Plone 4.3.12

There may be hotfixes applicable to this release. Always check the Plone Hotfix page before production deployment.

Release notes

Date released2017-03-15
Release managerEric Steele

Windows users: use the Vagrant kit. We anticipate having a binary Windows installer for later releases.

OS X users: use the Vagrant kit or install XCode command-line tools and use the Unified Installer.

Automated provisioning: See Plone's Ansible Playbook for a full-stack installation kit.



collective.recipe.template: 1.9 → 1.13

setuptools: 20.1.1 → 26.1.1

mr.developer: 1.33 → 1.34

plone.recipe.zeoserver: 1.2.9 → 1.3

New features:
  • Add support for log rotation. [hvelarde]
Bug fixes:
  • Typo in documentation. [ale-rt]

plone.recipe.zope2instance: 4.2.21 → 4.2.22

Bug fixes:
  • Add coding headers on python files. [gforcada] 1.0 → 1.0.1

Bug fixes:
  • fix broken links [staeff]

Plone: 4.3.11 → 4.3.12

New features:
  • Release Plone 4.3.12

Products.Archetypes: 1.9.12 → 1.9.13

Bug fixes:
  • no allowable_content_types for description (avoid validation) [tschorr]

  • add item here

Products.CMFDiffTool: 2.2.0 → 2.2.1

Bug fixes:
  • Fix error when showing changes to objects of type "set" [deankarlen]

Products.CMFDynamicViewFTI: 4.1.4 → 4.1.5

Bug fixes:
  • Don't instantiate browser view to check for existence. [malthe]

Products.CMFEditions: 2.2.21 → 2.2.23

Bug fixes:
  • In ShadowStorage's isRegistered and getHistory methods, avoid checking for a history_id of None in the storage's BTree. This fixes compatibility with BTrees 4.x, which disallows comparing keys to None. [davisagli]

  • Fix deprecated import from Globals that is changed in Zope4. [pbauer]

  • Do not log using plone restricted python logging script. [jensens]

Products.CMFFormController: 3.0.6 → 3.0.8

Bug fixes:
  • Applied security hotfix 20160830 for redirect_to. This action refuses to redirect to unknown external sites. Added external_redirect_to action in case someone does need to redirect to an external site. This option is also there in the hotfix. [maurits]

  • Move patch from plone.protect 3.x to Actions.RedirectTo so it allows ATContentTypes add forms to append auth token. Issue [staeff, fredvd]

Products.CMFPlacefulWorkflow: 1.5.13 → 1.5.14

Bug fixes:
  • Fixed workflow tests for new comment_one_state_workflow. [maurits]

Products.CMFPlone: 4.3.11 → 4.3.12

New features:
  • Added ok view. This is useful for automated checks, for example httpok, to see if the site is still available. It returns the text OK and sets headers to avoid caching. [maurits]

  • Add sort_on field to search controlpanel. [rodfersou]

Bug fixes:
  • Added security checks for str.format. Part of PloneHotfix20170117. [maurits]

  • Fixed workflow tests for new comment_one_state_workflow. [maurits]

  • Fix base tag differs from actual URL (fixes #86_). [rodfersou]

  • Load some patches earlier, instead of in our initialize method. This is part of PloneHotfix20161129. [maurits]

  • Apply security hotfix 20160830 for z3c.form widgets. [maurits]

  • Fixed tests in combination with newer CMFFormController which has the hotfix. [maurits]

  • Apply security hotfix 20160830 for @@plone-root-login. [maurits]

  • Apply security hotfix 20160830 for isURLInPortal. [maurits]

  • Include inactive content in worklists. [sebasgo]

Products.CMFQuickInstallerTool: 3.0.13 → 3.0.15

Bug fixes:
  • Fix imports since Globals was removed in Zope4 [pbauer]

  • Added link to the Add-ons control panel in the QI ZMI form. And say the form itself is deprecated. [maurits]

  • Apply security hotfix 20160830 for installProducts redirection. On top of that, we require a POST request. [maurits]

Products.contentmigration: 2.1.13 → 2.1.15

Bug fixes:
  • Errors has been dropped/deprecated errors from OFS.CopySupport. [tschorr]

  • Remove unused import of Archetypes. [davisagli]

Products.DCWorkflow: 2.2.4 → 2.2.5

Products.ExternalEditor: 1.1.0 → 1.1.3

  • Fixed reflective XSS in findResult. This applies PloneHotfix20170117. [maurits]

  • Quote variable in manage_tabs to avoid XSS. From Products.PloneHotfix20160830. [maurits]

  • Reverted dtml to older Zope 2.12/2.13. Version 2.0.0 had changes for Zope trunk that were making the management interface ugly (missing icons) in older Zopes. So there now is a branch 1.1.x to support those versions. Note that our code patches OFS.ObjectManager.manage_main and App.Management.Tabs.manage_tabs, adding external edit icons to those files.

  • Moved code to

Products.GenericSetup: 1.8.3 → 1.8.6

  • Added a purge_old option to the tarball import form. By default this option is checked, which matches the previous behavior. If you uncheck it, this avoids purging old settings for any import step that is run. [maurits]

  • Stopped using a form library to render the components form.

  • Made _profile_upgrade_versions a PersistentMapping. When (un)setLastVersionForProfile is called, we migrate the original Python dictionary. This makes some code easier and plays nicer with transactions, which may especially help during tests. [maurits]

Products.PlacelessTranslationService: 2.0.6 → 2.0.7

Bug fixes:
  • Fix import from Globals that is removed in Zope4. [pbauer]

Products.PlonePAS: 5.0.11 → 5.0.13

Bug fixes:
  • In getMemberInfo, if a property is not present it now returns an empty string, rather than raising an exception. This fixes login for sites that have location removed. [MatthewWilkes]

  • Depend on plone.protect 2.0.3 or higher. Fixes [maurits]

Products.TinyMCE: 1.3.23 → 1.3.25

Bug fixes:
  • Allow HTML 5.1 allowfullscreen attribute for iframe. This is needed for some embed videos to allow full screen functionality. [vincentfretin]

  • Breadcrumbs on browser plugin will not longer be emtpy when one of the parents is not accessible. See #150_. [keul]

Products.ZSQLMethods: 2.13.4 → 2.13.5

Products.statusmessages: 4.1.1 → 4.1.2

Bug fixes:
  • Fix deprecated import in test. [pbauer] 1.0.13 → 1.0.15

Bug fixes:
  • Fix summary view for results with Discussion Items [ichim-david]

  • Check with getattr if item isPrincipiaFolderish as Comment does not have this attribute which would render an AttributeError [ichim-david]

  • Make formatting of start & end dates in tabular view consistent with other dates [djowett] 2.1.5 → 2.1.7

Bug fixes:
  • Removed registry settings for download behaviour of blobs based on mimetype patterns. This was missing support in upgrades, and was not used in core, and did not end up in Plone 5.0 or 5.1. So let's not use it in a version for Plone 4.3. See issue 119 <>_. [maurits]

  • Apply security hotfix 20160830 for folder factories redirection. [maurits]

  • Added registry settings for download behaviour of blobs based on mimetype patterns. [djay] 2.3.9 → 2.3.11

New features:
  • Added options to change default search order. [rodfersou]
Bug fixes:
  • Fix tests for syndication control panel to pass also with new versions [Asko Soukka] 2.2.18 → 2.2.20

Bug fixes:
  • Make comment on private content not publicly available in search results. Part of PloneHotfix20161129. [vangheem, maurits]

  • Apply security hotfix 20160830 for redirects. [maurits] 2.1.17 → 2.1.18

Bug fixes:
  • Remove broken references when making checkout. Fixes issue 30 <>_. [maurits] 1.8.0 → 1.9.0

New features:
  • An overlay registered by the prepOverlay function can now be optionally be triggered by a hover or doubleclick event, instead of click. [petri] 2.3.15 → 2.3.17

Bug fixes:
  • Fix error in viewlet when related dexterity item has been deleted. [maurits]

  • Rework sitemap.xml.gz to allow filtering of sitemap elements; and supply such a filter if LinguaPlone is installed. [djowett] 4.3.11 → 4.3.12

  • Update French translations for plone.protect 3.0.x (backported from Plone 5 French translations). [vincentfretin] 2.5.5 → 2.5.6

Bug fixes:
  • Apply security hotfix 20160830 for redirects. Also, made sure that all form views have a referer property: until now some did not have it, some had it as property, some had it as method. [maurits] 1.2.10 → 1.2.11

Bug fixes:
  • Import DateTimeError from DateTime.interfaces, class attribute DateTime.DateTimeError was removed in DateTime 3.0 [vincentfretin] 1.1.8 → 1.1.11

New features:
  • Added options to change default search order. [rodfersou]
Bug fixes:
  • Fixed sometimes failing search order tests. [maurits]

  • Fix Search RSS link condition to use search_rss_enabled option and use rss.png instead of rss.gif that doesn't exist anymore. [vincentfretin] 1.2.7 → 1.2.8

New features:
  • Enable the RichText field to work together with a simple ITextAreaWidget. [jensens]
Bug fixes:
  • Cleanup: Use more zope.interface decorators, add utf8 headers, isort imports, zcml conditions are enough. [jensens] 1.3.27 → 2.0.0 1.2.4 → 1.2.5

Bug fixes:
  • Give a 404 when the user-information form is called with a not existing userid. [maurits]

  • Don't show unescaped user id in user-information form. This applies PloneHotfix20160830. [maurits] 1.1.1 → 1.1.3

Bug fixes:
  • Fix test in Zope 4. [davisagli]

  • Update code to follow Plone styleguide. [gforcada]

plone.alterego: 1.0.1 → 1.1.1

New features:
  • Add compatibility with Python 3. [datakurre]
Bug fixes:
  • Update code to follow Plone styleguide. [gforcada]

plone.behavior: 1.1.2 → 1.1.4

New features:
  • Support Python 3. [davisagli]
Bug fixes:
  • Add already introduced attribute name to interface IBehavior. This was missing. Also modernized other IBehavior interface descriptions a bit. [jensens]

plone.browserlayer: 2.1.6 → 2.1.7

Bug fixes:
  • Removed ZopeTestCase. We were importing from it but not using it... [ivanteoh, maurits]

plone.cachepurging: 1.0.12 → 1.0.13

Bug fixes:
  • Code-Style: isort, utf8-headers, zca-decorators, manual cleanup. [jensens]

plone.dexterity: 2.2.7 → 2.2.8

Bug fixes:
  • Fix error when copying DX containers with AT children which caused the children to not have the UID updated properly. [jone]

plone.locking: 2.0.9 → 2.0.10

Bug fixes:
  • Update README.rst with Compatibility [djowett]

plone.namedfile: 3.0.9 → 3.0.10

New features:
  • Add Pdata storage [vangheem]

plone.outputfilters: 1.15.1 → 1.15.3

New features:
  • Added tel: to ignored link types. [julianhandl]
Bug fixes:
  • Do not transform a and img tags when inside script tag. [gotcha]

  • Explicitly exclude mailto: links from being UID-resolved. [thet]

plone.portlets: 2.2.3 → 2.3

New features:
  • Support Python 3. [davisagli]

plone.registry: 1.0.4 → 1.0.5

Bug fixes:
  • Fix endless recursion on getting values from broken records proxy objects This fixes [tomgross, maurits]

plone.resource: 1.0.6 → 1.2.1

New features:
  • Fire events on resources creation/modification [jpgimenez, ebrehault]

  • Use mimetypes_registry utility to dertermine mimetype if available. [jensens]

Bug fixes:
  • 'unittest2' is a test dependency, make this explicit in [jensens]

  • Remove duplicte import [jensens]

  • Add coding headers on python files. [gforcada]

  • Applied 20160830 security hotfix. [maurits]

plone.scale: 1.4.1 → 1.4.2

Bug fixes:
  • When getting an outdated scale, don't throw it away when there is no factory. [maurits]

  • Avoid TypeErrors when looking for outdated scales. Fixes issue 12 <>_. [maurits]

  • Catch KeyError when deleting non existing scale. This can happen in corner cases. Fixes issue 15 <>_. [maurits]

  • Set zip_safe=False in Otherwise you cannot run the tests of the released package because the test runner does not find any tests in the egg file. Note that this is only a problem in zc.buildout 1.x: it uses unzip=False by default. zc.buildout 2.x no longer has this option and always unzips eggs. [maurits]

plone.schemaeditor: 1.3.11 → 1.4.1

Bug fixes:
  • Re-add overlay registration for Plone 4 accidentally removed in 1.4. [seanupton]

  • Make tests and mocks for plone keyring work fine for both plone.protect 2.x and 3.x. This required adding test dependency on lxml, as plone.protect 3.x transform outputs HTML varying from 2.x. [seanupton]

  • Backport doctest (functional/browser) fix for choices from 2.0. [seanupton]

  • Auto-include plone.protect in ZCML, so that tests will run (backport). [seanupton]

  • Use window.href.pathname for re-order URL construction, to avoid muddled URL concatenation conflicting with authenticator token possibly in querystring. [seanupton]

  • Removed debugger statement from schemaeditor.js. [seanupton]

  • Backport field reorder compatbility fixes from 2.0.3 for jquery.event drag and drop (vangheem). [seanupton]

  • Backport CSRF protection from plone.schemaeditor 2.0.2, for AJAX compatibility with plone.protect 3.0.x in Plone 4.3.x. [seanupton]

  • Fix for cases where _authenticator is injected into the querystring of the URL; in such cases, we get appropriate base URL. This may be particular to use of plone.protect 3.0.x in Plone 4, in some circumstances. [seanupton]

plone.stringinterp: 1.0.13 → 1.0.14

New features:
  • Provide a ContextWrapper adapter in order to easily pass custom messages to StringInterpoator [avoinea]

plone.subrequest: 1.7.0 → 1.8

New features:
  • Provide an exception-handler for rewriting Unauthorized to 401's. [jensens]

plone.synchronize: 1.0.1 → 1.0.2

New features:
  • Test Python 3 compatibility. [datakurre]

plone4.csrffixes: 1.0.9 → 1.1

z3c.form: 3.2.9 → 3.2.11

  • Fix TypeError: object of type 'generator' has no len(). Happens with z3c.formwidget.query. [maurits]

  • Turned items into a property again on all widgets. For the select widget it was a method since 2.9.0. For the radio and checkbox widgets it was a method since 3.2.10. For orderedselect and multi it was always a property. Fixes [maurits]

  • Removed z3c.coverage from test extra. [gforcada, maurits]

  • RadioWidget items are better determined when they are needed [agroszer]

  • CheckBoxWidget items are better determined when they are needed [agroszer]

  • Bugfix: The ChoiceTerms adapter blindly assumed that the passed in field is unbound, which is not necessarily the case in interesting ObjectWidget scenarios. Not it checks for a non-None field context first. [srichter] 1.1.6 → 1.1.8

Bug fixes:
  • Do not index sync_uid, start and end fields if they are empty. [bsuttor]

  • Fix bug when an event is in creation and has not yet uid. [bsuttor] 0.7.5 → 0.7.6

Bug fixes:
  • Add coding header on python files. [gforcada]

plone.formwidget.autocomplete: 1.2.10 → 1.2.11

Bug fixes:
  • Better handling of undefined data [agitator]

Products.LinguaPlone: 4.1.5 → 4.1.8

Bug fixes:
  • Fix Home link in the translationbrowser_popup template to point to navigation root, not the site root. [vincentfretin]

  • Add tests for sitemap [djowett]

  • Fixed bug where even Manager could not view a folder with private default page. Fixes [maurits]

  • Fixed CSRF protection bug on @@language-setup-folders view. [syzn]

  • Show also current language link in header hreflang links. [erral]

Project resources

Learn about Plone