Release Notes 9.0

June 21, 2023

Release Notes For Version 9.0

Upgrading to 9.0
New Features
Changes
Updates

Upgrading to 9.0

Note that Calpendo no longer supports Java 6 or Java 7. It must now use at least Java 8.

You can upgrade directly to 9.0 from any earlier version. If you are upgrading to 9.0 from 8.2.x or earlier, then please take note of the upgrade instructions for 8.3. In particular, the 8.3 upgrade can take up to two hours.

Upgrading from 8.3.x to 8.4 and from 8.4 to 9.0 is very quick and is considered a small upgrade.

Upgrading from any version to the latest (including applying bug fix updates) should be done with the following procedure:

Stop tomcat
For major upgrades, you must create a backup of your database before proceeding. For minor upgrades, it is recommended to create a backup, but it is less important. After having stopped tomcat, the typical command required is:
```
  mysqldump -u USERNAME -p calpendo > calpendo.sql
```
or, depending on your system:
```
  sudo mysqldump calpendo > calpendo.sql
```
Save the hibernate.cfg.xml and log4j.properties files from your existing webapps/Calpendo/WEB-INF/classes directory
Take the Calpendo directory from the tar.gz download, and replace your existing webapps/Calpendo with it.
Put the saved hibernate.cfg.xml and log4j.properties files into the new directory.
Make sure you do not have both old and new versions in the webapps directory at the same time, unless they point to a different database. Booting multiple versions of Calpendo that point to the same database will cause problems and is best avoided.
Restart tomcat

Downgrading between major releases is not normally supported. The general procedure for downgrading is:

Stop tomcat
Drop the calpendo database and recreate it
Rebuild the calpendo database from a backup
Change the Calpendo directory under tomcat to be the previous version
Restart Calpendo.

Do not merely load an old database on top of an upgraded or partially upgraded database and run an old Calpendo. It will break things, but possibly not until you come to do another upgrade, by which time it may be too late to fix things easily.

Having said that, 9.0 is such a small update to the database that downgrading to 8.4.24 or later is supported without you having to make any changes to the database. That is, after upgrading to 9.0.x, you can then change the program files to 8.4.24 or any later version of 8.4 and it will boot and downgrade the database for your gracefully.

New Features

Themes and Skins

The general look of all tables in Calpendo has changed with Calpendo 9.0

Everything now looks much cleaner than it did before.

We have also added support for skins and themes. A skin is a set of CSS instructions that change some aspect of how the system looks. Currently, all skins are built-in and you can’t provide your own (although you can add custom CSS in global preferences).

A theme is a specification of lots of things that generates into CSS.

An admin can choose which themes and skins are loaded by default, and users can individually choose to apply themes and/or skins as well so that each user can achieve a custom look.

There are built-in themes, but you can also create your own by creating an instance of a new biskit type called Theme.

If you do create a new theme, then once you refresh your browser, you will then be able to select it in Global Preferences/Appearance/Skins and each user can also select it in User Settings/Appearance.

Tables look very different in Calpendo 9. If you want to revert to the old look, you can do so by selecting the skin uncleanTables in global preferences.

A new Themes Manager page, linked on all admin menus, provides the easiest way to view, edit and create themes.

PDF Generation

We have added support for converting XSL-FO formatted strings to PDF. There’s a new workflow function for this called “toPDF”. Give it an XSL-FO formatted string, and it returns the PDF file.

There are some “Hello World” type examples in the workflow manager. Open Workflow Biskit/Versioned Workflow Biskit/Workflow/Example PDF generation with XSL FO

XSL-FO tutorials and information:

The standard is described here:

https://www.w3.org/TR/xsl/

Barcodes

We have added support for barcodes. This comes in two parts where PDFs can include barcodes, and also string-valued properties can be displayed in the UI as a barcode.

For PDFs to include barcodes, see the XSL FO workflow example mentioned above for a “Hello World” type example. For examples of all the types of barcode available, see http://barcode4j.sourceforge.net/examples.html

The format of the XML required inside the XSL FO file is described at http://barcode4j.sourceforge.net/2.1/barcode-xml.html

You can also now configure a string-valued property to display its content as a barcode in the browser.

In the bakery, choose a String Property Type of “Barcode”
Then select one of the barcode types
These properties are inherently read-only which means they would generally either formulaic properties (that is, generated from other properties) or be created by a workflow.
For details on the different types of one-dimensional barcode available, see https://github.com/lindell/JsBarcode/wiki
We also support QR Codes, which provide a two-dimensional barcode.
The number of rows and columns assigned to a barcode property has an impact on how it is displayed:
- For one-dimensional barcodes:
  - the number of rows is used as the number of pixels high the barcode should be drawn (default 30).
  - the number of columns indicates the width of each of the thinnest lines drawn (default 1).
- For QR Codes:
  - the number of rows is not used
  - the number of columns indicates the width of each cell displayed in the code (default 1).
QR Code is a trademark of Denso Wave - for more, see https://www.qrcode.com/ and https://www.denso-wave.com/

Note that the PDF barcodes (generated by Barcode4j) have a different set of barcode types from those available in the browser (generated by JsBarcode). In particular, the PDF barcodes can include 2D barcodes in QR format whereas those in the browser cannot.

LDAP Authentication

We have supported LDAP authentication for a while now. The method of authentication we had was known as “bind-as-user”. This is where the user provides their login name and password, and we attempt to connect (bind) to the LDAP server as that user and password. If we can connect, then the user is authenticated.

For this to work, it requires that there’s a single format of user DN. The user DN (or Distinguished Name) is a path that leads to a particular entry in the LDAP server.

Some LDAP servers are not structured such that all users have a DN of the same format. In other words, they are located in different places within the LDAP server.

To support such use cases, we now provide an additional means of authenticating over LDAP using a mode known as bind-as-admin. This is where you configure a known DN and password for a particular user (the admin), and then once connected to the LDAP server as that user, you perform a search for the user you want to authenticate. Once you find the user, you can then use the password the user provides along with the user DN to authenticate the user.

When choosing these two methods, they each have advantages and disadvantages:

bind-as-user cannot handle multiple formats of user DN, but it does not require you to provide an admin’s user DN and password.
bind-as-admin has the disadvantage of having to store an admin’s user DN and password, but can handle multiple formats of user DN.

Multi-Edit Children

Add support for a new multi-edit mode when editing the children of a one-to-many property.

This allows you to edit all children at the same time, with a large grid.

This is currently not the default way of editing one-to-many properties.

It is enabled for a particular property by adding a layout for the biskit being edited, and selecting the appropriate option for that property.

Auto-filter Drop-Down of One-to-many Children

This is a facility that provides automatic filtering of the biskits that can be selected in a biskit-valued drop-down under very specific and limited circumstances.

This is designed specifically for managing samples that have been submitted for alaysis, but could be used in other places too.

Suppose there is a biskit called “order” which has two one-to-many properties called “samples” and “analyses” of type Sample and Analysis respectively.

Further, suppose Analysis has a property “sample” of type “Sample” and order.samples is fully-owned by order. (This means sample must always have a non-null parent Order, so it belongs to that order), and order.analyses is also similarly fully-owned by order (so that Analysis must always have a non-null parent Order).

Then when editing the value of Analysis.sample, the options that can be chosen in the drop-down should not be any old Sample, but only those Samples that are in the set analysis.order.samples.

Auto-filtering of booking properties from resource one-to-many

If you have a one-to-many property on a resource that stores biskits of a particular type, and there’s a property on a booking that points to a biskit of the same type, then the values that will be offered by the drop-down on the booking will only include those linked from the currently selected resource.

Exposed Password Checks

We can now check whether passwords have been exposed in a security breach.

When a user sets a new or initial password, we can now check whether that password has been exposed in a security breach.

For this purpose, we use haveibeenpwned.com

For details of the method used without exposing user passwords to the people that run haveibeenpwned.com, see:

Pwned Passwords overview
k-anonymity (Wikipedia)

There’s a new global preferences setting on the Security tab for this. You can choose a threshold which is the number of times a password has been exposed, beyond which we should reject the password.

By default, we have turned this on for everybody and set the threshold to one. This means a password will be rejected as long as it has been exposed at least once in a security breach.

Note that this method rejects passwords that have been exposed in a security breach and does not directly check password complexity. That means it is possible we could reject a complex password and accept a simple one.

Importing Bookings From External iCal Feed

We can now automatically import bookings from an external iCal feed, and maintain bookings in sync with that feed.

Resource now has two extra properties - one to record the URL and another to specify the update frequency.
Booking has a hidden property that records the iCal ID that generated the booking.
If an iCal feed contains a repeat booking, then it will be imported as multiple non-repeating bookings, all having the same iCal ID.
You cannot create, update or delete bookings that come from an iCal feed. The iCal importer takes complete control of the bookings.
If a booking that used to exist in an iCal feed is later removed from the feed, then Calpendo will delete the booking for it.

Changes

Communication

Version 9.0 has completely replaced the mechanism used for communicating between the browser and the server. This has been done for several reasons:

Future-proofing due to the third party software we are using being likely to remove support for the communication method we were using.
Making development easier by making the messages between browser and server human-readable.
Allowing us to remove some server-side code that was used to make the old mechanism work, but which had large negative performance consequences. That is, it slowed things down and caused the server to use more memory than it would otherwise have required.
Version 10 (Enterprise) requires inter-database communication so that one Calpendo can be set up as a slave to another. The new communication protocol between browser and server will be used for the server-server communication required by Enterprise.

Speed

Some systems have become much slower over time. Version 9.0 completes the major work that was begun with version 8.4 to address these speed issues. Those suffering with poor performance should find that 9.0 has a dramatic effect on the feel of the system.

While there will continue to be individual operations that can be tuned to perform better, it is already much faster than before in many places.

Menus

The menu editor has had a big makeover. It is now consistent with the look and feel of the rest of Calpendo rather than doing things in completely unexpected ways. It used to have a button bar at the top and the bottom, with the one at the bottom affecting menu items and the one at the top affecting whole menus.

It now has a list of the existing menus on the left, and you click on a menu to view or edit, like many other editors.

Internally, the Menu biskit type has been separated into a top-level Menu type with sub-types RootMenu and ChildMenu. The old property parent on Menu has been moved to ChildMenu. Every ChildMenu must have a parent, and RootMenu does not have a parent.

Privileged Search

The privileged search feature allows limited searching to be done for things that would normally be hidden by permissions. This is used by those using an Exprodo database to store a pool of research study volunteers. Researchers setting up a new study can search through the volunteers for people to be invited to join the new study, while only allowing certain properties to be used in the search, such as age, gender, handedness or MRI compatibility etc.

This system generates emails to be sent to the volunteers when they are to be invited.

The new change is that these emails can now be in HTML format as well as plain text.

New Workflow Events

Add new PrivilegedSearchWorkflowEvent
- A privileged search is a mechanism for allowing people to search for things in a limited and controlled fashion for which they can’t ordinarily see.
- For example, if you have a database of research volunteers, then you might want principal investigators to be able to search for volunteers meeting certain criteria while not allowing the full details of who those volunteers are to be seen.
- What we’ve now done is to add a new workflow event so that a workflow can filter the biskits returned by a search.
- This can be used, for example, to prevent volunteers who have participated in certain conflicting studies from being returned.

New Workflow Functions

The following workflow functions have been added:

convertUnits to convert a number from one unit to another.
CsvEncode to encode a list of numbers or strings to a comma-separated values format.
toPDF to convert an XSL-FO formatted string to a PDF file.
xmlEscape to escape HTML or XML markup from some text so that when viewed within an HTML context, it will display exactly as the original and not interpreted as HTML.
- For example, if you put in:
```
  "<div>Hello & Goodbye</div>"
```
  it would result in
```
  "&lt;div&gt;Hello &amp; Goodbye&lt;/div&gt;
```
htmlClean to remove tags and attributes from some HTML following a specification from a whitelist of what’s allowed.
- For example, if a div tag is not allowed, then the above example would be translated to:
```
  "Hello & Goodbye"
```
createHtmlWhitelist creates a whitelist for cleaning HTML content.
- This offers a selection of starting points, of whitelists that contain bothing, basic things, or are quite permissive.
addTagToWhitelist and removeTagFromWhitelist to provide a means of modifying a whitelist to add or remove tags that are allowed to be used.
addAttributeToWhitelist and removeAttributeFromWhitelist to provide a means of modifying a whitelist to add or remove attributes that are allowed for a particular tag.
addEnforcedAttributeToWhitelist and removeEnforcedAttributeFromWhitelist to provide a means of specifying a value that a particular attribute must have on a particular tag, or of removing an enforced attribute value.
toLower and toUpper for converting text strings to upper case or lower case.
ldapSearch is a pre-existing function for searching an LDAP server. We now have an overloaded version that lets you specify the timeout to use for the query.
countRepeats to count the number of repeating instances of something that repeats, like a booking or template.
- This works similar to expandRepeats, except that instead of expanding the resulting biskits, it will simply return the number of repeats.
- Use this if all you want to do is to count the number of repeats something would have.
first and last are pre-existing functions that give the first and last item in a list of integers, longs, doubles and other things. We now have added a version that handles lists of DateRange values.
parsepk to replace toInt when used for primary keys
- This is an aid to upgrading to version 10, where primary keys are longs and not integers.
- If you have a workflow function action that calls the function “toInt”, and it’s parsing what is a primary key of a biskit, then the function call should be replaced with one that calls “parsepk” instead.
- That way, it will be converted properly to longs when the upgrade to version 10 is done.
- This will be covered in the upgrade notes for version 10.

Other Workflow Changes

Add a “Run Now” button to UserWorkflowEvent in the workflow manager
- This makes it a little easier to test a user workflow event by providing a button in the workflow manager to let you run it.
Add a “Run Now” button to Report Manager so that when there’s a scheduled report, you can make it run now and send its result via an email.
Add an “Attachments” tab to email workflow action
- Emails already supported attachments, but only by a magic process of having the body of the email reference an attachment that would not then appear in the body, but an attachment would be added to the email.
- This was not terribly intuitive. It also did not work when you generated the body of the email via a templated text (as you might want to do when looping through some data).
- So now we have a tab for the specification of the attachments, so this should make much more sense. It also allows you to specify a path to a list of attachments as well as a path to an individual attachment, and the previous system did not support a list of attachments; they had to be added manually.
Add an “Export” button that appears when viewing a workflow
- This makes it easier to copy a workflow from one system to another.
- This downloads an export of the workflow in SQL format.
Add support for session ID meta-property to be available in workflows
- Inside a workflow, you can now access a new meta-property called “sessionID”.
- This stores the session ID for the current user’s session, if the workflow is running as a direct result of a user’s session.
- This is provided so that page generated dynamically by a workflow can include hyperklinks to attachments.
- We need the user’s session ID because that’s a part of the security checks used when a user downloads an attachment.
- Note that the meta-property is present in conditions in other pages (such as report conditions and permission conditions) but the session ID will always be null outside a workflow.

Services

Add support for disabling a Service
- Each service now has an enabled property that chooses whether it should be displayed on the Available Services page.

Holidays

The HolidayDate biskit, which is used in workflow business date calculations, now has a description property.
This allows you to mark each holiday with some text to help you identify what it is for.
This is not used in the workflow business date calculations, but is present only as a way to help whoever maintains the holidays.

Report Manager

Reports that are scheduled to run at set times in the report manager can now display a custom preamble at the start of the email that sends out the report. This is done in a new tab in the report manager under so that you can control the text that appears in the email.
When you click on “System Reports”, “Personal Reports” or one of the items representing a user, the display shown on the right has changed. It is now a standard search widget where before it was a custom page with some odd quirks, that was only used in the report manager.

Services and Bookings Linkage

We now have better support for linking bookings and service orders.

This provides support for a convenient way to specify bookings for instruments that will be used in fulfillment of a service order.

From a user’s perspective, what they will see is that you can have one or more properties on a service order to reference bookings, and bookings can reference service orders. This is for those services that will require an instrument to be booked in order to fulfill the service request.

When specifying the booking on the service order, you will be shown a pop-up that lets you select the booking. If the order has a project set, then it will only show bookings that use that project.

Further, if the selected bookings have a property referencing back to a service order, then that will be automatically populated with the appropriate reference.

This should make it easy for people to set up the references between service orders and bookings, and so get better reports.

To configure this, start by adding one or more properties to a service order in the bakery to store a reference to a booking.

Then, when configuring a service, after you select the type of biskit to use for its service orders, it will show a table with a row for all the Booking properties on the service order so that you can choose the resource to be used for that Booking.

When entering the service order, you will see a button labelled “Select Booking” which lets you choose a booking for the appropriate resource.

Count concurrent bookings multiple times in TotalTimeBookedRule

If you make multiple bookings at the same time, perhaps for different resources, then TotalTimeBookedRule was counting that only once.

This was done by design, but isn’t the ideal way of working.

This change now means that if you have multiple concurrent bookings, they are each counted towards the total time.

Add booking drop-down filtering based on projects containing one-to-many
- When a project has a one-to-many property, and the child of that one-to-many is also a property on a booking, then we can now automatically filter the options displayed in the booking based on the project that has been selected.
- This works the same as the resource-based filtering that we now have on bookings.
- An example of what this means is that if a user needs to specify a funding source or grant on a booking, and their projects have a collection of approved funding sources or grants, then when creating a booking, the user will only be shown the funding sources or grants that exist on the project selected.
Add auto-filtering of booking drop-downs for user one-to-many properties
- This is similar to the project filtering just added (described above) and the resource filtering that was added earlier in the 9.0 release cycle.
- This is about having a drop-down on a booking that only shows values appropriate for the current user rather than the selected project or resource.
- There are two modes in which this can work:
  1. If there is a one-to-many property directly on a user, and there is a property on booking that stores a biskit that is a child of that one-to-many. Then we only offer that the booking can have values from that one-to-many.
  2. If there is a many-to-one directly on the user, then we follow 3 that property to locate the biskit on the other side. That will be a biskit that has a one-to-many property storing users. If it also has another one-to-many that stores a biskit which is also stored on a booking, then we will only offer the values on that one-to-many for the booking.
- An example of the first option is when a user has a collection of funds they can use, and a booking must select one of them.
- An example of the second option is when users all belong to exactly one lab group, and the lab group has a collectionof funding sources. Then when a booking selects a funding source, it can pull it off the lab group’s funding sources.
Auto filter Booking drop-down possible values by permissions check
- All the automatic filtering of drop-down boxes, as described above now uses permissions to assist in the filtering.
- For example, suppose a grant has a core facility representing the facility in which that grant can be spent.
- And also suppose a resource has a core facility that owns that resource.
- Then you could create two permissions:
  - Deny the right to create a booking when the grant’s core facility is different from the resource’s core facility.
  - Deny the right to update a booking when the new booking’s grant’s core facility is different from the new booking’s resource’s core facility.
- Before adding a biskit to one of the booking drop-downs, it will be checked according to these permission filters before deciding whether to allow it as an option.
Add support for booking projects to be selected from the owner’s projects
- When selecting a resource, Calpendo knows whether the user has admin rights over that resource.
- If they do, then it did allow you to make a bookiug for any project.
- This was troublesome when you were booking on somebosy else’s behalf and you wanted to choose one of those user’s projects, but had no feedback to help you know which projects are appropriate.
- Now, there’s a configuration option next to the project selection.
- This lets you choose whether to display:
  - All approved projects, as it currently does
  - All your projects
  - All projects for the booking’s owner.
- There’s now a global preference and a user preference to choose the default option for which projects to display.
Change booking display
- Hide booker in booking pop-up when creating a booking (except for root)
- Move booker and owner to be below project in the booking pop-up

Miscellaneous Changes

Prevent users that can’t log in from being used for authentication
- The ExprodoAuthenticationMethod allows one Exprodo database (such as Calpendo) to be used as the authenticator for another database.
- Previously, a user that existed on the authenticator, but could not log in (eg if their status was blocked), could still be used to authenticate their password for another database.
- This has now changed so that disabling the account on the authenticator prevents them from authenticating on a secondary system via an ExprodoAuthenticationMethod.
Remove the option of “Any X” from a custom search page biskit selector
- When a custom search page has a drop-down that lets you select multiple allowed values for a biskit-valued property, it was displaying an option that indicated any value was allowed.
- This was really confusing because you could untick other items, and then be surprised that those items were still showing, and it was because “any” was ticked.
Change bookmark formatted name to be simply the name property
- This was set to various things on different systems, for example including the bookmark’s ID number and whether it was private (aka scratch) and who owned it.
- This was inappropriate. The menu editor in particular displays the name of a bookmark for bookmark menu items, and it makes more sense for it to be a simple name.
Show the user’s full identity in a tooltip that shows when your mouse hovers over the login name label shown in the top-right corner of every page.
Prevent multiple non-admin local users from having the same email address
- If there is an attempt to create a non-admin, non-root, local user with the same email address as another non-admin, non-root user, then this is now prevented.
Refuse to boot if using Java older than Java 8
- We now require Java 8 as a minimum, so we have protection against trying to run with an older version of Java.
Allow limited workflow search on non-enumerable biskits with no conditions
- When searching for a biskit which is not enumerable, you must put something in place to limit the number that are found.
- This was achieved by requiring some conditions to be present.
- That requirement has now been dropped if you’ve set the search action to restrict the number of items that it can find using the option to limit the size of the results to a fixed number.
Added new project status called Restricted.
- Only admins or those in a resource’s manager user group may book for these projects, not regular project users.
- A new button labelled “Restrict” now appears when you see a list of projects, and it will set the ticked projects to a status of restricted.
- The My Projects page will now select restricted projects as well.
- The Project Approvals page will show a button labelled “Restrict” that will change the ticked projects to a status of Restricted.
- The Project Search page will automatically include restricted projects.
Automatically delete child locations when you delete a parent location
Add support for allow attachments to be download from any IP address
- We remember which IP address somebody logs in from, and record that in their session. Then, whenever they access the system, we check that they are coming in from the IP address stored in their session.
- This is a security restriction that prevents people who have somehow got a copy of your session ID from being able to impersonate you.
- Some networks are configured such that every request you make to an external system (like Calpendo) appears to come from a different IP address. This is (presumably) done to make it harder to track you and so to help privacy issues. However, it defeats one of our security checks.
- So there’s a global preferences option that allows sessions to continue to work when requests come in from different IP addresses. This should be disabled unless you require it.
- When somebody downloads an attachment, it also checks the IP address matches the session.
- In 9.0.40 there’s a new option that lets you choose to allow attachments to be downloaded from any IP address, as opposed to restricting it to be from the same IP address as the user’s session.
- We strongly recommend to avoid enabling this if you can avoid it.

Updates

9.0.0 February 19th, 2019

First released version.

9.0.1 March 11th, 2019

Bug Fixes

BUGFIX: Menu editor did not display scrollbar when the tree of menu items was too tall for the visible space

9.0.2 March 26th, 2019

Changes

Add support for HolidayDate to have a description
Add support for disabling Service (hidden from available services)
- This was Issue 2254
Remove top-level “Root Menu” item you have to open from menu editor
Stay on current menu item when go between edit & read modes in Menu Editor
Remove the option of “Any X” from a custom search page biskit selector
- When a custom search page has a drop-down that lets you select multiple allowed values for a biskit-valued property, it was displaying an option that indicated any value was allowed.
- This was really confusing because you could untick other items, and then be surprised that those items were still showing, and it was because “any” was ticked.
Prevent users that can’t log in from being used for authentication
- The ExprodoAuthenticationMethod allows one Exprodo database (such as Calpendo) to be used as the authenticator for another database.
- Previously, a user that existed on the authenticator, but could not log in (eg if their status was blocked), could still be used to authenticate their password for another database.
- This has now changed so that disabling the account on the authenticator prevents them from authenticating on a secondary system via an ExprodoAuthenticationMethod.
Change bookmark formatted name to be simply the name property
- This was set to various things on different systems, for example including the bookmark’s ID number and whether it was private (aka scratch) and who owned it.
- This was inappropriate. The menu editor in particular displays the name of a bookmark for bookmark menu items, and it makes more sense for it to be a simple name.
Add a workflow function to convert a number from one unit to another called convertUnits.
Add a “Run Now” button to UserWorkflowEvent in the workflow manager
- This makes it a little easier to test a user workflow event by providing a button in the workflow manager to let you run it.
Add a “Run Now” button to Report Manager so that when there’s a scheduled report, you can make it run now and send its result via an email.
Add a preamble at the start of a scheduled report so that you can control the text that appears in the email.
Change virgin db permissions to booking creation allowed only in future
- The permissions that allow you to create template-approved bookings and booking requests have both had a new condition added that requires the booking to start later than now.
- This fixes issues 2237 and 2238.
Use standard search widget when click on tree nodes in the report manager
- Apart from the tree nodes that represent individual reports, all of the other nodes in the tree now display a standard list report on the right hand side.
- The widget that was used here was only used on the report manager and nowhere else, and it had some quirks about it.
- This fixes issue 2222.
Prevent custom page from being mutated into a regular page
Show full identity in tooltip of login name label shown in top-right corner
Prevent multiple non-admin local users from having the same email address
- If there is an attempt to create a non-admin, non-root, local user with the same email address as another non-admin, non-root user, then this is now prevented.
- This fixes issue 2253
Refuse to boot if using Java older than Java 8
- We now require Java 8 as a minimum, so we have protection against trying to run with an older version of Java.
Add new workflow function CsvEncode
- This encodes a list of numbers or strings to a command-separated format.
Add support for skins and themes
- Global preferences now has a new tab under Appearance
- This lets you select skins and/or themes to load.
- This provides an easy way to customise how everything looks.
- Select the skins and/or themes to include, save and refresh your browser.
- Each user also has personal settings where they can select skins and/or themes and provide their own personal CSS. This allows each user to customise the way their own system looks without affecting other users.
- You can create a new biskit type “Theme”, and then once saved, your custom theme can be selected in global preferences or by individual users.
Change the default look of all tables to be much cleaner
- This is done using the new support for skins.
- If you prefer the old look, add the “uncleanTables” skin in global preferences.
Allow limited workflow search on non-enumerable biskits with no conditions
- When searching for a biskit which is not enumerable, you must put something in place to limit the number that are found.
- This was achieved by requiring some conditions to be present.
- That requirement has now been dropped if you’ve set the search action to restrict the number of items that it can find using the option to limit the size of the results to a fixed number.

Bug Fixes

BUGFIX I2273: Custom search pages always displayed as list reports
- If you add a custom search page to the menu that is supposed to show a group report, and then go to that page, it would display a list report.
- It didn’t have the report types downloaded, so got things a bit wrong.
BUGFIX I2274: Update search conditions and description updates without run
- If you have Autoron disabled, then changing the conditions should not change the description of the conditions at the top of the report.
- Otherwise the report says it contains something different from what it really does.
- It was updating when conditions change, regardless of whether the report ran.
BUGFIX I2277: Clicking on File–>Export to export a report gave an exception.
BUGFIX: Biskits sorted by case-sensitive name in types and groups editor
BUGFIX: MenuEditor not showing bookmark name for Bookmark page menu items
BUGFIX: Tag set editor was showing suggestions on focus but not click
- When you click in a tag set’s text box the first time, it shows a drop-down of suggestions.
- That is because it shows it on gaining the focus.
- But if it already has the focus, clicking again doesn’t show the drop-down.
BUGFIX: When global preferences has bad temp directory, you can’t fix it
- Saving the global preferences caused a temporary file to be created as a means of validating the temporary directory, but this happened before the updated preferences were applied, and so it used the old directory.
- This prevented global preferences from being saved whenever the temporary directory was set to a directory that did not exist or was not writeable.
BUGFIX: A dynamic workflow page with a <button> submits the form twice
- If you configure a workflow to generate an HTML page that includes an HTML5 <button> or <button type=“submit” …> then it will cause the form it’s in to be submitted when pressed.
- This is in addition to the work we already automatically do when pressing the button.
- The fix to this means you can use any button or an <input type=“submit” …> and they all work as you’d expect with a workflow-generated page causing another workflow to run and possibly generating a further dynamic page.

Bug Fixes From 8.4.29

BUGFIX I2268: TemplatedText copy/paste with FreeMarker content corrupted
- When copy/paste a TemplatedTextWorkflowAction that contains a FreeMarker portion, the result contains corrupted text.
BUGFIX I2279/2280: Count of licensed users included suspended users
BUGFIX I2281: Drop layout editor properties node onto itself duplicates all
- If you edit a layout, and drag-and-drop a properties node onto itself or onto its parent tab, then the properties within it all get duplicated.
BUGFIX: Exception on clicking history item with no associated details
- Each audit log entry stores a basic set of information about what was changed and when, and also can the full properties of the item that was created/updated/deleted.
- In the history page, when you click on an item, it shows you that detail.
- It is possible for that information not to be present, and if it’s not present, then you got an exception.

Bug Fixes From 8.4.30

BUGFIX: Deleting ancillary biskit can erroneously fail referenced check
- If you delete a biskit, and then in the same transaction, a workflow deletes a different biskit that referenced the first one, there’s a problem.
- The second delete first checks whether the biskit is referenced, and it does so on a fresh database connection.
- So it stills thinks the first biskit exists and stops the whole thing.

Bug Fixes From 8.4.31

BUGFIX: Date/time settings not ready when needed to boot
- Depending on your configuration, there can be a boot failure because the date/time global preferences settings are not set up before it is possible that they may be required.

Bug Fixes From 8.4.32

BUGFIX: Non-static one2many prop with inverse that is static breaks things
- This address a class of configuration mistake that should not happen, but for which there was no check when you asked to validate the biskit definitions in the bakery, and also that caused logins to Calpendo to fail.
- The fix is therefore threefold:
  - Make Calpendo tolerant of the misconfiguration in this way
  - Make the bakery validation detect errors of this nature
  - Log an error that will be emailed back to Exprodo Software when this happens so we can proactively assist with fixing the misconfiguration.
- If you have a one2many property X.children that stores a set of Y, then the inverse property of X.children might be set to something like “parent” which means Y.parent points back to the X.
- In that case, Y.parent should have an inverse property name that is “children” so they each point to the other.
- But there was no validation check to make sure that the inverse of the inverse is where you started.
- Also, there was a particular case of this that led to the exception. This is when X.children is a non-static property, and Y.parent is a static property. Since Y.parent is a static property, then it should have been set up with an inverse property that is also static. That would mean it can’t point back to X.children.

9.0.3 April 29th, 2019

Changes

Record full detail of originating request when client receives exception from server
- When the client receives an exception in response to a request it sends the server, the client sends a follow-up message to the server telling it some details about what it was doing.
- This is then stored in system events.
- Part of this is to provide information about the original request.
- This is visible in the system event under “originating request”.
- The content of this sometimes included the details of the request, but mostly it did not.
- Now that all requests are convertible to JSON in version 9.0, we can convert the request to JSON and store that on the system event.
- This means whenever a client receives an exception from the server, the server record of what happened will include the client’s idea of the request.
- Note that for security reasons, some requests will hide some of the details. In particular, if an exception occurs in a password reset request, then the old and new passwords will not be saved into the database.
- The only other time passwords are handled is a login request. In that case, there is no report from the client to the server if the login produces an exception.
Check that each resource has a concrete BiskitDef for its bookings.
- When editing a resource, you are only offered concrete BiskitDefs that are subtypes of Booking. This means you can’t choose an abstract type.
- If you go to the bakery and make a BiskitDef abstract when that BiskitDef is selected as the booking BiskitDef on a resource, then you will get back an error when validating biskit definitions.
Add an “Attachments” tab to email workflow action
- Emails already supported attachments, but only by a magic process of having the body of the email reference an attachment that would not then appear in the body, but an attachment would be added to the email.
- This was not terribly intuitive. It also did not work when you generated the body of the email via a templated text (as you might want to do when looping through some data).
- So now we have a tab for the specification of the attachments, so this should make much more sense. It also allows you to specify a path to a list of attachments as well as a path to an individual attachment, and the previous system did not support a list of attachments; they had to be added manually.
Add support for converting XSL-FO formatted strings to PDF
- There’s a new workflow function called “toPDF”
- Give it an XSL-FO formatted string, and it returns the PDF file
- There are some “Hello World” type examples in the workflow manager. Open Workflow Biskit/Versioned Workflow Biskit/Workflow/Example PDF generation with XSL FO
- XSL-FO tutorials and information:
- The standard is described here:
  - https://www.w3.org/TR/xsl/
Add support for barcodes
- See Barcodes for the details
Added Theme Manager page (this should appear on all admin menus)
Add support for themes to change the menu bar colours
Added new project status called Restricted.
- Only admins or those in a resource’s manager user group may book for these projects, not regular project users.
- A new button labelled “Restrict” now appears when you see a list of projects, and it will set the ticked projects to a status of restricted.
- The My Projects page will now select restricted projects as well.
- The Project Approvals page will show a button labelled “Restrict” that will change the ticked projects to a status of Restricted.
- The Project Search page will automatically include restricted projects.
Added support for bind-as-admin LDAP Authentication
Add support for attachments being uploaded at user registration time
- Previously, if you added a property on a user to store an attachment, it would only work after login. It would not work on the new user registration page.
Add support for a new multi-edit mode when editing the children of a one-to-many property.
- This allows you to edit all children at the same time, with a large grid.
- This is currently not the default way of editing one-to-many properties.
- It is enabled for a particular property by adding a layout for the biskit being edited, and selecting the appropriate option for that property.

Changes From 8.4.33

Add disabled permission for allowing users to create iCal feeds
- This permission makes it easy for people wanting to allow users to create iCal feeds themselves by providing a permission that can simply be enabled.

Bug Fixes

BUGFIX: Change password via direct DB update leaves old password working
- A reboot was required before the latest password would be used.
- This did not apply when changing a user’s password through the standard user interface.
BUGFIX: Comments on workflow actions/events not showing in multiple lines
BUGFIX: Workflow function getBookableProjects assumed users with the admin role (plus those in the resource’s manager user group) were the ones able to book for any project. It ignored the global preferences setting for the roles which allow you to book for any project.
BUGFIX: Some very old databases have broken permission conditions
- Something like 5 years or more ago, there was a change to how permission conditions were stored so that an old type of “UPDATED” became “NEW_VALUE”.
- Apparently, this wasn’t updated properly on all databases.
- This occurred before our automatic system of database upgrades was implemented, and so this may have been a manual error on a limited number of systems, possibly only one.
BUGFIX: Non-admin users who were in the manager’s user group could not book for any project.
BUGFIX: Setting default value on tag property in bakery gave exception
BUGFIX: Column wrong type for scheduled report preamble (longtext/varchar)
BUGFIX I2294: Menu editor doesn’t show report name the first time
BUGFIX: Themes didn’t apply to all properties as expected
BUGFIX I2282: Could not create new layouts in layout editor
- This was a bug introduced in 9.0.1
BUGFIX: Themes didn’t apply to all properties as expected
BUGFIX: Database downgrade for skins/themes had syntax error
BUGFIX: Bad error message on refusing upload conversion due to mismatch of IP address
- That is, when your IP address changes between uploading a temporary file, and that file being converted to an attachment when you save the biskit it should be attached to.
BUGFIX: Sending a Calpendo Location over the network did not ensure the parent of all locations was set properly.
BUGFIX: RichText editor did not initialise its contents properly
- Sometimes a RichText editor would not use the value it was given to initialise the contents of the editor.
- This could be seen in the new multi-edit mode for one-to-many properties.
BUGFIX: null-valued properties on children of one-2-many treated as shallow
- If you have a one-to-many property, and one of the children (one of the many) has a property whose value is null, then that behaved as if the value was shallow.

Bug Fixes From 8.4.33

BUGFIX: Detection of file type failed on Java 11
- This occurred when using workflows to create a temporary file, for example from a file generated by a system command.
- When looking at the content of the file it was trying to turn into a temporary file, it would not be able to recognise some file types (most notably PDF files).
- This was not a problem on Java 6, 7 or 8.
BUGFIX: updating multiple biskits could fail to start transaction
BUGFIX: Exception generated when ListExtract action can’t identify output
- If the BiskitDefinition of the input list biskits is not known, or the property being extracted from that list is not a known property, then we would get a NullPointerException.
- It now gives a standard workflow error instead.
BUGFIX: Downloading a public resource can be mishandled when on error
- If there’s a problem decoding the data in a public resource, so that it can’t be sent back to the browser, then we generate an exception in the server because we start to write a response to the browser, and then try to tell the browser there was an error instead when the resource decode fails.
- But you can’t change your mind about whether you’re sending data or an error, and so this itself caused a problem.
BUGFIX: Links to public resources not always working in service description
BUGFIX: Renumbering workflow can give exception
- This happened if an event’s index was re-used by something that was not an event.
- For example, if an event was #9 and then after a renumber, an action became #9, then you would get an exception.
- This same problem means that when a workflow is renumbered, the old and new triggers were not correctly matched up, so anything being told about a change to a trigger could be given an old and new trigger that were not actually related apart from sharing the same type index (which means nothing when renumbering things).
BUGFIX: createCalendarInvitation func does not specify return biskit type
- The workflow function createCalendarInvitation returns an attachment, but the function signature specified that it was returning a biskit without specifying that it was an attachment.
BUGFIX: createCalendarInvitation did not handle non-exists bookings well
- If permissions say a user can’t have EXISTS permission on a booking, then a call to the workflow function createCalendarInvitation would result in a NullPointerException.
BUGFIX: createCalendarInvitation could apply incorrect permissions
- When generating an attachment with the workflow function createCalendarInvitation, you specify a user that should be used for removing anything that should not be seen according to the permissions.
- If you don’t specify a user, then it uses the special user ical_viewer.
- If you do specify a user, then that user’s information was not all loaded, and so (for example) they won’t appear to have any roles.
- This is likely to make the permissions evaluate incorrectly, with the most likely result being that less information will be published than it should rather than more.
BUGFIX: Time slots with multi-day/midnight bookings give exception
- If you have time slots enabled for a resource, and you make a multi-day booking, then you would get an exception.
- The same would apply when creating a booking that was not (strictly) multi-day, but which ended at midnight.
BUGFIX: Export summary report badly formats multi-dimensional rows
- When you have a summary report that has multiple row dimensions defined, then exporting would display the raw underlying value for each property.
- For example, if you had a property that was a time of day, then it would show a raw number of seconds since midnight rather than formatting it as HH:MM or HH:MM:SS.
- This applied to all export formats.
BUGFIX: Renumbering a workflow can generate false-positive errors
- Some workflows, when renumbered, show errors claiming that things are referencing items that don’t exist, when there was nothing wrong at all.
BUGFIX: Import users and it forced login nick name to be same as identifier
BUGFIX: Change displayed resource colour for new user gives exception
- When a brand new user logs in for the first time, they don’t have any colours chosen for the resources yet. They will be given the default colours for each resource.
- If that user tries to change the colour on the calendar during that first login session, then there’s an exception generated in the server.
- The user sees this as a pop-up in the bottom-right corner that disappears automatically after a short time.

Bug Fixes From 8.4.34

BUGFIX: Checked-edit can give ShallowException on set biskit-valued prop
- If:
  1. you have a list of biskits
  2. and use the checked-editing facility
  3. and you modify a biskit-valued property
  4. and the value you choose has a property hidden from you by permissions
  then the checked-edit would fail with a “ShallowException”.

9.0.4 May 8th, 2019

Changes

Allow properties hidden in biskit detail in checked edit (iff use layout)
- Normally, a property that is marked as hidden in biskit detail is not shown when looking at checked editing.
- Now, if you provide a layout which includes such a property, it will appear in checked editing.
- If you don’t provide a layout, it is still hidden as before.
Add support for Excel-like drag and drop when using oneToMany multi-edit
Add support for copy/paste within multi-edit table
Add checked-editing of multi-edit one-to-many tables
Add support for auto-filtering of biskit-valued properties on biskits that are on a one-to-many child
Remove month view tab from SDM calendar as this view not supported
Display only ServiceOrder types for Service.orderBiskitDef editor
Optimise SystemUsageDAO by no longer caching user information
- Previously, this was storing references to users, which may have been loaded from the DB and so could have had a large memory footprint.
- It now stores light information instead.
Show checked-editing pop-up near “Edit checked” button, not screen centre

Bug Fixes

BUGFIX: Duration displayed in usage recorder can be wildly wrong
- When a ResourceUsage session has been left open for a long time (a few months), the displayed duration of the session was displayed incorrectly.
BUGFIX: Usage Recorder gives exception on clicking “Enter session details” if no resource was selected.
- When there are 20 or more resources in existence, then it is possible to set the resource to a null value in the usage recorder.
- The “Enter session details” button would then generate an exception.
BUGFIX: Long-running usage sessions don’t appear on calendar
- The resource usage calendar would only show currently-active usage sessions that started in the current week (in a week view) or the current month (for a month view).
BUGFIX: Usage pop-up had no visible gap between the displayed date and time
BUGFIX: Button to approve and run a privileged search sometimes incorrectly greyed out.
BUGFIX: Theme prevented border on bottom of menu bar
BUGFIX: calendar filter widgets had no border unless theme loaded
BUGFIX: Classic theme had tab.bar.color white instead of black
BUGFIX: SDM EventPopup not always undo changes when Cancel button is pressed
BUGFIX: SDM Task selection drop-down menu is not loaded with the default “Selected Tasks”
BUGFIX: DateBox doesn’t have enough width to suit all date formats (css issue)
BUGFIX: SDM gives bad message when creating new event (“Updated event 0”)
BUGFIX: Hibernate exceptions due to oneToMany collections getting destroyed
BUGFIX: Example service modules did not set enabled

Bug Fixes From 8.4.36

BUGFIX: Memory leak whenever a user, user group, user type or permission is changed
- The Calpendo server cached permissions, and rebuilds those permissions whenever anything related to permissions changes.
- However, it was retaining the old permissions in memory when it creates the new set.

Bug Fixes From 8.4.37

BUGFIX: Memory leak every time a user logs in or refreshes their browser

9.0.5 May 14th, 2019

Changes

Add an “Export” button that appears when viewing a workflow
- This makes it easier to copy a workflow from one system to another.
- This downloads an export of the workflow in SQL format.
Add padding inside One-to-many multi-edit cells for easier cell selection
Automatically delete child locations when you delete a parent location
Change reported MIME type for compressed database dump to SQL, not GZIP
- FireFox seems to prefer the MIME type being specified as that of the underlying file rather than merely saying that it is gzipped.

Bug Fixes

BUGFIX: Removing PropertyDef from BiskitDef failed with exception
BUGFIX: Exporting a layout produced FreeMarker error

Bug Fixes From 8.4.38

BUGFIX: User-uploaded files were assigned the wrong content type
- They were always marked as application/gzip
- When downloading these files, most browsers decompressed the file, saw what type it really was, and handled it appropriately.
- FireFox did not do that, and so that made it harder for a user to see the file content.
- Arguably, the FireFox method is safer in general.
- The fix now makes sure files are tagged with the content type of the underlying data.

9.0.6 May 15th, 2019

Changes

Disable the example XSL FO workflow for generating PDF files
- The workflow broke anything with a Lite licence because it used too many workflow actions for a Lite licence.
- This workflow can be enabled on full Calpendo systems to see it in action.

9.0.7 May 16th, 2019

Security Bug Fixes From 8.4.40

SECURITY BUGFIX: A forced password change did not require password change
- When a user is forced to change their password (because somebody set their status to indicate a password reset was required), we required that they choose a new password.
- However, it did not require that the new password was different from the old password.
- This is now a requirement.

Bug Fixes

BUGFIX: Password reset wasn’t working
- This means the link in the top-right corner of every page and also when you’re forced to change your password.
- Depending on whether you were already logged in or not, the behaviour was different, but wrong in both cases.
BUGFIX: Default LDAP authentication filter did not work
- When you create an LDAP authentication method and configure it to use the 9.0 option of bind-as-admin, it suggests a filter that did not work.
- It now uses a filter of “(uid=%u)” which is a better example and likely to be useful for people connecting to LDAP.
BUGFIX: Login page showed the system as “unlicensed” even if licensed

9.0.8 May 17th, 2019

Changes

Add support for stepped-editing of biskits with one-to-many properties
- This is required to properly support sample tracking.
Use case insensitive check at login for login name (not login identifier)
- For those using a local user login, this means the login name you type in is case insensitive. This matches what the behaviour used to be in 8.4.
Make cancel button from new service go back to available services page
- When you start from the available service page, and create an order, but then change your mind by pressing the Cancel button, it used to do the equivalent of pressing the browser’s Back button.
- This didn’t always produce the result the user expected or wanted.
- It now makes sure the Available Services page is displayed again, and should better match expectations.

Bug Fixes

BUGFIX: Showing detail from group report of PropertyDef gave exception
BUGFIX: Editing a ResourceUsage that’s already been deleted gives exception
- It’s possible for somebody to view a report or calendar entry that contains a ResourceUsage, then somebody else deletes it, and then the original person (who still sees it on screen) can try to modify it.
- When this happens, they got an exception.

Bug Fixes from 8.4.40

BUGFIX: request to “https://yourcalpendo/anon” produced an exception
- Notice the lack of a trailing slash in the URL which is essential for the bug to manifest.
BUGFIX: Shallow exception on ProcessDef.initialStep when send to browser
- Cleaning a ProcessDef before sending it out to a browser could give an exception.

9.0.9 May 22nd, 2019

Security Changes

Add support for checking whether passwords have been exposed in a security breach
- When a user sets a new or initial password, we can now check whether that password has been exposed in a security breach.
- For this purpose, we use haveibeenpwned.com
- For details of the method used without exposing user passwords to the people that run haveibeenpwned.com, see:
  - Pwned Passwords overview
  - k-anonymity (Wikipedia)
- There’s a new global preferences setting on the Security tab for this. You can choose a threshold which is the number of times a password has been exposed, beyond which we should reject the password.
- By default, we have turned this on for everybody and set the threshold to one. This means a password will be rejected as long as it has been exposed at least once in a security breach.
- Note that this method rejects passwords that have been exposed in a security breach and does not directly check password complexity. That means it is possible we could reject a complex password and accept a simple one.

Security Bug Fixes From 8.4.41

SECURITY BUGFIX: No PII check when updating passwords via checked edit
- If you edit a password by checking those users you want to change from a list, and then putting in a new password into the popup, then it wasn’t performing all password checks.
- It was using the password complexity checks, such as requiring passwords to be a certain length or contain capitals etc.
- But it wasn’t checking that the password contained no personally identifying information such as your name or the name Calpendo or Exprodo.

Changes

Add support for downloads and uploads from/to a one-to-many table
- This allows you to download a CSV file with the headers and current content of the children of a one to many, and then upload a CSV file to add new children.
All workflows are now disabled 30 days after licence expiry
Added property resourceUsage to RemoteUserLog
- RemoteUserLog is the biskit used to store information coming from an external instrument actual usage supplier like CAR (Calpendo Activity Recorder).
- It records one entry every time there’s a remote event, like a user logging in or out, or a ping containing information about the remote processes being run.
- ResourceUsage is the biskit that has a start and end time and for those using CAR, it is calculated from the RemoteUserLog records.
- By adding a link from RemoteUserLog to ResourceUsage, this makes management and reporting of the whole thing easier.
Changed biskit types for remote actual usage recording biskits
- RemoteUserLog is now Calpendo.RemoteUserLog
- RemoteProcess is now Calpendo.RemoteProcess
- RemoteAuthorisationRequestWorkflowEvent is now Calpendo.RemoteAuthorisationRequestWorkflowEvent
- RemoteUserIdentificationRequestWorkflowEvent is now Calpendo.RemoteUserIdentificationRequestWorkflowEvent.
- Changing the biskit type on all these means they are now only present in Calpendo, where before they were present in our non-Calpendo systems too.
- This change has been made to support adding a link from RemoteUserLog to ResourceUsage, since ResourceUsage only exists in a Calpendo system.

Bug Fixes

BUGFIX: Auth methods with disabled new user registration appear on reg page
- If you set the “new user registration allowed” to disabled for one or more authentication methods, those methods would still appear as buttons on the new user registration page.
BUGFIX: Self-managed password reset mechanism fails with exception
- The process for recovering your own password when you don’t remember it was broken in 9.0.
BUGFIX: CalendarByLocation didn’t show locations with only nested resources
- For all locations used directly by a resource, those locations would show up correctly on a CalendarByLocation menu item.
- For any locations that only had resources in a child or grandchild location instead of containing a resource directly, they would not show up on a CalendarByLocation menu item.
BUGFIX: Exception clicking on a biskit in a list from group report you cannot EXISTS
- When you have a group report, and you click on a group, it will show you a list of the biskits in that group. When it does this, it will only show biskits for which you have EXISTS permission.
- If permissions change on the server, or the properties on a biskit change in the database, then it is possible for you to not have EXISTS permission on one of those biskits in the list.
- When clicking on such a biskit in the list, the server is asked for the details which would then be returned as null.
- If this happened, the browser shows an exception message.
- It now delivers a good message to the user instead.
BUGFIX: Resources in your current bookmark would show as having no location in the resource editor and their locations were missing from a CalendarByLocation menu item
BUGFIX: CalendarByLocation had submenu item for resources with no location
- When you have some resources with no location set, the CalendarByLocation menu item would show a submenu labelled “No location”, containing two items.
- One labelled “No location” would show the calendar for resources with no location, and the other would be a simple link back to the calendar without changing the displayed resources.
- But that simple item would already have been shown at the top level of the menu, and so the whole thing was more complex than it should have been.
- There’s now no submenu at all, and just one menu item labelled “No location”.

9.0.10 May 29th, 2019

Changes

Provide feedback when configuring LDAP authentication incorrectly
- For bind-as-user, you must specify the user DN, and for bind-as-admin, you must specify bindDN and a filter. Previously, you could leave these empty and get no warning.
Display as much of menu as possible when page not wide enough
- Previously, if the menu was wider than the page, then the whole menu would be replaced with a “Hamburger” style icon that let you see the whole menu when you clicked it.
- Now, it only hides as much of the menu as is required for it all to fit in, with the hamburger there to provide access to those menu items that had to be removed to make it fit.
Add a “Test Theme” button when displaying a Theme biskit.
- This lets you see what effect the theme has.
- This also works without you having to save the theme, so you can see changes immediately.
Display initial page drop-down show page names without appended number
- In the global preferences, where you choose the initial page that should be displayed by default, there’s a button to show a drop-down with a list of pages that exist, those on the menu, and those recently accessed.
- That list was putting a number in brackets after some of the page names.
- Those numbers have now been removed.
Display the login identifier with label “Login name” for new-user-request
- When there’s no nick name allowed, we were showing a text entry for a “Login identifier” which was confusing some people.
- This has been changed to read “Login name” on the new user request page.
Make menu editor tolerant of menu items of type CUSTOM_PAGE but wrong class
- Menu items of type CUSTOM_PAGE must always be of class CustomPageMenu, but sometimes (for reasons not yet understood), they are not.
- We found a case where there was one of class ChildMenu instead.
- Once this happens, you can’t recover from the UI because clicking on the menu item gives an exception.
- This commit makes the UI tolerant of the situation so you can recover by removing the item.

Bug Fixes

BUGFIX: Exception on showing pop-up for choosing global prefs initial page
- On the global preferences “General” tab, there’s an option to choose the initial page that should be displayed.
- If you click the button to show a pop-up that helps you select an initial page, it gives an error.
BUGFIX: Summary report not correctly segregate data by biskit-valued keys
- If you put a row that is a biskit-value, and add a column that will have different values for the same value of biskit displayed in the row, so values appear in multiple columns for the same biskit, then the summary report would show multiple rows for the same biskit-value row key when it should all appear in the same row.
BUGFIX: Reading history failed when property definitions changed
- Suppose you have a property that used to be an integer and changed to a string, and there is recorded history for an instance of a biskit with the property as an integer.
- Then when looking at the history, it would fail with an exception because it was trying to parse the old integer value as if it were a string.
- The history display now ignores any properties whose type is not consistent with the current definition of that property. More specifically, if it can’t parse the old value using the new property definitions, then it ignores any such properties.
BUGFIX: Log in fails with exception if menu item denied EXISTS permission
- If you create a permission that denies EXISTS permission on a menu item that is on the menu for a user, then that user would not have been able to log in.
BUGFIX: Properties in layout but not visible in biskit detail get lost
- If you have a property that is set to be NOT visible in biskit detail, then on saving such a biskit, the value of the invisible property would be destroyed.
- This might happen if you had a property marked as visible in a biskit list (for it was available for checked editing) but you don’t want it to be shown when looking at the detail of a biskit, so you mark as not visible in biskit detail in the bakery.
- Any value set via checked-editing or an import would then be lost if you were to edit the biskt in the normal way.
- This bug is pretty obscure and would happen only under the above very peculiar and particular conditions. We expect this to have affected very few people.
BUGFIX: Forgotten password self-recovery fails if email address duplicated
- If there are multiple accounts with the same email address, and one such user uses the forgotten password mechanism, then it would fail with a misleading error message saying:
```
  "I'm sorry, but you already have an account with the same email address"
```

9.0.11 May 30th, 2019

Bug Fixes

BUGFIX: Approving a booking from bookings requests page gives exception
BUGFIX: Creating service order gives exception if displayed using a layout that hides some properties
BUGFIX: Shallow exception handling shallow one-to-many property post-save

9.0.12 June 3rd, 2019

Changes

Add support for importing bookings from an external iCal feed
- Resource now has two extra properties - one to record the URL and another to specify the update frequency.
- Booking has a hidden property that records the iCal ID that generated the booking.
- If an iCal feed contains a repeat booking, then it will be imported as multiple non-repeating bookings, all having the same iCal ID.
- You cannot create, update or delete bookings that come from an iCal feed. The iCal importer takes complete control of the bookings.
- If a booking that used to exist in an iCal feed is later removed from the feed, then Calpendo will delete the booking for it.
Allow WEBDAV login to match login name with case insensitive match
- This is how it used to work in 8.4 and earlier, so this puts the behaviour back as it was.

Bug Fixes

BUGFIX: Exception exporting a workflow that sends an email with attachments
BUGFIX: Creating biskit from layout hiding some properties gave exception
BUGFIX: Drag and drop in one-to-many multi-edit table fails FireFox
BUGFIX: Links in new user request emails do not work
- Clicking on the links in an email sent following a new user request result in a message:
```
  "Failed to update user's status: Cannot update
  properties on biskits of type 'nurs' because I
  can't find a BiskitDef for it."
```
BUGFIX: Editing a booking not via calendar gave exception on save

9.0.13 June 4th, 2019

Bug Fixes

BUGFIX: Calendar not display if permissions hide Booking.booker

9.0.14 June 13th, 2019

Changes

Change message when no bookings found selecting booking for resource usage
- When you enter a resource usage, you can choose which booking the usage relates to.
- When it doesn’t find any suitable bookings, it showed the slightly misleading message:
```
  "There are no bookings"
```
- It’s now been changed to
```
  "There are no bookings you are permitted to choose"
```
Add “Free text search” as hint for custom search page free text search
- A free text search is added to a custom search page by adding the magic text “[free]” to the search specifier as if it were a property name.
Add support for custom search page to search a property with a set of tags
- Add a property path to a tag set property within any custom search page, and it now shows aa suitable widget for selecting the tags that should be used for the search.
Add support for linking bookings and service orders
- This provides support for a convenient way to specify bookings for instruments that will be used in fulfillment of a service order.
- To configure this, start by adding one or more properties to a service order in the bakery to store a reference to a booking.
- Then, when configuring a service, after you select the type of biskit to use for its service orders, it will show a table with a row for all the Booking properties on the service order so that you can choose the resource to be used for that Booking.
- When entering the service order, you will see a button labelled “Select Booking” which lets you choose a booking for the appropriate resource.
- If the service order has a project, then you will only be offered bookings that are set up to use that project.
- When you update an order so that it references a booking, then we check to see if the booking has a reference to a Service Order. If so, then the booking will be updated to reference the order it relates to.
Change the default display type for one-to-many properties
- This now uses the new ‘multi-edit’ format that’s a little like Excel by default, unless you create a layout that specifies the original version.
Add bakery validation error for string tag property without a TagDef
- This means that if you set up a property for a tag or set of tags, and forget to choose which TagDef it is, then the biskit validation will give you an error.
Optimised create, update and delete of templates
- This is much faster for some Calpendos.
- It depends on the data you have as to how large a change this is.
- This will also improve speed for TotalTimeBooker rule time masks, Exprodo SDM events and editing PropertyDef instances outside the bakery.
Optimised moving bookings calendar from one week to another
- For some systems, this was very slow.
- In the cases we looked at, it is now very fast.

Bug Fixes

BUGFIX: Shallow exception on selecting a booking for resource usage
- This did not happen all the time, but should now be handled properly.
BUGFIX: Exceptions displaying RelativeTime workflow event conditions
- There was a timing issue when displaying a RelativeTime workflow event that had some conditions referencing biskits in it.
- If the display needed to fetch the data for the biskits involved from the server, then it tried to display before the server response came back.
BUGFIX: Layout editor incorrect one-to-many error-feedback on import header
- It complained about the property names being wrong when they weren’t.
BUGFIX: Typo in global preferences “System Usage Statistics” page
- One of the properties was labelled
```
  "Sysytem Usage Statistics Minutes Per Statistic"
```
BUGFIX: Creating a template showed an info pop-up indicating it had been allocated ID zero (which it wasn’t)
BUGFIX: RelativeTime workflow event conditions sometimes render incorrectly
- This only affected the first time an event’s conditions were displayed, and only in read-only mode.
- As soon as you clicked Edit, or clicked on another event/action and went back to the RelativeTime event, it would display properly.
- When displaying incorrectly, all conditions would display a message saying “No property path selected”.

9.0.15 June 14th, 2019

Bug Fixes

BUGFIX: Bookings created from importing an ical feed did not send the iCal global ID to the client.

9.0.16 June 18th, 2019

Changes

Add validation to a biskit update workflow action
- This will generate a pop-up error message when you leave the biskit to update set to null.

Bug Fixes

BUGFIX: Exception on displaying a dynamic one-to-many property before a value is set for it
- For example, add a one-to-many property to a project and then try to create a project.

9.0.17 June 19th, 2019

Changes

Allow style and class attributes on a div in a layout’s HTML heading
- A layout can have a custom heading, but the content is filtered.
- It did not allow a div to have any attributes at all, but we now allow it to have a style and class attribute.
- This allows more control over the way it might display.
Add support for %biskitType% in a BiskitDef format
- This allows the type of a biskit to become part of its displayed name.

Bug Fixes

BUGFIX: First row sum wrong exporting 2 dimensional summary report

9.0.18 June 21st, 2019

Changes

Add CSS classes to the navigation buttons in a stepped-editor page
Add CSS classes to the heading and content of each tab displayed by a layout.
Add CSS class ‘exprodo-login-first-auth’ to first login part on login page
- This allows more control over the way the login page is displayed

Security Bug Fixes from 8.4.42

SECURITY BUGFIX: Stepped-editing allows users to see/edit prohibited items
- If you set up stepped-editing (most commonly for service orders) so that you can edit a biskit in multiple steps, clicking next/previous buttons to go between pages, then you could change the URL to choose a different service order to edit, and it would work.
- This would apply even if you had no permission to view or update the service order in question.
- This means the stepped-editor was bypassing permissions checks.
- Note that this does not provide a mechanism for accessing any data type.
- It only applied to those types that were configured with a stepped-editor.
- The vast majority of systems are not set up in this way and so are not affected.
- To see if your system could have been affected, do a search for “Process Definition”. If there are none defined, then you have not been affected.
- If there is at least one Process Definition defined, then it is possible you have been affected.
- The limits of any exposure are:
  - The “Process BiskitDef” property on the “Process Definition” specifies which biskit type the process deals with.
  - For Calpendo systems, this is most likely to be Service Order and possibly Project instances that are created and updated via a stepped-edit process.
  - Users on your system could have used the stepped-edit process to read objects of the type you found above (eg Service Order or Project).
    - If you do not have permissions limiting the ability of users to read the contents of such objects, then this will not affect you.
  - Users on your system could have used the stepped-edit process to update objects of the type you found above.
    - Typically such users would only be allowed to edit their own objects.
    - The audit log can be used in this case to identify who has changed which objects and what changes were made.

Bug Fixes

BUGFIX: Order of displayed columns for summary report was not alphabetical (and so was inconsistent with versions exported via csv or xls that are alphabetical)
BUGFIX: Workflow warning messages not being displayed at login time
- There’s a workflow function called “warn” that can be used by a workflow to deliver a pop-up message to a user.
- This wasn’t working when called from a UserLoginWorkflowEvent.
- Now this is fixed, this can be used as a way of giving notices to people when they log in.
- Just create a workflow that responds to a UserLoginWorkflowEvent and call the function “warn”, passing your required message.

9.0.19 June 25th, 2019

Changes

Always permit a property to be updated that doesn’t change the value
- This is a change to the permissions system for something that is not considered a security issue.
- When changing a property on a biskit, and the new value happens to be the same as the old value, and this is the only thing you’re trying to change, then it would previously check permissions to see if this was allowed.
- It would only be allowed if there was a permission that said it was allowed.
- However, since the operation in question is effectively a no-op, it did not make sense to check permissions which might then refuse it.
- So this is now always allowed.
- This fixes an error in workflows where a Biskit Update action could under some circumstances be refused permission to run when the person asking for it to run does not have permission, but the action has been endowed with roles that should allow it.

Bug Fixes

BUGFIX: Automated “updated by” properties could overwrite entry with null
- When a biskit is modified by the system, and not by a user, then the “updated by” property (if one is configured) would be set to null.
- In these cases, we no longer change the recorded “updated by” property.
BUGFIX: Some server classes could not have their verbose mode turned on
- Occasionally, it is useful to turn on a verbose mode for some parts of the system.
- In some cases, this wasn’t working.
BUGFIX: NPE collecting attachment garbage if any attachment has no owner
BUGFIX: CalendarByLocation menu item not working under test
- When you click the Test button in the menu editor, a newly added CalendarByLocation menu item does not work properly.
- Only after saving and refreshing the browser would it work.
BUGFIX: Stepped-edit process can fail with shallow exception
- The security bugfix in 9.0.18 applied its cleaning of the data incorrectly. It prevented the security issue, but it left a problem that meant there could be an exception under some circumstances.
- For example, when in the middle of a stepped-edit of a biskit, a page refresn would result in an exception.
BUGFIX: Clicking on the menu button in rich text editor gives exception
- When editing some HTML text in a rich text editor, one of the buttons you have provides a drop-down that lets you select a menu item.
- This inserts text into the HTML that will generate a hyperlink to whatever the menu item runs when selected.
- However, the drop-down would not show, and instead an exception was shown.
BUGFIX: Report asking for resources failed with exception
BUGFIX: Layout editor generated exception

9.0.20 July 4th, 2019

Changes

Set creator/updator automated properties to nobody if no known user
- If there are automated properties configured to record who created or last updated a biskit, and when a change is made, we don’t know who the editor was, then we now record the editor as the special user “nobody”
Mark Booking.resource as required
- This means that when you search for bookings and select the “Resource…” options, the drop-down no longer offers you the “No resource” option because we now mark the resource as “required”.
- This means it knows there won’t be any booking that has no resource, and so it doesn’t need to offer the ability to choose bookings whose resource it not set.
Allow webdav login names of the form “username@authMethodName”
- This allows internal users, whether they are local or not, to be able to use webdav.
Optimise booking updates
- For some people, udpating bookings was slow.
- For the situation we looked at, this now happens instantly.

Bug Fixes

BUGFIX: Downgrading a N/A update script generated false-positive error msg
- This applies when downgrading Calpendo, and there is an automatic database upgrade that could have been applied, but was marked as not applicable during the upgrade procedure.
- If an upgrade script was deemed not applicable, and the downgrade ran, then you’d get an error because it didn’t know how to handle the statuses.
BUGFIX: Some services modules did not downgrade cleanly
- There were problems with the example radiological assessment Service module and the Histopathology Service module.
BUGFIX: Radiological assessment service used sex and gender inconsistently
- A column name of gender was used, but the property name is sex.
- This added some confusion, and also meant the layout that was created when the service was loaded did not place the sex property where it was meant to go.
BUGFIX: Report showing Layout instances gives exception
- Create a group report showing the number of Layout instances, and then click on the number shown and it gave an exception.
BUGFIX: Adding project to user did not persist
- If you edited a user and added a project, then after saving the user, it did not add the project.
- However, if you edited the project and added the user, then it did work.
- This was a bug introduced in 9.0.14

9.0.21 July 17th, 2019

Bug Fixes

BUGFIX: Could not send email to mail servers configured only for TLS 1.2
- This was a problem with a library we were using, and required an upgrade to a later version.

9.0.22 July 29th, 2019

Changes

Add extra boot time info when things go wrong
- This helps when a misconfiguration prevents the system from booting

Bug Fixes

BUGFIX: Deleting something that does not exist gives exception
BUGFIX: setting response.buttons to null in user workflow event gives NPE
BUGFIX: A valid failure to load a biskit can yield an unexpected exception
- If you try to load a Calpendo.UserSettings but it fails with an exception because a mapped error means you can’t load any Calpendo.UserSettings, then we would try to load an instance of ExprodoUserSettings instead.
- However, that can fail if the type we’re now trying to load (ExprodoUserSettings) is not mapped.
BUGFIX: users could not log in if their user settings could not be loaded from DB
- This helps, for example, if the biskit definitions are misconfigured in such a way as to prevent loading user settings.
BUGFIX: Biskits in response received from server contain shallow biskits
- This was seen to cause multiple errors, including editing reports in the report manager displaying the wrong thing.
BUGFIX: NPE fetching iCal when permissions result in a null title
BUGFIX: CSV/XLS summary report doesn’t handle reports with no results

9.0.23 August 12th, 2019

Changes

Reset booking biskit type when resource Booking BiskitDef changes
- A resource specifies what the biskit type should be for any bookings for that resource.
- If you modify a resource so that it should use a different subtype of booking, then existing bookings are now modified so that they declare they are of the new biskit type.
Fail gracefully when trying to boot a 10 database with a 9.0 program
- It was failing with an exception because it was loading a long PK and treating as an integer.
- Now it fails with a much better exception message in the logs.

Bug Fixes

BUGFIX: Permissions for RemoteUserLog were missing from older Calpendos
- RemoteUserLog is used to record remote activity, such as somebody logging on to a PC that drives an instrument.
BUGFIX: LDAP Authentication didn’t handle DN with multiple %u placeholders
- If the DN or filter you specify in an LDAP authentication method has multiple %u entries, then only the first one would be replaced with the user name.
- This means it wouldn’t quite work the way one would expect.
BUGFIX I2339: Read-only calendar displayed owner with shallow information
BUGFIX: Exceptions on login complaining about User.projects being shallow
- This was caused by a fix in 9.0.22
- It was in the release notes as
```
  "BUGFIX: Biskits in response received
  from server contain shallow biskits"
```

9.0.24 August 14th, 2019

Bug Fixes

BUGFIX: Shallow exceptions were triggered from multiple places
- This was caused by a fix in 9.0.23 that fixed a problem in 9.0.22
- The 9.0.23 release notes entry is:
```
  "BUGFIX: Exceptions on login complaining
  about User.projects being shallow"
```
BUGFIX: Changing Resource’s bookingBiskitDef not change biskit type of existing bookings

9.0.25 August 15th, 2019

Bug Fixes

BUGFIX: Infinite loop when a system event created because of an error that has been logged itself causes another error.
BUGFIX I2328: Click on TemplateGroup in TemplateEditor gives exception
- Delete a template group in the Template Editor, and the list on the left shows a “Template Group” item. Click on it, and it gave an exception.
BUGFIX: “Template Group” item appears when delete item from template editor
- In the Template Editor, if you delete a template group, then the list on the left gets a new item appear labelled “Template Group”.
BUGFIX I2341: Cannot remove values from a MappedInt or MappedString set
- In the bakery, if you try to remove a value from either a MappedInt or a MappedString and save it, then you get an exception.

9.0.26 August 19th, 2019

Bug Fixes

BUGFIX I2345: Logout with network metrics enabled can give infinite loop
- If network metrics are enabled, and it’s time to send network metrics to the server when you log out, then the log out will generate an infinite loop.
BUGFIX I2344: Shallow exception on selecting bookmark from menu
- This didn’t happen every time, and once the calendar is running, it wouldn’t happen again.

9.0.27 August 20th, 2019

Bug Fixes

BUGFIX: Old audit log history can give exception
- When viewing the history of a biskit, and you click on an old change (made before version 8.3 was released when history storage changed to become more complete), then you can get an exception due to some of the expected data being missing.
- For example, doing this on a report might complain about problems with of items with conditions, builtinReportType.dataFormattype and user groups.
BUGFIX: Viewing history of biskit with BiskitDef properties breaks server
- When you have a biskit which has a property that references a BiskitDef (such as a Service or Resource) and you look at the previous versions in the history of one of those biskits, then the server in-memory version of the BiskitDef referenced in the history becomes corrupted.
- The result is that logging in to Calpendo would then not work.
- No data in the database would be corrupted - this only stopped the server working properly until it was next rebooted.

9.0.28 August 29th, 2019

Changes

Add service order creation date to search options in service order searches
Change permissions so admins can update/delete/create remote user log data
- This is because we need a workflow to be able to modify RemoteUserLog to link it to ResourceUsage, and we don’t want the workflow to have root role permissions since that would mean admins couldn’t edit the workflow.
Do not send workflow emails to users who have no user settings
- A user can choose to opt out of receiving automated emails.
- If they have never logged in, then they don’t have any user settings yet.
- In that case, it used to default to sending them emails.
- This is now reversed so that users who have never logged in do not receive automated emails or reminders.
Add support for searches to path references in the bakery finding formulae
- When searching in the bakery for references to a property, it did not show any formula that referenced it.

Bug Fixes

BUGFIX: Menus with a separator on them broke selection of landing page
- When choosing the landing page (default initial token) in the global preferences, there’s a drop-down that lets you choose from some likely candidates from the menu and recent pages.
- That drop-down gave an exception if any of the menu items had a null label - which is normal for separator menu items.
BUGFIX: NPE updating a biskit when the old version has already been deleted
BUGFIX: Rounding java.sql.Date to the second gives IllegalArgumentException
- This is because we were accessing the hours/minutes/seconds when it doesn’t have them.
BUGFIX: Type an underscore at the end of BiskitDef type gives exception
- If you try and create a BiskitDef and type an underscore, then if that underscore is at the end of the string, you get an exception.
BUGFIX: Viewing CRM Email gives shallow exception if it has a ReplyTo
BUGFIX: Different object same identifier exception from excess cloning
- If you try to create a Sanger Sequencing Order on the demo (which uses a stepped editor), and choose a project that already has some ProjectResourceSettings, then it would give an exception when it tries to save the order.
BUGFIX: Workflow validation errors pop-up did not colour table rows bg
- When a workflow has validation errors, it shows a pop-up which shows the errors in a table.
- Such tables are normally background coloured with alternating colours for each row.
- This wasn’t done at all so that the background was white until the mouse went over it, when it gained a colour for the first time.
BUGFIX: Bakery property path references missed search action conditions
- When using the bakery to search for references to a particular property name or path, then the search conditions on a Search Workflow Action were not included in the resulting references found.
BUGFIX: Date rounding dropdown would remain editable in read only state
BUGFIX: ReportManager allows to create Group Report with No columns
- When you create a report in the report manager, it makes it a group report by default. When you select the type of biskits the report should search for, it should have then selected an initial column for the group report, but it didn’t.
- Group reports should always have a column, and they cannot run without them, so it was possible to create an illegal report using the report manager.
BUGFIX: Conditions comparing dates with month or year accuracy don’t work
- If you have a date property (as opposed to a date-time property) and you have a condition that tests for comparison with month or year accuracy, it would instead do a comparison with day accuracy.
- For example, if you create a report looking for bookings with condition:
```
  created.date equals now to the month
```
  then you would get back those bookings created today instead of those created this month.
- A work around in this case would be to use:
```
  create equals now to the month
```
BUGFIX: Edit Service without going to Orders tab and it forgets order BD
- A service knows which flavour of service order must be used for that service.
- It stores the BiskitDef for the service order to do this.
- If you edit the service without ever going to the tab which shows the service order BiskitDef, then it forgets which order BiskitDef was selected, and it gets reset back to the default.
BUGFIX: Orders with booking property displays booking incorrectly read-only
- When a service order has a property that stores a booking, it displays with a booking selector widget when in read-write mode.
- When it does this, it shows a hyperlink for the currently selected booking that, when clicked, shows the details of the booking in a pop-up.
- When in read-only mode, it displayed the currently selected booking with a non-hyperlink label that showed the start and finish date of the booking, so it wasn’t even in the same format as the read-write version.
- We now show a hyperlink for the booking in read-only mode so that the user can easily get access to the booking details.
BUGFIX: Clicking on old historical report entries gives exceptions
- If you ask for the history of a report, then clicking on old versions of the report will give an exception if the versions you click on are from a time before version 8.3 was released (February 2018).
BUGFIX: Some users can’t log in
- When a user has a resource missing from their bookmark, and they have a default project, then they can have an exception during the login process that prevents them logging in.
BUGFIX: Group report of Layout gives exception when click on count found
- Create a group report of Layout and don’t select any columns to add to the report, click Go and then click on the number of layouts found, and you got an exception.
BUGFIX I2348: Cannot view processDef Step as a biskit on its own
- Go to a URL like #ba&type=Step&action=view&id=16 and you get an exception.

9.0.29 September 13, 2019

Changes

Count concurrent bookings multiple times in TotalTimeBookedRule
- If you make multiple bookings at the same time, perhaps for different resources, then TotalTimeBookedRule was counting that only once.
- This was done by design, but isn’t the ideal way of working.
- This change now means that if you have multiple concurrent bookings, they are each counted towards the total time.
Reset trigger id/name in workflow driven page when parse from encoded data
- When clicking a button on a workflow driven page, the button press is recorded in the form data sent to the server.
- This is also encoded into the data part of the URL.
- If the user were to refresh their browser, or move to another page and back, then the same actions would be taken, including sending the form data to the server indicating the user had clicked the button again, which they hadn’t.
- So we now remove the information inside the form data that says which button was pressed when we parse the base64-encoded “data” property in the URL since we know that happens when it is not triggered by a button press.
Add support for auto-filtering of booking properties from resource one-to-many
- If you have a one-to-many property on a resource that stores biskits of a particular type, and there’s a property on a booking that points to a biskit of the same type, then the values that will be offered by the drop-down on the booking will only include those linked from the currently selected resource.
Changed visibility of UserLoginWorkflowEvent so it doesn’t show up as a searchable type for non-admins.
Add support for PrivilegedSearchWorkflowEvent
- A privileged search is a mechanism for allowing people to search for things in a limited and controlled fashion for which they can’t ordinarily see.
- For example, if you have a database of research volunteers, then you might want principal investigators to be able to search for volunteers meeting certain criteria while not allowing the full details of who those volunteers are to be seen.
- What we’ve now done is to add a new workflow event so that a workflow can filter the biskits returned by a search.
- This can be used, for example, to prevent volunteers who have participated in certain conflicting studies from being returned.
Reduced visibility of UserLoginWorkflowEvent
- This relatively new workflow event was set up with higher visibility than it should, which meant that it was offered as a search option to non-admins.
- However, for non-admins, this would just be noise that should not be there.
Add support for session ID meta-property to be available in workflows
- Inside a workflow, you can now access a new meta-property called “sessionID”.
- This stores the session ID for the current user’s session, if the workflow is running as a direct result of a user’s session.
- This is provided so that page generated dynamically by a workflow can include hyperklinks to attachments.
- We need the user’s session ID because that’s a part of the security checks used when a user downloads an attachment.
- Note that the meta-property is present in conditions in other pages (such as report conditions and permission conditions) but the session ID will always be null outside a workflow.
Mark workflow change to booking as done by nobody when not caused by user
- When a repeat booking goes into the past, the repeat gets modified.
- If a workflow is triggered by that change, then it doesn’t have a user associated with it, and yet it wanted to record who had last changed the booking.
- It used to throw an exception when this happened, but it now marks the booking as being changed by the special user nobody.
- Individual workflows can avoid this by asserting a particular user as doing the edit, but when triggered by a repeat booking going into the past, there really isn’t a suitable user.
Hide the Network Message workflow action URL path box with RAW msg type
- When setting up an action to send a network message, you can use HTTP or HTTPS (for which you need a URL path) or RAW (for which the URL path is irrelevant).
- The UI was always asking for the URL path, which was confusing.
- This is now removed when the message type is RAW.

Bug Fixes

BUGFIX: Adding booking to order did not always add link back from booking to order
- You can add a property to a booking to store an order.
- When you make an order and store a booking on the order, then if the service is configured for it, the booking will be updated to store a link to the order.
- This wasn’t always working, depending on the type of order, type of booking, and the declared BiskitDef of the property on the booking that references the order.
BUGFIX: Change resource and the server keeps the old version cached
- Bug description:
  - If you go to the resource editor and look at a resource, it tells you its version number.
  - Edit the resource and save it, and the version number goes up by one.
  - Click the Refresh button inside the resource editor or the browser’s refresh button, and the version number goes back to the original value and not the latest value.
  - If you click Edit, it tells you you’ve got the old version, and it won’t let you save any changes you make.
- This happened as a side-effect of a recent change that showed up a long standing but previously hidden problem.
BUGFIX: Non-persistent, non-formulaic property caused API error
- You are allowed to have properties on a biskit that are neither stored in the database, nor calculated.
- You might have such things in cases where you want the UI to ask for information, and then have a workflow do something with them, but not to store them.
- If you have such a property and put it into a report, the report will work okay.
- However, if you use the WEBDAV API and display the details of a biskit that contains a non-persistent, non-formulaic property, then the API would return an http 404 error (not found).
BUGFIX: SingleConditionWidget allows to choose variable type for Referenced
- When using advanced conditions, you have the option of adding a condition that searches for something depending on how many times it has been referenced by something else.
- The number of times you want it to have been referenced must be a fixed number.
- However, when you edit a saved report, it would let you choose the number to be a variable that it fetches from somewhere else.
- This was not supported and would not work.
- So the UI now prevents you from choosing a variable value for the number of times something has been referenced.
BUGFIX: Create New report gave error message
- If you created a new report in the report manager, it gave an error.
- This bug was introduced in 9.0.28
BUGFIX: Exported summary report sometimes loses data
- If you have a summary report which has multiple rows, then when exporting the report, the data could be sorted in a way that accidentally throws away some data.
- This did not affect reports displayed on screen.
- For example, a report of bookings showing project and project.partner for the rows, where project.partner is a biskit, could lose data depending on whether you put project first or project.partner first.
BUGFIX: Edit privileged search project deselects all tabs
- If you set up a project subtype which has a one-to-many property so that the project will display with tabs, then every time you view or edit the biskit, at least one tab should be selected.
- However, if you view the project from the privileged search project selection page, and then click Edit, it will deselect the tabs.
- This means you have a tab panel with no tabs selected.
- This only happened when displaying projects from within a privileged search.
BUGFIX: RemoteUserLog permissions required both admin & root instead of either
- There are permissions to allow admins to modify RemoteUserLog biskits, but those permissions were not set up correctly so they required an admin also to have the root role.
BUGFIX: Saving attachment to a biskit in a workflow gave unusable download
- Create a workflow that generates an attachment and then adds it as a property of another biskit, and you can’t download the attachment.
BUGFIX: Create attachment in workflow and save to biskit saved duplicate
- When you create an attachment in a workflow, and then store that onto a biskit within a workflow, there would be TWO attachments created, with only one of them downloadable.
BUGFIX: createCalendarInvite workflow function on new booking made nothing
- When a workflow adds an invitation to a booking in response to the booking being created, and it did so with vetoable events (so it’s in the same transaction), then the invitation would not be created.
BUGFIX: Drag auto-generate number one-to-many sequence ignores format
- If you have a one-to-many property and edit the contents, and put in a value like “WTR001” in one cell, and use the select-and-drag to extend that cell to other cells, then it should insert values like “WTR002”, “WTR003” etc.
- However, it was inserting “WTR2”, “WTR3” etc.
BUGFIX: Referenced-by conditions display incorrectly in read-only mode
- When rendering read-only referenced-by conditions, it needs to know the BiskitDef of the thing doing the referencing.
- It gets this from the parent condition’s referenced-by editor, but this was only getting a value set during render when in writeable mode.
BUGFIX: Boolean property export ignored custom true/false text
- If you set up custom true/false text on a boolean propety, then you would expect to see it when exporting a report with values-as-labels.
- It should only show “true/false” if exporting with values-as-underlying-value, but it always did it this way.
BUGFIX: Boolean property in workflow actions ignored custom true/false text
- If you set up custom true/false text on a boolean propety, then you would expect to see it in workflow actions that export a value.
- For example, a templated text or an email.
- However, it always used the text “true” and “false”.
BUGFIX: timeDiffDays workflow function fails when given a date property
- If you have a date property you pull from a biskit stored in the database as a date property rather than a date-time, then using it in a calculation to compare days will fail.
BUGFIX: History of BiskitDef can give exception
- This was found on the demo looking at history of BiskitDef Resource
BUGFIX: Add Attachment in a workflow fails on non-fast-properties update
- There are two different code paths that can be taken when a biskit is updated. This is akin to the checked-editing of biskits that edits individual properties, and the full biskit edit that saves everything.
- One is faster than the other, but it can’t always be used.
- When adding an attachment to a biskit in a workflow, there were very recent changes to make it work for the fast-properties update version.
- It didn’t also work for the slower version, so you would get an exception.
BUGFIX: Test menu with run-report menu item in menu editor gives exception
- In the menu editor, you can test menus by clicking the Test button which will then load that menu into your web browser.
- Refresh the browser and you go back to your normal menu.
- If the menu you test includes an item that runs a report, then you would get an exception as soon as you clicked the Test button for that menu.

9.0.30 September 17, 2019

Bug Fixes

BUGFIX: Booking Popup fails when no resource selected
- When clicking in the calendar to create a booking, you can click in a resource’s column to initiate a booking for that resource.
- Alternatively, you can click in the blue border to the side of the day’s bookings, and that initiates a booking popup without presetting the resource.
- That was failing (since 9.0.29)
- Also, clicking in the all-day bookings area at the top of a day’s booking column produced the same error.
BUGFIX: History of bookings produced exception when there were repeats
BUGFIX: Resource selector can give shallow exception
BUGFIX: An EvaluateExpression calling a function returning null mishandled
- For example, if you have an EvaluateExpression workflow action that has content like:
```
  round([INDEXED#6.biskit.foo.bar]*365])
```
  where [INDEXED#6.biskit.foo.bar] evaluates to null, then this generated an exception instead of cleanly returning a value of null.

9.0.31 September 18, 2019

Bug Fixes

BUGFIX: Booking calendar giving shallow exceptions under rare conditions

9.0.32 September 19, 2019

Bug Fixes

BUGFIX: Creating template by clicking outside resource column broken
- On the template editor, you can click in a resource’s column to create a template for that resource.
- You can then change that resource if you want to.
- You can also click in the vertical blue bar separating the columns for each day.
- If you do that, it creates a template for the day to the left.
- Now when you did that, it would show a pop-up that was entirely read-only so you couldn’t modify it in any way.
BUGFIX: Bookings calendar headings generated exception on resource shallow
- This is similar to bugs fixed in the previous two releases, none of which we have been able to replicate in testing but which have happened to one customer only.
- When permissions hide some information about resources, the bookings calendar is giving problems.
- Exactly what generates this, we haven’t been able to nail down.
- However, we are able to see some of the problem from the information we get back from automated error reports, so we are making progress with fixing the problem.

9.0.33 September 20, 2019

Security Bug Fixes

SECURITY BUGFIX: Information about hidden resources can leak to users
- If you have a bookmark that includes a particular resource, and then a user displays that bookmark, and then somebody later changes the permissions so that the resource in question is denied EXISTS permission so that the user should not even know the resource exists, then the bookmark the user receives at login time includes a reference to the hidden resource.
- The standard user interface would not show you any details of the resource, and it would only happen in the circumstances described above.
- This is considered a security issue because users could see information they should not, but is considered low risk because the circumstances are quite particular, and also because the user interface does not have a ready means of displaying the information.

Bug Fixes

BUGFIX: Workflow validation broken when event has a null TypedPath
BUGFIX: “Matches” string value conditions fail on empty string on MySQL
- If you create a search and add a condition on a string property, and make that condition use “matches” or “does not match”, and set the pattern to compare against to be the empty string, then you get an error when running on MySQL.
- This works correctly on MariaDB.
- This may possibly be related to the version of MySQL in use as well.
- The fix for this makes it work properly, which means that everything matches the empty string (for consistency with MariaDB).

9.0.34 September 24, 2019

Bug Fixes

BUGFIX: Exception editing bookmarks with hidden resources
- This has not been replicated in a test environment, but has been seen in production.
BUGFIX: Cannot edit a biskit in single item report with version numbers
- If you set up version numbers on a biskit, and then create a menu item that shows a search for that biskit type and display a single item report, then you won’t be able to edit any biskit unless it happens to be at version number 1.
- Version numbers should be a part of the data fetched from the database for any report because they are sometimes very import and always very light in terms of what it costs to load.
BUGFIX: Changing type to search for ignored after you cancel changes once
- If you search for something and then change the type to search for, you might be asked whether you want to discard the report before moving on to the next one.
- Once it asks you that question, it never asked you again, but always assumed the first answer applies thereafter.
- So if you cancel changes the first time, it would always cancel changes which means it would prevent you from changing the type to search for.
- This was introduced back in 2012 in response to a bug which meant the question about whether to discard a report was asked twice.

9.0.35 September 25, 2019

Bug Fixes

BUGFIX: Scheduled reports give exception when clicked from report list
- If you go to the report manager and click on “System reports” or “Personal Reports” rather than opening them up, then you get a list of reports.
- Clicking on a report to display the report definition would then give an exception if the report ran on a schedule and had users or user groups that it would be sent to.
BUGFIX: Rules did not reliably run on repeat bookings
- When a repeat booking is modified, the bookings are expanded out and each of those is then checked to see if they pass the rules.
- When you modify a booking for just one instance, or “this and later”, then the expanded bookings are a mixture of bookings taken from the old repeating sequence and the new version of it.
- However, when this expansion occurred, it got confused between the new and the old.
- This means booking rules would sometimes do the wrong thing with repeat bookings.

9.0.36 October 9, 2019

Security Bug Fixes

Do not allow LDAP authentication with an empty password
- This is needed because some LDAP servers allow connections from valid users with a blank password.
- This seems to be a common way to configure ActiveDirectory, but results in allowing anybody to log in by simply choosing a blank password.
- This only applies to Calpendo’s built-in LDAP authentication, and when your LDAP server is configured to allow connections from users with a blank password.

Changes

Given better message when try to use auto password reset for root
- Automatically resetting passwords for root users is not supported.
- This was giving a fairly confusing message (“Only root users may modify root users”).
- This has now been changed so it’s more explicit about not supporting automatic password reset of root users.
Make pressing enter on login page activate even with multiple visible auths
- When pressing the Enter button in the login page, it was activating the login only if there was exactly one non-external authentication method button displaying.
- It will now work when there are one or more, in which case it will choose the first visible authentication method.
Extend PDF creation example workflow to generate table rows with FreeMarker
- FreeMarker is a templating engine, and it can be used inside a TemplatedTextWorkflowAction to produce output.
- In particular, you can loop through a list of biskits produced earlier in a workflow, and add output for each biskit.
- This makes it perfect for adding rows to text, one per biskit, which in turn is good when a PDF includes a table where each row comes from a biskit.

Bug Fixes

BUGFIX: “forgotten password” system fails with null givenName or familyName
- Asking to reset your password (following a failed login) gives an exception when either your givenName or familyName is set to null.
BUGFIX: Template creation doesn’t trigger Database workflow event
- Depending on how the template was created, events were not fired when they should have been.
- This also applied to other repeatable classes.
BUGFIX: template are applied to bookings update for minor changes
- When you update a booking templates are applied as always.
- They should be applied only if you change:
  - project
  - resource
  - repeat information
  - booking date range
- That means that when a workflow or a user modifies a booking and none of the above information, then the booking status implied by the template should not be stored onto the booking.
BUGFIX: SDM Subject gave errors when used in a process (DTO shallow props)
BUGFIX: FindTextWorkflowAction produces bad group names when > 9 groups
- With 10 to 19 groups in a regular expression, the first one found is given name “group01” (which is correct) but then groups 2 to 9 are named “group2”, “group3” etc without the leading 0 on the number, so they won’t list in the right order when alphabetic.
BUGFIX: bindAsAdmin set to null after 9.0.3 upgrade
- Before 9.0.3 LDAP Authentication method had only one implementation which was what is now known as “bind-As-User”.
- The upgrade to the new system (bind-as-user OR bind-as-admin) lost this information and set “bind-As-User” to a null value.
- This broke LDAP authentication.
- Further, if a user then edits an LDAP Authentication method that was created before 9.0.3, the user interface would display the first option for bind-As-User/bind-As-Admin which is bind-As-Admin.
BUGFIX: Workflow search with variable biskitDef couldn’t derive search type
- If you do a search action in a workflow, and set the type to search for to a variable value by taking the path to some biskit and then choosing it’s “biskitType” pseudo-property, the search would fail with not knowing what type to search for.
BUGFIX: Function action arguments of “Now” conversion to/from JSON broken
- When a workflow function argument is set to a date or date-time value of “Now”, then when this was converted to JSON, it inserted the current date/time instead of a semantic marker of “Now”.
- So when it was reloaded, it became a fixed value of the time it was.
- This could be seen by looking at the history of a function with such an argument.
BUGFIX: Reloading DB config in Exprodo SDM could prevent login until reboot

9.0.37 October 10, 2019

Bug Fixes

BUGFIX: Resource editor did not allow viewing resources
- This bug was introduced with 9.0.36
- This also reverts the fix in 9.0.36 whereby reloading the DB config in Exprodo SDM prevented logins until reboot

9.0.38 November 13, 2019

Changes

Provide RepeatsAffected to a BookingRuleWorkflowEvent
- When you create a booking rule workflow event, it gets fired whenever booking rules are about to be run, and then again once for every rule that is run.
- The event now has an extra value that you can access whenever a rule is being run when a repeat booking is being updated.
- This extra value tells you whether the booking is being having a single instance modified (“This item”), a particular instance and all later ones (“This and later items”) or the whole repeating sequence (“All items”).
- For non-repeat bookings and for rules triggered when a booking is created, this RepeatsAffected property will be null.
Disable history button and menu items if user has no AuditLog access
- If the permissions prevent a user from any EXISTS or READ permission on AuditLog values, this means they won’t be able to view the history on anything.
- Any menu items that show history of a biskit will no longer appear.
- Any button that shows history of a biskit will now be greyed out.

Bug Fixes

BUGFIX: Reloading DB config in Exprodo SDM could prevent login until reboot
- This was originally fixed in 9.0.36 and then reverted in 9.0.37 because it caused problems in Calpendo.
- The fix is now compatible with both Calpendo and SDM.
BUGFIX: ExprodoUser.userIdentity.loginName could not be mapped in SSO
- When using an ExternalAuthenticationMethod, if you tried to map the loginName from a value provided from the IdP, it would fail.
- That’s because it was overwritten by the identity (REMOTE_USER) we received.
- However, a configurer should be able to choose which attribute feeds into the loginName property.
BUGFIX I2305: BookingRuleWorkflowEvent did not cast booking to subtype
- Actions below a booking rule workflow event should be able to treat the booking as the type indicated in the event’s declaration of the type of bookings it works on.
- However, it was always treated as a plain booking instead.
BUGFIX I2390: No BookingPopup tooltip for dateRange, repeat and notice period
- These properties should have displayed a tooltip taken from the relevant property definitions, but there was no tooltip.
BUGFIX I2385: Workflow adding user to group takes effect when workflow ends
- If a workflow calls the function addToGroup to add a user to a group, then inside the same workflow, any condition that checks for membership of the group implies the user is not a member.
- Only after the workflow completes (and the transaction is committed) will conditions return a result indicating the user is a member of the group.
BUGFIX: Update a user in a workflow and conditions imply value unchanged
- If you create a variables workflow action
- and it has a variable to store a user that you set with a fixed value (so you choose a particular user)
- and you then have a biskit update to change the user’s status
- and then you have a condition to check whether the user stored in the variables has the status they’re supposed to
- then they would be seen to have their original status
- and not the new one
BUGFIX: webdav query API applies permissions incorrectly
- When an API call is made to webdav/q, you can ask for only the properties you require to see.
- We would then pull out only those properties from the database.
- It should have also examined the permissions to see which additional properties are needed so that the permissions can be applied correctly.
- But this did not happen so when permissions were applied, it only had available the properties you had asked for.
- This could mean data being hidden that should be visible.
- For example, add a permission to deny EXISTS for a resource to a user when the resource name is some fixed value, and then point your browser here:
```
  https://yourcalpendo/webdav/q/Calpendo.Booking/AND/dateRange.start/GT/20191101-0000/dateRange.start/LT/20191108-0000?paths=resource.id
```
- and log in as one of the users that the new permission applies to
- and it should then show the ID numbers of all resources on bookings from November 1 to November 8.
- But instead, it would show “null” for all the IDs because it won’t load the resource name, and so thinks the permission might apply, and hence hide the data.
- We do not believe it was possible for this problem to make something visible that should be hidden. That’s because the server is designed to hide data if there’s any doubt whether a permission applies to it (as here, where we know that the resource name has not been loaded from the database, so we don’t know whether a permission using the name applies), and so this bug is not considered to be a security issue.
BUGFIX: Allow cascade-free many-to-one properties to appear in checked-edit
- CalpendoUser has a property called “projectsOwned” which is a collection of all the projects where the user is listed as the owner.
- This means that Project.owner is a many-to-one property and CalpendoUser.projectsOwner is a one-to-many property.
- When viewing a list of projects, you can check one or more projects, and then click the “Edit Checked” button to set values on the checked projects.
- It wasn’t offering the option to change the project owner in the pop-up.
- That’s because there are occasions where changing the value of a many-to-one property is not possible, and the pop-up was being too zealous in preventing this.
- It has now changed so that it will allow you to change the value of a many-to-one property in this checked-edit pop-up as long as the parent property (CalpendoUser.projectsOwned in this case) is not set to cascade deletes to the child (Project).
- Cascading means that the parent “fully owns” the child, so that there can’t be an orphaned child, and the child can’t be adopted by a new parent.
- It also means that if the parent (CalpendoUser) is deleted, then the children (Project) would also be deleted.
- This is not how the relationship between user and projects work, and so it should have been allowed to change the owner of a project.
BUGFIX I2397: AddUserToProject and RemoveUserFromProject removed all users
- These workflow functions were supposed to add a user to a project or remove one from it.
- They were now removing all users instead.
BUGFIX I2387: When a new user registers, they don’t receive an email
- This applies when the workflow is configured to send the email to the user, rather than to the user’s email.
- The difference is a little more than semantic, since the user’s settings are considered in the first case, but not the latter.
- The problem is that when a user has never logged in, then they don’t yet have any user settings.
- In that case, we made a recent change that affects this, because it stopped users that have never logged in from receiving emails.
- This was troublesome both for the new user problem, but also because lurkers are meant to be users that can’t log in, but do receive email.
- Consequently, we have now reversed the change that meant users who have never logged in cannot receive emails.

9.0.39 November 22, 2019

Changes

Simplify displayed EvaluateExpression output values in system events
- When you run an EvaluateExpression in a workflow, a system event would show the output, but not in a useful way.
- You can now see what the output value actually is.
Add “Expired” button to checked button bar when viewing a list of users
- When viewing a list of users, there are buttons that you can click to set the status of ticked users to a particular value.
- There wasn’t one to set a user’s status to Expired though

Bug Fixes

BUGFIX I2369: Checked-edit of ProjectResourceSettings with formulaic properties fails
- If you have any formulaic properties defined on ProjectResourceSettings, and then search for ProjectResourceSettings and use a checked-edit approach to set some values on them, then you get an exception.
- The same problem causes workflows trying to update ProjectResourceSettings to fail, but only if there are formulaic properties defined for it.

9.0.40 December 11, 2019

Changes

Add booking drop-down filtering based on projects containing one-to-many
- When a project has a one-to-many property, and the child of that one-to-many is also a property on a booking, then we can now automatically filter the options displayed in the booking based on the project that has been selected.
- This works the same as the resource-based filtering that we now have on bookings.
- An example of what this means is that if a user needs to specify a funding source or grant on a booking, and their projects have a collection of approved funding sources or grants, then when creating a booking, the user will only be shown the funding sources or grants that exist on the project selected.
Add auto-filtering of booking drop-downs for user one-to-many properties
- This is similar to the project filtering just added (described above) and the resource filtering that was added earlier in the 9.0 release cycle.
- This is about having a drop-down on a booking that only shows values appropriate for the current user rather than the selected project or resource.
- There are two modes in which this can work:
  1. If there is a one-to-many property directly on a user, and there is a property on booking that stores a biskit that is a child of that one-to-many. Then we only offer that the booking can have values from that one-to-many.
  2. If there is a many-to-one directly on the user, then we follow 3 that property to locate the biskit on the other side. That will be a biskit that has a one-to-many property storing users. If it also has another one-to-many that stores a biskit which is also stored on a booking, then we will only offer the values on that one-to-many for the booking.
- An example of the first option is when a user has a collection of funds they can use, and a booking must select one of them.
- An example of the second option is when users all belong to exactly one lab group, and the lab group has a collectionof funding sources. Then when a booking selects a funding source, it can pull it off the lab group’s funding sources.
Auto filter Booking drop-down possible values by permissions check
- All the automatic filtering of drop-down boxes, as described above now uses permissions to assist in the filtering.
- For example, suppose a grant has a core facility representing the facility in which that grant can be spent.
- And also suppose a resource has a core facility that owns that resource.
- Then you could create two permissions:
  - Deny the right to create a booking when the grant’s core facility is different from the resource’s core facility.
  - Deny the right to update a booking when the new booking’s grant’s core facility is different from the new booking’s resource’s core facility.
- Before adding a biskit to one of the booking drop-downs, it will be checked according to these permission filters before deciding whether to allow it as an option.
Add support for booking projects to be selected from the owner’s projects
- When selecting a resource, Calpendo knows whether the user has admin rights over that resource.
- If they do, then it did allow you to make a bookiug for any project.
- This was troublesome when you were booking on somebosy else’s behalf and you wanted to choose one of those user’s projects, but had no feedback to help you know which projects are appropriate.
- Now, there’s a configuration option next to the project selection.
- This lets you choose whether to display:
  - All approved projects, as it currently does
  - All your projects
  - All projects for the booking’s owner.
Change booking display
- Hide booker in booking pop-up when creating a booking (except for root)
- Move booker and owner to be below project in the booking pop-up
Add support for allow attachments to be download from any IP address
- We remember which IP address somebody logs in from, and record that in their session. Then, whenever they access the system, we check that they are coming in from the IP address stored in their session.
- This is a security restriction that prevents people who have somehow got a copy of your session ID from being able to impersonate you.
- Some networks are configured such that every request you make to an external system (like Calpendo) appears to come from a different IP address. This is (presumably) done to make it harder to track you and so to help privacy issues. However, it defeats one of our security checks.
- So there’s a global preferences option that allows sessions to continue to work when requests come in from different IP addresses. This should be disabled unless you require it.
- When somebody downloads an attachment, it also checks the IP address matches the session.
- In 9.0.40 there’s a new option that lets you choose to allow attachments to be downloaded from any IP address, as opposed to restricting it to be from the same IP address as the user’s session.
- We strongly recommend to avoid enabling this if you can avoid it.
Add support for workflow functions to remove unwanted markup from HTML
- New function: xmlEscape
  - Given some text, anything that might be HTML or XML markup is escaped so that when viewed within an HTML context, it will display exactly as the original and not interpreted as HTML.
  - For example, if you put in:
```
  "<div>Hello & Goodbye</div>"
```
    it would result in
```
  "&lt;div&gt;Hello &amp; Goodbye&lt;/div&gt;
```
- New function: htmlClean
  - Given a whitelist of what’s allowed and some HTML, this function cleans up the HTML so that it removes anything that should not be allowed.
  - For example, if a div tag is not allowed, then the above example would be translated to:
```
  "Hello & Goodbye"
```
- New function: createHtmlWhitelist
  - Creates a whitelist for cleaning HTML content.
  - This offers a selection of starting points, of whitelists that contain bothing, basic things, or are quite permissive.
- New function: addTagToWhitelist and removeTagFromWhitelist
  - These provides a means of modifying a whitelist to add or remove tags that are allowed to be used.
- New function: addAttributeToWhitelist and removeAttributeFromWhitelist
  - These provide a means of modifying a whitelist to add or remove attributes that are allowed for a particular tag.
- New function: addEnforcedAttributeToWhitelist and removeEnforcedAttributeFromWhitelist
  - These provide a means of specifying a value that a particular attribute must have on a particular tag, or of removing an enforced attribute value.

Critical Bug Fixes

BUGFIX: Edit user from search page and Calpendo could delete projects
- If you edit a user from the user search page, and that user owns one or more projects, then it would try to delete those projects that were owned by the user.
- If the project was referenced by something (for example bookings) then the save of the user would fail because it wouldn’t be allowed to delete the projects.
BUGFIX I2418: Refresh when view single user shows no projectsOwned
- Go to a list of users, shift-click on a user that owns some projects.
- Then refresh your browser, and the projectsOwned tab showed no projects.
- What makes this worse is that if you save the user while the projectsOwned tab was incorrectly empty, then it would cause Calpendo to try to delete your projects. If those projects were actively used (eg by bookings) then they would not be deleted. However, if there was nothing referencing them, then they would be deleted.
BUGFIX I2416: Running report could hide data leading to data loss
- If you run a report, then the data fetched from the server will usually be missing something.
- That is, reports only require a portion of the data, and so you don’t receive all of it.
- The missing information should not overwrite anything stored in the browser’s cache, but it was doing so.
- For example, go to the reports manager as an admin, and open up “Personal reports”, and click on one of the nodes inside (the name of a user).
- Then open up the list of nodes (click on the [+] to the left of the user that you clicked on) and go to the “Columns” tab, and it will be empty.
- Click on “Refresh” and it’s back. Click on the user’s name in the tree on the left again, and click on the particular report again, and the columns are gone again.
- If you were to edit and save the report while it is not showing any columns, then it would save the report without any columns.
- This kind of problem could theoretically have caused unexpected data loss in other places, although we have had no reports of this having happened.
- This problem was introduced in August 2019.

Bug Fixes

BUGFIX I2407: Custom Location props not showing in UI except in search page
- If you add custom properties to Location, and then assign values to some of those for a location, then when you view the locations in the resource editor, it has no values for the custom properties.
- Using a search page, you can still see that values are set.
- You may need to set values either by an import or a checked-editing approach to observe this behaviour.
BUGFIX I2408 Location property editor not showing with hierarchy drop-down
- When you have a biskit that holds a dynamic property that references a Location, it was showing with a regular biskit drop-down rather than a drop-down that showed the full location hierarchy.
- That is, locations can be nested inside “larger” locations, and so the drop-down should respect that real-world relationship and produce a tree-like selector.
- This happened because when we cached information about locations, we recorded the name, but dropped the richer information required about who was nested inside who.
BUGFIX I2410: One-to-many table shows columns for hidden properties
- If you have a one-to-many property, and you set some of the properties of the child biskit to be hidden in the bakery, then they would display anyway when looking at the parent.
BUGFIX I2409: Edit location with parent having non-unique name shows in red
- Create a location hierarchy where there are multiple locations of the same name, and edit a child of one such location.
- Then the parent shows within a box having a red border, to indicate there’s an error, when there isn’t.
- The problem is that this wasn’t properly handling the situation where there were multiple items with the same name.
BUGFIX I2414: Booking requests page hides properties from booking subtypes
- If you have a booking request that is for a booking subtype, then the table at the top of the booking requests page shows only properties that on the base booking type.
- That’s okay. But when you click on a booking and its details show up below, it was still only shows properties that are on the base type and none of the subtype’s properties.
BUGFIX I2415: Error when add item to update a UserWorkflowEvent’s response
- From a user event in the workflow manager, if you add a Biskit Update action that changes the event’s response, then every time you add a new item to the list of properties to set (the green (+) button) it shows an error that tells you:
```
  "UserWorkflowButton is not mapped".
```

9.0.41 December 13, 2019

Changes

Make project filtering use a customisable option, default “all projects”
- The 9.0.40 option to allow the project drop-down on a booking to display projects for a particular user instead of all projects caused some confusion.
- In particular, the default behaviour changed inadvertently.
- When an admin or resource manager makes a booking, it used to show all projects, but changed to showing the booking owner’s projects.
- The old behaviour is now the new default from 9.0.41.
- However, there’s now a global preference and a user preference to choose the default option for which projects to display.
- This only has an impact when an admin or resource manager creates or edits a booking.
Add workflow functions toLower and toUpper for converting text strings to upper case or lower case.

Bug Fixes

BUGFIX: Biskit drop-downs sometimes not sorted by correct property
- When you have a biskit property, and the biskit it contains is set to be sorted by one of its numerical properties, then the sorting displayed can sometimes be alphabetical instead of using the property prescribed in the bakery.
BUGFIX: Remove info pop-up every time a biskit box is reconfigured
- 9.0.40 accidentally left a debug message turned on which would occasionally display for a few seconds in the bottom-right corner at various times.
BUGFIX: Booking Popup exceptions for users that can’t update owner
- When you change a property in the Booking Pop-up, it gave an error for any user that could not update the owner.
- Issue #2422, Ticket #1852

9.0.42 January 7, 2020

Changes

Add new date and date/time formats that support a two-digit year
- Date formats that include a year have always only offered a four-digit year.
- There are now additional options for a two-digit year as well as all the previous options.
Auto-select a value if booking popup filtering finds unique drop down value
- When a biskit-valued property on a booking is marked as required and not null allowed, and it’s configured for automatic filtering, and the filter finds only one possible value, and there is currently no value selected, then it will now automatically select that value.

Critical Bug Fixes

BUGFIX: user view sometimes does not display all projects owned
- Go to a user page, for example:
```
  #ba&type=Calpendo.CalpendoUser&action=view&id=8
```
  and it should show the projects owned.
- However, sometimes this will show a subset of the actual projects owned by the user.
- This is particularly troublesome because editing the user from this page would mean it’s treated as a request to delete projects that are not present.
- Issue 2434

Bug Fixes

BUGFIX: Anonymous HTTP events parsing POST params mishandled exotic chars
- If you have a form to Calpendo that goes to an Anonymous HTTP event, and the data in that form includes non-Latin characters (ie those that require UTF-8 encoding) then they would be garbled.
- Issue: 2432
- Ticket: 1538
BUGFIX: Create a copy of something with attachments does not work properly
- If you have a biskit which has attachments, and then create a copy of that biskit, then the new biskit did not create a new copy of the attachment(s).
- This is wrong because attachments are designed such that they are each owned by one specific biskit.
- So creating a copy of a biskit should create a copy of any underlying attachments as well.
- Issue 2401
- Ticket 1659
BUGFIX: Workflow function fromJson(String, BiskitDef) ignored the BiskitDef
BUGFIX: The standard workflow called “Project association requests” had errors in it that prevented it sending an email when a user changed the project request info.
BUGFIX: Finding path references in bakery can give NPE
- It is possible for a biskit update to select a biskit for update that has no known properties.
- In that case, if the user adds an item to set a value on one of the properties, it results in the property name being null.
- When looking for path references, it couldn’t then cope with something indicating it dealt with a property name that was null.
- So if you were then to ask for references to any property in the bakery, it would give an exception.

9.0.43 January 10, 2020

Changes

Add filtering of selectable booking types by permissions
- The drop-down showing booking types in the booking pop-up now automatically filters the drop-down values so that it won’t allow the user to select any value that permissions say they can’t choose for the current resource.
Allow auto-filtered booking properties to be auto-selected more often
- 9.0.42 added support for the automatic selection of a biskit-valued property on a booking when there was filtering of the available values that can be selected, and when there was only one non-null selectable value and when the booking property was marked as required and with null not allowed.
- 9.0.43 has removed the requirement for the booking property to be marked as required and with null not allowed.

Bug Fixes

BUGFIX: The read-only calendar did not expand things like ${version}
- If you have ${version} in your header (as defined in the global preferences) then this gets replaced by the current version number of Calpendo.
- However, the read-only calendar generated from workflows did not expand this, so you would get the literal text “${version}” in the output
- Ticket: 1921
- Issue: 2437
BUGFIX: Updating a booking in a non-vetoable event fails (part 1)
- This is a partial solution to issue 2438, which says that updating bookings in a database event triggered by the creation of the booking set to run outside the original transaction fails due to the resource being a hibernate proxy with an involve session.
- This works around it by not always needing to call a method on the resource.
- Issue 2438

9.0.44 January 13, 2020

Changes

Disable auto-filtering of custom properties on Booking storing a project
- Under rare conditions, you might add to booking a property that stores a project (as well as the standard property that stores a project).
- When you do this, the filtering that applies will kick in and only show projects owned by the current user.
- And yet if you add a property to store a project, this is probably not what you wanted.
- So an exception has been added so that custom properties on a booking to store a project will not be filtered in the normal way.
- They are, however, still filtered by permissions checks.
- So that does let you provide some filtering if required.

9.0.45 January 14, 2020

BUGFIX: Booking Popup shows some bad values in biskit-valued drop-downs
- Under some circumstances, biskit-valued drop-downs were showing the wrong thing.
- This bug was introduced in 9.0.40
- Tickets: 1943, 1950
- Issue: 2439

9.0.46 January 16, 2020

Changes

Change sort order of AuthenticationMethod biskit to be ‘sortOrder’
- In the authentication methods editor page, you can drag and drop the authentication methods to choose the order in which they will appear on the login page.
- That order is now also used for any sorting of authentication methods.
- In particular, it means that when you manually create a new user, the drop-down for showing authentication methods will be in the order you chose.
- Previously it was always alphabetical, which meant that you had no control over which authentication method was shown as the default when manually creating a new user.

9.0.47 January 30, 2020

Changes

Make user-based biskit-valued BookingPopup prop filtering use owner
- If you set up the structures required to enable filtering of biskit-valued properties on a booking popup according to which user is using Calpendo, then this is now based on the booking’s designated owner rather than the currently-logged-in user.
Add automatic Permission BookingPopup filtering of biskit-valued properties
- Currently, filtering of the biskit-valued drop-downs in the Booking pop-up is enabled by setting up appropriate one-to-many properties.
- For example, if Project has a property that stores many Grants, and Booking stores a Grant, then when you select a project, it will only offer you the grants that are stored on the selected project.
- Once this is enabled, then permissions will also be checked.
- The change we’re making now is that even if you don’t set up a one-to-many property anywhere for performing filtering, then it will still apply permissions.
- This only applies to biskit-valued properties.
- So if you add a permission that prevents a booking being created with a particular value of a biskit-valued property, then the drop-down for that property will not show that particular value.
Provide better information when a schema update fails due to having changed
- When you click the button to perform an update to the database schema in the bakery, it generates a set of SQL instructions that should be applied to the database.
- When you then click the “Apply Changes” button so that it applies that SQL to the database, then it first re-calculates the SQL it thinks it should apply.
- If the new set of changes is different, then it returns an error.
- This is a rare event, and would only happen when the SQL required is not unique, and so could be any of a number of possible scripts that would be effectively equivalent, although not exactly identical.
- When this happened, you would not be given any indication of what had gone wrong. It now generates a better error message and also creates a system event entry with the details.
- This problem was seen on a system with a custom BiskitDef that had child BiskitDefs, each of which had the same Biskit-valued property added to them instead of being defined on the supertype.
- This then meant that when adding a foreign key constraint for these properties, it would only add one foreign key constraint (since they were all effectively the same) but the name for it would depend on which of the child BiskitDefs it got to first.
- This order is not defined or even consistent, and so the SQL to update the database schema was not consistent.
Add workflow function “indexOf” to find the index of an item within a list
Add option for custom timeout to LDAPSearch function & default to 60 secs
- The LDAPSearch workflow function had a default timeout of 20 seconds.
- This isn’t always enough, so the default has now changed to 60 seconds.
- We’ve also added an overloaded version of the function that takes the same parameters except that it also takes a timeout.

Bug Fixes

BUGFIX: Copy & Paste in calendar copied automated properties
- You can click on a booking in the calendar and select a “Copy” option.
- Whenever you then click in the calendar to create a new booking, it will initialise the new booking with values from the booking that was copied.
- There was a problem whereby properties that are automated (for example they may be set up by a workflow) because they were also being copied.
- So a workflow could get confused when a booking is created and already has a property preset that it should not have.
- This applies to all calendars.
BUGFIX: BookingPopup filtering of biskits only checked perms for no repeat
- When applying permissions to the filtering of biskit-valued properties, we checked permissions to see whether a biskit-valued property could take each value that might be offered as a potential value in the drop-down.
- To do this, we looked at permissions whose resource was selected, and whose repeat was set to null, and all other properties were marked as unknown, apart from the particular property under test.
- This should not have set the repeat to null, but treated it as unknown so that we could have used permissions that affect repeats as well.
BUGFIX: “contains” function fails when list contains null or check for null
- If the lis/set you’re checking through contains a null value, or if you’re checking to see if null exists in the list/set, then the “contains” function gives an exception.
BUGFIX: Booking pop-up sometimes gets the list of selectable statuses wrong
- When you edit a booking from the calendar, it looks at permissions to decide which booking statuses you are allowed to choose.
- It then configures the status drop-down to only allow you to select those statuses.
- If there’s only one value that’s allowed, then the drop-down displays read-only.
- However, the way it checked permissions was too strict. It checked whether the booking’s status could be changed without changing anything else as well.
- The permissions check is now more lenient, so that it works out whether there are any changes to the booking which mean it would allow you to change the status as well as changing other things.
- This means that you will now be more likely to be able to change the status than before.
- However, the server will still apply the final permissions checks so that you can’t choose values on the booking that permissions don’t allow.
- Issue 2449
- Ticket 1922
BUGFIX: UserGroup and ProjectType could not save a set of tags
- If you add a property to a UserGroup or a ProjectType to store a set of tags, then the tags would not be saved to the database when you save the UserGroup or ProjectType.
- Issue 2450
- Ticket 1963

9.0.48 February 6, 2020

Changes

Make error messages much friendlier when a workflow vetoes a change
- If you create a VetoWorkflowAction and give it a suitable message, then the message the user saw had some text added to the end which wasn’t ideal, and which could easily be confusing.
- This has now been changed so that it appends something like:
```
  (Error code 1234#56)
```
  where 1234 is the workflow number and #56 is the action inside it that did the veto.
- This should make the message friendlier, but still helpful to those who want to track down where the veto came from.
Downgrade permission denied downloading attachment from error to warning
- When there’s a permissions failure as someone tries to download an attachment, it was sending an email back to Exprodo Software.
- This has now been disabled by treating the event as a warning and not an error.
Treat no users to email to as not being an error for an email action
- An email action logged an error in system events if there were no users to send the email to.
- This has now been changed so it’s treated as normal.
- This means:
  1. The system event still shows no users, but will be logged as info and not as an error.
  2. Child actions will now run where before they would not. This should match what would generally be expected.

Bug Fixes

BUGFIX: Default biskit renderer did not show upload/download on one-to-many
- One-to-many properties display with a table that allows a CSV upload/download so you can build the contents in an external spreadsheet application.
- However, this did not always display.
- For example, create a dynamic biskit for a partent, and a dynamic biskit for a child, and it would not display the upload/download buttons.
BUGFIX: Children of a one-to-many did not display in their sorted order
- If you specify a property to sort by for a biskit that is the child of a one-to-many property, then the children should be displayed in the appropriate order, but they were displayed in a random order.
BUGFIX: Double booking rule fails when using subtypes of resource
- Set up a subtype of resource, and make bookings for it, then a double booking rule would fail to notice when you were making a booking at the same time as a pre-existing booking.
- Ticket: 2458
BUGFIX: Click in bookings calendar month view gave an exception
- The filtering added recently in the booking pop-up produced an exception if there was no resource automatically selected when you click in the calendar.
- There is never a resource selected automatically in the month view, and sometimes in other views.
- Ticket: 2091
- Issue: 2459
BUGFIX: Version number checks on new biskit can fail and so prevent update
- Some biskits have a version number on it.
- Every time they are saved, the version number is increased.
- We can use this to make sure that when you update something with a version number, you always started editing with the latest version.
- This helps to avoid accidentally overwriting information.
- However, sometimes a biskit is created and it is immediately updated by a workflow.
- For example, when a repeat booking goes into the past, a new non-repeat booking is created to represent the now historical part of the repeat.
- If you have workflows that modify newly created bookings, then this will act on this new booking. At this point, the transaction that created the booking has not yet been committed. So any update to the booking that looks at the old version of the booking in the database will find nothing.
- So if there’s a version number check, it would fail because it thought you didn’t have the latest version.
- Whereas there was nothing in the database so whatever you have should be treated as the latest.
- Ticket: 2089
- Issue: 2460
BUGFIX: Workflow changing new RepeatableHandler booking fails system event
- When a repeat booking goes into the past, RepeatableHandler creates a new non-repeat booking to represent that historical version, and then modifies the start date of the repeat.
- There’s no real user involved in this because it happens automatically.
- If a workflow then modifies that newly created booking, then there’s still no real user involved.
- A system event was created that referenced a fictitious user created for the workflow to do permissions checks - but system events should never reference these temporary fictitious users, and the attempt to do so could cause the workflow to fail which in turn caused the RepeatableHandler to fail to complete its work.
- Ticket: 2089
- Issue: 2461

9.0.49 February 7, 2020

Changes

Add ldapSearch workflow function with parameter for max result size
- The existing versions of the ldapSearch workflow function assume you want an unlimited number of results from the LDAP server.
- This adds an option to choose the maximum number of results you can receive.

Bug Fixes

BUGFIX: Workflow function createList did not create a list
BUGFIX: List of DateRange values could not be handled in workflows

Whenever you reference a variable value in a workflow, for example by specifying a value that should be passed to a function, and you indicate a property that is a list of DateRange values, then the actual value retrieved would be null instead of the value the list had.

9.0.50 February 12, 2020

Changes

Make messages given during a password reset procedure more user friendly

Bug Fixes

BUGFIX: Custom label for no booking type from bakery ignored
BUGFIX: Checked edit of an attachment property gives an exception
- When you try to update a biskit with a checked-edit, it fails with an exception.
- Updating properties can be done in one of two ways - fast or regular.
- The fast method is typically invoked using a checked-edit from the UI, but it can also be done at other times.
- In this case, it was triggered via a stepped-edit process, but you could demonstrate it with a checked edit just as well.
- Ticket: 2073
- Issue: 2465
BUGFIX: Some systems show the wrong labels in the layout editor
- In particular, this is for the “Display in columns” option, which should have a “true” text of “Display children in a single column”, but for some people would show a much longer text which was actually the help text for the item instead.
- The “false” text should have been “Display children in multiple columns”, but was actually showing as “Display children in a single column” instead, which was very confusing!
BUGFIX: Exporting PropertyDef did not save ReferenceDeletionOption
BUGFIX: Edit/save project BiskitDef without changes can generate errors
- If you edit the definition of Calpendo User in the bakery, and click on the projectsOwned property, then any systems that have this set to NO_ACTION would find it automaticlly change to CASCADE.
- This would then generate a warning when doing a validation of the biskit definitions because CASCADE is not compatible with having the inverse property of a one-to-many (in this case, Project.owner) set to not being “required”.
- Issue: 2464

9.0.51 February 19, 2020

Changes

Add “Primary Key” as an option for the type of an integer property.
- This does not affect the display or content of an integer property in any way.
- It will be handled exactly the same as if it had been set as “UNCONTRAINED”.
- The difference is that when a property marked as storing a primary key is found while upgrading to version 10, it will automatically be converted from an integer to a long integer..
- This serves as a mechanism for indicating to the upgrade procedure that you want this to happen (since primary keys are stored as long integers in version 10).
- The upgrade instructions for version 10 will specify that any custom integer properties that store a primary key should be marked as such. It is expected that the need for this will be relatively rare.
Add auto-filtering of selectable projects based on permissions
- If you create a permission that denies the right to create or update a booking based on the project being a certain value, then the booking pop-up will no longer offer that as one of the options in the project drop-down.
- For example, you might have a permission that denies the right to create a booking with an expired project, and another permission that denies the right to update a booking with the new booking’s project being an expired project. This would result in the user not even being able to choose an expired project from the drop-down on the booking pop-up.
- Typically, for the update side, you would have the permission conditions set so that it only applies when the new project is different from the old project.
- Otherwise you would not be able to modify any booking that referenced an expired project unless you changed the project.
Auto filter Booking pop-up drop-down for owners according to permissions
- The selection of users that appear in the owner drop-down on a booking is now filtered according to permissions so that there are fewer users to select from.
- This means you should set permissions to deny the ability to create a booking with a particular owner, and to deny the ability to update a booking with a particular owner.
- This might mean that you refuse bookings with an owner whose status is expired or blocked, for example.
Tweak error messages on client login failing to send to the server
- It wasn’t clear from an LDAP authentication failure whether a failure to “connect to the server” was browser to Calpendo server, or Calpendo server to LDAP server.
- This should make things clearer.

Bug Fixes

BUGFIX: Changes made by booking rule workflows not rolled back on rejection
- If a booking is rejected by a rule, but after a workflow was triggered while checking rules and the workflow changed something in the database, then the change would remain.
- This commit changes it so that anything done by a workflow is rolled back when the booking is rejected.
BUGFIX: Boolean properties giving exception when rendering null value
- Boolean properties should be only true or false.
- The editor does not offer an option to select null, but should handle values that already null when we try to display it.
- But this wasn’t working properly, and so you could get an exception displaying a boolean property with a null value.
- Ticket: 2123
- Issue: 2468
BUGFIX: Update schema with Biskit prop having no BiskitDef gives bad error
- The user interface won’t let you do this, but if there is a BiskitDef that has a Biskit-valued property that does not specify the type of biskit it stores, then updating the DB schema generates an exception that doesn’t tell you specifically what’s wrong.
BUGFIX: Custom SQL commands run in bakery give error when too large
- When running hand-written SQL in the bakery (which you can only do if you have the root role), if there were many lines of SQL in the snippet you asked to run, then the server would execute them correctly, but could then run out of memory while populating the response to the server.
- It was building a response that was unnecessarily large.
- (Every line of input was sent back to the client with a complete copy of all lines executed).
BUGFIX: Deny exists on projects gives exception choosing calendar resources
- Issue: 2469

9.0.52 March 3, 2020

Changes

Add workflow functions getAsPrimaryKey and getAsPrimaryKeyList
- These are being added to help make upgrades to version 10 smoother.
- Version 10 has long values for primary keys and not integer values.
- So if you have a workflow that converts a string to an integer and then uses it as a primary key, for example by passing it to the “find” function, then this will not work in version 10.
- By changing appropriate calls to getAsInt or getAsIntList to getAsPrimaryKey or getAsPrimaryKeyList, then these functions will be converted in version 10 to return a long instead of an int.
- This may not fix all workflows, but it is a part of the way we will make upgrades work.
- This means that before upgrading to 10, calls to getAsInt/getAsIntList should be examined.
- This will be described in the release notes for version 10.
Show only one non-numeric item by default when creating a chart
- This avoids there being too many different strings shown on the Y axis which makes the thing impossible to read and useless.
Add support for hiding the menu bar on some pages
- Whenever you visit a page, there’s a “breadcrumb” that shows which page you’re on.
- This is displayed in the top-right corner.
- There are some circumstances when you might want a page that hides the entirety of the menu bar.
- This can happen when you have a stepped-edit process that you want to initiate and then hand over to people that are not normally users.
- To make this work, you must add some custom CSS to the Global Preferences on the Appearance tab.
- There are two ways to hook in to this:
  - There’s the history token (the part of the URL after the # and before the & if there is one),
  - and the page label (the text that shows in the breadcrumb).
- You would add a CSS entry like this:
```
  .exprodo-historyToken-userSearch .exprodo-primary-menubar
  {
    visibility:hidden;
  }
```
- to hide the userSearch history token, but leave space for it to display and like this:
```
  .exprodo-historyToken-userSearch .exprodo-primary-menubar
  {
    display:none;
  }
```
- to hide it and not leave space where the menu bar used to be.
- To hide it via the page label, you would use this:
```
  .exprodo-page-UserSearch .exprodo-primary-menubar
  {
    visibility:hidden;
  }
```
- Ticket: 3302
- Issue: 2477
Optimisation: User workflow buttons had permissions applied too often
- When a user logs in, we check to see which workflow buttons they have permission to see.
- It checked permissions to filter out hidden buttons more than it should have.
- This isn’t a security issue because it functioned correctly.
- It was just less efficient than it should have been.
Hide “Groups” tabs when creating user, resources and projects
- These tabs don’t function properly until the main biskit has been saved, so the tab is no longer displayed until that point.
Prevent non-Exprodo and non-root users from changing Exprodo users
- All systems have an “Exprodo” authentication method. This uses proxy.exprodo.com to authenticate “Exprodo” users, and relies on
  1. the user existing on proxy.exprodo.com
  2. the user existing in the Calpendo you’re logging in to
- In order to provide support, some Calpendo systems include users for Exprodo Software staff to use that are authenticated using this “Exprodo” authentication method.
- This update now means that you can’t modify these Exprodo Software users in any way except by either an Exprodo Software user or root users.
- Note that Exprodo Software user accounts do not count towards your licensed number of users.
- Anybody hosting their own system should have root access, in which case this change should not make any real difference.
- For those we host, then having access ourselves is essential to the support we provide.
Remove the right to remove roles from users you don’t have
- Permissions correctly stop you from editing users you shouldn’t.
- But there’s a restriction that you can’t add a role to a user unless you already have that role (or you have the root role).
- So if you make a mistake and remove a role from a user that you don’t have, then you wouldn’t be able to add it back.
- Also, it doesn’t feel right to allow users to remove roles from other users they don’t themselves have.

Bug Fixes

BUGFIX: Double booking rule fails across resources when one has no project
- If you have a double booking rule across resources A and B
- and A does not require projects
- and B does require projects
- and the rule should prevent you from booking B with a particular project
- when there is already a booking for A
- then the rule would allow all bookings
BUGFIX: Charts showing MappedInt and integer/double properties gave error
- By default, they would both be put onto the same Y axis, but since one displayed as a string and the other as a number, it confused things.
BUGFIX: Report with count distinct can generate errors
- If you create a group booking report that shows the project and owner, and then set an aggregation on project so that it counts the number of distinct projects for each owner, then if there are multiple projects for at least one owner, the report fails and generates an exception.
- Issue: 2476
BUGFIX: Booking pop-up showed type with a drop-down in read only mode
- This happened as a result of the recent changes that introduced filtering for the booking type drop-down.
- It didn’t mean you could change the tyoe, only that in read-only mode there was a drop-down whose value could be changed without any mechanism for saving that change.
- Issue: 2478
BUGFIX: UserIdentity display gave exception when given shallow UserIdentity
BUGFIX: Workflow permission roles behaved like writeable in read only mode
- On a workflow action’s “Control” tab, the permissions section showed roles.
- When viewing a workflow, you could click on the roles and get a drop-down that would let you change roles.
- This should not have happened in read-only mode.
- It did not, however, offer any mechanism to save any change you made.
BUGFIX: Cannot save LabGroup if userIdentity displayed in biskit list
- The user identity stored on a user is an object that doesn’t have a separate ID, but lives as an integral component of the user.
- When you set up a LabGroup biskit with a one-to-many users, and the users display their identity in a list, then the data transported to the server for a LabGroup doesn’t properly handle that user identity.
BUGFIX: Download of partial data could overwrite browser cache
- Suppose:
  - you create a biskit type X that contains a set of users in a one-to-many property (so you have a set of users)
  - and that you also have a property on X that references a user (for example a principal investigator)
- then editing an instance of X and setting the principal investigator to a user that happens to be in the set of users linked to that X would cause the information for the user you selected to be lost from the browser cache.
- This could be seen if you saved the X biskit, and then clicked on the link to the new principal investigator, and it would not show you all the detail for the user, but indicate it was hidden.
Reading data from JSON could initiate our end-of-stream processing multiple times.
- Sometimes, data in JSON represents an object without providing all the details for that object. For example, when sending a project to the server, the JSON would indicate the project owner by specifying the ID of the user without all the details of the user.
- When reading the data in, at the end we mark all those objects that were loaded without having full data associated with them.
- This process could be done multiple times.
- This is wrong not only for efficiency sake, but also because objects might be present multiple times, once with full data and other times without data.
- The ordering of the objects may vary, and so it might introduce an error to execute the end-of-stream processing early.
BUGFIX: Workflow function “expandRepeats” did not include the last repeat
BUGFIX: Search page lets you search for all items, regardless of visbility
- Every BiskitDef has an assigned visibility.
- The intention is that when you go to the search page, you will only have the option to search for things that are within the visibility you’re been assigned.
- However, the search page was allowing you to search for everything regardless of who you are.
- This means that regular users would face a choice of searching through lots of data types that they should not see; for them, the extras are just clutter.
- This works by looking at the roles the user has:
  - If you have the root role, then you can search for anything.
  - If you have the admin role but not the root role, you can search for anything with visibility of ADMINS, USERS, EVERYBODY
  - If you have neither root nor admin roles, then you can search for anything with visibility of USERS or EVERYBODY
- Issue: 2429

9.0.53 March 16, 2020

Security Bug Fix

Prevent illicit SystemCommand actions being run
- There were default permissions designed to prevent people from running system commands from a workflow that you don’t want to allow.
- However, they were only added to systems that were already installed by November 2017, and not the new ones that have been created since.
- This update adds them to all current systems and also to any future systems too.
- This means that anybody who has admin rights would have been able to create a workflow which ran any system cammand.
- Since this is limited to those with admin access, it’s unlikely to have had a significant impact.
- This update closes this problem.

Changes

Add support for PublicResource to store dynamic properties
- For example, you might want to add tags to a public resource

Bug Fixes

BUGFIX: Disble everyone-can-read-for-everyone permission breaks system
- In a typical system, you would have a permission that allows everybody to read everything, and then you would layer on top of that permissions that prevent read access for the things you need to protect.
- If you disable that everyone-can-read-for-everyone permission, then nobody, not even root, was able to log in.
- This was due to the way the details about authentication methods were handled.
BUGFIX: Failure to save global preferences means future updates ignored
- If you save global preferences while the temporary directory is set to a directory that does not exist, then the preferences are not saved, which is correct.
- But the browser has updated its copy of the preferences anyway.
- So if you save the global preferences again (after fixing the temporary directory) then it won’t necessarily send any other changes you made to the server because it thinks they were already dealt with.
- For example, everything on the email tab behaves like this.
- So:
  - Edit global preferences
  - Set the temporary directory to a non-existant directory
  - Set the SMTP host to XXX
  - Save global preferences, which fails due to bad temporary directory
  - Change temporary directory to something real
  - Save global preferences
  - The SMTP host on the server is now NOT changed to XXX
  - But the browser makes it look like the setting is XXX
  - The work-around was to change it (eg to YYY), save it, then put it back

9.0.54 March 23, 2020

Changes

Add support for Calpendo Activity Recorder (CAR) for to record info offline
- The soon-to-be-released CAR version 2.0 will add support for handling temporary loss of connectivity to Calpendo.
- CAR can be configured to accept users while disconnected.
- For this to work, Calpendo now needs two things:
  1. to be able to recorder whether CAR accepted the user in information we receive later, when CAR reconnects.
  2. to be able to accept a message from CAR containing multiple items. Previously, every contact from CAR contained only a single item.
Add workflow function countRepeats
- This works similar to expandRepeats, except that instead of expanding the resulting biskits, it will simply return the number of repeats.
- Use this if all you want to do is to count the number of repeats something would have.
Widen the pop-up showing recipient email addresses in the Send Email page
- The pop-up showing the recipients in the “Send email” page was not wide enough for some email addresses.
- Issue: 2487
Added version of workflow functions first and last that gives the first and last item in a list of DateRange.
- These functions already handled lists of other types, but not DateRange.

Bug Fixes

BUGFIX: expandRepeats function did not behave as documented on non-repeats
- The documented behaviour for the expandRepeats workflow function is that when you give it a non-repeating booking, it appears once in the resulting expansion.
- However, if you ask for the expansion to be from or to a null date, then it failed with an exception rather than doing what the documentation said.
- Issue: 2492
- Ticket: 3433
BUGFIX: Adding date or date-time properties to global preferences breaks UI
- If you add some date or date-time properties to Config or CalpendoConfig in the bakery, then when you go to the global preferences page, you can enter values for those properties.
- Once you enter any values, if you refresh your browser and go back to the global preferences page, you get an exception and cannot use the global preferences page.
BUGFIX: “first” and “last” workflow functions only worked for biskit lists
- If you have a list of something other than biskits, then the first and last functions both always returned null.
- Issue: 2485
BUGFIX: expandRepeats added one too many days when told number of days
- There are versions of the expandRepeats workflow function that take a number of days to expand.
- When you specified a certain number of days, it always included one day too many.
BUGFIX: Function workflow actions convert fixed DateRange values to null
- If you have a function workflow action that takes an argument of type DateRange, and you specify a fixed value for it, then on saving the workflow, the fixed value would be saved as null instead of the value you entered.
BUGFIX: Sending email via checked selection from list selects wrong tab
- There’s a feature whereby you can email people by first creating a search to find them, or find objects that reference users, and then from a list you tick the check boxes for the items to receive an email, and click the “Send Email…” button.
- That gives you a pop-up so you can select a path to be taken from all items selected, where the path must lead to a user, user type or email address.
- That then takes you to the “Send Email” page, with the relevant user, user types or email addresses filled in.
- This feature is enabled in global preferences on the “Buttons” tab where you should select the “Send Email” option.
- All this already worked.
- When selecting email addresses to send to, it worked as expected.
- The email addresses were added to the BCC section of the email, and the BCC/Email Addresses tab was auto-opened in the Send Email page.
- If you selected either users or user types, then the users and user types would also be added to the BCC section, but it was the “TO” tab that was auto-selected.
- We now automatically open the correct tab so that it becomes obvious to the user that it’s picked up the relevant users or user types from the search.
- Issue: 2486

9.0.55 March 31, 2020

Changes

Auto-select the booking type when BookingPopup has only one possible value
Add workflow function “parsepk” to replace toInt when used for primary keys
- This is an aid to upgrading to version 10, where primary keys are longs and not integers.
- If you have a workflow function action that calls the function “toInt”, and it’s parsing text that contains a primary key of a biskit, then the function call should be replaced with one that calls “parsepk” instead.
- That way, it will be converted properly to longs when the upgrade to version 10 is done.
- This will be covered in the upgrade notes for version 10.
Add individual biskit update action properties changed to its declared refs
- The workflow manager shows references between events and actions on its “References” tab.
- A Biskit Update Action previously added an item to the references tab for the biskit it updated (plus any values it uses to assign to that biskit).
- In addition to this, we now add to the References tab an entry for each of the properties set so that the linkage is more visible on the References tab.
Add properties for storing primary keys to deprecated Registers biskit
- Before the “Create Variables” workflow action existed, the general practice for storing and handling variables in a workflow was to create an instance of a biskit called “Registers”.
- This biskit was created specifically for this task.
- A Create Variables action is far superior to Registers because you can name the variables, where Registers only has generic names like ‘int1’, ‘string2’ etc.
- New workflows should therefore always use Create Variables and not Registers.
- We have now added new variables called pk1, pk2, pk3 etc to Registers that are integer valued and that are used for storing a primary key.
- When such a workflow is upgraded to version 10, these variables will automatically be switched from an int to a long.
- We have introduced this change to Registers so that any existing workflows that use a Registers biskit can be modified in version 9.0 in such a way that they can be upgraded more cleanly to version 10.
- This will be covered in the upgrade notes for version 10.
Allow custom search pages to have a much longer descriptor
- The descriptor is what specifies the custom search options.
- It was previously limited to 255 characters.
- This has now been increased to 4096.
Add checks for potential bug when applying permissions to clean data
- This will log errors with the message “Shallowify modifying a HibernateProxy” if the code is triggered.
- This is here to help us check for possible errors and provide the information we will need to track it down and fix it.

Bug Fixes

BUGFIX: Dynamic biskits on user settings that reference users breaks login
- If you added a property to user settings that held a nested reference to a user or users, then the login would fail.

9.0.56 April 23, 2020

Changes

Add extra info to new checks added in 9.0.55
- 9.0.55 added a new check for a potential bug that could create a system event error with the message “Shallowify modifying a HibernateProxy”.
- We have now added some more information to the message to help us understand the issue better.
Prevent display of “groups” tabs when you have no permission to change them
- When viewing a user, project or resource, it displays a tab that shows the UserGroups, ProjectGroups and ResourceGroups (respectively) it belongs to.
- This has been changed so that it no longer shows the tab unless the user has permission to modify UserGroups, ProjectGroups or ResourceGroups.

Bug Fixes

BUGFIX: Selecting a biskit type from a BiskitTreeEditor can give an exception
- Suppose:
  - You have a BiskitDef of type X
  - You have an integer property on X
  - You set that property as the sort value for X
  - You have a BiskitTreeEditor page showing X biskits
- Then if you:
  - Select one of the X in the tree
  - Refresh your browser so it starts with a clean slate, selecting the same X biskit
  - Select “X” itself in the tree, to show a search of X biskits
- This will then give an exception.
BUGFIX: Over-zealous cleaning of data applied where it should not be
- The new checks added in 9.0.55 for a potential bug when cleaning data sent to users showed we had an issue.
- We now avoid cleaning some data in situations where it’s unnecessary because it couldn’t be sent back to the user anyway.

9.0.57 April 27, 2020

Security Bug Fixes

SECURITY BUGFIX: Search for item where tag matches string with quote fails
- If you have a property set up to contain tags, and then perform a search that checks whether it can find something containing a particular tag, and happen to choose a tag with a quote in it, then this would fail.
- The manner in which the request was generated could possibly be exploited to generate a SQL injection attack, where a specially crafted query could allow somebody to run a custom query against the database.
- This was specific to properties that store tags.
- These properties are not in widespread use by Calpendo sites, so the vast majority could not have been affected.
- We believe it is extremely unlikely that this has been exploited.

9.0.58 May 12, 2020

Changes

Remove the restriction that prevents to create active resource usage starting in the past.
- This is to aid CAR (Calpendo Activity Recorder) operating in a “temporary offline” mode, whereby it sends usage information to Calpendo when online after a period of having been offline but still collecting data.
- Calpendo 9.0.58 is now the minimum version required for full compatibility with the soon-to-be-released CAR 2.0.
Add a “defined by” section to the help text for a custom function
- When you look at a function action in the workflow manager that calls a custom function,it would be helpful to know where that function is defined.
- Click the (?) help button, and it now shows which event and workflow defines it, as well as the usual description about the function parameters and returns.

Bug Fixes

BUGFIX: 4-param version of workflow function “intersect” gave exception
- Every time you called the version of the workflow function called “intersect” that takes 4 parameters, it would give an exception.
BUGFIX: User settings wouldn’t show default project or let you choose one
- This depended on permissions, but would normally be the case.
BUGFIX: User settings for non-admins showed useless default project filter
- In user settings you can select your default project.
- For admins, next to that there’s a configuration option to choose whether to include in the selectable projects all approved projects or your own projects.
- For non-admins, the button to trigger this drop-down was displayed, but it showed an empty drop-down.
- The button is no longer visible for non-admins.
BUGFIX: DateRange function input/output values not visible in system events
- If you call a workflow function that either has an input or an output that is a DateRange, then the system event created to represent that shows the DateRange as “UnknownType#0” with a link that doesn’t work.
BUGFIX: Handling repeats at system boot can trigger before fully booted
- If Calpendo boots and finds that there are repeat bookings or templates that are in the past and need to have the past instances carved off, then it starts on that work at boot time.
- However, it starts working before the system is fully booted.
- This can lead to exceptions at boot time.
- Typically, this is not a problem in production because a system isn’t usually down long enough to accumulate past repeats.
- This is mostly about what happens at test or development time instead.
BUGFIX: Timer events at system boot can trigger before fully booted
- If Calpendo boots and finds that there are timed events that are overdue, then it starts on that work at boot time.
- However, it starts working before the system is fully booted.
- This can lead to exceptions at boot time.
- Typically, this is not a problem in production because a system isn’t usually down long enough to accumulate missed timed events.
- This is mostly about what happens at test or development time instead.
BUGFIX: Memory leak every time a warning or error is logged
- Every time a warning or error is logged, this resulted in using some memory that was never released.
- If there were a significant number of these, then it could take down Calpendo such that it would require a restart.

9.0.59 May 15, 2020

Bug Fixes

BUGFIX: Exception loading bookmark menu item where no EXISTS perm on resources
- If you load a bookmark from a menu item where the bookmark indicated contains resource to which you have no EXISTS permission, then you would get an exception.

9.0.60 June 2, 2020

Changes

Add support for CreateVariables to create a list of email addresses
- This can then be populated and used as the target of an Email Workflow Action.

Bug Fixes

BUGFIX: Variable Replacer cache garbage collection running too often
- The garbage collector for the cache of expressions used in parsing templates for references to values that should come from the database was running every time we checked whether it was due.
- This now only runs when we think it is due.
BUGFIX: Workflow buttons don’t show on the user, project and booking requests pages
- These pages are special in the way they work, and so they didn’t already show any workflow-generated buttons you may have configured.
- Now they will. Note that these pages always operate in write mode and never in read mode, so they only show workflow buttons that are configured to appear when updating a biskit.
BUGFIX: Boolean properties ignore custom true/false text on calendar
- Booleans wouldn’t display custom true/false text (if set).
- Issue: 2359

9.0.61 July 1, 2020

Changes

Remove licence information from outgoing email headers
- Outgoing email have an X-Mailer option that says which version of Calpendo is used, and who it’s licensed to.
- The licence information has been removed.

Security Bug Fixes

SECURITY BUGFIX: authenticate workflow function password saved in sys event
- There’s a workflow function to authenticate a user’s password.
- This is used in one Calpendo to the best of our knowledge.
- When this is used, it should be done with the recording of system events turned off.
- If system events are turned on, then the password would be stored in system events where it records information about the arguments and returned values from workflow functions.
- This has now been changed in two ways:
  - Values passed for the password are considered private and do not appear in system events.
  - If you have this action configured to record system events when it runs, then a warning is logged so that this might draw attention so it can be fixed.

Bug Fixes

BUGFIX: Number of bookings rule failed with booking-to-match conditions
- If you used a number of bookings rule, and used it with conditions that relied on comparing against the booking-to-match, then it would behave as if the booking-to-match were null.
- This required that we add the context for the booking-to-match to the search.
BUGFIX: Workflow search to refine a list gives exception if input list null
- Previously it would give an error when you did this.
- This was by design,but it didn’t make much sense.
- Issue: 2563
BUGFIX: “An error occurred on the server” message displayed on login
- In 9.0.55, a change was made to log an error when a situation was detected was could indicate something being wrong when removing data before sending to a user.
- There was a fear that this could accidentally remove data from the database, although we’d never seen it happen.
- It’s now clear that the messages were being generated in situations that could not have been any kind of problem.
- So these messages now apply an additional test to check the conditions under which data is being cleaned.
- This should remove most if not all of these error messages.
BUGFIX: Exception selecting bookmark page after switching menus
- For example, if you log in as root and use the menu editor to switch menus and then pick off the menu a page that selects a calendar for a bookmark, then you get an exception.
- You can get the same thing using the “Settings” page to change your menu.
- Issues: 2558, 2501
BUGFIX: Exception creating project by edit user and their “projects owned”
- This has been fixed by enforcing user.projectsOwned to be read-only even when editing a user.
- The reason for this is that it doesn’t make sense to create projects in this way, so this change forces users to go to the project page to do it instead.
- The problem with this is that user.projectsOwned is a one-to-many property and creating projects there would imply that the user truly owns the projects.
- But they don’t in a technological sense: if the user is deleted, then any one-to-many biskits they own would also be deleted.
- But that’s not how one would want projects to work.
- A project has its own life separate from the user marked as its owner.
- Consequently, you can’t create a project by editing a user, just like you can’t create a user by editing a project.
- Issue: 2506
BUGFIX: Cancel creation of service order, leave page, go back and blank
- If you go to the available service page, click the link to order one of the services, then click the cancel button, it takes you back to the available services page.
- If after doing that, you leave and go to another page, and then go back to the available services page, then the page is completely blank.
- Issue 2576
BUGFIX: TotalTimeBooked over all time does not expand pre-existing repeats
- When a total time booked rule is asked to limit the amount of time somebody has booked across all time (rather than in a window of for example every 7 days), then pre-existing repeating bookings in the database were not expanded.
- This means the rule was not noticing when some situations should have been prevented from booking.
- Issue: 2560
BUGFIX: Typing into text boxes in BookingPopup is sometimes very slow
- We perform filtering of drop-downs in the BookingPopup, and that is triggered by making a change to the values in the booking.
- When the permissions are sensitive to changes in text properties, then typing into those boxes was triggered this filtering at every key press which caused terrible performance.
- We now do the filtering only after there’s a period of no typing, and only once as well.
- Ticket:3741
- Issue: 2577

9.0.62 July 30, 2020

Changes

Add bookings calendar menu item to create new booking if click booking
- When you click on an existing booking or template, there’s now a new item in the pop-up menu to let you create a new booking (or template).
- This makes it easier when you want another booking alongside existing bookings (particularly in the horizontal or vertical views).

Bug Fixes

BUGFIX: Occasional exception viewing the calendar (complains about shallow bookmark elements)
- This is a problem we’ve received reports on, but the problem does not occur reliably.
- We have a fix that does fix a bug that might be the cause of this, although we can’t be certain because of the sporadic nature of the problem showing itself.
- Tickets: 3890, 3972, 3975
BUGFIX: Hidden PRS properties lose values when edit/save a project
- If you set up some properties on ProjectResourceSettings that are not visible (perhaps because they are automated and store a calculation that’s part of the working out, and doesn’t need to be public), then when you edit a project and save it, any values in those properties will be lost.
BUGFIX: Exception on changing parent of Locations
- If you edit a location to change its location from one parent to another, then you get an exception.
- This bug was introduced in version 9.0.5

9.0.63 Aug 11, 2020

Changes

Add hostname & osDomainName to RemoteUserIdentificationRequestWorkflowEvent
- We now provide the hostname and osDomainName of the remote system so that it can be used as a part of a strategy that maps remote actual usage users to Calpendo users.
- This is used when the Calpendo Activity Recorder (CAR) is running on a PC and you allow users to log in without using Calpendo as the authenticator, and so you need to map the PC users to Calpendo users.

Bug Fixes

BUGFIX: SDM exception editing event from calendar if set subject
- If you start with an event that has no subject and then set one in the calendar, then it gives an exception
BUGFIX: string conditions with a relation of “matches” causes SQL syntax error
- Issue 2529
BUGFIX: Biskit column would sort alphabetically instead of by sort order
- When you see a list of biskits, and click on the heading of a column then the list is sorted by that column.
- If that column happens to contain a biskit, then it should be sorted by that biskit’s natural sort order.
- However, it was sorting alphabetically instead.
- Issue 2555
BUGFIX: Bookmark wouldn’t instantly appear in new owner node after edit
- Issues 2615 and 2614
BUGFIX: SDM calendar exception if hover mouse over event after set subject
- If you have an event without a subject and then set a subject, and save it, and then hover your mouse over it in the calendar, then it generates an exception.
BUGFIX: listening for database events for workflows leaks memory
BUGFIX: No orderly shutdown of WorkflowManager.TriggerStack ThreadLocal
- Apache Tomcat gave a warning about memory leaks on shutting down Calpendo that relate to a ThreadLocal in the workflow manager.
- This would generate a memory leak if anybody self-hosting their Calpendo unloaded and reloaded Calpendo instead of doing a full tomcat restart.
BUGFIX: No orderly shutdown of EventContext thread when server stopped
- Apache Tomcat gave a warning about memory leaks on shutting down Calpendo that relate to a EventContext thread.
- This would generate a memory leak if anybody self-hosting their Calpendo unloaded and reloaded Calpendo instead of doing a full tomcat restart.
BUGFIX: Typo in message given when click “Run now” on a report in manager
- When you click “Run now” in the report manager on a scheduled report, it said “Emailed report to to N recipients”, doubling the “to”.

9.0.64 September 8, 2020

Changes

Add extra verbose configuration option for seeing workflow permissions info
- This is a verbose setting with the name:
```
  com.springsolutions.exprodo.core.server.workflow.WorkflowManager:permissions
```
- When looking for permissions-related verbose settings, this would show up if you searched for “perm”, which is recommended practice.
Display warning to user if they set relative time event to month offset
- Month offsets are not recommended because they don’t always behave the way you expect.
- For example, if you ask for an event to fire one month before a booking, what should happen when the booking is on March 31?
- When is one month before March 31?
- The way it works is that it takes off a month, to get to February 31.
- But there aren’t 31 days in February, so this is rounded off to March 2 or March 3.
- There is no good and right way to do this, and so we recommend avoiding month offsets where possible.
Make Sort Workflow Action put biskits with null keys last, not remove
- When sorting biskits, if you ask to sort using a property, and some of the biskits had a null value in that property, then those biskits were automatically removed from the sorted list.
- In version 10, you have the option to choose how this works.
- In 9.0, the nulls will appear last when sorting increasing, and first when sorting decreasing.

Bug Fixes

BUGFIX: Excel and CSV reports and biskit name format all ignored PK props
- Any integer property marked as being of type PRIMARY_KEY would not appear in:
  - Any xls or xlsx files generated for a report
  - Any CSV or TSV file generated for a report
  - The biskit name of a biskit, when the format specifier on the BiskitDef indicates it should use a PRIMARY_KEY integer property value
BUGFIX: Relative time events fire at wrong time for month/year
- When you specify a relative time event to fire a some months or years before or after a time, the calculation used was wrong.
- It was using the average duration of a month/year, and using that to calculate when to fire.
- It now will add a whole multiple of months or years.
- Note that this will still not work as you expect for months, and it is in general recommended to avoid relative time events a given number of months before or after a time.
- For example, if you have a booking on March 31, and you have a relative time event that fires a month before a booking, that means it should fire on February 31.
- But since there are only 28 or 29 days in February, that means the event will fire on March 2 or March 3.
- While one might argue that this is wrong, I would argue that there is no good, single, correct answer to the question of the date that is one month before March 31.
- Therefore, it is best to avoid date offsets of a month.
- Issue 2649
BUGFIX: Usage recorder complains “Please select a resource” on first use
- On first use, even when there’s a resource preselected, you get a pop-up message asking you to select a resource.
- Issue: 2670
BUGFIX: Sort Workflow Action treated null dates as if they were Jan 1, 1970
- When sorting using the Sort Workflow Action, dates were handled differently from other sort values.
- We now treat them the same as other properties.

9.0.65 October 13, 2020

Bug Fixes

BUGFIX: users can make active any resource usage when they use Search page
- ResourceUsage finishing in the past cannot be currently active.
- Issue 2600
BUGFIX: Layout editor tab buttons spread out with huge gaps in edit mode
- This affects Chrome-based browser, but not FireFox
- Issue: 2682
BUGFIX: Biskit drop-down list hides items with repeated names
- This (very old) bug shows in a quite rare circumstances, requiring very particular conditions.
- Issue: 2697
BUGFIX: Infinite loop if click on header while importing user
- When importing a user, if you get the headers wrong, and click on one of the header columns to select the property path you want to assign it, then it would go into an infinite loop.
- Issues 2617 and 2618
BUGFIX: custom property dropdown on booking form in wrong order
- A custom property on a booking that contains a biskit generates a drop-down on the booking form.
- This drop-down shows its entries not in alphabetical order.
- Issue: 2581
BUGFIX: Deleting specific entry on one-to-many table deletes every entry
- On Biskit Editor, for Biskits that have been configured with a One to Many Biskit Set property.
- Using the multi-add function, deleting a selected row would clear all rows from the multi-add instead of just the selected row.
- Issue: 2654
BUGFIX: Bakery allows you to set up unit type and units with duplicated names which then prevents system from running.
- Issues: 2695, 2696
BUGFIX: Server exception if theme has any missing items
- If a theme is missing some expected elements, it causes an exception in the server.
- This makes sure they have everything - although you should use the theme manager to make sure all colours are defined.
- Anything undefined is a very bright green (#08FF00) (so it stands out).
- If this happens, go to the Theme Manager and make sure everything has a defined colour.
BUGFIX: Booking creation doesn’t check for special roles defined in config
- In Global preference -> Projects you can define roles that can book for any project.
- By default this list only contains the ‘admin’ role.
- When the Calpendo server checks if the current user has the right permissions for creating a booking, it assumes only the admin role should be used for this purpose rather than those roles listed in global preferences.
- Issue 2686
- Ticket 4236
BUGFIX: Separate verbose setting for workflow permissions was ignored
- 9.0.64 added a verbose setting with this name:
```
  com.springsolutions.exprodo.core.server.workflow.WorkflowManager:permissions
```
- It was supposed to control whether the WorkflowManager would log extra information about workflow permissions.
- However, this setting was ignored and it was using the standard verbose setting with the name:
```
   com.springsolutions.exprodo.core.server.workflow.WorkflowManager
```
BUGFIX: Users with a login name containing a ‘+’ character could not login.
- Local users were not allowed to have a ‘+’ character in their login name.
- However, single-sign-on users would have an identifier that came from a remote system which could therefore include a ‘+’.
- When any type of user had a ‘+’ in their login name, they could not login properly.
- Issue 2689
BUGFIX: Send Network Message workflow action failed with query parameters
- If the URL included query parameters, then they were encoded incorrectly.

9.0.66 October 27, 2020

Changes

Add Hostname and OSDomainName to RemoteAuthorizationWorkflowEvent
- When the Calpendo Activity Recorder (CAR) sends usage information to Calpendo, it triggers a RemoteAuthorizationWorkflowEvent when somebody logs in on the remote PC.
- The event is used as an opportunity for a workflow to authorise the user, or not.
- We now make the PC’s declared hostname and domain name available for the workflow to use in identifying the PC (and hence the resource).
- Previously, this was only possible from the PC’s IP address.

Bug Fixes

BUGFIX: ShallowException using download button on oneToManyMultiEdit widget
- Issue 2709

9.0.67 November 4, 2020

Bug Fixes

BUGFIX: New user registration broken when user has attachment property
- When registering a new user, if you had an attachment on the user, then the new user registration page would generate a URL for the upload. But that would use the session ID, which is null.
- The method of generating that URL meant there was an exception that resulted in the user registration switching straight back to the login page, thereby breaking new user registration.

9.0.68 November 17, 2020

Changes

Add user agent on URL requests for images inside PDF files
- When creating a PDF using the workflow function “toPDF” which generates a PDF file from an XML file in the format of XSL-FO, you can insert images into the PDF file.
- Those images need to be specified via a URL.
- Some servers on which the URL is stored may refuse to serve content if there is no user agent specified.
- So we now make sure requests for images have a user agent specified on them.

Bug Fixes

BUGFIX: Workflows with a sort action failed export via Export button
- The “Export” button on the workflow manager did not export any workflow that contains some workflows.
- A Sort action was one of those affected - whenever the “defaultValue” was set for the sorting weight value.
- Issue: 2497
BUGFIX: Workflow export fails with a function having a PropertyDef argument
- Issue: 2446

9.0.69 November 26, 2020

Bug Fixes

BUGFIX: No reject pop-up on RuleEvent if runs before standard rules
- When booking rules reject a booking, there’s an inconsistency in which circumstances cause the user to see a pop-up telling them about the rejection.
- If the rules are running directly because of a user action, then the error should always appear, but this wasn’t always the case.
- Issue: 2694
BUGFIX: ListExtractAction sometimes returns empty list
- ListExtractAction is most commonly run on lists (for example for extracting elements from a list returned from Search Action).
- In this case it works well.
- If it’s run on a Set property, then it always returns an empty list.
- Issue 2736
BUGFIX: Biskit tree editor pages hide new biskit if create from search view
- Suppose you go to any BiskitTreeEditor page (such as the resource editor).
- Then you click on one of the biskit types in the tree on the left, so that you see a search pane on the right, and then you create a new biskit from that search pane.
- Then when you save the biskit, it does not show you the details of the biskit you just created.
- You should see a read-only version of it, but you would either see nothing, or just a tab panel if the biskit displays with a tab panel (like resources do).
- Issue 2737

9.0.70 December 8, 2020

Bug Fixes

BUGFIX: External auth methods fail if they have a space in the name
- If you define an authentication method of type “External Authentication Method”, and if the name you assign it has a space in it, then authentication through this method will fail with a 404 error.
- This is a bug that was introduced in 9.0.65.

9.0.71 December 16, 2020

Bug Fixes

BUGFIX: History fails on a BiskitDef whose format is not null
- Edit a BiskitDef whose format is not null (or you change it so it is not null), and then look at the history of that BiskitDef, and click on the most recent version of it (or any version where the format was not null) and you get an exception.
BUGFIX: TimedWorkflowEvent repeat corrupted if multiple events in workflow
- When a workflow has more than one TimedWorkflowEvent, and they both have repeats configured, then the two repeats get confused with one another when clicking between the two events.
- This can cause the display to not reflect what’s stored in the database, and to corrupt the repeat information that gets stored in the database.
- Issue: 2710
BUGFIX: In Bakery, Biskit Property Type would automatically change value
- Issue 2678
BUGFIX: Change BiskitDef supertype, then lose child if edit/save supertype
- If you create and save a sub-type of a BiskitDef (for example create a SubBooking as a child of Booking), and without reloading the DB config you edit and save the parent (Booking in this example), even without making any changes to it, then the child BiskitDef loses its connection to the superdef.
- So in this example, SubBooking would think it has no superdef.
- Issue 2750

9.0.72 December 16, 2020

Bug Fixes

BUGFIX: Set Biskit format to use date property and browser gives exception
- The browser will show a login prompt and allow you to log in, but it then fails with an error.
- This happens whenever you set up a BiskitDef with a format specifier that uses a date, datetime or dateRange property in the biskit’s name format.

9.0.73 December 31, 2020

Bug Fixes

BUGFIX: rules table too large to run on recent versions of MariaDB
- Upgrading MariaDB can cause errors from MariaDB about the row size being too large with the rules table.
- See here for details:
- This change reduces the size required by some of the columns with no impact on its functionality for Calpendo.

9.0.74 January 12, 2021

Changes

Add CSS class names to non-static resource usage properties
- This affects the built-in resource usage recorder.
- It allows you to control the display of individual properties using CSS.

Bug Fixes

BUGFIX: Copied bookings when pasted shortened if time slots involved
- When fixed time slots are used, and you copy a booking on the calendar, then pasting a booking into the calendar can result in a much shorter booking that you would expect.
- Issue 2691

9.0.75 January 25, 2021

Bug Fixes

BUGFIX: Cannot recreate layout from one recovered from audit log
- Issue: 2808
BUGFIX: Create copy of workflow from audit log steals actions from latest
- A workflow recovered from audit log results in the actions being intrincisally linked to those in the latest (non-history) version of the workflow.
- Issue: 2470

9.0.76 January 29, 2021

Bug Fixes

BUGFIX: Import load file fails with exception for some BiskitDefs
- When you use the import page to load a CSV file, then it goes through a process of trying to guess which BiskitDef you want to import.
- In some circumstances, that guessing procedure fails with an exception.
- Issue: 2705
BUGFIX: Templates have effect on booking start day only
- When a booking is created or updated, Calpendo checks if templates can affect the new booking.
- This check only took into consideration the templates on the day the booking started, rather than the entire duration of booking (which could be multi-day).
- Issue: 2822

9.0.77 February 5, 2021

Bug Fixes

BUGFIX: Shallow exception when using summary report for resource usage
- Clicking a biskit row in the report would generate a shallow exception for the booking property of resource usage.
- Changing the partialBiskits flag of BiskitsDetail will ensure the resource usage biskit is retrieved fully from the server.
- Issue: 2827
BUGFIX: Pop-up message on booking auto-denial can be empty
- If you set up templates with no message that specify automatic denial for booking, then when you click on that time period in the calendar, you get a message that shows the name of the resource and nothing else.
- It now pulls in the message that’s configured in the global preferences for automatic denial.
- Issue: 2834

9.0.78 February 15, 2021

Bug Fixes

BUGFIX: Change resource on a booking where it needs different subtype fails
- If you have resources ResourceA and ResourceB, and subtypes of Booking called BookingA and BookingB, with ResourceA set to use bookings of type BookingA, and ResourceB set to use bookings of type BookingB, then if you edit a booking for ResourceA, and change the resource drop-down to make it ResourceB, it fails with an error message saying the bookings appears to have been deleted.
- Issue: 2861
BUGFIX: Drag booking to resource where it needs different subtype fails
- If you have resources ResourceA and ResourceB, and subtypes of Booking called BookingA and BookingB, with ResourceA set to use bookings of type BookingA, and ResourceB set to use bookings of type BookingB, then if you drag a BookingA for ResourceA to ResourceB, then the booking does not change to being of type BookingB.
- Issue: 2862

9.0.79 February 17, 2021

Bug Fixes

BUGFIX: Templates checked on click in month view but it makes no sense
- When a user clicks in a day, week, horizontal or vertical view, a booking is generated, and then templates are checked in the browser for the period of the booking.
- This makes sense in those views.
- In the month view, you select a day, but you have no means of selecting the time of day when you want the booking. So there’s no way of checking templates over a sensible time period until after the user has selected the start/finish time they want.
- So templates are no longer checked in the month view at the time when the user clicks in the calendar.
- They will still be checked when the booking is sent to the server.
- Issue: 2857
BUGFIX: Default month view booking start time was midnight not start of day
- You can define in the global preferences what time the day is deemed to start, for the purpose of displaying the calendar.
- So when you click in the month view to create a booking, it should use that start-of-day time for the default booking time.
- Previously it was set to midnight, regardless of when the calendar start of day was.
- Issue: 2858

9.0.80 March 3, 2021

Bug Fixes

BUGFIX: Click at very top of month in month view ignored default time setting
BUGFIX: TotalTimeBookedRule undeletable after being updated at least once
- When you try to delete a total time booked rule that it has been updated at least once in the past, you got a database exception.
- This happened because every time the rule was saved into the database Calpendo created an condition in the database (when it wasn’t supposed to) instead of updating the existing one.
- This meant multiple things were referencing the rule when we were only expecting one, and so the deletion didn’t work properly.
- This fix stops the situation getting worse by the creation of additional conditions referencing the rule.
- If there are existing extraneous conditions that reference the rule, then those will need to be deleted before the rule could be deleted (though they can always be disabled).
- Issue: 2889

9.0.81 March 5, 2021

Security Changes

Add requirement for permission to update DB schema to change BiskitDef
- If you are to be allowed to create or modify biskit definitions, then you not only need create and update permissions directly on BiskitDef, but you now also need permission to be able to update the database schema.

Security Bug Fixes

SECURITY BUGFIX: data deletion relied on browser permissions checks
- The server should always check that the requests it receives are valid, and that the user has permission to do whatever it is that they are trying to do.
- However, a small number of request types did not apply those checks on the server.
- This therefore relied on the browser to apply the checks.
- There are two major problems with this:
  1. The client code might have been altered, or the requests come from a completely different sort of client and not the code that we make available to access Calpendo.
  2. One can configure permissions in such a way that they reference data that will not be available in the browser when permissions are checked. In such cases, the browser is always lenient because it knows the server will have all data available to it, and so it will be able to apply the permissions fully. That doesn’t work when the server doesn’t apply checks, as in this case.
- The requests concerned relate to deleting data.
- Put all this together and it means somebody would have been able to delete data from the database when they should not have been able to do so. However, this is limited to valid users of the system, and there would be a full record of what they had done in the audit log.

9.0.82 March 26, 2021

Bug Fixes

BUGFIX: external proxy auth fails when log in to dynamic workflow page
- If you have a user that logs in via an External Proxy Authentication method (which means they work via Shibboleth), and you go to a dynamic workflow page and click logout and log immediately back in, then you get an error telling you it can’t identify the authentication method.
- You can’t log in without changing the URL the browser is trying to go to.
- This is a clash between the “&data=” parameter that a dynamic workflow page puts into the URL, and the same parameter that’s also used by the external proxy login procedure.
- Issue: 2835

9.0.83 April 5, 2021

Changes

Add workflow function csvDecodeAsPrimaryKeys
- In version 9.0.x, the new workflow function csvDecodeAsPrimaryKeys is functionally identical to calling the version of csvDecode that returns integers.
- However, the difference occurs when the database is upgraded to 10.0.
- Any use of csvDecodeAsPrimaryKeys in 9.0 will be converted to the function of the same name in version 10.0 that returns a list of longs instead of a list of integers.
- That means your workflow will need to cope with the function returning a list of longs after the upgrade.

9.0.84 April 25, 2021

Bug Fixes

BUGFIX: Edit project could lose resource settings information
- Suppose you view project A, and look at the resource settings.
- Then display a different tab so the resource settings are not displayed.
- Now view project B and click Edit and then Save (without even saving anything).
- This means you should have edited project B without ever seeing its resource settings.
- Then:
  - project A now has no resource settings
  - the resource settings for project A would now become owned by project B
  - the resource settings previously owned by project B are deleted
- An identical problem happens with project service settings (for those using services).
- This problem is caused by an error in the user interface for projects, and so it does not affect any other parts of the system.

9.0.85 May 26, 2021

Changes

Accept an X-Forwarded-For HTTP header that contains a bad address followed by good
- The format of X-Forwarded-For is “, , ,…”
- We were only parsing the first value. But if that fails, then we could take the remaining ones as well, and that’s what we do now.
- This allows us to get an IP address and not log an error.
- This problem can occur when there are some unusual networking configurations that generates an error in the HTTP headers.

Bug Fixes

BUGFIX: Infinite loop when the X-Forwarded-For HTTP header is bad
BUGFIX: Some old workflows referencing “concatenate” function broken
- If you added the “concatenate” workflow function to a workflow in version 8.4.0 or 8.4.1 (back in August 2018), then that workflow was broken in 8.4.2 and all subsequent versions.
- If you added this function any time from version 8.4.2 onwards, then there would have been no problems.

9.0.86 June 12, 2021

Bug Fixes

BUGFIX: User registration page disappears immediately with empty drop-down
- If you add a biskit-valued property to a user, but have no values for the drop down so that it is empty, then the user registration page only shows briefly before disappearing.
- Issue: 2947
BUGFIX: Refresh button in biskit tree editor causes the tree to disappear
- This doesn’t happen for all biskit tree editors, but depends on what data types it’s displaying.
- It does happen in Calpendo when showing Location instances.
- Issue: 2946

9.0.87 July 9, 2021

Bug Fixes

BUGFIX: Daily repeating timed workflow events sometimes trigger twice
- When a daily repeating timed workflow event triggers, we calculated the date when it was next due, but the time was always set to noon.
- This would mean it was then scheduled to fire at noon the next day.
- Now we rebuild our cache of what’s scheduled to run and when every 24 hours.
- So if the cache rebuilt between the repeating job firing and noon, then the problem would not occur.
- But if the cache rebuilt after noon, then the job would trigger at noon (when it shouldn’t) and then again when it was supposed to.
- Due to timezone effects, the “noon” firing was actually at the equivalent of noon UTC in your local timezone.
- Issue: 2967
- Ticket: 6040

9.0.88 August 20, 2021

Changes

Overhauled handling of incoming CAR (Calpendo Activity Recorder) data
- There were issues with the way incoming CAR data was handled.
- In particular, it was excessively slow. This could lead to a downward spiral in which CAR would send data, think Calpendo had not imported it when it had because it was slow, and next time would send the same data plus a little bit more making it slower.

Bug Fixes

BUGFIX: Server killed if rename biskit type with exists+path permission
- Suppose:
  - you have a dynamic biskit type, let’s call it X.
  - X has a property “search”, which has a property “owner” of type user
  - you also have an exists permission on X, which applies to search.owner
- If you then go to the bakery and change the biskit type of X to something else and do the rest of the steps you’re supposed to (update the DB schema and reload the database config), then you will no longer be able to get to the login screen.
- Open a new browser, and it will fail.
- The original browser tab will still work, if it’s still open.
- Issue: 3011

9.0.89 August 25, 2021

Changes

Reduced memory requirement when loading large files from CAR
- Calpendo would use a lot of memory when loading a file from CAR that contained many items (such as you would get when after a period of a network outage between Calpendo and CAR).

9.0.90 September 13, 2021

Bug Fixes

BUGFIX: Emails sent unnecessarily when Calpendo receives CAR data
- Under normal CAR activity, Calpendo was logging informational messages as if they were errors.
- This in turn caused emails to be sent to Exprodo Software to.
- These messages are no longer logged as errors.

9.0.91 November 22, 2021

Bug Fixes

BUGFIX: CAR Remote Authorisation workflow events not told who the user is
- When a Calpendo Activity Recorder request comes in to authorise a user, you can set up a workflow that will let you customise the choice of whether that user should be authorised to use the relevant instrument.
- This allows you to do things like check whether they have had the appropriate training.
- However, ever since 9.0.88 the user was not passed in to the workflow, so it could not work properly.
- Issue: 3111
- Ticket: 6831

9.0.92 December 20, 2021

Security Bug Fixes

SECURITY BUGFIX: Users can sometimes read data they should not be able to
- This bug means that valid users who can log in but are not normally allowed to see some data can, under some circumstances, see data they should not be able to.
- This depends on your configuration whether this might have affected a real system.
- Further details withheld to allow everybody to upgrade their systems.
- Issue: 3174

9.0.93 April 6, 2022

Security Bug Fixes

SECURITY BUGFIX: failed attempt to create or update local users stores password
- Issue: 3331

9.0.94 March 30, 2023

Bug Fixes

BUGFIX: Exception saving an Exprodo SDM subject in a process step

9.0.95 June 21, 2023

Bug Fixes

BUGFIX: Calpendo is not compatible with MariaDB 10.6.0 or later
- The column called “offset” in table “units” is not allowed in MariaDB 10.6.0 as “offset” is now a reserved word.
- This has now been renamed to “offset_value”.
- Issue: 3364

Release Notes For Version 9.0

Table Of Contents

Upgrading to 9.0

New Features

Themes and Skins

PDF Generation

Barcodes

LDAP Authentication

Multi-Edit Children

Auto-filter Drop-Down of One-to-many Children

Auto-filtering of booking properties from resource one-to-many

Exposed Password Checks

Importing Bookings From External iCal Feed

Changes

Communication

Speed

Menus

Privileged Search

New Workflow Events

New Workflow Functions

Other Workflow Changes

Services

Holidays

Report Manager

Services and Bookings Linkage

Count concurrent bookings multiple times in TotalTimeBookedRule

Booking Popup Display Changes

Miscellaneous Changes

Updates

9.0.0 February 19th, 2019

9.0.1 March 11th, 2019

9.0.2 March 26th, 2019

9.0.3 April 29th, 2019

9.0.4 May 8th, 2019

9.0.5 May 14th, 2019

9.0.6 May 15th, 2019

9.0.7 May 16th, 2019

9.0.8 May 17th, 2019

9.0.9 May 22nd, 2019

9.0.10 May 29th, 2019

9.0.11 May 30th, 2019

9.0.12 June 3rd, 2019

9.0.13 June 4th, 2019

9.0.14 June 13th, 2019

9.0.15 June 14th, 2019

9.0.16 June 18th, 2019

9.0.17 June 19th, 2019

9.0.18 June 21st, 2019

9.0.19 June 25th, 2019

9.0.20 July 4th, 2019

9.0.21 July 17th, 2019

9.0.22 July 29th, 2019

9.0.23 August 12th, 2019

9.0.24 August 14th, 2019

9.0.25 August 15th, 2019

9.0.26 August 19th, 2019

9.0.27 August 20th, 2019

9.0.28 August 29th, 2019

9.0.29 September 13, 2019

9.0.30 September 17, 2019

9.0.31 September 18, 2019

9.0.32 September 19, 2019

9.0.33 September 20, 2019

9.0.34 September 24, 2019

9.0.35 September 25, 2019

9.0.36 October 9, 2019

9.0.37 October 10, 2019

9.0.38 November 13, 2019

9.0.39 November 22, 2019

9.0.40 December 11, 2019

9.0.41 December 13, 2019

9.0.42 January 7, 2020

9.0.43 January 10, 2020

9.0.44 January 13, 2020

9.0.45 January 14, 2020

9.0.46 January 16, 2020

9.0.47 January 30, 2020

9.0.48 February 6, 2020

9.0.49 February 7, 2020

9.0.50 February 12, 2020