Version 4.4.3
Released: February 11, 2023
Status: Stable
Changes
Converter
The transformation views' URLs were updated to always specify which content object's transformations are being manipulated. This ensures the permission system works correctly in all situations, such as when deep ACLs are used to grant access to transformations from a document type.
The transformation and decoration links were updated to take advantage of the new link dynamic attributes feature.
Dependencies
Support for Python 3.7 and Python 3.8 was dropped for the version 4.4 release. Python 3.9 is now the minimum version supported. This change happened in version 4.4 but was not documented.
Redactions
The transformation and decoration links were updated to take advantage of the new link dynamic attributes feature. Redaction access control now works properly in complex access control scenarios.
Tags
The tag labels are now sanitized when generating the Select2 user interface widget template. This closes the XSS weakness reported in CVE-2022-47419: Mayan EDMS Tag XSS.
This is a limited scope weakness of the tagging system markup that can be used to display arbitrary text when selecting a tag for attachment to or removal from a document.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Attempting to exploit this weakness requires a privileged account; it cannot be triggered from a guest or an anonymous account. Visitors to a Mayan EDMS installation cannot exploit this weakness.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
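The fix described above is escaping user-controlled tag fields before they are interpolated into widget markup. The following is an added illustration, not code from Mayan EDMS: it assumes a simplified option template (`OPTION_TEMPLATE`) standing in for the Select2 widget template, and uses the standard library `html.escape` where a Django template would rely on auto-escaping or the `escape` filter. The tag records are constructed sample data.

```python
import html

# Constructed sample tag records, as a privileged user could create them.
# The second label carries markup; a template that interpolates it verbatim
# hands it to the browser as live HTML.
SAMPLE_TAGS = [
    {"id": 1, "label": "Invoices", "color": "#ff0000"},
    {"id": 2, "label": "<script>alert('x')</script>", "color": "#00ff00"},
]

# Hypothetical option template, standing in for the Select2 widget markup.
OPTION_TEMPLATE = '<span class="tag" style="background-color: {color}">{label}</span>'


def render_tag_option_unsanitized(tag):
    """'Before' behaviour: user-controlled fields are interpolated verbatim."""
    return OPTION_TEMPLATE.format(color=tag["color"], label=tag["label"])


def render_tag_option(tag):
    """'After' behaviour: every user-controlled field is HTML-escaped first.

    quote=True also escapes ' and " so a value cannot break out of an
    attribute if the template ever places it inside one.
    """
    return OPTION_TEMPLATE.format(
        color=html.escape(str(tag["color"]), quote=True),
        label=html.escape(str(tag["label"]), quote=True),
    )


def contains_unescaped_label(rendered, label):
    """Detection helper for a template review or test: True if a label that
    contains '<' survived into the markup unchanged, i.e. it would be parsed
    as an element rather than shown as text."""
    return "<" in label and label in rendered


def render_widget(tags, renderer=render_tag_option):
    """Render the whole option list the way a widget template would."""
    return "\n".join(renderer(tag) for tag in tags)


if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print(render_tag_option(tag))
```

Escaping the color field as well as the label costs nothing and removes the need to reason about which fields an editor can influence; the `contains_unescaped_label` check is the kind of assertion worth keeping in the widget's test suite so a later template change cannot reintroduce the issue.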
Other
- Move transformation and redaction links to their own `links.py` module. In the case of the `documents` app, the module is named `miscellaneous_links.py`.
- Improve transformation and redaction link testing.
Removals
Management commands
Remove deprecated management commands:
- `checkdependencies` replaced by `dependencies_check`.
- `checkversion` replaced by `dependencies_check_version`.
- `createautoadmin` replaced by `autoadmin_create`.
- `generaterequirements` replaced by `dependencies_generate_requirements`.
- `initialsetup` replaced by `common_initial_setup`.
- `installdependencies` replaced by `dependencies_install`.
- `mountindex` replaced by `mirroring_mount_index`.
- `performupgrade` replaced by `common_perform_upgrade`.
- `platformtemplate` replaced by `platform_template`.
- `preparestatic` replaced by `appearance_prepare_static`.
- `purgelocks` replaced by `lock_manager_purge_locks`.
- `purgepermissions` replaced by `permissions_purge`.
- `purgeperiodictasks` replaced by `task_manager_purge_periodic_tasks`.
- `purgestatistics` replaced by `statistics_purge`.
- `revertsettings` replaced by `settings_revert`.
- `savesettings` replaced by `settings_save`.
- `showsettings` replaced by `settings_show`.
- `showversion` replaced by `dependencies_show_version`.
Backward incompatible changes
Cabinets
The cabinet create permission is now required to create parent as well as child cabinets. This change replaces requiring the edit permission to create child cabinets via the HTTP views.
Documents
A new permission was added to change the type of a document. When support for changing the type of a document was added, it was considered a property and controlled via the document property edit permission.
Since changing the type of a document now causes a cascade of other changes, it was isolated as an individual class of event along with its own permission.
The new document change type permission is required both for the document being changed and for the document type to which the document will be changed.
Downloads
Download files are now associated with a specific user and not with a parent object. Delete, download, and view permissions were added to allow users to share a download file.
OCR
The OCR backend code is now executed under a new method called `_execute` to avoid subclasses not calling the super class.
The base backend class now prepares the image to be processed for OCR and passes the file object to the subclass.
Search
In addition to the search system refactor, new search indexes were added. The search backend needs to be reindexed to ensure these new indexes are populated.
Settings
The default secret key value is now only used if the secret key file is not found, and no longer when the secret key file is present but unreadable.
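The distinction matters because silently falling back to a known default key on a read error turns a file permission mistake into a weak-signing-key deployment. The following is an added illustration, not Mayan EDMS's own loader: `load_secret_key_lenient` reconstructs the looser "any read error means use the default" behaviour for contrast, `load_secret_key` applies the corrected rule (only a missing file selects the default), and `run_demo` exercises both against constructed files in a temporary directory. The default key string and file names are placeholders.

```python
import os
import tempfile

# Constructed placeholder; a real deployment generates a random key on first run.
DEFAULT_SECRET_KEY = "placeholder-default-key-first-run-only"


def load_secret_key_lenient(path, default=DEFAULT_SECRET_KEY):
    """Looser behaviour, reconstructed for contrast: any OSError while
    reading the file falls back to the default, so a permissions mistake on
    the key file silently downgrades the installation to a known key."""
    try:
        with open(path, "r", encoding="utf-8") as handle:
            return handle.read().strip()
    except OSError:
        return default


def load_secret_key(path, default=DEFAULT_SECRET_KEY):
    """Corrected behaviour: only a missing file means 'first run, use the
    default'. Any other failure (permission denied, path is a directory,
    I/O error) propagates so the operator sees it and fixes the file."""
    try:
        with open(path, "r", encoding="utf-8") as handle:
            key = handle.read().strip()
    except FileNotFoundError:
        return default
    if not key:
        # A present-but-empty file is also a misconfiguration, not a first run.
        raise ValueError(f"secret key file {path!r} is present but empty")
    return key


def run_demo():
    """Run both loaders against three constructed situations (file present,
    file missing, path present but unreadable) and return what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "SECRET_KEY")
        with open(key_file, "w", encoding="utf-8") as handle:
            handle.write("s3cr3t-value-from-file\n")
        missing = os.path.join(tmp, "does-not-exist")
        # A directory stands in for an unreadable key file: open() raises an
        # OSError subclass that is not FileNotFoundError, independent of the
        # user the demo runs as.
        unreadable = tmp

        results["present"] = load_secret_key(key_file)
        results["missing"] = load_secret_key(missing)
        results["lenient_on_unreadable"] = load_secret_key_lenient(unreadable)
        try:
            load_secret_key(unreadable)
            results["strict_on_unreadable"] = "used default"
        except OSError as exc:
            results["strict_on_unreadable"] = type(exc).__name__
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Catching `FileNotFoundError` specifically, rather than the broad `OSError`, is the whole change; everything else about the loader can stay the same.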
Templating
The `home_view` setting was removed from the default Template context. Template instances need to include their own context using the new `context` argument.
Deprecations
- The Cabinet API serializer field named `parent` will be removed in version 5.0. Use `parent_id` instead, which is functionally identical.
- The `IndexTemplateNodeSerializer` serializer fields `parent` and `index` will be removed in version 5.0. Use the fields `parent_id` and `index_id`, which are functionally identical.
- The `WorkflowInstanceSerializer` field named `workflow_template_url` will be removed in version 5.0. Use the `url` attribute of `workflow_template` instead.
Issues closed
GitLab issue #1137 Mayan requires python 3.9 or higher since version 4.4