Summary of changes from February 1, 2019 to February 8, 2019.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rPa20f10803 | 34 commits |
| Arcanist | rARC | | rARC25c23819 | 0 commits |
| libphutil | rPHU | | rPHU24a884c | 2 commits |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS9999af1 | 4 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICESf2c5cfb | 3 commits |
| Core (SAAS) | rCORE | {icon lock} | rCOREbbd45c0 | 0 commits |
- These changes were promoted to `stable`.
General
=======
[{icon tint, color=sky}] Users may now always log in to their accounts by sending themselves an email login link. Previously, this flow was only available if password auth was enabled, via the "Forgot Password?" link. Now, the login page will always have a link to this workflow (either "Forgot Password?" if password auth is enabled, or "Send a login link to your email address." if password auth is not enabled).
Users may now unlink their last external account. Previously, this was prevented because unlinking your last account may mean you can no longer log in. Since you can always log in via email now, you're permitted to unlink your last account as long as you confirm through a warning about the risk. This is mostly useful to fix accounts that have become linked incorrectly.
[{icon tint, color=sky}] Owners now supports some additional "Audit" modes. Previously, auditing could be "Disabled" or "Enabled". The "Enabled" option is now called "Audit Commits With No Owner Involvement", and triggers on commits not authored or reviewed by owners (this is substantially identical to the old behavior). New options allow automatic auditing of "Unreviewed Commits", where a corresponding revision does not exist or was not properly "Accepted" before the change landed.
When an Owners Package is a reviewer and that Package-Reviewer accepts a revision, this is now considered "owner involvement" for the purpose of "...With No Owner Involvement" audit rules.
Security
========
- //No notes in this period.//
Migrations
==========
| Migration | Risk | Duration | Notes |
|-----------|------|----------|-------|
| 20190206.external.01.legalpad.sql | | 24 ms |
| 20190206.external.02.email.sql | | 79 ms |
| 20190207.packages.01.state.sql | | 30 ms |
| 20190207.packages.02.migrate.sql | | 3 ms |
| 20190207.packages.03.drop.sql | | 23 ms |
| 20190207.packages.04.xactions.php | | 31 ms |
//"Duration" is the duration for this install, and may not be representative.//
Upgrading / Compatibility
=========================
- [{icon tint, color=sky}] `owners.edit` now accepts string constants for `auditing` transactions. String constants are now preferred. (For compatibility, `"0"`, `"1"`, and `""` are still supported.)
- `PhabricatorAuthLoginHandler` has been removed. This handler was used to add guidance to the login flow. It is substantially obsoleted by {nav Auth > Customize Messages}.
- `feed.http-hooks` now explicitly warns that it is deprecated.
- The `metamta.default-address` configuration option is now locked (and has a slightly richer description).
- Very old installs (from before June 2013) with LDAP or OAuth data that have not performed an upgrade since then will no longer be able to upgrade directly to a modern (February 2019) version of Phabricator because a required migration against ancient LDAP/OAuth data no longer functions. If you are affected, you will receive an error when you attempt to upgrade. To move forward, upgrade to an intermediate version of Phabricator first (any version released between June 2013 and February 2019), then upgrade to modern Phabricator. It is likely that the number of installs affected by this is 0 or very close to 0.
- Changing usernames no longer warns users about a need to reset their password, as this should no longer be necessary since January 2018. Users who: set a password on a version of Phabricator from before January 2018; and have never used that password to log in to any version of Phabricator released between January 2018 and January 2019; and have their usernames changed in a version of Phabricator released after January 2019 may still need to reset their password after the username change. They can use the "Forgot Password?" link to do this.
Minor
=====
- Improved handling of `EINTR` after `EPIPE` when writing to streams.
- Duo MFA validation is no longer improperly applied to other MFA types.
- Fixed a missing menu in `/mail/` on mobile.
- User renames now render more readably in Feed.
- Login and MFA forms now more consistently focus their inputs automatically.
- Fixed an issue where some `feed.http-hooks` data wasn't constructed properly.
- Fixed an issue where `transaction.search` would fail against Diff objects with matching transactions.
- Users may now be approved from their "Manage" page.
- Auth no longer raises warnings about registration being too open if no providers actually allow registration.
- [{icon tint, color=sky}] Improved construction of an Audit query in cases where viewers belong to a very large number of projects and/or packages.
- Minor UI/UX improvements to some payments workflows.
- [{icon tint, color=sky}] When you override the lock on an object, transactions are now marked with an icon to indicate you might be bending the rules. The existing "MFA" and "Silent" transaction markers are also now more visible.
- It is now more difficult to reach invalid vote states in Slowvote.
- The Duo MFA flow now provides more encouragement.
//The [{icon tint, color=sky}] icon indicates a change backed by support mana.//