Release Notes For Version 8.4
Table Of Contents
- Upgrading to 8.4
- New Features
- Updates
- 8.4.0 August 12th, 2018
- 8.4.1 August 14th, 2018
- 8.4.2 August 17th, 2018
- 8.4.3 August 23rd, 2018
- 8.4.4 September 7th, 2018
- 8.4.5 September 21, 2018
- 8.4.6 November 6, 2018
- 8.4.7 November 13, 2018
- 8.4.8 November 14, 2018
- 8.4.9 November 26, 2018
- 8.4.10 November 28, 2018
- 8.4.11 November 29th, 2018
- 8.4.12 November 30th, 2018
- 8.4.13 December 8th, 2018
- 8.4.14 December 11th, 2018
- 8.4.15 December 17th, 2018
- 8.4.16 December 20th, 2018
- 8.4.17 December 21st, 2018
- 8.4.18 January 7th, 2019
- 8.4.19 January 21st, 2019
- 8.4.20 January 22nd, 2019
- 8.4.21 January 23rd, 2019
- 8.4.22 February 4th, 2019
- 8.4.23 February 5th, 2019
- 8.4.24 February 8th, 2019
- 8.4.25 February 14th, 2019
- 8.4.26 February 19th, 2019
- 8.4.27 February 28th, 2019
- 8.4.28 March 7th, 2019
- 8.4.29 March 15th, 2019
- 8.4.30 March 20th, 2019
- 8.4.31 March 21st, 2019
- 8.4.32 March 22nd, 2019
- 8.4.33 April 11th, 2019
- 8.4.34 April 18th, 2019
- 8.4.35 April 26th, 2019
- 8.4.36 May 2nd, 2019
- 8.4.37 May 8th, 2019
- 8.4.38 May 10th, 2019
- 8.4.39 May 15th, 2019
- 8.4.40 May 16th, 2019
- 8.4.41 May 21st, 2019
- 8.4.42 June 21st, 2019
Upgrading to 8.4
You can upgrade directly to 8.4 from any earlier version. If you are upgrading
to 8.4 from 8.2.x or earlier, then please take note of the upgrade instructions
for 8.3. In particular, the 8.3 upgrade can take up to two hours.
Upgrading from 8.3.x to 8.4 is very quick and is considered a small upgrade.
Upgrading from any version to the latest (including applying bug fix updates)
should be done with the following procedure:
Stop tomcat
For major upgrades, you must create a backup of your database before
proceeding. For minor upgrades, it is recommended to create a backup, but
it is less important. After having stopped tomcat, the typical command
required is:
mysqldump -u USERNAME -p calpendo > calpendo.sql
or, depending on your system:
sudo mysqldump calpendo > calpendo.sql
Save the hibernate.cfg.xml and log4j.properties files from your existing
webapps/Calpendo/WEB-INF/classes directory
Take the Calpendo directory from the tar.gz download, and replace your
existing webapps/Calpendo with it.
Put the saved hibernate.cfg.xml and log4j.properties files into the new
directory.
Make sure you do not have both old and new versions in the webapps
directory at the same time, unless they point to a different database.
Booting multiple versions of Calpendo that point to the same database will
cause problems and is best avoided.
Restart tomcat
New Features
Authentication
Additional authentication options are available that can delegate the
authentication to a separate server. This is supported in two new ways:
- a new Exprodo Authentication Method in which a user gives their login name
and password to Calpendo, and this is validated by a separate Calpendo
or other Exprodo server.
- an External Proxy Authentication Method in which we never see your password
at all, but we delegate the authentication to a proxy server. In this
configuration, a central Exprodo Software ID server is used for the
authentication, and that central ID server is configured for Shibboleth.
The end result of these new options is that we can delegate authentication to
proxy servers, and that we can add support for Shibboleth authentication
much more easily than we could previously.
Also, External Proxy Authentication Method and the existing
External Authentication Method can use attributes taken from Shibboleth, or
any other system you may be using for authentication, and pre-populate the
details on the New User Registration page with them. That means, for example,
that when a new user registers, their email address and name can be filled in
automatically. For this to work, your institution's identity provider will
need to expose these attributes to Calpendo.
Finally, authentication methods can now be partiallly hidden from users. This
allows you to set up authentication methods that are rarely used (perhaps only
for a small subset of users) and not to have them visible in the login page.
There's a small button in the top-left corner of the login box to show or hide
the hidden authentication methods.
User Management
We have added support for suspending users:
- Set a user's status to SUSPENDED
- They will no longer receive emails
- They no longer count towards your licensed number of users
- If they try to log in, then their status will be changed to NORMAL and
they will be allowed to log in
- If you have run out of licensed users, then a suspended user will not
be allowed to log in or convert to a normal user
Calendar
The button bar that appeared in the "Resources" section on the left of the
bookings calendar has changed. In 8.3, the functionality of the old
"Bookmarks" section moved from the calendar to be in the "Resources" section,
and it became a row of icon buttons.
Some people were confused about the buttons and what they did, and it was
also difficult to explain to somebody which button to press.
So we've changed it again. This time, there's a single button, labelled
"Bookmarks", for everything related to bookmarks and choosing the displayed
resources, and when clicked, it shows a drop-down menu with the selectable
options. This means it now provides both the icons and text that describes
what they do.
Also, when your mouse hovers over the name of a resource at the top of a
column of bookings or templates, or on the resource selector on the left, it
now shows a picture of the resource. An admin must have set up the picture
on the resource for this to work.
Summary Report
The summary report now lets you break down the summaries by multiple rows as
well as by a column. This brings it closer to what you can do in a
spreadsheet with a pivot table.
Bakery
- Add support for MappedInt, MappedString and StringEnumDef groups in the bakery
- This means that you can now group related items in the bakery so that
they can be seen to be related.
- Add database analysis tool to bakery
- This is a new tool that lets you analyse the tables and columns to
see what they are used for, and whether any of them are unused.
- It is currently only visible to root users. This may be extended to
admins later.
- It currently only shows a read-only view of the system, but will
eventually allow unused columns and tables to be removed.
Templates
We have added support for messages directly on templates in the template
calendar. This will allow for custom messages delivered to users just for that
particular period on the calendar.
When cancelling bookings, there will now be the option to provide free-text
comments to explain why it is being cancelled, as well as the existing facility
for choosing from a customisable drop-down of reasons.
Tag Properties
Calpendo now has support for "tags". These are either string properties or
properties that store a set of strings, and you can choose any value for the
string, but you will automatically be offered values that have previously been
used for the same tag.
An administrator might want to prevent certain values being offered as
suggestions, and to do this you would search for "Tag" biskits, and modify the
relevant one to mark it as deprecated. Alternatively, you can just delete it.
To use this, in the bakery there is now a new top-level item labelled "Tag Def"
where you can define the flavour of tags that exist.
To have a single tag property, you would add a string property in the bakery
and set the string type to "Tag", and then choose the type of tag it is, which
will be one of those you created in the "Tag Def" section.
To add a property to store multiple tags, add a "set" property, and specify the
set contains items of type "string", and you will be forced to choose "Tag"
as the type of string. Again, here you must choose the type of tag it is, which
will be one of those you created in the "Tag Def" section.
New Workflow Features
Add support for workflows to send emails and choose the to/cc/bcc recipients
separately. Previously, all recipients were in the "to" section of the email.
- Add support for being able to listen to database events after they have
completed.
- Currently, you can only have workflows that run while the event is in
progress, which means you can veto the original event.
- Sometimes this is useful, such as being able to prevent a booking, but
it's also sometimes undesirable if you don't want the chance of an error
in your workflow preventing something being saved.
- With this new option, it means you are guaranteed that your workflow
cannot impact the change you're listening to (which is in some cases
desirable).
- It also means you won't be able to veto a change using this mechanism.
- Add support for a new User Login Workflow Event, triggered when a user logs
in.
- This will allow you to customise things about the user's settings at
login time.
- In particular, you can modify the menu a user will use, so that you can
ensure that those with the admin role always get the admin menu.
- You could also run a VetoWorkflowAction to prevent the user from
logging in.
- You may also choose which layouts the user will see. Do this by calling
the new workflow function addUserLayout, passing in a layout you want
them to use, and the layouts given on the UserLoginWorkflowEvent.
- You can also modify the workflow buttons the user will see.
- There's a list of buttons in a property called buttons on the
event, and it contains all the buttons the user would normally see
after taking permissions into account.
- You can add to the list, remove from the list, or modify the buttons
in the list.
- Modifying buttons makes sense if you want to disable them for some
users. If you do this, then you should make sure the Biskit Update
action when you modify the button is marked as temporary so that
the change is not persisted to the database where it could affect
other users.
- Add support for TemplatedTextWorkflowAction to parse FreeMarker templates
The template you provide to a TemplatedTextWorkflowAction lets you
provide values that are replaced by references to particular values
from the workflow's context.
That still happens, and is the first step towards converting the template
to the output text.
There's now an additional step, which is that if there are any
FreeMarker directives in the template, then the template is now also run
through FreeMarker.
There are values provided for the FreeMarker data model, which can all
be accessed using standard FreeMarker syntax. You don't need to remember
how to do this though - the UI's "Insert" button has a new item that
appears in the drop-down. One for selecting a value that FreeMarker will
parse, and another for creating a FreeMarker loop through a list of
biskits.
For example, this is a valid FreeMarker template, where event #1 is a
database event for a booking being created:
Hello there ${METAPROPERTIES.user.userIdentity.loginName}, booking made for ${source1.biskit.resource.name}
Add support to expression workflow action for logical combinations of
booleans. This means you can use expressions like:
Logical AND:
a && b
a AND b
a and b
Logical OR:
a || b
a OR b
a or b
Logical Exclusive OR:
a ^ b
a XOR b
z xor b
Logical NOR:
a NOR b
a nor b
The help icon (that shows when you hover your mouse over a workflow function)
is now displayed permanently rather than only appearing when your mouse is
in the right place.
Add new "output" tab that shows on all events and actions, and shows details
about the data output from the event/action that later actions can use.
- Add new "References" tab to the display for each workflow event and action
- This shows which other events/actions reference this one (the inbound
references) and which other events/actions we reference (the outbound
references).
- When your mouse hovers over each reference, the item is highlighted in
the tree of actions and items.
- You can click on a reference to take you directly to that item.
New Workflow Functions
addUserLayout can only be used as part of a UserLoginWorkflowEvent, and
the function will add a layout to those that the user will see. You can use
this to specify particular layouts for a user so that you can control the
way data is presented. For example, you might want to hide the existence of
some properties from some users, rather than only hiding the value of those
properties.
- expandRepeats takes a repeating item (template, booking etc), or a list of
them, and returns a list of the repeating instances.
- You can specify either the start and end dates, or the start date and
a number of days.
intersect was a function that takes two DateRange values and works out the
DateRange representing the period they have in common. There are now two more
versions of this method. One takes a DateRange and two date/times, and the
other takes four date/times.
createDateRange creates a new DateRange value. There are two versions of it,
one that takes no arguments and gives you a range from now to December 2999
and one that takes two date-time values.
subList extracts a subset of a list.
sum taking a list of integers to add them up. There was already a version
that added up a list of doubles.
biskitDef to find a BiskitDef from a string biskit type, or given a
biskit whose type indicates the BiskitDef you want
propertyDef for finding a PropertyDef from a BiskitDef and a path string,
or from a string biskit type and a path string.
- sum to calculate sum of a list of integers
- This is both where you provide a list of integers, and also where
you provide a list of biskits and path that leads to an integer from
each of the biskits.
- sum to calculate sum of a list of doubles
- There was already a function where you provide a list of biskits and
a path that leads to an integer from each biskit.
- This new version just takes a list of doubles.
timeDiffSeconds to calculate the number of seconds between two date-times
timeDiffMilliseconds to calculate the number of milliseconds between two
date-times
- getBookingTemplates has a new overloaded version
- The new version doesn't take a booking as an argument, but all the
details that it would need from a booking.
- That means resource, booker, project, start and finish
createList has a new overloaded version to create a list of doubles.
- generateUserWorkflowEventURL creates a string that is a URL which, when
executed, will run a user workflow event.
- Specify the event to be executed in the function arguments.
- You can also specify a string and/or a biskit whose values will be
encoded into the URL and will then be available from within the
user workflow event's workflow.
- This is intended to be used in emails where you can send somebody links
that can let them run particular workflows.
- Note that this mechanism requires the user activating the URL to log in
so that the workflow knows who they are.
Workflow Changes
- The name of the function added for a CustomFunctionWorkflowEvent that
declares that its function can only be called from within its own workflow
will now be limited in scope to that workflow.
- It was already callable only from that workflow.
- Now it will not be considered to clash with a function defined outside
the workflow that has the same name.
- A reference to a function will now look for something scoped within the
workflow where you're defining the call to the function, and then if it
doesn't find it there, it will look in the global scope.
- This means you should now be able to copy-and-paste a workflow that
contains a CustomFunctionWorkflowEvent, where previously the save was
rejected because you would be creating a new function of the samke name
as before.
- This copy-and-paste will only work where the
CustomFunctionWorkflowEvent declares its function can only be called
from within the workflow. Otherwise, you will have to modify the name
of the function before you will be allowed to save it.
- Note this means you can provide an alternative implementation of a
global function, even one provided with the system, but in order to do
that, you must create a CustomFunctionWorkflowEvent with both a
matching function name and also matching input and output names
as well. In other words, the names of the inputs and outputs are
seen as an integral part of the function-matching system.
- Aside: Doing it this way is a design choice made because it
allows us to automatically modify any actions that call a function
when that function's signature is modified by adding, removing or
reordering the parameters. For this to work, the names of the
arguments are used to detect the detail of the underlying change
and how to modify things accordingly. We take the view that it is
better to support automatic modification of user workflows when we
make changes to built-in functions than it is to allow custom
functions to override functions without a care for input or output
names.
- Add support for expression workflow action to create a system event with
details of every partial expression evaluated when in verbose mode
- Turn on verbose mode for EvaluateExpressionActionHandler and you get
an event as each part of an expression is evaluated.
- Biskit update actions can now request that the changes they make are temporary
so they are not saved to the database.
- This can be useful in response to a User Login Event where you might
want to modify some information sent to a user without having it be
persisted.
- Perform validation of a workflow and trigger every time they are rendered
- This means that if there are any inconsistencies within a workflow,
event or trigger, just clicking on it or saving it will display an
error message.
Read Only Calendar
You've been able to display a read-only bookings calendar for quite some
time now, but we haven't made it easy for people to turn this on because it
needed a suitable workflow creating.
Version 8.4 now comes with a default workflow that provides anonymous http
access to display a read-only calendar. That means it can be seen without
logging in to Calpendo.
The workflow is disabled by default. The minimum require to get it working
is:
Go to the Workflow Manager
Find the workflow, under "Booking" and called "Weekly Calendar"
Edit it and enable the workflow, and save it
Point a web browser at:
https://yourcalpendo/anon/bookings.html?title=Your Title&pks=1,2,3,4
where you can change the arguments in the URL to control the displayed
title and the IDs of the resources whose bookings should be displayed.
You can see an example of this by going here:
https://demo.calpendo.com/anon/bookings.html?title=Custom%20Calendar&pks=1,2,3,5,6
The displayed data will reflect the permissions of a particular configured
user, and that user is by default "admin". This may not be what you want, so if
you turn this on, you should play with it to make sure it's not leaking
information you don't want to leak.
Miscellaneous
Some requests between the browser and the server are handled in pure JSON
formatted messages. This is a partial step towards 9.0 in which all messages
will be handled this way.
- Allow project owners to make bookings for their projects
- Non-admins can now select projects they own in the booking pop-up,
even if they are not in the users for that project.
- Add support for choosing which user roles mean you can book for any project
- Historically, those with the admin role have been able to select
any project when making a booking.
- Global preferences now has an option to choose which roles provide this
ability.
- This means you can set up any role as meaning that users with that role
can select any project in the booking pop-up.
- Add support for an auto-expanding menu item showing bookings by location
- When you have a cascading selection of locations, possibly with many
such locations, then you can now add a single menu item that will
automatically expand out into a cascading set of menu items for users.
- Each menu item will let user display a bookings calendar with the
resources in the location they select from the menu.
- Remove light yellow background from menu editor for custom menu page items
- This was inconsistently applied.
- Add tool to bakery to find references to property paths
- This is found in two places:
- on each PropertyDef there's a new "References" button that finds
all references to this PropertyDef or any reference to a string
property path that might refer to properties with the same name
as this PropertyDef.
- Under the "Tools" option at the top-level of the bakery, there's
a tool to let you locate references to any property path. That means
you can type in the name of a property (or something that used to
be a property) or the name of a path that might have been used
somewhere, such as in conditions. This could be something like
"New.owner" or other things with a period in them as well as a simple
property name.
- Display only authorised projects when admin/resource manager makes booking
- When an admin makes a booking for a resource that is marked as requiring
authorised projects only, we used to show ALL projects.
- This made it difficult for admins who had to pick one that was authorised.
- It now only shows those that are authorised, when the resource says
it requires it.
- It was already working this way for non-admins.
- Auto-populate database if it is blank on boot
- When first installing Calpendo, you now only need to create an empty
database.
- The default tables and data are now automatically populated on first
boot instead of having to be loaded manually first.
Add organizer to ical feed as each booking's owner
- Add support for users to hide the page banner
- When a system displays a page banner at the top of every page, there's
now a small button in the top left corner that you can click to hide it.
- A cookie remembers whether you want it hidden or not, so it will stay
hidden after refreshing your browser until you click the button again.
Back to Top
Updates
8.4.0 prerelease update 1
- Biskit update workflow action now lets you choose whether the update is
temporary as well as biskit create.
- Biskit update workflow action has changed the label for "Temporary Change"
to "Temporary Biskit" so that it is consistent with the biskit update action.
- Added buttons to the user login event output
- BUGFIX: Cancellation comments weren't displaying when viewing booking
- BUGFIX: StringWidget NPE when the text value evaluates to null
- This affected setting cancellation reason without first typing comment
- BUGFIX I2185: Exception checking teferences to user, user type & user group
- The email changes to workflows to support to/cc/bcc recipients did not set
up unions properly and so checking references gave a hibernate exception.
- BUGFIX: Cancellation comments has inconsistency in defined column type
- varchar(255) defined in hbm.xml and longtext in the database upgrade.
- All bugs fixed in 8.3.31
8.4.0 August 12th, 2018
First released version.
8.4.1 August 14th, 2018
Bug Fixes
- BUGFIX: New user registration page refusing all new registrations
- BUGFIX: BookingPopup exception creating booking from month view
- BUGFIX: Non-admins can't log in after create UserWorkflowBiskitTypeButton
- If you create a workflow button, then non-admins can't log in
- This is a problem with applying permissions to cleaning the data in
the buttons, which caused a problem preventing login from working
Back to Top
8.4.2 August 17th, 2018
Bug Fixes
Back to Top
8.4.3 August 23rd, 2018
Bug Fixes From 8.3.32
- BUGFIX: Read-only calendar BookingsWeekView function fails when no bookings
- If no bookings exist (in the desired time frame) then the read-only
calendar does not work.
- BUGFIX: create booking ending at midnight using mouse drag and it shows the
end time as 23.59 instead of 24.00
- BUGFIX: A time slot ending at midnight causes Calpendo to try to create a
booking with the end time before the start time
- BUGFIX: Only last change in addToGroup/removeFromGroup took effect
- If you call addToGroup or removeFromGroup multiple times in response
to one workflow event, then only the last call would take effect.
Security Bug Fixes From 8.3.33
- SECURITY BUGFIX: Remote activity recorder passwords stored clear text
- If you are using CAR or pGina to record activity on a remote system, and
using Calpendo as an authentication method, then the password the user
enters was being stored in the data when we keep a record of the JSON
being sent to the server.
- We don't know of any customers this affects, but this update fixes it
by removing the passwords before saving, and also removes all JSON
records already in the database for messages of type AUTHENTICATION.
Bug Fixes From 8.3.33
- BUGFIX: MappedInt with spaces in the name causes custom function problem
- A custom function event in the workflow manager that has an input or
output with an integer that is a mapped int, where the mapped int's name
has a space in it, causes the workflow to fail and the UI to show
exceptions when you view it.
8.4.4 September 7th, 2018
Changes
Change calendar bookmark button bar to a single menu button
The help icon (that shows when you hover your mouse over a workflow function)
is now displayed permanently rather than only appearing when your mouse is
in the right place.
Add new "output" tab that shows on all events and actions, and shows details
about the data output from the event/action that later actions can use.
- Improvements to tag sets
Add new workflow function "subList" that extracts a subset of a list.
Add new workflow function "biskitDef" to find a BiskitDef from a string
biskit type, or given a biskit whose type indicates the BiskitDef you want
Add new workflow function "propertyDef" for finding a PropertyDef from a
BiskitDef and a path string, or from a string biskit type and a path string.
- Add workflow function to calculate sum of a list of integers
- This is both where you provide a list of integers, and also where
you provide a list of biskits and path that leads to an integer from
each of the biskits.
- Add workflow function to calculate sum of a list of doubles
- There was already a function where you provide a list of biskits and
a path that leads to an integer from each biskit.
- This new version just takes a list of doubles.
- Prevent properties being created with some special keywords as names.
Property names that are no longer allowed are:
- class
- create
- delete
- insert
- update
- distinct
- on
- Prevent passwords from containing personally identifying information.
Specifically, we prevent passwords from containing:
- given name
- family name
- middle name
- login name
- login identifier
- "exprodo"
- "calpendo"
Avoid sending exception emails when a workflow action issues a veto
Changes from 8.3.35
- Log system events when authenticating via LDAP gives an error
- This should help to dignose issues in which the LDAP authentication
method is not configured consistently with the LDAP server.
Bug Fixes
- BUGFIX: Read only calendar ignored multi-day bookings starting before today
- BUGFIX: Selecting tag suggestion with mouse inserts wrong text
- If you type something (eg "H") and then get a suggestion (eg "Hello")
and click on the suggestion, you expect to get the suggestion added to
the tags.
- Instead, you get the text you type (the "H" in this example).
- BUGFIX: Extraneous min/max workflow functions taking list
- There are workflow functions calculating a min/max of integers,
longs, doubles, dates and date-times.
- For the integer and double variety, there were two overloaded functions
with slightly different signatures.
- This fix removes that ambiguity.
Bug Fixes from 8.3.34
- BUGFIX: NPE (in development only, not production) on create report
- Create a report from the resource usage search page, then go to that
report in the report manager, and then click the Create button.
That gives an exception, but only in development mode.
- The semantics are slightly different in production because the compiler has
done optimisations to work out which virtual method to call, so it
doesn't notice when calling a method on a null object.
BUGFIX: Refining a previous search applied no limit nor set first/last
BUGFIX: Create a copy of a BiskitDef in bakery and the group is not copied
- BUGFIX: System events don't show correct CRUD for workflow events
- Instead of the system event showing the value for the CRUD property as
something like "Create" or "Update", it would show "UnknownType#0"
BUGFIX: Sort workflow action randomly and it shows weight path et al
- BUGFIX: Remote activity recorder logout triggered user identification event
- There should be no need to trigger a RemoteUserIdentificationEvent when
somebody logs out; we are given their primary key, or not, and should just
rely on that instead.
- BUGFIX: Workflow func getBookingTemplates misses repeats ending same day
- The function getBookingTemplates is given a booking, and returns the
templates that apply to it.
- However, if a template repeats and the last repeat is on the same day as
the booking, then that template is not returned by the function.
- BUGFIX: Cancel a middle repeat booking this-and-later left extra booking
If you have a repeating sequence of bookings, and you cancel one of the
repeats (but not one of the first two) and choose "This and later" as the
option for which to change, then you would end up with:
- A repeating sequence for everything from before the instance you
asked to be cancelled (this part is correct).
- A non-repeating booking at the date/time of the instance you asked
to be cancelled. This is clearly wrong, and this booking should not
have been retained.
Bug Fixes from 8.3.35
- BUGFIX I2196: updating a report with checked editing gives an exception
- BUGFIX I2197: Error showing list of biskits with no props visible in list
- If you define a biskit to have no properties visible in a biskit list,
then by default, we can't show a list of them.
- This wasn't handled very well, and now shows a good error message.
8.4.5 September 21, 2018
Changes
Bug Fixes
- BUGFIX: Sets of tags cause a problem to biskit validation
- BUGFIX: Adding an input/ouput to custom function action gave exception
- BUGFIX: Description of standard trigger output "executedTime" was wrong
when viewed in the output tab of any event or action.
Changes From 8.3.36
- Change mouse cursor over calendar to indicate you can click
Bug Fixes From 8.3.36
Bug Fixes from 8.3.37
8.4.6 November 6, 2018
Changes
- Add new "References" tab to the display for each workflow event and action
- This shows which other events/actions reference this one (the inbound
references) and which other events/actions we reference (the outbound
references).
- When your mouse hovers over each reference, the item is highlighted in
the tree of actions and items.
- You can click on a reference to take you directly to that item.
- Add tool to bakery to find references to property paths
- This is found in two places:
- on each PropertyDef there's a new "References" button that finds
all references to this PropertyDef or any reference to a string
property path that might refer to properties with the same name
as this PropertyDef.
- Under the "Tools" option at the top-level of the bakery, there's
a tool to let you locate references to any property path. That means
you can type in the name of a property (or something that used to
be a property) or the name of a path that might have been used
somewhere, such as in conditions. This could be something like
"New.owner" or other things with a period in them as well as a simple
property name.
- Perform validation of a workflow and trigger every time they are rendered
- This means that if there are any inconsistencies within a workflow,
event or trigger, just clicking on it or saving it will display an
error message.
- Delete all attachment garbage you can when one or more fails
- Attachments remember what they are attached to. When the thing they are
attached to is deleted, or changed so it no longer references the
original attachment, then the old attachment can be deleted. However,
it isn't deleted immediately, and so a garbage collector looks for such
unreferenced attachments and removes them later.
- Previously, if any attachment garbage could not be deleted for some
reason, then none of it would be deleted. So garbage would increase
over time, and you would be left with trying to find the troublesome
item from all that garbage.
- The fix now means that all those that can be deleted will be, and
when there's trouble, the system events will say exactly which one(s)
are causing the trouble.
- Add auto-refresh to calendars with user/global setting for period
- All calendars can now automatically refresh every so often
- The time between refreshes is defined in a global preference (in the
tab labelled "Security") and a user setting (in a new tab labelled
"Refresh").
- By default, user settings will indicate it's the global preferences
setting that should be used for the time between automatic calendar
refreshes.
- The automatic refresh only happens while a calendar page is displayed.
- If you visit a calendar page, then go to a different page for a long time
and go back to the calendar, then it will automatically refresh when you
go back to the calendar.
- If you leave a calendar page displayed and you do not interact with it
for long enough so that your session expires, then it will automatically
switch to the login screen.
Added support for user authentication via a Calpendo proxy (where a user on
one system is authenticated by a separate Calpendo's record of a local user)
and also for external proxy authentication (in which one Calpendo can use
a separate server which may have Shibboleth configured for authentication).
This makes it much easier for us to support Shibboleth for systems we host.
- Add overloaded version of workflow function getBookingTemplates
- The new version doesn't take a booking as an argument, but all the
details that it would need from a booking.
- That means resource, booker, project, start and finish
Add overloaded version of workflow function createList which creates a list
of doubles.
- Display only authorised projects when admin/resource manager makes booking
- When an admin makes a booking for a resource that is marked as requiring
authorised projects only, we used to show ALL projects.
- This made it difficult for admins who had to pick one that was authorised.
- It now only shows those that are authorised, when the resource says
it requires it.
- It was already working this way for non-admins.
- Add support for showing a picture of each resource
- In the resource editor, set the picture in the "Picture" tab
- On the bookings calendar, the head of each column that shows the name
of the resource now shows a picture when you mouse hovers over it.
Changed summary report so that you can now break down the summaries by
multiple rows as well as by a column. This brings it closer to what you can
do in a spreadsheet with a pivot table.
- Add support for user suspension
- Set a user's status to SUSPENDED
- They will no longer receive emails
- They no longer count towards your licensed number of users
- If they try to log in, then their status will be changed to NORMAL and
they will be allowed to log in
- If you have run out of licensed users, then a suspended user will not
be allowed to log in or convert to a normal user
Focus on the OK button when alert box shows a message
- Prevent even root from creating users beyond licence limit
- There is protection set up so that you can't approve users and thereby
exceed the limits of your licence. There was an exception that allowed
root to do this.
- However, if you approve more users than your licence allows, then
non-root users are not allowed to log in.
- Consequently, it doesn't really make sense to allow even root to do
this to a system.
Changes From 8.3.39
- When action succeeds but won't run its children, mark system event as such
- This makes it easier when looking at system events to see whether a
TypeCastAction matched or not.
- Display good properties for CreateVariablesAction in system event
- Add collection size to ForEachWorkflowAction output
- When you run a for each and loop through its contents, the output of the
foreach now shows the number of items in that collection as well as the
current index.
- Add function name and signature to output of function workflow action
- Display details of output from evaluate expression in system event
Changes From 8.3.40
Bug Fixes
BUGFIX: expandRepeats workflow function had a typo in its help text
BUGFIX: Help text for subList workflow function was misleading
- BUGFIX: TemporaryFileManager start-up events logged out of sequence
- When starting up, the TemporaryFileManager logged two events, but
they appeared in the wrong sequence.
BUGFIX: remove workflow function had bad help text on the returned values
- BUGFIX: createDateRange workflow function said it returned a DateTime
- It actually returns a DateRange, as the name suggests.
BUGFIX: subList function always returned items from start of list
- BUGFIX: Templates prevented booking for projects a user only owns
- 8.4 now supports being able to book for projects they own as well as
those where they are in the project's users. However, templates were
preventing this from working.
- BUGFIX: Export of report did not write out tag string properties
- This applied to both Excel export and text (CSV/TSV).
- BUGFIX: email to/cc/bcc change broke upgrade from pre-8.0 database to 8.4
- Upgrading from a database older than 8.0 to 8.4 was not working.
BUGFIX: List report of CalpendoConfig ran for a very long time
- BUGFIX: Custom search pages could sometimes not correctly load a saved report
- When saving a report, the conditions are written out in an optimised
order with the fastest to execute first. So when loading a report into
a custom search page, it must cope with the order of the conditions
having been changed.
- However, a custom search page has conditions from the mangler and the
user-supplied conditions, and we always required the mangler conditions
to be first.
- If they happened not to be, then the report would not load correctly.
- This could be made to happen by making the manually added conditions
include more EQUALS conditions than there were custom search conditions.
- BUGFIX: PrivilegedSearch weighted randomisation by date was really uniform
- The weighted randomisation formula we use calculated weights
that were too similar across the range of dates in actual use.
- This meant that the random distribution was close to uniform rather
than being skewed by time as it should be.
Bug Fixes From 8.3.38
- BUGFIX: Renumbering workflow did not renumber veto actions
- This also means that when copying and pasting actions, if there's a
veto action that references a variable value, then the variable value is
not renumbered to reference the appropriate new source but is left as
it was.
- Consequently, a renumber or copy/paste would leave a veto action
in a broken state is the veto uses a variable value for its message.
- BUGFIX: Cannot add or remove property definitions in MariaDB 10.2.4 or later
- If you host your own Calpendo, and use MariaDB 10.2.4 or later, then
the bakery wouldn't work as normal.
- This is due to MariaDB introducing a new keyword called "rows" which
clashes with a column on the property_defs table.
- This fix renames the column to avoid the clash.
Bug Fixes From 8.3.39
- BUGFIX: Multiple threads not stopped when server shuts down
- This generated warnings from tomcat about memory leaks, although
tomcat was able to handle it and prevent a leak.
- BUGFIX: Occasional exception on trying to log in
- BUGFIX: Exception if expression workflow action output is (correctly) null
- If the output from an expression workflow action evaluates to null, then
there was an exception rather than simply letting the result be null.
- BUGFIX: intersect function did not return consistent results
- BUGFIX: Non-notifiable exceptions during workflow still sent email home
- For example, when a booking rule is contravened by a workflow, the rule
exception is marked as a non-notifiable exception. When a user triggers
a booking rule, there's no email back to Exprodo.
- However, when it's a workflow that triggers a booking rule, it did
generate an email.
- BUGFIX I2211: References to user not showing SystemUsage biskits
- This was because SystemUsage was marked abstract.
- BUGFIX I2210: Time drop-down in 12 hour mode in BookingPopup showed
12:00PM twice
- BUGFIX: Time entry box interprets "12am" as noon and "12pm" as midnight
Bug Fixes From 8.3.40
- BUGFIX: No message shown to user after new external user reg with redirect
- If you have an external authentication method set up and it is configured
to use a redirect after authentication to get back to Calpendo, then
the new user registration process does not show the message to the user
asking them to wait for the administrator before trying to log in.
- BUGFIX: Login after external redirect new user registration fails
- If you have an external authentication method configured with a redirect,
and then register a new user, then immediately logging in with a local
user goes to the new user registration page.
- Also, if you try a new user registration but cancel it, then a
subsequent login would fail if the new user registration was for an
external auth with redirect.
- BUGFIX: Discontiguous sibling_order in BookmarkElement prevents login
- If you have a bookmark whose elements are not contiguously numbered from
zero upwards, then after login the server generates a null pointer
exception preventing the browser from downloading all the data it needs
at boot time.
- This made the system is unusable for users whose bookmarks were broken
in that way.
Back to Top
8.4.7 November 13, 2018
Changes
- Add support for attributes published by a single-sign-on provider to
automatically populate user information that appears in the user registration
form.
- When installing Calpendo on your own server, this requires your
Apache configuration to capture Apache environment variables and make
them available as http headers.
- For the shibboleth External Proxy authentication run by the Exprodo
Software service at https://sp.exprodo.com/ we expose many standard
attributes as http headers, although each identity provider that we
deal with may choose to expose each of those attributes to us or not.
- The external authentication in Calpendo can now be set up to provide
a mapping from an http header to any string property of a user.
- You can map multiple headers to the same user property, in which case
the first one which is actually populate with a value is the one that
will be used.
Bug Fixes From 8.3.41
- Login was unnecessarily slow due to handling bookmarks badly
Back to Top
8.4.8 November 14, 2018
Changes
- Simplify installation on your own server by automatically building DB
- You no longer have to load a SQL file into a newly created database to
bootstrap Calpendo.
- All you have to do now is to create the database, and Calpendo will
populate it with the necessary tables when it first boots.
- Add support for ExternalProxy auth to choose a fixed identity provider
- External Proxy Authentication method can now be told which identity
provider to use. This avoids the need for users to select their
institution when they register and when they log in.
- You might therefore configure one authentication method specific to your
institution and another that doesn't specify the identity provider.
Bug Fixes
- BUGFIX: Email recipient paths saved incorrectly
- This was a problem introduced in 8.4.6 and means that any recipient set
with a property path would be bad, causing an error when saving the
workflow.
- BUGFIX: disabled authentication methods showed up on new user request page
Back to Top
8.4.9 November 26, 2018
Changes
- Add database analysis tool to bakery
- This is a new tool that lets you analyse the tables and columns to
see what they are used for, and whether any of them are unused.
- It is currently only visible to root users. This may be extended to
admins later.
- It currently only shows a read-only view of the system, but will
eventually allow unused columns and tables to be removed.
- Add organizer to ical feed as each booking's owner
- Add workflow function generateUserWorkflowEventURL
- This allows links to be emailed that will cause a UserWorkflowEvent to
be run.
- Change hiding of auth methods to support external auth methods
- Add support for users to hide the page banner
- When a system displays a page banner at the top of every page, there's
now a small button in the top left corner that you can click to hide it.
- A cookie remembers whether you want it hidden or not, so it will stay
hidden after refreshing your browser until you click the button again.
Bug Fixes
- BUGFIX: Summary report isRow DB upgrade broke old summary reports
- BUGFIX: iCal download of single files sometimes lost owner
- BUGFIX: Shibboleth attributes out of range caused exception
- For example, if you define a mapped string property, and a shibboleth
attribute has a value that is not in that mapped string, instead of being
ignored, it would cause an exception that stopped everything from working.
- BUGFIX: ResourceUsage lasting less than one minute give exception on
calendar refresh
- BUGFIX: change password via checked-editing gives exception if passwd null
- If a user's password is null (rather than a real password or the empty
string), then changing that user's password via checked-editing gives an
exception.
- Optimisation: Booking DTO conversion to Booking read its data twice
Back to Top
8.4.10 November 28, 2018
Changes
- Close system reports and personal reports by default in report manager
Bug Fixes
- BUGFIX: Login page site name can display off-centre due to bad width calc
- BUGFIX: Repeats were not showing in read-only calendar
- BUGFIX I2220: Hiding page banner leaves white space at bottom of page
- BUGFIX: Email address in user settings not always showing latest version
- If you change your email address in user settings, and then save it, and
then go to a different page and come back, then it would show the old
email address.
- The database stored the correct value, so it would work on refreshing
the browser.
- BUGFIX: Summary report wasn't showing the search conditions used in report
- BUGFIX: Saved reports from a custom search page with date-range could fail
- Reports weren't always recognising saved reports as being in the right
format because it was expecting the conditions to be in a set order,
whereas it can now change.
Back to Top
8.4.11 November 29th, 2018
Changes
- Disable ical by default in new systems
- This is so that new users will have to consider any security implications
and mitigations before enabling a public bookings feed.
Changes From 8.3.42
- iCal feed was only updating every 48 hours (changed to 1 hour)
- Title for bookings in iCal feed changed to display the owner instead of the
booker.
- Disable ical by default in new systems
- This is so that you won't be caught out by having a public feed that you
knew nothing about.
Bug Fixes From 8.3.41
- BUGFIX: Login was unnecessarily slow due to handling bookmarks badly
Security Bug Fixes From 8.3.42
- SECURITY BUG FIX: Existing iCal feeds continued to work after disabling
- If you disabled iCal feeds in the global preferences, it prevented users
from using the tool on the calendar from generating a new feed URL, but
did not disable the feeds themselves.
Bug Fixes From 8.3.42
- BUGFIX: If you set a permission to hide userIdentity from special user
nobody, it breaks the ical feed
Back to Top
8.4.12 November 30th, 2018
Bug Fixes
- BUGFIX: Sometimes can't cancel booking with reasons enabled
- If you require users to specify a reason when they cancel bookings, and
you have a booking subtype, and you have permissions that prevent bookings
to be updated when a property on that subtype changes, then it would not
be possible to cancel a booking.
Back to Top
8.4.13 December 8th, 2018
Changes
- Add support for anonymised iCal feeds
- All existing iCal feeds will no longer work
- Each user wanting a feed must ask Calpendo for a URL
- Each user is given a different URL for the same underlying data
- The URLs used now include a long random string so that it is hard to
guess an active feed URL.
- Add special user called ical_viewer
- ical_viewer is a new user that will exist in all Calpendos, and you
can't change its name, roles or status.
- This user cannot log in and so does not count towards the number of
licensed users.
- When generating an iCal feed, it is this new user whose permissions are
checked. That means that if you want to hide something from the iCal
feed, you would set permissions so that user ical_viewer cannot read
the relevant information.
- All existing and future Calpendos are now given permissions to prevent
ical_viewer from seeing who made or owns bookings and also the names
of resources.
- If you want this information to be available in the iCal feed, then
permissions will need to be changed to open this up.
- Disable ical feeds
- This is a precaution following recent security issues and corrects the
problem that ical feeds have historically been enabled by default.
- This reverses that and requires everybody to turn the feed back on if
it's required.
- Add support for choice of permissions user when download single booking
- From the bookings calendar, you can click on a booking and select
the option to download it in ical format so you can add it to some other
calendar.
- There's now a global preferences option to choose whether to control
the content of the downloaded data according to permissions for the
user doing the downloading or the special ical_viewer user.
- Normally, the ical_viewer user would be the most restrictive, and this
is the default.
- Add support for option to disable webdav API
- This is a precaution in case the webDAV API is found to have a security
issue in future, so it can be turned off.
Changes from 8.3.43
- Require a user to be logged in to download a single booking as an ics file
- This applies when you click on a booking in the calendar and select
Download from the menu.
- Previously, the link used to perform the download was available to
people without logging in, but it now requires you to be logged in
for it to work.
Security Bug Fixes
- SECURITY BUGFIX: workflow func createCalendarInvite had no perms control
- Workflows did not apply any filtering on the content of a calendar
invitation created using the function createCalendarInvite.
- We now have a new parameter to the method for the workflow author to
choose whose permissions to apply, with the default being the new
ical_viewer user.
- It also applies permissions for the user running the workflow to make
sure it's protecting the data.
- This change affects very few Calpendos because most did not have a
workflow that used this function.
Security Bug Fixes from 8.3.43
- SECURITY BUGFIX: Exception with ical if hide resource name
- An ical feed includes the name of the resource it applies to, when the
feed includes only one resource's bookings.
- If you set permissions so that the resource name cannot be read in an
ical feed, then this caused an exception that prevented the ical feed
from working.
- SECURITY BUGFIX: Server IP address was embedded in ical feed
- This was used as a part of a globally unique identifier for each booking,
as required for ical.
- This has been changed so that instead of using the server's IP address,
it now uses the hostname from the public-facing web address of the server.
- This is configured in the global preferences.
Bug Fixes
Bug Fixes from 8.3.43
- BUGFIX: Special user 'nobody' not protected from having status changed
- The user called "nobody" is a special user that is used for checking
permissions of variaous things. For example, data can go into an email
only if user "nobody" can read it.
- This user should never log in.
- Now regular users can't edit other users according to the default
permissions. Admins normally can.
- However, no user (not even root) should be able to change the status of
user "nobody" because it never makes sense to allow this user to log in.
- This fix now enforces this on all users, even root.
Back to Top
8.4.14 December 11th, 2018
Changes
- Our pGina plugin for capturing actual usage information has been separated
into a separately downloadable item.
- Instead of downloading Calpendo, and extracting the pgina plugin from it,
you now download pgina independently.
- Go to https://downloads.exprodo.com for the details.
- Avoid sending email to Exprodo Software on WebDAV login failures
- When there's a WebDAV login failure, we used to get an email every time.
- It now only sends us an email if the number of failures looks suspicious.
- Generate good exception message if unknown workflow user updates biskit
- Whenever a biskit is updated, some types of biskit automatically mark a
property as the user that updated it.
- But for some workflows, there is no real user known to be doing the
action.
- There's a workflow function to allow the user to be asserted for this
situation, but when it doesn't happen, the error message you get can be
unhelpful.
- This change makes sure the message points the workflow editor in the
right direction, and applies whenever a biskit has a property that
is set to automatically record the user creating or updating the biskit,
and that create or update is done from a workflow that is not directly
triggered by a user.
Bug Fixes
- Upgrade from anything before 8.3.44 to 8.4.13 produced upgrade error message.
- This was due an to 8.3 upgrade failing, but a subsequent 8.4 upgrade
automatically fixed it.
- So it didn't really matter, apart from the confusion it could cause.
BUGFIX: WebDAV API gave exception on queries
- BUGFIX: ICSFeed let you try to add custom properties but then didn't work
- This is the new biskit recording iCal feeds.
- It does not support adding custom properties but wasn't marked as such.
- So it let you add properties in the bakery when it shouldn't.
- BUGFIX: Static property as creator/updator not changeable on dynamic biskit
- If you create a BiskitDef in the bakery as a subtype of a built-in (static)
BiskitDef, and choose a static property as the createdBy, updatedBy,
creator, owner or version number, then you wouldn't be able to change it
again thereafter.
BUGFIX: createCalendarInvite function generated hibernate exception
- BUGFIX: History of BiskitDef having a oneToMany property failed
- Whenever a BiskitDef has a oneToMany property and you asked for the
history of that BiskitDef, it would fail.
BUGFIX: Exporting a summary report to Excel could sometimes generate an
exception.
BUGFIX: Exporting a summary report to Excel could result in the totals being
reported as N/A on some columns where it should have calculated a value
BUGFIX: Can't send an email with an attachment generated from
createCalendarInvite
Back to Top
8.4.15 December 17th, 2018
Changes
- Add support for logging SMTP transactions (don't use this unless you must)
- This provides an option for logging the details of the transaction with
an SMTP server, and can be useful in identifying problems with sending
emails.
- If you enable this, then every time we try to send an email, the system
event generated will record the log of the communication with the SMTP
server.
- This may be helpful for debugging, but is a security risk because the
entire content of all emails sent will be recorded in the system events.
- So you should:
- not turn this on unless you must
- not leave it turned on after you've finished with it
- manually delete any system events containing sensitive email logs
if you do turn it on
Bug Fixes
- BUGFIX: Old templates could not be deleted (even if resource allowed it)
- When a resource is configured to allow old bookimgs to be deleted or
created, then it should be possible to delete old templates too.
- But this wasn't always working.
- BUGFIX: Biskit with multiple one-to-many props fails if children related
- If you have multiple one-to-many properties and the children in two or
more of those sets have the same parent BiskitDef and are configured to
be stored in the same table, then things would not work.
- BUGFIX: Update schema in bakery fails under some circumstances
- Depending in whether your database is set up with its default character
encoding to be utf8mb4, the ics_feeds table (which tracks ical feeds)
could be missing its uniqueness index.
- Apart from missing the database-enforced uniqueness, any attempt to
update the database schema in the bakery would then lead to an error
message because it would try to create the required constraint, but get
the syntax wrong.
Back to Top
8.4.16 December 20th, 2018
Changes
Bug Fixes
- BUGFIX: Occasional threading-related exception checking permissions
- A problem was seen in production that pointed to a problem with multiple
threads accessing permissions and generating a
ConcurrentModificationException.
- This was extremely rare and not easily repeatable.
- The impact of this bug is thought to be very low.
BUGFIX: Exception with CalendarByLocation menu page
- BUGFIX: Reports or privileged search could fail to recognise conditions
- When a report or a privileged search is saved, it generates conditions
that match the search options chosen, and stores those conditions.
- We then have an algorithm that matches those conditions to the search
options that might have generated them.
- This algorithm did not always work so that reports or privileged searches
would not display properly.
BUGFIX: summary report exported to CSV sometimes produced no totals when it
should
BUGFIX: Summary report export to CSV/Excel doesn't handle null properties
- BUGFIX: Usage calendar does not update when you select a new resource to
display.
- This applies only when clicking changes the selection to the selected
resource.
- There was no problem with clicking on a resource is set to alter the
current selection by adding or removing the resource you click on.
- BUGFIX: External non-proxy new user registration fails when using redirect
- If you have an external authentication method set up, and it's configured
to work with a redirect rather than a pop-up or inline, then the new user
registration was broken in 8.4
Back to Top
8.4.17 December 21st, 2018
Security Bug Fixes
- SECURITY BUGFIX: 8.4.16 broke permissions that applies to a property path
- When a permission applies to a particular property path, or does not apply
to a particular property path, an error in 8.4.16 meant it behaved as if
there were no paths on the permission at all.
Back to Top
8.4.18 January 7th, 2019
Changes
- Users registered to an Exprodo authentication method using
https://proxy.exprodo.com as the authentication proxy are no longer counted
towards the number of licensed users.
Bug Fixes
- Multiple bugs with user login and new user registration
- Register a new user for an external authentication method that is
configured to use redirects, and there was an infinite loop if there is
only one authentication method configured to allow registering new users.
- Trying to log in as an external user that is not yet registered was not
automatically redirecting to the user registration page, which it was
supposed to.
- Exception logging in as an unregistered external non-redirect user
- When an external authentication method allows new user registration
and an unregistered user clicks on the login button for an external
method, then they should automatically go through new user
registration.
- However, when not using a redirect for the authentication method,
there was an exception whenever the authentication method in question
was the only one for which new user registration was allowed.
- Auto-registration not prevented after external non-user tries login
- If somebody who is not a registered user, but is known to an external
authentication method, tries to log in, then it took them to the
registration page.
- However, that should only be allowed if the authentication method
supports new user registrations.
- Otherwise, they should get an error message.
- External proxy login did not auto-register authenticated non-users
- If somebody who can identify themselves appropriately to an external
authentication proxy tries to log in before they have are registered
as a user, then it should automatically go to the new user
registration page.
- However, it was just showing an error instead.
- User sees no post-registration message using external redirect
authentication
- After registering as a new user, you should always see a message
telling you to wait for an email before trying to log in.
- But when using an external authentication method set up to use a
redirect, the user did not see the message.
- If unregistered external user logs in, it showed auth method choice
- If there are multiple authentication methods you might possibly
register with when registering a new user, and you try to log in
using an external authentication method, then it would show you a
choice of which authentication method to register with.
- However, by trying to log in, you have already indicated which
authentication method you want to use, so it should not ask again.
- Re-register external user and it did not redirect anywhere
- It was showing an error message, but not then doing anything useful
like logging you in or going to the login page.
- It now automatically tries to log you in if you try to register as
a new external user when you already have a registered user.
Back to Top
8.4.19 January 21st, 2019
Changes
Optimisations
Bug Fixes
- BUGFIX: minimum value on Repeat.repeatEvery was set on wrong property
- This was a fix originally brought in for 8.4.14
- It didn't work correctly for any new databases created in 8.4.14 or later.
- It did work correctly for pre-existing databases.
- BUGFIX: Users whose ID is less than 5 are forced to opt out of auto emails
- On logging in, any user whose ID is less than 5 has their user settings
changed so that opt out of automatic emails.
- This now can affect customers, but only used to affect accounts used by
Exprodo Software.
Back to Top
8.4.20 January 22nd, 2019
Bug Fixes
- BUGFIX: Bookings not show in calendar if perms depend on resource type
- This was a consequence of optimisations in 8.4.19. Most Calpendos were not
affected by this, but if permissions depended on resource type, then it
would behave as if there were no type on each resource when loading
bookings.
- BUGFIX: Avoid linking bookings with skeleton if permissions require more
- The recent optimisations make loading bookings for the calendar faster.
- However, it does this by loading only limited data. Sometimes, that's not
enough information. This can happen if you have created permissions that
require testing some properties that are not loaded.
- We now only use the optimisations introduced in 8.4.19 if the permissions
don't require that we load data the optimisations would drop.
- BUGFIX: Empty user groups not loaded for calendar (can affect templates)
- Templates can display with the wrong background colour in the bookings
calendar if your definition of templates relies on a user group or project
group which happens to be empty.
Back to Top
8.4.21 January 23rd, 2019
Changes
- Add extra detail about where problems lie in workflow validation error msgs
- This applies when a workflow has a reference to a property that does not
exist.
- It did not previously tell you whether it was a condition or whatever
was the cause of the problem.
Optimisations
- Asking for history on biskit was sometimes very slow
Bug Fixes
- BUGFIX: When an email can't be sent, the system event recorded for it did not
show the error msg.
Back to Top
8.4.22 February 4th, 2019
Bug Fixes
- BUGFIX: ReportManager let you create reports with illegal columns for list
and summary reports
- When trying to edit the columns for a report in the report manager, it
used the method appropriate for group reports.
- Consequently, if you were editing a list or summary report, and tried
to change the columns, it would not make sense and would save the report
in an inconsistent state.
BUGFIX: Choose a different bookmark on the bookings calendar, and the name
displayed for the current bookmark did not change.
- BUGFIX: Booking.projectResourceSettings sometimes null when should not be
- Booking reports that pull properties from projectResourceSettings were
showing the values as not there when they should have been.
- BUGFIX: Expressions referencing functions fail when a function arg is null
For example, suppose an expression that contains this:
if([x]>0,[y],[z])
where x, y and z are properties of type double. Then if the value of
y found at runtime is null, then the whole if would fail.
BUGFIX: Modules for loading project notes and service examples were broken
and would not load.
BUGFIX: Exprodo authentication users that authenticate against
https://proxy.exprodo.com/ were still counted as licensed users when they
should now come for free.
- BUGFIX: Exception after external login failure if new user reg disallowed
- If a user tries to log in using an External Authentication Method and
fails to do so (for example because their status it still Requested), and
if no unhidden authentication methods allow new users to be registered,
then you would get an exception.
- BUGFIX: Ask bakery for references to property not find any in email body
- In the bakery, you can click on a biskit's property and click the
"References" button.
- It shows all the places that look like a reference to that property.
- Any that were in the plain-text portion of a workflow action to send
an email would not be found.
BUGFIX: ExprodoLicence.date PropertyDef has type date instead of Datetime
Back to Top
8.4.23 February 5th, 2019
Changes
- Do not log system event when a browser needs a refresh
- When releasing a new version of Calpendo, you are now likely to get a
large number of exceptions overnight as those browsers left on the
bookings calendar would automatically refresh occasionally.
- These will then cause exceptions if the server has been upgraded to a
new version, potentially filling the system events with many exceptions.
Bug Fixes
- BUGFIX: Permissions on update booking duration cause calendar exception
- If you have a permission that prevents some people from updating a
booking that depends on the duration of the booking (eg so you
can't change the booking's duration once approved) then trying
to edit a booking in the calendar gave an exception.
- This bug was introduced in 8.4.22
- BUGFIX: Running user workflow event from non-existent menu gives exception
- If you set up a menu item to run a user workflow event, and then refresh
your browser so the menu item is available, and then delete that menu
item in another browser, then trying to access the menu item causes an
exception in the server.
Back to Top
8.4.24 February 8th, 2019
Bug Fixes
- BUGFIX: Authentication methods were displayed in alphabetical order
instead of the user-defined order.
- When editing authentication methods, you can use drag-and-drop
to re-order them. This has been the case for a long time.
- This order was ignored when it came to displaying buttons on the
login page.
- BUGFIX: Memory leak for some operations that write to database
- In particular, the RepeatableHandler is susceptible to this leak.
This is something that ensures repeat bookings and templates that
have just gone into the past are converted to a non-repeating
version in the past and a future repeating version.
- The problem was that the transaction was committed BEFORE telling
listeners. This was a problem for two reasons:
- Listeners may have thought they could veto a change when
they could not.
- The mechanism for allowing workflows database events to
be triggered after a transaction is commit requires that
we keep a copy of the modified data until the transaction
completes. When the transaction completes before we
get notified, as it sometimes was, then this copy of the
data was never cleaned up and so was a memory leak.
- As well as fixing this particular issue, whereby some create and
update operations are notified after the transaction is committed,
any further attempts to register a change after a transaction has
been committed will no longer cause a leak, and we will receive
an email telling us about it so it can be fixed properly.
- Further, there are new system events generated with a source name
of "DAOListenerManager" that checks every 12 hours for
assumulated records of changes, just in case we are missing any
events that should remove them in the normal flow of events.
- BUGFIX: New user request page authentication methods were in random order
- It now obeys the order you set from drag-and-drop of auth methods
in the authentication method manager.
- BUGFIX: Uploading resource usage without a message type handled badly
- When CAR or our pGina plugin collect actual usage information,
they upload it to Calpendo.
- On receiving it, if that information is malformed such that it
doesn't specify a message type, then Calpendo handled it
incorrectly and it generated an exception.
- The fix means that such messages are ignored apart from returning
an error to whoever sent the message in.
- BUGFIX: Create copy of permission from history failed
- View the history of any biskit, and there's a "Create Copy"
button that lets you create a copy of the biskit as it was in
history.
- The only difference is that this is a new biskit that's created
and so doesn't have the same ID as the original.
- When doing this for a permission, or any biskit with conditions,
it would fail with an exception.
Back to Top
8.4.25 February 14th, 2019
Changes
Make the label be the default name for rows and columns in a
summary report rather than the property path
Hide the iCal button if user can't create an IcsFeed biskit
- Add new HTML wrapper around login form to improve customisation
options
This should be invisible to almost everybody.
For anybody who customises their login page using the
"Login Header" part of the global preferences/Appearance, this
wraps the existing div:
<div id='loginInputsWrapper'>
...
</div>
in another div:
<div id='loginInputsOuterWrapper'>
<div id='loginInputsWrapper'>
...
</div>
</div>
which gives more options for how you can control the look
with custom HTML and CSS.
Bug Fixes
Back to Top
8.4.26 February 19th, 2019
Changes
- Add action info in workflow references to PropertyDef shown in bakery
- In the bakery, you can ask for references to a PropertyDef.
- When there's a workflow making such a reference, there was
nothing to indicate which event or action was referencing the
property, only which workflow it was on.
- It now shows the action/event as well as the workflow.
Bug Fixes
- BUGFIX: TemplatedTextWorkflowAction got confused over some FreeMarker usage
- The UI will help you to insert FreeMarker-formatted snippets that
will let you extract data from the context using a FreeMarker
format.
- FreeMarker includes facilities for number formatting and
interation that can be very useful.
- However, each FreeMarker snippet might take a particular value
from the context and call a FreeMarker function on it, such as:
${source123.New.bookingCost?string("0.00")}
and this was confusing because it thought the '?string("0.00")'
was a part of the property path.
- Also, references to multiple properties within a FreeMarker
string were handled badly too. For example:
${source123.New.bookingCost + source123.New.otherCost}
which is perfectly valid syntax, but wasn't handled correctly
in the UI.
- BUGFIX: Bakery refs does not show properties written by Biskit
create/update workflow
- If you have a workflow action that does a biskit create or
update and it assigns a value to one or more properties, then
those properties were not showing up in the bakery when you click
on the property and click the "References" button.
Back to Top
8.4.27 February 28th, 2019
Security Fixes
- SECURITY BUGFIX: API-private parameters not being treated as private
When an unexpected exception occurs in the server, a system
event is created that stores the details of the problem.
It also sends an email back to Exprodo Software telling us about
the problem so that we have an opportunity to fix the problem
even before people complain.
The email sent back to Exprodo Software can be turned off in
global preferences, but we've always recommended that it be left
turned on so that we get good automated feedback about issues.
This process makes a big difference to the quality of our product.
In order to make these reports as useful as possible, when a call
is made to the server that results in an unexpected exception,
the details of the information sent to the server is stored in
the system event and also sent home in the email.
When a user logs in, they provide a password (unless you're
using an external authentication method). When you reset your
password, you also provide your password.
If a user logs in or changes their password and there's an
unexpected exception in the server, then you really don't want
the password to be stored in the system events or sent via email.
For this reason, we have always had a mechanism to protect
passwords sent to the server so that they cannot appear in system
events or sent via email.
In 8.4.0, there were changes made to prepare for the complete
replacement of the communication mechanism between the browser
as the server. This work is completed in version 9.0 and is a
crucial part of the speed improvements that were started in 8.4
and finished in 9.0.
These one-off changes broke the mechanism that protected
passwords sent to the server from appearing in system events
and the ensuing email.
This doesn't affect all logins or password changes, only those
when an unexpected exception occurred in the server at the same
time.
On those occasions when it did happen, the text entered by the
user for their password was stored in a system event, and it was
emailed to Exprodo Software.
The mechanism protecting passwords has been fixed in 8.4.27.
- Also, when booting 8.4.27, an automatic process runs that cleans
up the data. Specifically, it:
- examines the system events looking for records that include
user passwords.
- When it finds them, it deletes the details from the system
event, but leaves behind the shell of the system, event so
you can still see the basic information without the fill
content.
- It also remembers the login name of the user whose password
was recorded.
- At the end, it then logs a system event that says how many
login attempts and password resets resulted in passwords
being exposed in this way, along with a list of the login
names of the affected users.
- An email is sent to Exprodo Software after the upgrade has
completed, and tells us how many users were affected. It
does not tell us the login names of the affected people
because we decided it was better that information was not
sent over email.
- The passwords that were mistreated in this way would then have
been accessible to three sets of people:
- Admins on each Calpendo can (normally, but not always)
view system events. This means they could have seen
the passwords for the affected users.
- Exprodo Software employees were sent emails with the
passwords buried in them, and so could have seen them.
- If you have set the global preferences option for a BCC to
be added to all outgoing emails, then whoever is on that BCC
would also have received a copy. At the time of writing this,
we have seen no cases where an affected system is using a
BCC. However, not all systems have been upgraded yet so
this may not remain true.
- SECURITY BUGFIX: External auth users asked for password on session timeout
- When a user's session times out, they will be asked to revalidate
themselves. If they were authenticated with an external
authentication method, then it means they never provided their
password to Exprodo/Calpendo in the first place. However, on
revalidation, they would be presented with a page that showed a
login form with their login name and a box for a password.
- This encouraged people to enter their single-sign-on password
directly to Calpendo, which should not happen because part of
the point of single sign in systems is that the authentication
is delegated to one trusted central system.
- Now Calpendo didn't know how to handle the password, so the
revalidation login would fail.
- The end result was confusion for the user.
- In the revalidation screen, externally authenticated users are
no longer asked for a password, and clicking on the login button
will revalidate their identity via the original external
authentication method. In many cases, this will happen without
the user seeing anything, and their Calpendo session will restart.
- This has been labelled a security fix for two reasons:
- single-sign-on passwords should never go to Calpendo, but
the bug encouraged people to give Calpendo their password
when their Calpendo session expired.
- When users did provide their SSO password on this
revalidation screen, it always generated an unexpected
exception in the server. Together with the security problem
described above, it means the text they entered for their
SSO password was stored in a system event and emailed to
Exprodo Software.
Changes
- Change XLSX export to use a more memory-efficient method
- When you use File-->Export... from a report and choose the
xlsx format, it now uses much less server memory
- Changed the label on the "Login" button seen when a login session
has timed out to "Continue Session".
- This should clear up any confusion between attempts to login
initially and revalidating a timed-out session.
- Add Exprodo and Shibboleth auth methods to all systems (but disabled)
- The Shibboleth authentication method makes it very easy for
users to switch to a single-sign-on system which most
universities already use.
- Please ask us if you would like to start using this instead of
having Calpendo store and validate passwords for users.
- The Exprodo authentication method exists so that one Calpendo
can authenticate users on behalf of another.
- We are gradually moving over to centralising the passwords used
for the accounts Exprodo Software use when logging in to each
system so that they can be centrally managed.
- Systems without these authentication methods will have them
automatically added as a part of the upgrade to 8.4.27, but they
will be disabled until and unless somebody manually enables
them.
- Ensure non-JSON response from JSON request is handled better
- A small number of messages sent by the browser to the server are
formatted as JSON. In version 9.0, all of them are JSON.
- When a JSON request is sent to the server, we expect a JSON
response.
- Sometimes, the response may not be JSON.
- In such cases, we didn't handle the response very well.
- We now show a sensible error message, with better information
about what the request and response were.
- Add version and URL to recorded licence information
- Every time Calpendo boots, it records information about the
licence and the number of users allowed by the licence and the
number actually in use.
- This can be used to "true up" at the end of a licence year when
we can charge people by the number of actual users that were
active over the year rather than the maximum allowed.
- We now also record the version number of the system each time
we record an entry, along with the URL stored in the global
preferences for accessing the system.
- Send email to Exprodo Software after an upgrade
- Whenever a system is upgraded, it now tells us about the upgrade.
- This is so we can check on who has upgraded to the latest version,
which is particularly useful when there are security bug fixes.
Bug Fixes
Back to Top
8.4.28 March 7th, 2019
Optimisations
Optimisation: Calls to /webdav/b/TYPE/ID loaded too much data
When using the webdav API to load a biskit via the call:
webdav/b/TYPE/ID
things were much slower than doing the equivalent with:
webdav/q/TYPE/id/EQ/ID?paths=name1,name2,name3
This was because the /b/ API was loading all the biskit's data
from the database rather than limiting it to the amount of data
it actually required to service the call.
Bug Fixes
Back to Top
8.4.29 March 15th, 2019
Bug Fixes
Back to Top
8.4.30 March 20th, 2019
Bug Fixes
- BUGFIX: Deleting ancillary biskit can erroneously fail referenced check
- If you delete a biskit, and then in the same transaction, a
workflow deletes a different biskit that referenced the first
one, there's a problem.
- The second delete first checks whether the biskit is referenced,
and it does so on a fresh database connection.
- So it stills thinks the first biskit exists and stops the whole
thing.
Back to Top
8.4.31 March 21st, 2019
Bug Fixes
- BUGFIX: Date/time settings not ready when needed to boot
- Depending on your configuration, there can be a boot failure
because the date/time global preferences settings are not set
up before it is possible that they may be required.
Back to Top
8.4.32 March 22nd, 2019
Bug Fixes
- BUGFIX: Non-static one2many prop with inverse that is static breaks things
- This address a class of configuration mistake that should not
happen, but for which there was no check when you asked to
validate the biskit definitions in the bakery, and also that
caused logins to Calpendo to fail.
- The fix is therefore threefold:
- Make Calpendo tolerant of the misconfiguration in this way
- Make the bakery validation detect errors of this nature
- Log an error that will be emailed back to Exprodo Software
when this happens so we can proactively assist with fixing
the misconfiguration.
- If you have a one2many property X.children that stores a set of
Y, then the inverse property of X.children might be set to
something like "parent" which means Y.parent points back to the X.
- In that case, Y.parent should have an inverse property name that
is "children" so they each point to the other.
- But there was no validation check to make sure that the inverse
of the inverse is where you started.
- Also, there was a particular case of this that led to the
exception. This is when X.children is a non-static property,
and Y.parent is a static property. Since Y.parent is a static
property, then it should have been set up with an inverse
property that is also static. That would mean it can't point
back to X.children.
Back to Top
8.4.33 April 11th, 2019
Changes
- Add disabled permission for allowing users to create iCal feeds
- This permission makes it easy for people wanting to allow users
to create iCal feeds themselves by providing a permission that
can simply be enabled.
Bug Fixes
- BUGFIX: Detection of file type failed on Java 11
- This occurred when using workflows to create a temporary file,
for example from a file generated by a system command.
- When looking at the content of the file it was trying to turn
into a temporary file, it would not be able to recognise some
file types (most notably PDF files).
- This was not a problem on Java 6, 7 or 8.
BUGFIX: updating multiple biskits could fail to start transaction
- BUGFIX: Exception generated when ListExtract action can't identify output
- If the BiskitDefinition of the input list biskits is not known,
or the property being extracted from that list is not a known
property, then we would get a NullPointerException.
- It now gives a standard workflow error instead.
- BUGFIX: Downloading a public resource can be mishandled when on error
- If there's a problem decoding the data in a public resource, so
that it can't be sent back to the browser, then we generate an
exception in the server because we start to write a response to
the browser, and then try to tell the browser there was an error
instead when the resource decode fails.
- But you can't change your mind about whether you're sending data
or an error, and so this itself caused a problem.
BUGFIX: Links to public resources not always working in service description
- BUGFIX: Renumbering workflow can give exception
- This happened if an event's index was re-used by something that
was not an event.
- For example, if an event was #9 and then after a renumber, an
action became #9, then you would get an exception.
- This same problem means that when a workflow is renumbered, the
old and new triggers were not correctly matched up, so anything
being told about a change to a trigger could be given an old and
new trigger that were not actually related apart from sharing the
same type index (which means nothing when renumbering things).
- BUGFIX: createCalendarInvitation func does not specify return biskit type
- The workflow function createCalendarInvitation returns an
attachment, but the function signature specified that it was
returning a biskit without specifying that it was an attachment.
- BUGFIX: createCalendarInvitation did not handle non-exists bookings well
- If permissions say a user can't have EXISTS permission on a
booking, then a call to the workflow function
createCalendarInvitation would result in a NullPointerException.
- BUGFIX: createCalendarInvitation could apply incorrect permissions
- When generating an attachment with the workflow function
createCalendarInvitation, you specify a user that should be used
for removing anything that should not be seen according to the
permissions.
- If you don't specify a user, then it uses the special user
ical_viewer.
- If you do specify a user, then that user's information was not
all loaded, and so (for example) they won't appear to have any roles.
- This is likely to make the permissions evaluate incorrectly, with
the most likely result being that less information will be
published than it should rather than more.
- BUGFIX: Time slots with multi-day/midnight bookings give exception
- If you have time slots enabled for a resource, and you make a
multi-day booking, then you would get an exception.
- The same would apply when creating a booking that was not
(strictly) multi-day, but which ended at midnight.
- BUGFIX: Export summary report badly formats multi-dimensional rows
- When you have a summary report that has multiple row dimensions
defined, then exporting would display the raw underlying value
for each property.
- For example, if you had a property that was a time of day, then
it would show a raw number of seconds since midnight rather than
formatting it as HH:MM or HH:MM:SS.
- This applied to all export formats.
- BUGFIX: Renumbering a workflow can generate false-positive errors
- Some workflows, when renumbered, show errors claiming that things
are referencing items that don't exist, when there was nothing
wrong at all.
BUGFIX: Import users and it forced login nick name to be same as
identifier
- BUGFIX: Change displayed resource colour for new user gives exception
- When a brand new user logs in for the first time, they don't have
any colours chosen for the resources yet. They will be given the
default colours for each resource.
- If that user tries to change the colour on the calendar during
that first login session, then there's an exception generated in
the server.
- The user sees this as a pop-up in the bottom-right corner that
disappears automatically after a short time.
Back to Top
8.4.34 April 18th, 2019
Bug Fixes
- BUGFIX: Checked-edit can give ShallowException on set biskit-valued prop
Back to Top
8.4.35 April 26th, 2019
Bug Fixes
- BUGFIX: Checked-editing fails on attachments properties
- This was broken in 8.4.34
Back to Top
8.4.36 May 2nd, 2019
Bug Fixes
- BUGFIX: Memory leak whenever a user, user group, user type or
permission is changed
- The Calpendo server cached permissions, and rebuilds those
permissions whenever anything related to permissions changes.
- However, it was retaining the old permissions in memory when
it creates the new set.
Back to Top
8.4.37 May 8th, 2019
Bug Fixes
- BUGFIX: Memory leak every time a user logs in or refreshes their
browser
Back to Top
8.4.38 May 10th, 2019
Bug Fixes
- BUGFIX: User-uploaded files were assigned the wrong content type
- They were always marked as application/gzip
- When downloading these files, most browsers decompressed the
file, saw what type it really was, and handled it appropriately.
- FireFox did not do that, and so that made it harder for a user
to see the file content.
- Arguably, the FireFox method is safer in general.
- The fix now makes sure files are tagged with the content type of
the underlying data.
Back to Top
8.4.39 May 15th, 2019
Bug Fixes
- BUGFIX: Dependency on Java 8 accidentally introduced
- This problem started in 8.4.33 when an incompatability with
Java 11 was discovered relating to detecting the type of the
content of a file.
- It made 8.4 compatible with Java 11, but at the expense of making
it incompatible with Java 6 and Java 7.
- This has now been reversed so that 8.4 is compatible with Java 6
and Java 7 again, but does not support Java 11.
- If you have or need Java 11 then you should upgrade Calpendo to
version 9.0.
Back to Top
8.4.40 May 16th, 2019
Security Bug Fixes
- SECURITY BUGFIX: A forced password change did not require password change
- When a user is forced to change their password (because somebody
set their status to indicate a password reset was required), we
required that they choose a new password.
- However, it did not require that the new password was different
from the old password.
- This is now a requirement.
Bug Fixes
- BUGFIX: request to "https://yourcalpendo/anon" produced an exception
- Notice the lack of a trailing slash in the URL which is essential
for the bug to manifest.
- BUGFIX: Shallow exception on ProcessDef.initialStep when send to browser
- Cleaning a ProcessDef before sending it out to a browser could
give an exception.
Back to Top
8.4.41 May 21st, 2019
Security Bug Fixes
- SECURITY BUGFIX: No PII check when updating passwords via checked edit
- If you edit a password by checking those users you want to change
from a list, and then putting in a new password into the popup,
then it wasn't performing all password checks.
- It was using the password complexity checks, such as requiring
passwords to be a certain length or contain capitals etc.
- But it wasn't checking that the password contained no personally
identifying information such as your name or the name Calpendo or
Exprodo.
Back to Top
8.4.42 June 21st, 2019
Security Bug Fixes
- SECURITY BUGFIX: Stepped-editing allows users to see/edit prohibited items
- If you set up stepped-editing (most commonly for service orders)
so that you can edit a biskit in multiple steps, clicking
next/previous buttons to go between pages, then you could change
the URL to choose a different service order to edit, and it would
work.
- This would apply even if you had no permission to view or update
the service order in question.
- This means the stepped-editor was bypassing permissions checks.
- Note that this does not provide a mechanism for accessing any
data type.
- It only applied to those types that were configured with a
stepped-editor.
- The vast majority of systems are not set up in this way and so
are not affected.
- To see if your system could have been affected, do a search for
"Process Definition". If there are none defined, then you have
not been affected.
- If there is at least one Process Definition defined, then it is
possible you have been affected.
- The limits of any exposure are:
- The "Process BiskitDef" property on the "Process Definition"
specifies which biskit type the process deals with.
- For Calpendo systems, this is most likely to be Service Order
and possibly Project instances that are created and updated
via a stepped-edit process.
- Users on your system could have used the stepped-edit process
to read objects of the type you found above (eg Service
Order or Project).
- If you do not have permissions limiting the ability of
users to read the contents of such objects,
then this will not affect you.
- Users on your system could have used the stepped-edit process
to update objects of the type you found above.
- Typically such users would only be allowed to edit their
own objects.
- The audit log can be used in this case to identify who
has changed which objects and what changes were made.
Back to Top