ChiliProject 3.0.0beta1 released

We are proud to announce the first Beta release of the upcoming version 3.0.0 of ChiliProject. When you read this announcement it means that the new and shiny 3.0.0 release is not far away. This Beta release gives a first, mostly complete look at the new features in 3.0.0. We expect to have a first Release Candidate on 2011-12-31. The final 3.0.0 release is scheduled for early January.

Because of the really great improvements we have already updated our own ChiliProject to the new Beta. That said, please be advised that this release is neither feature-complete nor considered stable. Instead it is an old-style Beta, not a Beta-cause-it’s-cool (I’m looking at you, Google…). Please download this release, install it in a testing environment, play with it, and report any bugs or missing features. But please don’t install it in your production environment right now unless you know what you are doing (and have a backup).

Download ChiliProject 3.0.0beta1

Now that you have survived the disclaimer, be prepared for awesomeness. This release includes the long-awaited new design as well as a completely new wiki template engine which allows you to create dynamic wiki pages built from your own content. It also contains the foundation for a built-in tagging system.

The New Design

New ChiliProject Theme

The new design is a first step into the complete overhaul of the ChiliProject user experience. It sports a modern look and a completely re-thought interaction model.

Gone are the days of the plethora of tabs that started to scroll on even medium-sized windows. We now have an ever-present navigation in the sidebar which allows easier access and a better navigation model. Related functions are grouped together, preventing a lost-in-space feeling.

We have greatly improved the contrast and font sizes, which makes ChiliProject more approachable for everyone. Blind or otherwise disabled users will appreciate the new design as it greatly improves compatibility with screen readers and other assistive technologies.

This beta release is the beginning of the end of a long journey to improve the user experience of ChiliProject, which started about two years ago when it was still Redmine. A great deal of work from Eric Davis, the whole Finnlabs crew and other contributors makes this 3.0.0 release the biggest in ChiliProject’s history.

The Liquid Template Language

ChiliProject inherited the old macro concept from Redmine, which allowed one wiki page to be included in another and gave plugin authors the ability to extend the standard Textile markup with additional functionality. This worked well in its time. However, it became evident that a powerful templating system would give users much richer capabilities to display and organize content.

The Liquid template language completely replaces the old macro system and is far more powerful. It supports variables, includes facilities to display text based on conditions, and even has loops. That allows users to create dynamic wiki pages based on many different pieces of data in ChiliProject.

While it currently brings only minimal support for querying, remixing and displaying internal ChiliProject data, it allows us to extend the API easily. Users can then create custom issue or time reports inside a wiki without writing a single line of Ruby code. It’s all inside the wiki editor.

Plugin developers can extend the language and create new tags, filters, and data APIs called drops to provide access to many different data sources. This gives them much more flexibility in how they represent their data and allows users to easily remix, combine, and display different pieces of data.

The Tagging foundation

Yes, that’s correct. ChiliProject will finally have a tagging engine. This will allow you to organize your data in any way you like. You will be able to create issue tags to group issues and instantly find the important ones, or organize your wiki with tag clouds for a free-form ordering scheme.

The technical foundation is in place right now but is not yet exposed to the user. In future releases (and maybe even in the final 3.0.0 release) we will add features that use it to let you keep control over your data.

What’s included

3.0.0beta1 sports the new design and the Liquid template language as well as several smaller new features and bugfixes. It also contains several features and bugfixes from the upcoming 2.6 release.

The full list of changes is below:

Included from the upcoming 2.6.0 release are the following changes:

  • Bug #356: Clicking on login while logged-in logs you out
  • Bug #463: REST API does not accept Basic HTTP auth when running through Apache mod_proxy
  • Bug #708: AAJ does not create journals, when models are created using sub classes
  • Bug #740: Revision page, new files are not displayed (Git Repo)
  • Bug #746: Problems with rdm-mailhandler.rb
  • Bug #748: ChiliProject::VERSION.revision doesn’t capture error output
  • Bug #761: Fix quoting in shell-out (git adapter)
  • Feature #298: Seperate core plugins and user plugins into different directories
  • Feature #388: Add LDAP filter to ldap authentication
  • Feature #486: Do not display edit link in annotation page when you don’t have permissions
  • Feature #733: Add css class for issues that are due today

Contributors to 3.0.0beta1

  • elm
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Johannes Wollert
  • Kornelius Kalnbach
  • Moritz Breit
  • Romano Licker
  • Spencer Markowski
  • And everyone I forgot… You are all awesome!

In closing, go and download ChiliProject 3.0.0beta1 now.


New Design For ChiliProject

I’ve just upgraded ChiliProject.org to use the new design we are releasing as part of ChiliProject 3.0. There is still a lot of fit and finish to add, but the overall structure is finalized.

If you want to see what is possible with this new design, my own ChiliProject installation is also running the new design but with a custom theme. The custom theme is 100% CSS and images. This shows how much flexibility you’ll have when creating your own theme, even if you don’t know Ruby or Rails.

If you haven’t seen the new design, head over to ChiliProject.org, check it out, and leave any comments for us here.

ChiliProject 1.5.5 Released

ChiliProject 1.5.5 has just been released. This release is a security release to fix a cache poisoning bug in the bundled Redmine.pm module, which can be used to authenticate and authorize Subversion or Git users for repositories served through Apache. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.5.0. It is suitable for use on production websites running ChiliProject 1.x, and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.5

What’s included

1.5.5 includes a security fix that was backported from ChiliProject 2.5.0.

  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion

All users of ChiliProject who use the bundled Redmine.pm module are strongly advised to update their installations as soon as possible, as the resolved issue potentially allows users to access restricted repository data.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.3-stable branches of the Redmine repository. You should either upgrade or apply the fix from the issue manually.

Contributors to 1.5.5

I’d like to thank all of the contributors to the 1.5.5 release.

  • Holger Just
  • Jean-Philippe Lang

We would like to especially thank Niels Lindenthal who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch will no longer be supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.5.0.

ChiliProject 2.5.0 Released

ChiliProject 2.5.0 has just been released. It includes some bugfixes for ChiliProject 2.4.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.5 release which includes the security fix.

Download ChiliProject 2.5.0

What’s included

2.5.0 includes 3 new features and 9 bug fixes, including 1 security fix, for 2.4.0. The major highlights of this release are:

  • The provided Perl module Redmine.pm, which authenticates and authorizes Subversion or Git users for repositories served through Apache, was vulnerable to a cache poisoning attack if caching was enabled. The vulnerability could result in a temporary permissions escalation, giving a user write permission to a repository for which she normally had only read permission. The fix becomes active as soon as the updated Redmine.pm is installed and the Apache server that loads it has been restarted.
  • Registered but not-yet activated users can now be deleted.
  • ChiliProject will be transitioning to jQuery as the primary JavaScript library for client-side scripting. To ease the transition, plugin developers can query ChiliProject::Compatibility to decide if they want to use the to-be-bundled jQuery or use a version they bundle with their plugin. ChiliProject::Compatibility can also be queried to check for the presence or absence of Prototype.
  • 2 view hooks have been added to the Project index.
  • Still more Ruby 1.9 compatibility fixes.
  • The vendored ruby-net-ldap gem has been removed and replaced by an updated version (now called net-ldap) in the Gemfile.
  • Small bug fixes and translation improvements.

All users of ChiliProject are strongly advised to update their installations as soon as possible.

Users of Redmine should be advised that the fixed security issue in Redmine.pm is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.3-stable branches of the Redmine repository. You should either upgrade or apply the fix manually.

The full list of changes is below:

  • Bug #258: Upgrade from ruby-net-ldap to net-ldap gem
  • Bug #554: Failed to migrate from 1.2.0 to 2.1.0 with Ruby 1.9.2
  • Bug #688: doc/CHANGELOG.rdoc is very huge
  • Bug #698: Searching in issue is broken on ruby 1.9
  • Bug #707: Wiki diffs: incompatible character encoding error on Ruby 1.9.2
  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion
  • Bug #711: translation missing: en, field_lock_version on issue edit on Ruby 1.9
  • Bug #735: any user can edit time entries via context menu
  • Bug #736: Adding users with a dash “-” in email address is broken sometimes
  • Feature #124: User deletion
  • Feature #706: Add hooks to view projects/index.rhtml
  • Feature #725: Compatibility check for jQuery and Prototype availability

Contributors to 2.5.0

  • David O
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Ivan Cenov
  • Jan Schulz-Hofen
  • Jean Philippe Lang
  • Moritz Breit

We would like to especially thank Niels Lindenthal and Jan Schulz-Hofen who informed us of the (potential) security issues. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.5.0 now.

ChiliProject 2.4.0 Released

ChiliProject 2.4.0 has just been released. It includes some bugfixes for ChiliProject 2.3.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.4 release which includes the security fix.

Download ChiliProject 2.4.0

What’s included

2.4.0 includes 3 new features and 8 bug fixes for 2.3.0. The major highlights of this release are:

  • The bundled Textile library, which is used to transform the markup used in issues and wiki pages, contained a bug which prevented it from properly escaping certain characters in the URLs of image tags. This allowed a persistent cross-site scripting (XSS) vector. The fix prevents its exploitation for newly entered content as well as for text that is already present.
  • We tremendously improved our Ruby 1.9 compatibility. While our test suite completely passes on 1.9, we had several reports of encoding issues in the past. With this release we are very confident that these issues should be fixed by now, to the extent possible with the current Rails and Rack implementations. However, we still recommend Ruby 1.8.7 or Ruby Enterprise Edition as the most widely deployed Ruby variants for ChiliProject.
  • Users running MySQL and Ruby 1.9 should be aware that the mysql database adapter seems not to play nice with Ruby 1.9. We strongly recommend to use mysql2 with Ruby 1.9.
  • Users of the rmagick bundler group, used to export the Gantt chart as a PNG, reported that Ruby 1.9 requires rmagick 2.0.0 or newer. We have therefore adapted our Gemfile to allow newer versions to be installed. In future versions of ChiliProject we will require rmagick 2, which currently requires rather new distributions. We will announce the deprecation time frame once it has been decided.
  • The project identifier can now automatically be created based on the project name saving project managers some keystrokes.
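The image-tag escaping bug described above (Bug #647), shown as an added example in Ruby. This is not the bundled Textile library’s code nor ChiliProject’s: it is a deliberately minimal renderer for Textile’s `!url!` image syntax with the flaw the bullet describes, placed beside a hardened version. The payload, the benign input and the function names are constructed for this demo.

```ruby
require 'cgi'
require 'uri'

# Textile image syntax is !url!; the regex below handles that form only
# (no alt text or alignment markers). The two renderers are a deliberately
# minimal illustration of the bug class, not the bundled Textile library's
# code, and both inputs are constructed for this demo.
IMAGE_TAG = /!([^!\n]+)!/
PAYLOAD   = %q{Look: !http://example.org/x.png" onerror="alert(1)! here}
BENIGN    = 'See !https://example.org/diagram.png?v=1&s=2! for details'

# Vulnerable shape: the captured URL is copied into the attribute verbatim.
# A double quote inside it terminates src, and whatever follows becomes
# further attributes of the <img> tag, stored with the page and served to
# every reader (persistent XSS).
def render_image_unsafe(text)
  text.gsub(IMAGE_TAG) { %(<img src="#{Regexp.last_match(1)}" />) }
end

# Hardened shape: accept only URLs that parse and are http(s) or relative,
# and HTML-escape the value before it lands in the attribute. Anything else
# is emitted as inert escaped text rather than being turned into a tag.
def render_image_safe(text)
  text.gsub(IMAGE_TAG) do
    whole = Regexp.last_match(0)
    url   = Regexp.last_match(1)
    if safe_image_url?(url)
      %(<img src="#{CGI.escapeHTML(url)}" />)
    else
      CGI.escapeHTML(whole)
    end
  end
end

# A URL is acceptable only if it parses and is scheme-less (relative) or
# http/https; javascript:, data: and malformed strings are rejected.
def safe_image_url?(url)
  uri = URI.parse(url)
  uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts render_image_unsafe(PAYLOAD)   # contains <img src="http://example.org/x.png" onerror="alert(1)" />
  puts render_image_safe(PAYLOAD)     # no <img> at all; the quotes are escaped
  puts render_image_safe(BENIGN)      # <img src="https://example.org/diagram.png?v=1&amp;s=2" />
end
```

The hardened renderer does two independent things: it refuses anything that is not a parseable http(s) or relative URL, so quote-smuggling input never becomes a tag at all, and it HTML-escapes the value it does accept, so a stray `&` or quote in a legitimate URL cannot break out of the attribute. Escaping alone is not sufficient, because it cannot neutralize a dangerous scheme in a URL that is otherwise well-formed; that is what the allowlist is for.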

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved security issue allows users who are able to add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.2-stable branches of the Redmine repository. You should either upgrade or apply the fix from the issue manually.

The full list of changes is below:

  • Bug #277: News list is missing Avatars
  • Bug #458: rmagick specified in the Gemfile doesn’t build in Ubuntu 11.04
  • Bug #591: ArgumentError (invalid byte sequence in US-ASCII)
  • Bug #640: internal error on journals for deleted custom fields
  • Bug #647: XSS: User input for images is not properly sanitized
  • Bug #652: wrong redirect after login when url contains umlaute
  • Bug #667: Label all input field and control tags
  • Bug #668: Duplicate “Modules” section on Copy Project
  • Feature #221: Use the git sha for the revision
  • Feature #240: Link to global news on projects list
  • Feature #615: Generate project identifier automatically with JavaScript

Contributors to 2.4.0

  • Eric Davis
  • Felix Schäfer
  • Greg Mefford
  • Holger Just
  • Jan Schulz-Hofen
  • Pieter Nicolai
  • Romano Licker
  • Toshi MARUYAMA
  • Etienne Massip
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.4.0 now.

ChiliProject 1.5.4 released

ChiliProject 1.5.4 has just been released. This release is a security release to fix a cross-site scripting (XSS) bug that was discovered in ChiliProject 1.5.3. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.4.0. It is suitable for use on production websites running ChiliProject 1.x, and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.4

What’s included

1.5.4 includes a security fix that was backported from ChiliProject 2.4.0.

  • Bug #647: XSS: User input for images is not properly sanitized

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved issue allows users who are able to add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.2-stable branches of the Redmine repository. You should either upgrade or apply the fix from the issue manually.

Contributors to 1.5.4

I’d like to thank all of the contributors to the 1.5.4 release.

  • Etienne Massip
  • Holger Just
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch will no longer be supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.4.0.

ChiliProject 1.5.3 released

ChiliProject 1.5.3 has just been released. This release is a security release to fix a security bug in the bundled Redmine.pm module that was discovered in ChiliProject 1.5.2. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.3.0. It is suitable for use on production websites running ChiliProject 1.x, and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.3

What’s included

1.5.3 includes 1 minor security fix that was backported from ChiliProject 2.3.0.

  • Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it

Unless you use the Repository integration, you do not need to update your installation as the fix of Redmine.pm is the only update included in this release.

Contributors to 1.5.3

I’d like to thank all of the contributors to the 1.5.3 release.

  • Holger Just
  • Jan Schulz-Hofen

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates from now on. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.3.0.

ChiliProject 2.3.0 released

ChiliProject 2.3.0 has just been released. It includes some bugfixes for ChiliProject 2.2.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.3 release which includes the security fix.

Download ChiliProject 2.3.0

What’s included

2.3.0 includes 3 new features and 4 bug fixes for 2.2.0. The major highlights of this release are:

  • Our Gemfile is more compatible to Windows deployments.
  • The bundled Redmine.pm adapter for connecting Subversion repositories to ChiliProject’s authentication and authorization model now checks that the anonymous user actually has the browse_repository permission on public projects. This should affect very few people. Previously, repositories of public projects were readable even where the Anonymous role had not been given the browse_repository permission. Non-public projects were not affected and their content was not exposed.
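The two Redmine.pm fixes on this page, the anonymous browse_repository check above (Bug #619, 2.3.0) and the credential-cache escalation described in the 2.5.0 notes (Bug #709), modelled together as an added example in Ruby. This is not code from Redmine.pm or ChiliProject. The project, user and role fixture is constructed for the demo; the permission names follow Redmine/ChiliProject naming, and the mechanism assumed for #709 (a cache key that omits the access level, so a cached read decision answers a later write) reproduces the described symptom but is an assumption, not taken from the actual module.

```ruby
require 'digest'

# Constructed fixture, not ChiliProject's data model: a project carries a
# public flag and a per-member permission list; the Anonymous role is a plain
# permission list. The permission names follow Redmine/ChiliProject naming
# (:browse_repository for read, :commit_access for write), but everything
# below is an illustration written for this page, not code from Redmine.pm.
Project = Struct.new(:identifier, :is_public, :members)
USERS = { 'alice' => 'wonderland', 'bob' => 'builder' }   # login => password
PROJECTS = {
  'pub'  => Project.new('pub',  true,  { 'alice' => [:browse_repository, :commit_access] }),
  'priv' => Project.new('priv', false, { 'bob'   => [:browse_repository] })
}
ANON_ROLE = [:view_issues]   # Anonymous may view issues but NOT browse repositories
ACCESS_PERMISSION = { read: :browse_repository, write: :commit_access }

# Weak shape of the check fixed as Bug #619: "public project" alone granted
# anonymous read access, without consulting the Anonymous role.
def anonymous_allowed_old?(project, access)
  access == :read && project.is_public
end

# Fixed shape: the project must be public AND the Anonymous role must actually
# grant browse_repository.
def anonymous_allowed?(project, access, anon_role = ANON_ROLE)
  access == :read && project.is_public && anon_role.include?(:browse_repository)
end

# Credential and permission check for an authenticated member.
def member_allowed?(project, login, password, access)
  return false unless USERS[login] == password
  project.members.fetch(login, []).include?(ACCESS_PERMISSION.fetch(access))
end

# Optional credential cache, as Redmine.pm offers. With include_access: false
# the key omits the access level, so a "yes" stored for a read also answers a
# later write: a temporary escalation of the kind described for Bug #709
# (the omitted key component is an assumption about the mechanism).
# With include_access: true, read and write decisions are cached separately.
class PermissionCache
  def initialize(include_access:)
    @include_access = include_access
    @store = {}
  end

  def key(project, login, password, access)
    parts = [project.identifier, login, Digest::SHA256.hexdigest(password)]
    parts << access if @include_access
    parts.join('|')
  end

  def fetch(project, login, password, access)
    @store.fetch(key(project, login, password, access)) do |k|
      @store[k] = yield
    end
  end
end

# Entry point in the shape of an Apache auth handler: login nil => anonymous.
def authorize(project, login, password, access, cache)
  return anonymous_allowed?(project, access) if login.nil?
  cache.fetch(project, login, password, access) do
    member_allowed?(project, login, password, access)
  end
end

if __FILE__ == $PROGRAM_NAME
  priv = PROJECTS['priv']
  weak = PermissionCache.new(include_access: false)
  authorize(priv, 'bob', 'builder', :read, weak)   # legitimate read, now cached
  puts "weak cache,  bob writes to priv: #{authorize(priv, 'bob', 'builder', :write, weak)}"   # true
  fixed = PermissionCache.new(include_access: true)
  authorize(priv, 'bob', 'builder', :read, fixed)
  puts "fixed cache, bob writes to priv: #{authorize(priv, 'bob', 'builder', :write, fixed)}"  # false
  puts "anonymous reads pub, old check: #{anonymous_allowed_old?(PROJECTS['pub'], :read)}"   # true
  puts "anonymous reads pub, new check: #{authorize(PROJECTS['pub'], nil, nil, :read, fixed)}" # false
end
```

The practical check for an operator is the same in both halves: every input that changes the authorization answer (project, identity, credential, and the access level requested) must be part of the cache key, and a "public" flag on a project is not itself a grant; the role that anonymous requests are mapped to has to carry the permission.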

The full list of changes is below:

  • Bug #594: Wiki Diff somehow off
  • Bug #617: Gemfile: Missing database related platform block for Windows + RubyInstaller
  • Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it
  • Bug #633: Update from 1.x to 2.x impossible under rare but valid circumstances
  • Feature #355: Turn on/off the if the start date will autofill by default
  • Feature #566: The “Watcher” filter should show all users.
  • Feature #644: Add Check/Uncheck all links to project form

Contributors to 2.3.0

  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Igor Zubkov
  • Jan Schulz-Hofen
  • Nick Peelman

A special thanks goes out to Jan Schulz-Hofen for finding and responsibly disclosing the Redmine.pm issue.

In closing, go and download ChiliProject 2.3.0 now.

ChiliProject 2.2.0 Released

ChiliProject 2.2.0 has just been released. It includes many bug fixes for ChiliProject 2.1.1 as well as a couple of security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Download ChiliProject 2.2.0

What’s included

2.2.0 includes 1 new feature and 9 bug fixes for 2.1.1. The major highlights of this release are:

  • Update to Rails 2.3.14 which contains a couple of security fixes:
    • SQL Injection Vulnerability in quote_table_name: (CVE-2011-2930)
    • XSS Vulnerability in strip_tags helper: (CVE-2011-2931)
    • XSS Vulnerability in the escaping function in Ruby on Rails in Ruby 1.9: (CVE-2011-2932)
    • Response Splitting Vulnerability in Ruby on Rails: (CVE-2011-3186)
  • A smarter algorithm to resolve plugin dependencies

The full list of changes is below:

  • Bug #256: requires_redmine_plugin should defer loading plugins if not all dependencies are met
  • Bug #517: Remove included lib/faster_csv.rb
  • Bug #551: Hardcoded French string in wiki/diff.rhtml
  • Bug #552: Hardcoded English string in RepositoriesHelper
  • Bug #557: Calendar links for previous/next month contains double escaped characters
  • Bug #561: PDF export of issue gives TypeError (can’t convert nil into String)
  • Bug #573: acts_as_searchable definition in WikiPage may be insufficient and cause SQL errors
  • Bug #577: Invalid watcher user error when adding an invalid user as watcher
  • Bug #586: TabularFormBuilder doesn’t work with subforms
  • Feature #275: Implement requires_chiliproject and requires_chiliproject_plugin methods
  • Task #584: Upgrade to Rails 2.3.14

Contributors to 2.2.0

I’d like to thank all of the contributors to the 2.2.0 release.

  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jean-Philippe Lang
  • Tom Rochette

The upgrading and installation documentation has already been updated for 2.2.0. If you have not yet upgraded to ChiliProject 2, make sure to follow the upgrading instructions in the release notes.

What’s Next?

This is the fourth release in our 2.0.0 series so we will continue to support it with monthly bugfix releases until around December 2011. Around that time the next major ChiliProject version will be released (3.0.0).

We are working on making ChiliProject leaner by removing custom code and using standard functionality from various gems instead. Based on that we are going to make ChiliProject much easier to install and upgrade. We are also going to introduce the new default theme which — besides looking great — will provide a much better user experience.

If you’re interested in participating or contributing to ChiliProject, please leave a comment below or post to our forums. Now is a great time to start contributing to the project and we would love to have your help with all aspects of ChiliProject.

In closing, go and download ChiliProject 2.2.0 now.

ChiliProject 2.1.1 Released

ChiliProject 2.1.1 has just been released. This release is a security release to fix a set of XSS vulnerabilities that were discovered in ChiliProject 2.1.0. It contains no other bug fixes or new features. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Download ChiliProject 2.1.1

What’s included

2.1.1 includes 1 major security fix for a set of XSS vulnerabilities that the core team discovered late last Friday, after the release of 2.1.0.

  • Bug #557: Multiple XSS vulnerabilities

Contributors to 2.1.1

I’d like to thank all of the contributors to the 2.1.1 release.

  • Eric Davis
  • Holger Just

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

Download ChiliProject 2.1.1