieval of the mime_type from uploaded content
  • Finalized cleanup of permissions (started in OpenACS 5.9.0):

    • Got rid of "acs_object_context_index" (and therefore of "acs_object_party_privilege_map" as well) on PostgreSQL.
      Reasons:
      • huge table,
      • expensive maintenance, used only in a few places,
  • Misc new functions:

    • "lang::util::message_key_regexp": factor out scattered regexp for detecting message keys
    • "ns_md5" and "ns_parseurl": improve compatibility between AOLserver and NaviServer
    • "ad_dom_sanitize_html": allow specifying different sets of tags, attributes and protocols; and "ad_dom_fix_html", which is a lightweight tidy variant.

  • Improved HTML rendering (acs-api-browser), provide width and height to speed up rendering
  • Improved ADP files (e.g. missing doc(title))
  • Added usage of "ad_include_contract" on more occasions
  • Modernize Tcl and HTML coding
  • Reduced dependency on external programs (use Tcl functions instead)
  • Improved robustness of "file delete" operations all over the code
  • Improved documentation, fix demo pages
  • Aligned usages of log notification levels (distinction between "error", "warning" and "notice") with coding-standards

  • Cleaned up deprecated calls:
    • Removed usage of deprecated API functions (e.g. "cc_lookup_email_user", "cc_email_from_party", "util_unlist", ...)
    • Moved more deprecated procs to acs-outdated
    • Marked remaining (and unused) "cc_*" functions as well as deprecated.

  • Improved Oracle and windows support
  • Fixed common spelling errors and standardize spelling of product names all over the code (comments, documentation, ...)
  • Many more small bug fixes

Packages:

  • New Package Parameters

    • acs-kernel:

      • MaxUrlLength: remove hard-coded constant in request processor for max accepted url paths
      • SecureSessionCookie: Let site admin determine, whether or not to use secured session cookies (useful, when not all requests are over HTTPS)
      • CSPEnabledP: activate/deactivate CSP
    • acs-kernel (recommended to be set via the config file in section "ns/server/${server}/acs"):

      • NsShutdownWithNonZeroExitCode: tell NaviServer to return with a non-zero return code to cause restart (important under windows)
      • LogIncludeUserId: include user_id in access log
    • acs-api-browser:

      • ValidateCSRFP: make checking of CSRF optional (default 1)
    • acs-content-repository:

      • AllowMimeTypeCreationP: Decides whether we allow unknown mime types to be automatically registered (default: 0)
    • news-portlet:

      • display_item_lead_p: Should we display news leads in the portlet? (default 0)
    • search:

      • ValidateCSRFP: make checking of CSRF optional (default 1)
    • xotcl-request-monitor:

      • do_track_activity: turn activity monitoring on or off (default 0)
  • New OpenACS packages:

    • richtext-xinha
    • richtext-tinymce
    • richtext-ckeditor4 (has ability to choose between CDN and local installation via GUI)
    • openacs-bootstrap3-theme (as used on openacs.org)
    • dotlrn-bootstrap3-theme
  • xotcl-core:

    • Improved XOTcl 2.0 and NX support (e.g. api-browser)
    • Added "-debug", "-deprecated" to ad_* defined methods (such as e.g. "ad_instproc")
    • Make use of explicit "create" statements when creating XOTcl/NX objects (makes it easier to grab intentions and to detect typos)
    • Added parameter to "get_instance_from_db" to specify, whether the loaded objects should be initialized
    • Added support for PostgreSQL prepared statements of SQL interface in ::xo::dc (nsdb driver)
  • xowiki:

    • Named all web-callable methods www-NAME (to make it clear, what is called, what has to be checked especially carefully)
    • Moved templates from www into xowiki/resources to avoid naming conflicts
    • Improved ckeditor support
    • Added usage of prepared statements for common queries
    • Improved error handling
    • Better value checking for query parameter, error reporting via ad_return_complaint
    • Added option "-path_encode" to methods "pretty_link" and "folder_path" to allow to control, whether the result should be encoded or not (default true)

    • Form fields:
      • Improved repeatable form fields (esp. composite cases), don't require preallocation (can be costly in composite cases)
      • Added signing of form-fields
      • Added HTML5 attributes such as "multiple" (for "file") or "autocomplete"
      • Fixed generation of "orderby" attribute based on form-field names
      • richtext: allow to specify "extraAllowedContent" via options
      • Improved layout of horizontal check boxes

    • Menu bar:
      • Added dropzone (requires bootstrap): drag and drop file upload
      • Added mode toggle (requires bootstrap)
      • Extended default policies for handling e.g. dropzone (file-upload method)
      • Distinguish between "startpage" (menu.Package.Startpage) and "table of contents" (menu.Package.Toc)

    • Notifications:
      • Added support for better tailorable notifications: introduced method "notification_render" (similar to "search_render")
      • Added support for tailorable subject lines (method "notification_subject")

    • Improved bootstrap support, use "bootstrap" as PreferredCSSToolkit
    • Switched to ckeditor4 as PreferredRichtextEditor
    • Improved handling of script-abort from within the payload of ::xowiki::Object payloads
    • Added parameter to "get_all_children" to specify, whether the child objects should be initialized
  • xowf:

    • Added property "payload" to "WorkflowConstruct" in order to simplify customized workflow "allocate" actions
    • Internationalized more menu buttons
  • xotcl-request-monitor

    • Added class "BanUser" (use e.g. an IP address to disallow requests from a user via the request monitor)
    • Added support for optional user tracking in database
    • Added support for monitoring response-time for certain urls via munin
    • Increased usage of XOTcl 2.0 variable resolver (potentially speed improvement 4x)
    • Performed some refactoring of response-time handling to allow site-admin to make e.g. use of NaviServer's dynamic connection pool management (not included in CVS)
    • Added support for partial times in long-calls.tcl to ease interpretation of unexpected slow calls
    • last100.tcl: Don't report hrefs to URLs, except to SWAs
  • chat:

    • Introduced new options to set chat rooms so login and/or logout message are not issued every time a user enters/exits a chat-room (important for chats with huge number of participants)
    • Parameterized viewing of chat-logs
    • Fixed cases of over-/under-quoting
    • Fixed JavaScript for IE, where innerHTML can cause problems
  • file-storage:

    • Don't show action keys, when user has no permissions
    • Added support for copying of same-named files into a folder (adding suffix)
    • Fixed old bugs in connection with "views" package

OpenACS Version 5.9.0 Agenda

  • Slimming pg SQL core:
    • Part 1: improve performance of object deletion
      • remove manual delete operations from acs_object__delete()
    • Part 2: content-repository - manual referential integrity management
      • handle referential integrity via pg's integrity constraints rather than by the functions cr_revision_del_ri_tr, cr_revision_ins_ri_tr, cr_revision_up_ri_tr, cr_revision_del_rev_ri_tr, and cr_revision_del_rev_ri_tr
      • fix broken/missing upgrade scripts from earlier updates
    • Part 3: content-repository - manual deletions and nulling
      • Removed manual nulling of live_revision and latest_revision
      • Removed manual deletion of old_revision and new_revision in cr_item_publish_audit
      • Removed manual deletion of item_id in cr_item_publish_audit, cr_release_periods, cr_item_template_map, and cr_item_keyword_map
      • Removed manual deletion of direct permissions
      • Added missing index for child_id to cr_child_rels.
    • Part 4: get rid of tree_sortkey in acs-objects
      • Check/fix dependencies in oacs-5-8 packages
      • Get rid of broken/uncalled functions using the column
      • Check/fix dependencies in other packages
      • Remove tree_sortkey and max_child_sortkey
  • Web interface:
    • Improve client performance
      • moving core.js from head to body
      • provide kernel parameter to control expiration date for /resources/
    • Protect against more XSS attacks
    • Improved HTML validity (see oacs-5-9-html-validity for the checklist)
    • Add lightweight support for ckeditor4 for the templating::richtext widget (configurable via package parameter "RichTextEditor" of acs-templating). ckeditor4 supports mobile devices (such as iPad, ...).
    • New kernel parameter ResourcesExpireInterval to control expiration dates of resources
  • Templating:
    • Improve theme-ability
      • Move more information into theme packages in order to create responsive designs
      • Reduce hard-coding of paths, HTML etc.
    • Dimensional slider reform (ad_dimensional):
      • Remove hard-coded table layout from dimensional slider
      • Add backwards compatible templates
      • Move hard-coded styles into theme styling
      • Remove obsolete comments from ad_dimensional
    • Complete template variable controls (adding noi18n, addressing bug #2692):
      • @foo@: perform html quoting and internationalization
      • @foo;noquote@: perform internationalization
      • @foo;noi18n@: perform html quoting
      • @foo;literal@: perform neither html quoting nor internationalization
    • Improved Russian internationalization
    • Support of expiration dates and passwords for signed variables
       
  • Documentation:
    • Use ACS templating for the (static) OpenACS documentation to provide a more consistent layout and user experience.
    • Make pretty-naming of acs-core packages more consistent.
       
  • Misc improvements:
    • Mark unused functions of acs-tcl/tcl/table-display-procs.tcl as deprecated
    • Reduce the number of mutex locks by per-request and per-thread caching
    • Improved development and debugging aids:
      • use "ad_log error|warning ..." instead of "ns_log" to include information about the request and call stack in error.log
      • ability to display ns_log entries caused by a request in ds-footer
      • ability to save delivered web pages in the file system for testing HTML validity (especially for admin pages, which are inaccessible to external validity testers)
    • More bug fixes
       
  • Version numbers:
    • require PG 9.0 (End Of Life of PostgreSQL 8.4 was July 2014)
    • require XOTcl 2.0 (presented at the Tcl conference in 2011).
     

OpenACS Version 5.8 Agenda

  • PostgreSQL 9.2+:
    • Get rid of nonstandard backslash escapes in function definitions
    • Change quote syntax in SQL files (single quotes around the functions) to the recommended PostgreSQL quoting (recommended since pg8.0, Jan 2005)
    • Drop aliases in favor of named function arguments (recommended since pg8.0)
    • Fix wrong function_args, add missing function_args, align default semantics with the defaults in pg (providing "null" as default means the argument is optional)
    • Make OpenACS loadable without any tweaks in the pg config files
  • Use recursive queries for e.g. permission lookup to avoid performance problems in pg 8.4 and newer
  • ADP: Use byte-compiled function wherever possible in compiled adp-code, support "@var;literal@" when neither quotes nor localization is needed in compiled adp-code
  • Improve support of NaviServer
  • Switch to Tcl 8.5 (TIP #143)
  • Improve scalability: Reduce mutex-stress on util-memoize cache and for cache maintenance in general
  • Code cleanup:
    • Get rid of calls to deprecated code (e.g. ad_tables, ad_parameter, ... in acs-core and main packages)
    • Improve awareness of usage of deprecated code (complain to error.log)
    • Use Tcl 8.5 idioms
    • Clean up the various http-client approaches and introduce a common implementation, util::http::get and util::http::post; get rid of other usages and mark these as deprecated
    • page-contracts: Perform checking of all ids in acs-core and main packages to improve error messages and to improve security
  • OpenACS 5.8.1 should be released with main packages

OpenACS Version 5.7 Agenda

  • Support for object management in core 
  • Postgresql 9.0
  • TinyMCE update (fix for random JS injection issue, affecting Safari)
  • Fix for "remember me" issue
  • WCAG2-AA

OpenACS Version 5.6 Agenda

  • global parameters
  • package "embeds" 
  • fix search by package_id
  • core works on Postgresql 8.4

OpenACS Version 5.5 Agenda

  • DONE: Postgresql 8.3 support: especially regarding tsearch2
  • DONE: acs-authentication:
    • fix upgrade, add conditional logic into the site-wide Tcl library so that you can log in to perform the rest of the upgrade
  • DONE: tinymce:
    • upgrade to 3.1.1 + language packs
    • HTML Strict cleanup
    • create appropriate parameters for its config in acs-templating
  • acs-mail-lite:
    • DONE: cleanup duplicated procs (bounce)
    • review the parsing of bouncing messages (case user_id 0)
    • DONE: rollout support
  • Documentation improvements as discussed at the Guatemala conference:
    • Make current openacs.org/test-doc the source for static files included in the release and provide easy means to achieve this for the release manager
      • DONE (CVS HEAD): Provide in XoWiki an alternative table of contents by nested UL/LI (without JavaScript) for static output
      • DONE (CVS HEAD): Provide in XoWiki a prototype page similar to "book" without edit-buttons etc., using the new table of contents
    • Update openacs.org/test-doc where necessary (incomplete list):
      • DONE: Fix the page ordering for the higher chapters (the original document had no 3rd-level numbering)
      • update pages in /test-doc which are more recent in openacs/xowiki
      • bump version numbers of OpenACS, where appropriate (some places talk about openacs-5-0, others about openacs-5-1, oacs-5-2-3rc1 or 5-3)
      • some version numbers of the required components are quite a mess, e.g. some parts say that Postgres 7.3 is required, some examples talk about postgres 7.4.7 and 8.2.4 in the same listing.
      • also the dotlrn version numbers are old (dotlrn-2.0)
      • Tcl version numbers should be 8.4.19
      • The install section for XOTcl is missing in II.3.4
      • remove ChangeLog from documentation
      • find some other prominent place for the ChangeLog
      • Fix indenting in examples (e.g. in Rocael's robust web development framework)
      • rethink the Win2000 guidelines. There are the native compiled packages from Maurizio, including everything from postgres, xotcl ....
    • It is desired to find a single person responsible for reworking the documentation; however, funding is unclear.

OpenACS Version 5.4 Agenda

  • DONE: HTML Strict (openacs core)
  • DONE: finish template::head (daveb)
  • DONE: test acs-mail-lite (complex send)
  • DONE: test notifications (complex send)
  • DONE: new XinHA release, get rid of RTE & HTMLarea, test on Safari
  • DONE: Form builder: add the ID attribute  to the form tag
  • DONE: acs-lang - keepLocalTranslationP to be removed
  • DONE: search and intermedia-driver: move intermedia-specific stuff to its package
  • DONE: acs-mail-lite - patch for mime::qp_encode bug

Future

  • Split Xinha and TinyMCE into separate packages, see: http://openacs.org/forums/message-view?message_id=2750958
  • Usability ("my account" page)
  • XHTML ?
  • Testing and documentation for recording automated tests using the Firefox plugin and the new upload feature for it in automated testing. Probably needs some polishing and should be discussed with Quest, who are getting into this.
  • Parameter Scope Patch http://openacs.org/bugtracker/openacs/patch?patch%5fnumber=845
  • Remove obsolete master template stuff (default and site master template in openacs-4/www, acs-subsite's group-master, and related CSS and images). Probably in the version which follows 5.5 (probably 5.6). Also remove the compat master stuff at the same time.

Things to merge into this page

Old 5.0 Roadmap discussion

Roadmap discussion 1

Ideas for Boston 2006 Future of OpenACS discussion

My previous attempt at collaborative roadmap

A .LRN Roadmap

Another .LRN Roadmap discussion

What's on this page?

This page should include work that is planned on and has someone committed to working on it.

Upgrade to OpenACS 5.9

Created by Gustaf Neumann, last modified by Gustaf Neumann 08 Aug 2017, at 12:18 AM

If you are upgrading from a version earlier than OpenACS 5.8, read upgrade-oacs-5-8 first.

OpenACS 5.9 requires PostgreSQL 9.0 or newer and XOTcl 2.0 or newer (part of the nsf package). XOTcl 2.0 can be installed e.g. via install-ns, from Debian sid (https://packages.debian.org/sid/), or from sources (https://next-scripting.org/). To check the versions of these packages already installed in your OpenACS installation, look at the output of /xotcl/version-numbers in your installation.

Before upgrading to OpenACS 5.9, upgrade all packages in your current installation to recent versions in your OpenACS 5.8 installation (i.e. in the oacs-5-8 channel, especially if you are using edit-this-page, which has bugs in its data model that can complicate the oacs-5-9 installation).

In general it is always recommended to back up your current installation before overwriting it, e.g. make a tar archive of all files of the OpenACS tree and a database dump.

After upgrading the packages in the oacs-5-8 channel, the following steps are recommended:

  • Restart the server with OpenACS 5.8
  • Install the newest version of the source files (e.g. from the OpenACS 5.9 tar distributions, or install/upgrade from the oacs-5-9 branch from CVS)
  • Upgrade the acs-core packages via package manager, restart server
  • Upgrade/install application packages via package manager as needed (from file-system or from repository)

To upgrade from OpenACS 5.9.0 to OpenACS 5.9.1 it is recommended to upgrade via tarball or via CVS. Upgrading from the repository works for NaviServer, but leads to an error after the install steps with AOLserver (the installation is ok; after a restart, everything is ok).


OpenACS Release Status

Created by Dave Bauer, last modified by Gustaf Neumann 08 Aug 2017, at 12:13 AM

Current Stable Release

5.9.1 Released 2017-08-08

Download OpenACS 5.9.1 Core 

Download OpenACS 5.9.1 Full 

Previous Releases

5.9.0 Released 2015-12-01

Download OpenACS 5.9.0 

5.8.1 Released 2014-10-25

Download OpenACS 5.8.1 

5.8.0 Released 2013-08-30 

Download OpenACS 5.8.0 

5.7.0 Released 2013-07-17 

Download OpenACS 5.7.0 

5.6.0 Released 2010-09-22 

Download OpenACS 5.6.0 

5.5.0 Released 2009-06-22 

Download OpenACS 5.5.0 

5.4.3 Released 2008-11-26 (No more releases on the 5.4 branch)

Download OpenACS 5.4.3

5.4.2 Released 2008-06-08

Download OpenACS 5.4.2

5.4.1 Released 2008-04-07

Download OpenACS 5.4.1

5.4.0 Released 2008-02-07

Download OpenACS 5.4.0

5.3.2 Released 2007-07-18 (No more releases on the 5.3 branch)

Download OpenACS 5.3.2 

Next Bugfix Release 

undecided

Next Major Release

undecided

TODO list for next release

Commit Messages

Created by Gustaf Neumann, last modified by Benjamin Brink 06 Aug 2017, at 03:42 PM

  • Write your commit message in the imperative present tense: Use "Fix bug" and not "Fixed bug" or "Fixes bug." This convention matches up with commit messages generated by commands like git merge and git revert. It should start with a verb like "Fix", "Add" or "Change".
  • Commit message should contain a title and an optional body.
  • The title of the commit message should be a capitalized, short (50 chars or less) summary, not ending with a period.
  • The title can be followed by the body, an explanatory text, if necessary. Title and body are separated by an empty line. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together.
  • The body should be wrapped to 72 characters. The body can contain multiple paragraphs, containing plain text or bullet points. The bullet points should be typed as a hyphen or asterisk with blank lines in between. Use a hanging indent for longer bullet points.
  • Make white-space changes separately

See also:

Coding Standards - Index

Created by Rocael Hernández Rizzardini, last modified by Gustaf Neumann 06 Aug 2017, at 02:11 PM

A coding style is always important to maintain the quality of the code, in this case of the OpenACS project. Here you'll find a set of links that will guide you through our most common standards.

The definitive guide on coding standards can be found at OpenACS Style Guide .

Much of this has been gathered from posts or guides that other OpenACS community members have written, such as:

Available OpenACS Packages

Created by Gustaf Neumann, last modified by Gustaf Neumann 27 Jul 2017, at 11:23 AM

Wiki pages for the packages available in the OpenACS code repository:

Packages in the oacs-5-9 channel.
