
2019 Week 7 (Mid February)
Updated 155 Days Ago · Public

Summary of changes from February 8, 2019 to February 15, 2019.

Codebase | Repository | HEAD | Activity
Phabricator | rP | rP8810cd2f436 commits
Arcanist | rARC | rARC07a208d82 commits
libphutil | rPHU | rPHUda84d9c7 commits
Instances (SAAS) | rSAAS | rSAASacff9421 commit
Services (SAAS) | rSERVICES | rSERVICES832743e2 commits
Core (SAAS) | rCORE | rCORE2340e131 commit
  • These changes were promoted to stable.

General

  • No notes in this period.

Security

When users follow an invite link to an instance, they are now more consistently permitted to register an account using non-registration authentication providers. This was originally an intended behavior, but often didn't work correctly.

For example, if your install uses password authentication but doesn't let users register accounts, users who you explicitly invite will still be able to register and set up a password. This also applies to other types of providers, including OAuth providers.

(This is primarily a bug fix, not a security change, but it does change the rules around who can register an account to include "users who have been explicitly invited" in some cases where they were previously unable to register an account.)

Migrations

Migration | Risk | Duration | Notes
20190206.external.03.providerphid.sql | | 2,453 ms |
20190206.external.04.providerlink.php | | 81,433 ms |

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

  • The internal API for PhutilURI has changed. If you maintain custom extensions or applications, you may need to make some adjustments. See T13251 for details.
  • The "Import From LDAP" workflow has been removed. In many cases, it did not work well and could put account records in unsafe or inconsistent states. Real account import/sync tools are somewhere on the horizon.
  • Phabricator now raises setup warnings about "Locked" configuration values which are present in the database. Usually, this means you set a value in the database a long time ago, then a later Phabricator upgrade changed the setting from "unlocked" to "locked". The setup warning should guide you through moving this config to another source (usually a config file) and removing it from the database. There is no associated behavioral change yet, but some future version of Phabricator will stop reading this configuration from the database (since this will slightly improve security).

Minor

  • [] arc diff now warns when any reviewers are currently away, even if not all reviewers are away.
  • Fixed an issue with text in the form [x]() emitting a warning in Remarkup.
  • Various exception handling behavior has been improved under PHP7+.
  • Fixed various issues with URI handling introduced in the previous release, generally manifesting as __toString() fatals.
  • [] Corrected an issue where some logic was inverted with the new "Unreviewed Revision" audit rules.
  • Added support for Mailgun EU domains.
  • Users with no account password who visit the "Password" settings panel will now be more clearly guided to "Set Password". This is technically only a UX change, not a functional change.
  • [] bin/audit delete now synchronizes commit audit status after making changes.
  • [] The help for bin/audit synchronize is now more helpful.
  • Fixed an issue where publishing build results to bare diffs (not attached to a revision) would fail. This workflow is unusual.
  • [] Corrected some visual/aural hints in timelines, for screenreaders.
  • Fixed an issue where CAPTCHAs failed to render on the password reset flow because of an excessively strict Content-Security-Policy.
  • [] The Maniphest task graph now shows more nodes (200, up from 100) and supports a standalone view which draws up to 2,000 nodes.
  • [] When users follow a "Welcome" or "Password Reset / Email Login" link to an instance, and the instance does not use passwords, and their account has no external providers linked, they are now prompted to link an external provider. This prompt is a little rough in this release, but probably better than the old flow, which just dumped them in the middle of the desert with no food and no water.
  • [] Duo MFA now live-updates when you confirm a challenge on your phone.

The [] icon indicates a change backed by support mana.

Last Author
epriestley
Last Edited
Feb 16 2019, 3:04 AM
