Release Notes for XWiki 15.9
This is the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.
This release provides a first experimental version of the Required Right Analysis feature, which needs to be activated by administrators to be used, and aims at better understanding consequences of editions regarding rights. It also comes with an important performance improvements on the rendering of macros. The look and feel also has been improved on heading and border radius, but also by polishing rights UI and Index Application. For developers, it's now possible to inject custom pre-edit checks similar to what already exists for locked pages, or pages owned by extensions. Finally, as usual, this release comes with a bunch of bug and security fixes.
New and Noteworthy (since XWiki 15.8)
Full list of issues fixed and Dashboard for 15.9.
For Users
Required Rights
When the rights of the current author are different from the rights of the page author, a required rights analyzer is executed.
This analyzer can raise a warning if:
- the current user has more rights than the content author (e.g., a macro previously failing by lack of right might start being evaluated)
- the current user has less rights than the content author (e.g., a macro previously working might stop working by lack of rights)
Note that this analysis is currently disabled by default. See the Admins section.
Headings appearance
In order to make headings easier to ready, they are now bolder. In addition, the size difference between two adjacent levels is larger.
Default radius of UI elements
The default radius of UI elements of the Flamingo Skin are now larger (about 1.75 times larger) by default.
Change viewer UI update
Improved the layout and added icons in the version comparison UI.
Miscellaneous
Added various HTML landmarks to improve the view page semantics.
Improved the visibility of the focus state of the "Create", "Edit" and "more actions" buttons found on the top right of every page content.
Added links towards documentation under the videos in the Help section.
Added autocompletion to the login page and the register form.
Improved contrast of the metadata display on the change viewer.
For Admins
XJetty Debian packages
XWiki now comes with new Debian package based on a customized Jetty optimized for XWiki that you can use instead of the traditional Tomcat based XWiki Debian package which unfortunately don't work on Debian 12+. See InstallationViaAPT for mode details.
Attachments Page from the Index now use a Live Data
The Attachments page displayed in the Index now use a Live Data instead of a Live Table for displaying the information.
Miscellaneous
Automatic validation and encryption keys: The validation and encryption key configured in the xwiki.cfg file and used for cookies don't need to be set anymore. When not set (the default now) they are automatically generated and stored.
Users can be filtered based on first name and last name in the rights UI: The rights UI now allows filtering based on the user first name last name and username. This is particularily helpful in cases where usernames do not contain any character from the user first name or last name (for example, uuid-based usernames).
Required Rights: The Required Rights Application analysis is deactivated by default as the analysis is still incomplete and the presentation needs to be improved to more clearly show what's wrong. Still, the analysis can already provide useful warnings and this is a good opportunity to provide feedback as this feature will be activated by default in a future version of XWiki. It can be activated by setting the security.requiredRights.protection to warning.
#-# [Since 15.9RC1]
#-# Indicates how documents are protected by required rights.
#-#
#-# The possible choices are:
#-# * none (the default): no required rights check
#-# * warning: a warning is presented to the user when trying to edit a document with required rights issues
# security.requiredRights.protection=noneThe rights livetables display user first name and last name: User first name and last name are now displayed in the rights UI using the standard user and group displayers.
Tour Application in platform: The Tour Application is now part of xwiki-platform and the contrib extension has been moved to the attic.
Extensions Security Vulnerabilities Application: After some forum discussions we agreed that the extension is current not useful to fix security vulnerabilities, and is at risk of presenting false-positive. Until those issues are fixed, we decided to stop bundling it as part of the standard distribution.
For Developers
Block preparation and caching
To continue the work on improving the performances and benefit from the Velocity scripts compilation introduced in 15.8, the concept of block preparation has been added to the Rendering framework. The goal is to pre-execute everything that does not rely on the context in a XDOM and cache it to not redo all this in each transformation pass.
The rendering framework now offers a helper to make a lot easier to cache part of the execution of a macro. When preparing a Block, the Macro transformation will call the new Macro#prepare API that any macro can implement to reduce the time spent in Macro#execute.
In 15.9, the following macros are prepared:
- the content is compiled in the velocity macros
- the wiki content is parsed (and the resulting blocks are prepared) in the following macros
- box
- info
- warning
- error
- success
- content
- footnote
- html
- async
- context
- cache
- container
- gallery
- translation
And the XDOM is prepared and cached in the following use cases:
- The content of the UI extensions
- The content of the panels
- The content of the wiki macros
See ExtendingMacro for more details.
Miscellaneous
#displayUser and #displayGroup now allow displaying a link to the profile: The standard velocity macros #displayUser and #displayGroup can now be configured to display a link to the user or group profile with the parameter displayLink. The parameter defaults to true.
Configuration modifications: There's now a setProperty() API to modify a single ConfigurationSource property.
Block attributes: Rendering Blocks now have the concept of attributes. The main difference between Block parameters and block attributes is that attributes are not meant to be parser/serialized, the point is to use them as internal metadata associated to a block. The current main use case is to store the result of pre-executed macros.
Pre-edit document check: It is now possible for extensions to define a pre-edit document check, similar to what already exists for locked pages, or pages owned by extensions.
Upgrades
The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):
- CSS4J 4.2.1 & XML-DTD 4.2.1
- dompurify 3.0.6
- vue2-touch-events 3.2.3
- Elastic search client 8.10.2
- CKEditor 4.22.1
- jodconverter 4.4.6
- WebSocket 1.1
- log4j API 2.21.0
- jDataUri 1.2.1
- httpcore 5.2.3
- Zookeeper 3.9.1
- Thumbnailator 0.4.20
- Stax2 API 4.2.2
- Snappy 1.1.10.5
- RssReader 3.5.0
- RE2/J 1.7
- Protobuf Java 3.24.4
- PrettyTime 5.0.7
- Netty 4.1.100.Final
- Liquibase 4.24.0
- Jetty Client 9.4.53.v20231009
- Jetty 10.0.17 for the standalone packaging
- Jackson 2.15.3
- JAXB Runtime 2.3.9
- Incava Java Diff 1.1.2
- Hibernate Validator 6.2.5.Final
- Guava 32.1.3-jre
- Error Prone annotations 2.23.0
- Commons Pool 2.12.0
- Commons Net 3.10.0
- Commons IO 2.14.0
- Checker Qual 3.39.0
- CVSS Calculator 1.4.2
- Byte Buddy 1.14.9
- ASM 9.6
- Maven Resolver to 1.9.16
- Maven to 3.9.5
Translations
The following translations have been updated:
Tested Browsers & Databases
Here is the list of browsers we support and how they have been tested for this release:
Browser | Tested on: | |
---|---|---|
Mozilla Firefox 120 | Not Tested | |
Google Chrome 119 | Not Tested | |
Microsoft Edge 119 | Jira Tickets Marked as Fixed in the Release Notes | |
Safari 16 | Not Tested |
Here is the list of databases we support and how they have been tested for this release:
Database | Tested on: | |
---|---|---|
HyperSQL 2.7.2 | Not Tested | |
MariaDB 11.1 | Jira Tickets Marked as Fixed in the Release Notes | |
MySQL 8.2 | Not Tested | |
PostgreSQL 16 | Not Tested | |
Oracle 19c | Not Tested |
Here is the list of Servlet Containers we support and how they have been tested for this release:
Servlet Container | Tested on: | |
---|---|---|
Tomcat 9.0.83 | Jira Tickets Marked as Fixed in the Release Notes | |
Jetty 10.0.17 (XWiki Standalone packaging) | Not Tested | |
Jetty 10.0.17 | Not Tested |
Security Issues
Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.
Known issues
Backward Compatibility and Migration Notes
General Notes
- When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
- xwiki.cfg
- xwiki.properties
- web.xml
- hibernate.cfg.xml
- Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you backup your Database before doing anything.
Issues specific to XWiki 15.9
Extensions Security Vulnerabilities Application
Since the extension is not bundled by default anymore, if you upgrade from a version where it was installed by default (15.5-rc-1+), you will be proposed to uninstall it, or to make it top level (i.e., keep it install). If you choose to keep it, you will need to upgrade it manually to version 15.9+.
Default font change
The default font is now Open Sans, instead of the sans-serif font provided by the user system. We did this change to guarantee that all users use the same font, and that the font support different weights.
If you wish to change this, please go to the Flamingo Theme Application administration, customize your color theme and set @font-family-base to sans-serif in the Typography section.
API Breakages
The following APIs were modified since XWiki 15.8:
Real breakages
Real backward compatibility breakages that we have unwillingly accepted to do for the reasons mentioned in each violation below.
- New API added to a component very unlikely to have a custom implementation
- Violation type:java.method.addedToInterface
- Code:## Old:
## New:
method org.xwiki.velocity.VelocityTemplate org.xwiki.velocity.VelocityManager::compile(java.lang.String, java.io.Reader) throws org.xwiki.velocity.XWikiVelocityException
- Violation type:
- Needed to add attribute support in blocks, implementation is provided in abstract base class that should be inherited by all implementations.
- Violation type:java.method.addedToInterface
- Code:## Old:
## New:
method void org.xwiki.rendering.block.Block::setAttribute(java.lang.String, java.lang.Object)
- Violation type:
- Needed to add attribute support in blocks, implementation is provided in abstract base class that should be inherited by all implementations.
- Violation type:java.method.addedToInterface
- Code:## Old:
## New:
method void org.xwiki.rendering.block.Block::setAttributes(java.util.Map<java.lang.String, java.lang.Object>)
- Violation type:
- Was never meant to be public
- Violation type:java.class.removed
- Code:## Old:
class com.xpn.xwiki.render.XWikiScriptContextInitializer
- Violation type:
- Was never meant to be public
- Violation type:java.class.removed
- Code:## Old:
class com.xpn.xwiki.render.DefaultVelocityManager
- Violation type:
Unstable APIs
Not real backward compatibility breakages since they were done on APIs marked @Unstable (a.k.a Young APIs). Thus it's part of the contract that they can be broken until they become stable. They're listed purely for reference in case you decided to still use them (and thus agreed to be broken).
- Unstable API
- Violation type:java.method.removed
- Code:## Old:
method org.xwiki.velocity.VelocityTemplate org.xwiki.velocity.VelocityEngine::compile(java.lang.String, java.io.Reader) throws org.xwiki.velocity.XWikiVelocityException
- Violation type:
- Unstable code
- Violation type:java.method.removed
- Code:## Old:
method boolean org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::isFromEnvironment()
- Violation type:
- Unstable code
- Violation type:java.method.removed
- Code:## Old:
method boolean org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::isInstalledExtension()
- Violation type:
- Unstable code
- Violation type:java.method.removed
- Code:## Old:
method org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::setFromEnvironment(boolean)
- Violation type:
- Unstable code
- Violation type:java.method.removed
- Code:## Old:
method void org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::setInstalledExtension(boolean)
- Violation type:
Credits
The following people have contributed code and translations to this release (sorted alphabetically):
- Clément Aubin
- Farcasut
- Gankov Andrey
- Manuel Leduc
- Marius Dumitru Florea
- Michael Hamann
- Nikita Petrenko
- Oana-Lavinia Florean
- Pierre Jeanjean
- Sereza7
- Simon Urli
- Simpel
- Thomas Mortagne
- Vincent Massol
- fivemoons
- raphj