Plone 5.2.4

There may be hotfixes applicable to this release. Always check the Plone Hotfix page before production deployment.

Release notes

License: GPL
Date released: 2021-03-03
Release manager: Eric Steele

Plone 5.2.4 is a bug fix release of Plone 5.2. Release Manager for this version is Maurits van Rees (despite the automated text above).

Installers are being made, so not all links below will work yet. Experienced users can update their buildout config by pointing to https://dist.plone.org/release/5.2.4/versions.cfg.

Linux/BSD/Unix users: Use the Unified Installer. It is a configuration and setup kit with build scripts.

Windows 10 users: use the Unified Installer. See Windows-specific installation instructions. Consider using the unified installer within the Windows Subsystem for Linux (WSL).

OS X users: use the Vagrant kit or install XCode command-line tools and use the Unified Installer.

Automated provisioning: See Plone's Ansible Playbook for a full-stack installation kit.

Cross-platform Docker: install Docker and use the Plone Docker image.

For the Plone 5.2 upgrade guide, see https://docs.plone.org/manage/upgrading/

Specific release notes for Plone 5.2.4:

Some highlights of this release are:

  • Products.PluggableAuthService: security fix for open redirect and missing access control.
  • Zope: security fix for missing access control in some XML-RPC requests.
  • GenericSetup/CMFQuickInstallerTool: security fixes for possibly seeing information from installation logs and snapshots.
  • plone.recipe.zope2instance: Windows fixes
  • Products.MailHost: Use standard conforming \r\n line endings.
    If you use Microsoft Exchange to send mails, this should prevent empty mails.
  • mockup / plone.staticresources: various fixes in folder contents.
  • plone.app.caching: Restored resourceRegistries ETag, but now for Plone 5 resource registries.
    Fixes warning "Could not find value adapter for ETag component resourceRegistries".
  • plone.app.contenttypes: Various fixes for restoring references during migration.
  • plone.app.users: Fix setting "Use site default" for wysiwyg_editor.
  • plone.restapi 7.0.0 introduces new features, which should be backwards compatible:
    • Add ResolveUID functionality for Volto blocks, allowing Volto to preserve internal links when content is moved.
    • Add root element to the @breadcrumbs endpoint.
    • Mark restapi 7 with a zcml feature flag: plonerestapi-7
    • Add new @contextnavigation endpoint.
    • Refactor navigation endpoint, add new nav_title attribute
    • Add "smart fields" concept: if block has a searchableText field, this will be indexed in Plone
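
The security fixes above reach a site through its version pins, so a buildout that overrides pins can stay on an older release of an affected package. The following check is an added example, not part of Plone or its release notes: it reads a [versions] section and compares it with the versions this page lists for Zope, Products.PluggableAuthService, Products.GenericSetup and Products.CMFQuickInstallerTool. The function names and the sample pins are constructed for illustration.

```python
import configparser
import re

# Versions Plone 5.2.4 ships for its security-fixed packages (from this page).
SECURITY_FLOORS = {
    "products.pluggableauthservice": "2.6.1",
    "zope": "4.5.5",
    "products.genericsetup": "2.1.1",
    "products.cmfquickinstallertool": "4.0.4",
}


def _key(version):
    """'2.6.1' -> (2, 6, 1); None for anything that is not purely numeric."""
    ok = re.fullmatch(r"\d+(\.\d+)*", version)
    return tuple(int(p) for p in version.split(".")) if ok else None


def audit_pins(cfg_text):
    """Map each security-relevant package to ok / missing / unparsed / below floor."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    pins = dict(parser["versions"]) if parser.has_section("versions") else {}
    report = {}
    for name, floor in SECURITY_FLOORS.items():
        pinned = pins.get(name, "").strip()  # configparser lower-cases names
        got = _key(pinned)
        if not pinned:
            report[name] = "missing"
        elif got is None:
            report[name] = "unparsed: " + pinned
        elif got < _key(floor):
            report[name] = "below floor: %s < %s" % (pinned, floor)
        else:
            report[name] = "ok"
    return report


# Constructed sample: a buildout that still carries two pre-5.2.4 pins.
SAMPLE = """
[versions]
Zope = 4.5.3
Products.PluggableAuthService = 2.6.1
Products.GenericSetup = 2.0.3
"""

if __name__ == "__main__":
    print(audit_pins(SAMPLE))
```

Pins with pre-release or other non-numeric suffixes are reported as unparsed rather than guessed at, so they get a manual look.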

Changes

Zope 4.5.3 → 4.5.5

plone.recipe.zope2instance: 6.8.1 → 6.8.3

Bug fixes:

  • Fix windows wsgi.ini to have a configurable listen address. Added missing WSGI config options for windows. [jensens] (#161)
  • Restored ability to use own explicit version of zodb-temporary-storage. [maurits] (#93)

plone.releaser: 1.8.2 → 1.8.3

Bug fixes:

  • When reporting interesting commits, catch errors when comparing with previously ignored commit. Fixes issue 39. [maurits] (#39)

Products.MailHost: 4.10 → 4.11

  • Use standard conforming \r\n line endings. This may require adaptations in tests
  • Support messages with line separation \r\n (#35).

mockup: 3.2.4 → 3.2.5

Bug fixes:

  • Do only remove the correct event listener on context-info-loaded before adding a new one. Fixes a problem where the current path was not updated for the upload popup when changing paths. Fixes: #1016 Refs: #1028, #1030, #1039 [thet] (#1041)

Plone: 5.2.3 → 5.2.4

Bug fixes:

  • Release Plone 5.2.4 final [maurits]
  • Removed plone.app.dexterity from dependencies. It is already required by Products.CMFPlone. [maurits]

plone.app.caching: 2.0.8 → 2.1.0

New features:

  • Restored resourceRegistries ETag, but now for Plone 5 resource registries. Fixes warning "Could not find value adapter for ETag component resourceRegistries". [maurits] (#61)

Bug fixes:

  • Do not break if some custom code provides an alias for Products.Archetypes or plone.app.blob (#72)

plone.app.contentrules: 4.1.5 → 4.1.6

Bug fixes:

  • Simplify test setup by using the MOCK_MAILHOST_FIXTURE (#59)

plone.app.contenttypes: 2.2.1 → 2.2.2

Bug fixes:

  • Various fixes for restoring references:

    • Migrate relatesTo AT relation to relatedItems DX relation.
    • In DX check the schema to see if relation field is list or item. Taken over from collective.relationhelpers.
    • restore_references: accept relationship_fieldname_mapping argument. This must be a dictionary with a relationship name as key and fieldname as value, instead of always using relatedItems as fieldname.

    [maurits] (#510)

  • Catch AttributeError for getNextPreviousEnabled during migration. [maurits] (#582)

  • migrate_datetimefield: do nothing when old value is None. This fixes AttributeError: 'NoneType' object has no attribute 'asdatetime'. [maurits] (#584)

plone.app.dexterity: 2.6.8 → 2.6.9

Bug fixes:

  • Fix the constraint types mode calculation, disabling acquisition and gracefully checking for the existence of a portal type attribute in the container (#319)

plone.app.discussion: 3.4.3 → 3.4.4

Bug fixes:

  • Fix tests with Products.MailHost 4.11. [maurits] (#174)

plone.app.linkintegrity: 3.3.14 → 3.4.1

New features:

  • Drop Plone 5.1 support, due to possible incompatibility with older plone.app.uuid. [maurits] (#79)

Bug fixes:

  • Use base64.decodebytes instead of decodestring when possible. Fixes Python 3.9 compatibility in the tests. [maurits] (#81)
  • Fix Unauthorized exception when you edit a page that links to another page that you are not allowed to see. Fixes issue 79. [maurits] (#79)

plone.app.locales: 5.1.27 → 5.1.28

  • Fix French and German translation for the assets folder (no spaces and lowercase). [pbauer]
  • Fix wrong DE translation in plone.app.caching. [jensens]

plone.app.multilingual: 5.6.2 → 5.6.3

Bug fixes:

  • Force view_methods to be a tuple on setup and uninstall (#337)

plone.app.registry: 1.7.7 → 1.7.8

Bug fixes:

  • Use better titles and descriptions for import and export steps. [jensens] (#1)

plone.app.upgrade: 2.0.36 → 2.0.38

Breaking changes:

  • Remove temp_folder from Zope root if broken. See issue 2957. [maurits] (#2957)

Bug fixes:

  • Make portal_setup objects accessible only to Manager/Owner. See GenericSetup issue 101. [maurits] (#101)
  • Plone 6.0: remove portal_form_controller tool. [maurits] (#3057)
  • Improved upgrade step for site_logo from ASCII to Bytes. The previous upgrade was incomplete and could remove the logo when called twice. See comment on issue 3172. [maurits] (#3172)

plone.app.users: 2.6.5 → 2.6.6

Bug fixes:

plone.app.vocabularies: 4.2.1 → 4.2.2

Bug fixes:

  • Change vocabulary tokens to use base64.urlsafe_b64encode(). No newlines and safe to use as an xml attribute. See community post. [flipmcf] (#64)

plone.app.workflow: 4.0.3 → 4.0.4

New features:

  • Have the icons from the sharing tab to have their URL relative to the site root [frapell] (#25)

plone.batching: 1.1.6 → 1.1.7

New features:

  • Include request form parameters from parent request to allow batching in plone.app.standardtiles and filtering with collective.collectionfilter. [agitator] (#26)

plone.cachepurging: 2.0.2 → 2.0.3

Bug fixes:

  • Replaced deprecated Thread.isAlive by is_alive. The old name no longer works in Python 3.9. The new name already works in Python 2.7. (#22)

plone.portlet.collection: 3.3.5 → 3.3.6

Bug fixes:

  • Show start date in portlet if available. [agitator] (#25)

plone.rest: 1.6.1 → 1.6.2

Bug fixes:

  • Explicitly make allow_credentials required in CORS policy. This was the default for Bool fields until and including zope.schema 6.0.1, but in 6.1.0 this changed. [maurits] (#104)

plone.restapi: 6.15.0 → 7.0.0

New features:

  • Mark restapi 7 with a zcml feature flag: plonerestapi-7 [sneridagh] (#1068)

  • Add a couple of additional tests for resolveuid feature reassurance [sneridagh] (#1072)

  • Add root element to the @breadcrumbs endpoint [sneridagh] (#1064)

  • Add new @contextnavigation endpoint. [tiberiuichim] (#1042)

  • Refactor navigation endpoint, add new nav_title attribute [sneridagh] (#1047)

  • Add nav_title attribute to breadcrumbs endpoint [sneridagh] (#1049)

  • Unify nav_title and title in navs [sneridagh] (#1051)

  • Add serializer/deserializer for remoteUrl Link's field [cekk] (#1005)

  • Register blocks transformers also for Site Root [cekk] (#1043)

  • Add sort feature to resort all folder items [petschki] (#812)

  • Remove unneeded stringtype checks [erral] (#875)

  • Enable Plone 4 Control Panels: Add-ons, Dexterity Content Types [avoinea] (#984)

  • Enhance traceback with __traceback_info__ on import to detect the field causing the problem. [jensens] (#1009)

  • Improved blocks transformers: now we can handle generic transformers [cekk]

  • Add generic block transformer for handle resolveuid in all blocks that have a url or href field [cekk]

  • Add "smart fields" concept: if block has a searchableText field, this will be indexed in Plone [cekk, tiberiuichim] (#952)

  • Replace internal links to files in blocks with a download url if the user has no edit permissions [csenger] (#930)

  • In block text indexing, query for IBlockSearchableText named adapters to allow extraction from any block type. This avoids hardcoding for the 'text' block type. [tiberiuichim] (#917)

  • Added IBlockFieldDeserializationTransformer and its counterpart, IBlockFieldSerializationTransformer concepts, use subscribers to convert/adjust value of blocks on serialization/deserialization, this enables an extensible mechanism to transform block values when saving content.

    Added an html block deserializer transformer, it will clean the content of the "html" block according to portal_transform x-html-safe settings.

    Added an image block deserializer transformer, it will use resolveuid mechanism to transform the url field to a UID of content.

    Move the resolveuid code from the dexterity field deserializer to a dedicated block converter adapter, using the above mechanism. [tiberiuichim] (#915)

  • Resolve links in blocks to UIDs during deserialization and back to paths during serialization. [buchi,timo,cekk] (#808)

Bug fixes:

  • Avoid duplicate fields within DX RestAPI [avoinea] (#1073)
  • Remove escape'd titles [sneridagh] (#1061)
  • Do not break if some custom code provides an alias for Products.Archetypes (#1004)
  • Handle missing review_state value in @navigation endpoint for items without a workflow [cekk] (#1060)
  • Fix transform object_browser href smartfield not working as expected [sneridagh] (#1058)
  • Fix href smart field in transformers do not cover the object_widget use case [sneridagh] (#1054)
  • Fix @id when content query has no fullobjects [sneridagh] (#837)
  • Fixed deprecation warnings for zope.site.hooks, CMFPlone.interfaces.ILanguageSchema and plone.dexterity.utils.splitSchemaName. [maurits] (#975)
  • Update tests to fix https://github.com/plone/plone.dexterity/pull/137 [@avoinea] (#1001)
  • Fix resolveuid blocks transforms [tisto, sneridagh] (#1006)
  • Fix type hint example in searching documentation. [jensens] (#1008)
  • Fixed compatibility with Zope 4.5.2 by making sure Location header is string. On Python 2 it could be unicode for the users and groups end points. Fixes issue 1019. [maurits] (#1019)
  • Check for Plone 5 in content-adding endpoint if plone.app.multilingual is installed [erral] (#1029)
  • Do not test if there is a meta_type index. It is unused ballast. [jensens] (#2024)
  • Fix tests with Products.MailHost 4.10. [maurits] (#3178)
  • Re-release 7.0.0b8 as 7.0.0 final. [timo]

plone.staticresources: 1.4.1 → 1.4.2

New features:

  • Upgrade to latest mockup from 3.x branch with structure fixes, 3.2.5. [thet] (#125)

Bug fixes:

  • Remove bundle with typo. [petschki] (#123)
  • Include upgrade step 12, which was missing. [thet] (#123)
  • Replaced most upgrade profiles with one last_compilation profile. [maurits] (#126)

Products.CMFCore: 2.4.8 → 2.5.0

  • Update configuration for version 5 of isort.
  • Fix deprecation warnings occurring on Zope 5.
  • Added support for Python 3.9.

Products.CMFPlacefulWorkflow: 2.0.3 → 2.0.4

Bug fixes:

  • Removed unused mock request.SESSION from tests. [maurits] (#1)

Products.CMFPlone: 5.2.3 → 5.2.4

Bug fixes:

  • Release Plone 5.2.4 final. No changes compared to last release candidate. [maurits] (#3250)
  • Fixed tests in combination with Products.PluggableAuthService 2.6.0. [maurits] (#3251)
  • Bumped metadata version to 5211. [maurits] (#5211)

Products.CMFQuickInstallerTool: 4.0.3 → 4.0.4

Bug fixes:

  • Require 'Manage portal' permission for accessing the tool or an installed product. For most methods this was already the case, but you could get some info from the objects themselves. [maurits] (#24)

Products.GenericSetup: 2.0.3 → 2.1.1

  • Enforce access control on setup tool log files and snapshot files and folders. (#101)
  • Add support for Python 3.9.

Products.PlonePAS: 6.0.6 → 6.0.7

Bug fixes:

  • Fixes deprecation message: AccessControl.User has moved to AccessControl.users. [jensens] (#59)

Products.PluggableAuthService: 2.5 → 2.6.1

  • Fix remaining open redirect sources
  • Fix missing access control on ZODB Role Manager enumerateRoles
  • Fix open redirect issue in Cookie Auth Helper redirect handling
  • Add support for Python 3.9.
  • Fixed error assigning groups in manage_groups page in ZMI. (#61, #84)
  • Fix DeprecationWarnings occurring on Zope 5.

z3c.autoinclude: 0.4.0 → 0.4.1

Bug fixes:

  • zc.buildout is not an install dependency, only used in testing.

collective.js.jqueryui: 2.1.6 → 2.1.8

plone.app.versioningbehavior: 1.4.1 → 1.4.2

Bug fixes:

  • Do not break if the portal_repository tool cannot be found (#53)

Products.Archetypes: 1.16.3 → 1.16.4

Bug fixes:

  • Lifted the ceiling for the maximum date from end of 2020 to 2051 in all places. See issue 133. [maurits] (#133)
