indico v3.0 Release Notes
-------------------------

Unreleased

Major Features
^^^^^^^^^^^^^^

- There is a new built-in search module which provides basic search functionality out
  of the box, and for more advanced needs (such as full text search in uploaded files)
  plugins can provide their own search functionality (e.g. using ElasticSearch).
  (:pr:`4841`)
- The OAuth provider module has been re-implemented based on a more modern
  library (authlib). Support for the somewhat insecure implicit flow has been
  removed in favor of the code-with-PKCE flow. Tokens are now stored more securely
  as a hash instead of plaintext. For a given user/app/scope combination, only a
  certain number of tokens are stored; once the limit has been reached older tokens
  will be discarded. The OAuth provider now exposes its metadata via a well-known
  URI (RFC 8414) and also has endpoints to introspect or revoke a token.
  (:issue:`4685`, :pr:`4798`)

Improvements
^^^^^^^^^^^^

- Categories may now contain both events and subcategories at the same time
  (:issue:`4679`, :pr:`4725`, :pr:`4757`)
- Show the user's profile picture in many more places (:issue:`4625`, :pr:`4747`)
- Use a more modern search dialog when searching for users (:issue:`4674`, :pr:`4743`)
- Add an option to refresh event person data from the underlying user when cloning an
  event (:issue:`4750`, :pr:`4760`)
- Add options for attaching iCal files to complete registration and event reminder
  emails (:issue:`1158`, :pr:`4780`)
- Use the new token-based URLs instead of API keys for persistent ical links and replace
  the calendar link widgets in category, event, session and contribution views with the
  more modern ones used in dashboard (:issue:`4776`, :pr:`4801`)
- Add an option to export editables to JSON (:issue:`4767`, :pr:`4810`)
- Add an option to export paper peer reviewing data to JSON (:issue:`4767`, :pr:`4818`)
- Passwords are now checked against a list of breached passwords ("Have I Been Pwned")
  in a secure and anonymous way that does not disclose any data. If a user logs in with
  an insecure password, they are forced to change it before they can continue using Indico
  (:pr:`4817`)
- Failed login attempts now trigger rate limiting to prevent brute-force attacks
  (:issue:`1550`, :pr:`4817`)
- Allow filtering the "Participant Roles" page by users who have not registered for the event
  (:issue:`4763`, :pr:`4822`)
- iCalendar exports now include contact data, event logo URL and, when exporting
  sessions/contributions, the UID of the related event. Also, only non-empty fields
  are exported. (:issue:`4785`, :issue:`4586`, :issue:`4587`, :issue:`4791`, :pr:`4820`)
- Allow adding groups/roles as "authorized abstract submitters" (:pr:`4834`)
- Direct links to (sub-)contributions in meetings using the URLs usually meant for
  conferences now redirect to the meeting view page (:pr:`4847`)
- Use a more compact setup QR code for the mobile Indico check-in app; the latest version of
  the app is now required. (:pr:`4844`)
- Contribution duration fields now use a widget similar to the time picker that makes selecting
  durations easier. (:issue:`2462`, :pr:`4873`)
- Add new meeting themes that show sequential numbers instead of start times for contributions
  (:pr:`4899`)
- Remove the very outdated "Compact style" theme (it's still available via the
  ``themes_legacy`` plugin) (:issue:`4900`, :pr:`4899`)
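
The breached-password item above says only that the check is "secure and anonymous"; the added example below (not Indico's code) shows one way such a check can work, assuming the k-anonymity range lookup that Have I Been Pwned offers, where only the first five hex characters of the SHA-1 digest leave the server. The function names and the fake range server with its constructed entries are hypothetical and keep the example offline.

```python
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest; only the prefix is sent."""
    digest = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus, 0 if absent.

    fetch_range(prefix) stands in for the HTTP call to the range endpoint and
    returns its text body: one "SUFFIX:COUNT" line per hash sharing the prefix.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(':')
        if candidate.upper() == suffix:  # comparison happens locally
            return int(count)
    return 0


def make_fake_range_server(breached: dict[str, int]):
    """Constructed stand-in for the remote service; records what it was sent."""
    seen = []

    def fetch_range(prefix: str) -> str:
        seen.append(prefix)
        lines = [f'{"0" * 35}:1']  # unrelated constructed entry
        for pw, count in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f'{s}:{count}')
        return '\r\n'.join(lines)

    return fetch_range, seen
```

The `seen` list makes the privacy property checkable: the remote side observes five-character prefixes only, never the password or its full hash.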

Bugfixes
^^^^^^^^

- Take registrations of users who are only members of a custom event role into account on the
  "Participant Roles" page (:pr:`4822`)
- Fail gracefully during registration import when two rows have different emails that belong
  to the same user (:pr:`4823`)
- Restore the ability to see who's inheriting access from a parent object (:pr:`4833`)
- Fix misleading message when cancelling a booking that already started and has past
  occurrences that won't be cancelled (:issue:`4719`, :pr:`4861`)

Internal Changes
^^^^^^^^^^^^^^^^

- Require Python 3.9 - older Python versions (especially Python 2.7) are no longer supported
- ``confId`` has been changed to ``event_id`` and the corresponding URL path segments now
  enforce numeric data (and thus pass the id as a number instead of string)
- ``CACHE_BACKEND`` has been removed; Indico now always uses Redis for caching
- The integration with flower (celery monitoring tool) has been removed as it was not widely
  used, did not provide much benefit, and it is no longer compatible with the latest Celery
  version
- ``session.user`` now returns the user related to the current request, regardless of whether
  it's coming from OAuth, a signed url or the actual session (:pr:`4803`)
- Add a new ``check_password_secure`` signal that can be used to implement additional password
  security checks (:pr:`4817`)
- Add an endpoint to let external applications stage the creation of an event with some data to be
  pre-filled when the user then opens the link returned by that endpoint (:pr:`4628`,
  thanks :user:`adl1995`)