Changelogs » Udata




- Plugin's translations are now correctly loaded [2529](
  - Vine version is now pinned in requirements [2532](
  - Fix reuses metrics [2531](
  - Reuses "datasets" metrics are now triggered correctly
  - New job to update the datasets "reuses" metrics: `update-datasets-reuses-metrics` to be scheduled
  - Add a migration to set the reuses datasets metrics to the correct value [2540](
  - Add a specific dataset's method for resource removal [2534](
  - Flask-Security update [2535](
  - Switch to fork Flask-Security-Too
  - New settings to set the required password length and complexity
  - Fix Flask-Security sendmail overriding [2536](
  - Add a custom password complexity checker to Flask-Security [2537](
  - Change too short password error message [2538](


- Some fixes for the static files deletion [2526](
  - New static files migration replacing the older one:
  - The migration now uses FS_URL.
  - Fixed the fs_filename string formatting.
  - Now checks the community resource's URLs too.
  - Removing the deletion script link in the CHANGELOG previous entry.
  - Add a schema facet to the dataset search 🚧 requires datasets reindexation [2523](


- CORS are now handled by Flask-CORS instead of Flask-RestPlus [2485](
  - Oauth changes [2510](
  - Authorization code Grant now supports PKCE flow
  - New command to create an OAuth client
  - :warning: Implicit grant is no longer supported
  - :warning: Deletion workflow changes [2488](
  - Deleting a resource now triggers the deletion of the corresponding static file
  - Deleting a dataset now triggers the deletion of the corresponding resources (including community resources) and their static files
  - Adding a celery job `purge-orphan-community-resources` to remove community resources not linked to a dataset. This should be scheduled regularly.
  - Adding a migration file to populate resources fs_filename new field. Deleting the orphaned files is pretty deployment specific.
  A custom script should be written in order to find and delete those files.
  - Show traceback for migration errors [2513](
  - Add `schema` field to resources. This field can be filled based on an external schema catalog [2512](
  - Add 2 new template hooks: `base.modals` (base template) and `dataset.resource.card.extra-buttons` (dataset resource card) [2514](


- Fix internal links in markdown when not starting w/ slash [2500](
  - Fix JS error when uploading a resource in certain conditions [2483](






Breaking changes
  - Full metrics refactoring [2459](
  - Metric collection is now useless and will not be filled anymore, you can remove it or keep it for archival sake. It will not be automatically removed.
  - [udata-piwik]( now uses InfluxDB as a buffer for traffic data before injecting them into udata's models.
  - Most of celery's tasks related to metrics are removed, this should help performance-wise on a big instance.
  - Charts related to metrics are removed from admin and dashboard panel until we have accurate data to populate them.
  - Site's metrics computation is not triggered by signals anymore.
  - A specific celery job needs to be run periodically to compute site's metrics.
  New features
  - Nothing yet


- Fix export-csv command (py3 compat) [2472](


- :warning: Security fix: fix XSS in markdown w/ length JS filter [2471](


- :warning: Breaking change / security fix: disallow html tags in markdown-it (JS markdown rendering) [2465](

2.0.1 not secure

- Allow images to be displayed in markdown by default [2462](
  - Fix deleted user's authentication on backend side [2460](

2.0.0 not secure

Breaking changes
  - Migration to Python 3.7 [1766](
  - The new migration system ([1956]( uses a new python based format. Pre-2.0 migrations are not compatible so you might need to upgrade to the latest `udata` version `<2.0.0`, execute migrations and then upgrade to `udata` 2+.
  - The targeted mongo version is now Mongo 3.6. Backward support is not guaranteed
  - Deprecated celery tasks have been removed, please ensure all old-style tasks (pre 1.6.20) have been consumed before migrating [2452](
  New features
  - New migration system [1956](
  - Use python based migrations instead of relying on mongo internal and deprecated `js_exec`
  - Handle rollback (optional)
  - Detailed history
  - Template hooks generalization: allows to dynamically extend template with widgets and snippets from extensions. See [the dedicated documentation section]( [2323](
  - Markdown now supports [Github Flavored Markdown (GFM) specs]( (ie. the already supported [CommonMark specs]( plus tables, strikethrough, autolinks support and predefined disallowed raw HTML) [2341](

1.6.20 not secure

- New Crowdin translations [2360](
  - Fix territory routing for latest [2447](
  - Refactor Celery: py2/py3 compatibility, use ids as payload [2305](
  - Automatically archive dangling harvested datasets :warning: this is enabled by default [2368](
  - Refactor celery tasks to avoid models/documents in the transport layer [2305](

1.6.19 not secure

- `rel=nofollow` on remote source links [2364](
  - Fix admin messages and fix user roles selector default value [2365](
  - Fix new harvester's form tooltip showup [2371](
  - Fix responsive design of search results [2372](
  - Fix non-unique ids in datasets' comments [2374](
  - Case insensitive license matching [2378](

1.6.18 not secure

- Remove embedded API doc [2343]( :warning: Breaking change, please customize `API_DOC_EXTERNAL_LINK` for your needs.
  - Removed published date from community resources [2350](
  - Added new size for avatars in user's model (`udata images render` must be run in order to update the size of existing images) [2353](
  - Fixed user's avatar change [2351](
  - Removed dead code [2355](
  - Resolved conflict between id and slug [2356](
  - Fix next link in posts pagination [2358](
  - Fix organization's members roles translation [2359](

1.6.17 not secure

- Disallow URLs in first and last names [2345](

1.6.16 not secure

- Prevent Google ranking spam attacks on reuse pages (`rel=nofollow` on reuse link) [2320](
  - Display admin resources list actions only if user has permissions to edit [2326](
  - Fix non-admin user not being able to change their profile picture [2327](

1.6.15 not secure

- Style links in admin modals [2292](
  - Add activity.key filter to activity.atom feed [2293](
  - Allow `Authorization` as CORS header and OAuth minor fixes [2298](
  - Set dataset.private to False by default (and fix stock) [2307](
  - Fixes some inconsistencies between admin display (buttons, actions...) and real permissions [2308](

1.6.14 not secure

- Cleanup `permitted_reuses` data (migration) [2244](
  - Proper form errors handling on nested fields [2246](
  - JS models load/save/update consistency (`loading` always `true` on query, always handle error, no more silent errors) [2247](
  - Ensures that date ranges are always positive (ie. `start` < `end`) [2253](
  - Enable completion on the "`MIME type`" resource form field (needs reindexing) [2238](
  - Ensure oembed rendering errors are not hidden by default error handlers and have cors headers [2254](
  - Handle dates before 1900 during indexing [2256](
  - `spatial load` command is more resilient: make use of a temporary collection when `--drop` option is provided (avoid downtime during the load), in case of exception or keyboard interrupt, temporary files and collections are cleaned up [2261](
  - Configurable Elasticsearch timeouts. Introduce `ELASTICSEARCH_TIMEOUT` as default/read timeout and `ELASTICSEARCH_INDEX_TIMEOUT` as indexing/write timeout [2265](
  - OEmbed support for organizations [2273](
  - Extract search parameters as settings allowing fine tuning search without repackaging udata (see [the **Search configuration** documentation]( [2275](
  - Prevent `DoesNotExist` error in activity API: silence the error for the consumer but log it (ie. visible in Sentry) [2268](
  - Optimize CSV export generation memory wise [2277](

1.6.13 not secure

- Rename og:image target :warning: this will break your custom theme, please rename your logo image file to `logo-social.png` instead of `logo-600x600.png` [2217](
  - Don't automatically overwrite `last_update` field if manually set [2020](
  - Spatial completion: only index last version of each zone and prevent completion cluttering [2140](
  - Init: prompt to load countries [2140](
  - Handle UTF-8 filenames in `spatial load_logos` command [2223](
  - Display the datasets, reuses and harvesters deleted state on listing when possible [2228](
  - Fix queryless (no `q` text parameter) search results scoring (or lack of scoring) [2231](
  - Miscellaneous fixes on completers [2215](
  - Ensure `filetype='remote'` is set when using the manual resource form [2236](
  - Improve harvest sources listing (limit `last_job` fetched and serialized fields, reduce payload) [2214](
  - Ensure HarvestItems are cleaned up on dataset deletion [2214](
  - Added `config.HARVEST_JOBS_RETENTION_DAYS` and a `harvest-purge-jobs` job to apply it [2214]( (migration). **Warning, the migration will enforce `config.HARVEST_JOBS_RETENTION_DAYS` and can take some time on a big `HarvestJob` collection**
  - Drop `no_dereference` on indexing to avoid the "`dictionary changed size during iteration`" error until another solution is found. **Warning: this might result in more resource consumption while indexing** [2237](
  - Fix various issues around discussions UI [2190](

1.6.12 not secure

- Archive dataset feature [2172](
  - Refactor breadcrumb includes [2173](
  - Better dependencies management [2182]( and [2172/install.pip](
  - Reduce following to starring [2192](
  - Simplify display of spatial coverage in search results [2192](
  - Add cache for organization and topic display pages [2194](
  - Dataset of datasets: id as ref instead of slug [2195]( :warning: this introduces some settings changes, cf [documentation for EXPORT_CSV](
  - Add meta og:type: make twitter cards work [2196](
  - Fix UI responsiveness [2199](
  - Remove social media sharing feature [2200](
  - Quick fix for activity.atom [2203](
  - Remove diff from js dependencies to fix CVE [2204](
  - Replace default sort label for better readability [2206](
  - Add a condition to up-to-dateness of a dataset [2208](
  - Prevent deleted harvesters from running until purged. Harvest jobs history is deleted too on purge. [2209](
  - Better quality.frequency management [2211](
  - Fix caching of topic pages [2213](

1.6.11 not secure

- Center incomplete rows of cards [2162](
  - Allow .dxf upload [2164](
  - Always use remote_url as harvesting source [2165](
  - Update jquery to ~3.4.1 [2161](
  - Fix various issues with search result page [2166](
  - Restore notbroken facet includes [2169](

1.6.10 not secure

- Remove `<br>` in badge display [2156](
  - Display user avatar and fix its sizing [2157](
  - Redirect unfiltered csv exports to dataset of datasets [2158](
  - Show organization id in a modal and add hyperlinks to ids in detail modal [2159](

1.6.9 not secure

- Add user slug to dataset cache key [2146](
  - Change display of cards of reuses on topic pages [2148](
  - Display remote source of harvested dataset [2150](
  - Prefill community resource type on upload form [2151](
  - Fix user profile UI [2152](
  - Remove concept of permitted reuse [2153](

1.6.8 not secure

- Configurable search autocomplete [2138](

1.6.7 not secure

- Refactor DCAT harvesting to store only one graph (and prevent MongoDB document size overflow) [2096](
  - Expose sane defaults for `TRACKING_BLACKLIST` [2098](
  - Bubble up uploader errors [2102](
  - Ensure `udata worker status --munin` always outputs zero values so munin won't see it as a "no data" response [2103](
  - Metrics tuning: breaks circular dependencies, drop exec_js/eval usage, proper logging... [2113](
  - Change reuse icon from "retweet" to "recycle" [2122](
  - Admins can delete a single comment in a discussion thread [2087](
  - Add cache directives to dataset display blocks [2129](
  - Export multiple models objects to CSV (dataset of datasets) [2124](

1.6.6 not secure

- Automatically loads default settings from plugins (if `plugin.settings` module exists) [2058](
  - Fixes some memory leaks on reindexing [2070](
  - Fixes minor UI bug [2072](
  - Prevent ExtrasField failure on null value [2074](
  - Improve ModelField errors handling [2075](
  - Fix territories home map [2077](
  - Prevent timeout on `udata index` in some cases [2079](
  - Pin werkzeug dependency to `0.14.1` until incompatibilities are fixed [2081](
  - Prevent client-side error while handling unparseable API response [2076](
  - Fix the `udata job schedule` erroneous help message [2083](
  - Fix upload button on replace resource file [2085](
  - Ensure harvest items statuses are updated on the right job [2089](
  - Added Serbian translations [2055](

1.6.5 not secure

- Replace "An user" by "A user" [2033](
  - Use "udata" and fix a few other typos in documentation and UI/translation strings [2023](
  - Add a surrounding block declaration around community section [2039](
  - Fix broken form validation on admin discussions and issues [2045](
  - Fix full reindexation by avoiding `SlugField.instance` deepcopy in `no_dereference()` querysets [2048](
  - Ensure deleted user slug is pseudonymized [2049](
  - Prevent the "Add resource" modal from closing when using the frontend "Add resource" button [2052](

1.6.4 not secure

- Fix workers: pin redis version for Celery compatibility [2019](

1.6.3 not secure

- Remove extra attributes on user deletion [1961](
  - Pin phantomjs to version `2.1.7` [1975](
  - Protect membership accept route against flood [1984](
  - Ensure compatibility with IE11 and Firefox ESR [1990](
  - Lots of fixes on the resource form. Be explicit about uploading a new file [1991](
  - Centralize `selectize` handling and style in `base-completer` and apply some fixes [1992](
  - Added the missing `number` input field widget [1993](
  - Fix the organization private datasets and reuses counters [1994](
  - Disable autocorrect, spellcheck... on search and completion fields [1995](
  - Fix harvest preview in edit form not taking configuration (features and filters) [1996](
  - Ensure organization page reacts to URL hash changes (including those from right sidebar) [1997](
  - Updating community resource as admin keeps original owner [1999](
  - Major form fixes [2000](
  - Improved admin errors handling: visual feedback on all errors, `Sentry-ID` header if present, hide organization unauthorized actions [2005](
  - Expose and import licenses `alternate_urls` and `alternate_titles` fields [2006](
  - Be consistent on search results wording and icons (Stars vs Followers) [2013](
  - Switch from a "full facet reset" to a "by term reset" approach in search facets [2014](
  - Ensures all modals have the same buttons styles and orders, same color code... [2012](
  - Ensure URLs from assets stored on `CDN_DOMAINS` are considered as valid and that associated error message is properly translated [2017](

1.6.2 not secure

- Display the owner/organization on harvester view [1921](
  - Improve harvest validation errors handling [1920](
  - Make extra TOS text customizable [1922](
  - Fixes a `UnicodeEncodeError` occurring when parsing RDF with unicode URLs [1919](
  - Fix some external assets handling cases [1918](
  - Harvest items can now match `` before `source.domain` — no more duplicates when changing a harvester URL [1923](
  - Ensure image picker/cropper only allows images [1925](
  - Make tags min and max length configurable and ensure admin takes its configuration from the backend [1935](
  - Prevent errors when there is no date available to focus on the calendar [1937](
  - Update authlib to 0.10 [1916](

1.6.1 not secure

- Allows arguments and keyword arguments in the task `connect` decorator [1908](
  - Allows to restore assets after being deleted (Datasets, Organizations and Reuses) [1901](
  - Fixes form events not bubbling (and so fixes harvester config not displaying) [1914](

1.6.0 not secure

New features
  - Harvest sources are now filterable through the harvest source create/edit admin form [1812](
  - Harvest sources can now enable or disable some optional backend features [1875](
  - Static assets are now compatible with long-term caching (ie. their hash is present in the filename) [1826](
  - Post UIs have been reworked: publication date, publish/unpublish action, save and continue editing, dynamic sidebar, alignments fixes... [1857](
  Minor changes
  - Only display temporal coverage years on cards and search results [1833](
  - Add publisher's name on dataset template [1847](
  - Improved upload error handling: deduplicate notifications, localized generic error message, sentry identifier... [1842](
  - Allows to filter datasets on resource `type` (needs reindexing) [1848](
  - Switch the admin sidebar collapse icon from "hamburger" to left and right arrows [1855](
  - Discussion add card style coherence [1884](
  - `LINKCHECKING_UNCHECKED_TYPES` setting to prevent linkchecking on some resource types [1892](
  - `swagger.json` API specifications now pass validation [1898](
  Breaking changes
  - Themes are now responsible for adding their CSS markup on template (no more assumptions on `theme.css` and `admin.css`). Most of the time, overriding `raw.html` and `admin.html` should be sufficient
  - The discussions API `posted_by` attribute is now an embedded user instead of a user ID to avoid extra API calls [1839](
  - Hide the `resource.type` attribute from JSON-LD output until handled by a dedicated vocabulary/property [1865](
  - RDFs, CSVs and resource redirect views are now handling CORS properly [1866](
  - Fix broken sorts on organization's datasets list in admin [1873](
  - Ensure harvest previewing is done against current form content [1888](
  - Ensure deleted objects are unindexed [1891](
  - Fix the dataset resources list layout wrapping [1893](
  - Fix wrong behavior for weblinks [1894](
  - Ensure `info config` command only displays configuration variables [1897](
  - Upgrade to Authlib 0.9 [1760]( [1827](
  - Add a `Dataset.on_resource_added` signal

1.5.3 not secure

- Prevent UnicodeError on unicode URL validation error [1844](
  - Hide save button in "Add resource" modal until form is visible (and prevent error) [1846](
  - The purge chunks tasks also remove the directory [1845](
  - Upgrade to latest Fine-Uploader version to benefit from bug fixes [1849](
  - Prevent front views from downloading `swagger.json` [1838](
  - Ensure API docs work without data [1840](
  - Expose the default spatial granularity in API specs [1841](
  - Fix missing dataset title on client-side card listing [1834](
  - Allows to clear the dataset form temporal coverage. [1832](
  - Ensure that admin notifications are displayed once and with a constant width. [1831](
  - Fix broken date range picker date parsing (ie. manual keyboard input) [1863](
  - Normalize uploaded filenames to avoid encoding issues, filesystem incompatibilities... [1852](

1.5.2 not secure

- Fix client-side temporal coverage rendering [1821](
  - Prevent word breaking when wrapping discussions messages [1822](
  - Properly render message content on issues and discussions mails [1823](

1.5.1 not secure

- Ensure OEmbed compatibility with external CDN [1815](
  - Fixes some static URL serialization [1815](

1.5.0 not secure

New features
  - Slugs are now redirected on change until old slugs are free [1771](
  - Improve usability of new organization form [1777](
  - Allows to serve assets on an external CDN domain using `CDN_DOMAIN` [1804](
  Breaking changes
  Bug fixes and minor changes
  - Sort dataset update frequencies by ascending frequency [1758](
  - Skip references tests when site is unreachable [1767](
  - Fix resources reorder (registered extras validation logic) [1796](
  - Fix checksum display on resource modal [1797](
  - Use metrics.views on resource card [1778](
  - Fix dataset collapse on ie11 [1802](
  - Upgrade i18next (security) [1803](
  - Backports some Python 3 forward compatible changes and fixes some bugs [1769](
  - avoid `filter` and `map` usage in favor of list comprehensions
  - explicit encoding handling
  - avoid comparison to `None`
  - use `next()` instead of `.next()` to iterate
  - unhide some implicit casts (in particular search weight)
  - Tests are now run against `local.test` instead of `localhost` to avoid pytest warnings


- Improve detect_by_url error handling [171](

1.4.1 not secure

- Fix community resource creation and display [1733](
  - Failsafe JS cache storage: use a custom in-memory storage as fallback when access to `sessionStorage` is not allowed [1742](
  - Prevent errors when handling API errors without data/payload [1743](
  - Improve/fix validation error formatting on harvesting [1745](
  - Ensure daterange can be parsed from full iso datetime [1748](
  - API: enforce application/json content-type for forms [1751](
  - RDF parser can now process [european frequencies]( [1752](
  - Fix images upload broken by chunked upload [1756](

1.4.0 not secure

New features
  - Typed resources [1398](
  - Initial data preview implementation [1581]( [1632](
  - Handle some alternate titles and alternate URLs on licenses for improved match on harvesting [1592](
  - Allow to specify a dataset acronym [1217](
  - Starts using harvest backend `config` (validation, API exposition, `HarvestFilters`...) [1716](
  - The map widget can now be configured (tiles URL, initial position...) [1672](
  - New discussions layout [1623](
  - Dynamic API documentation, Enhancement to Pull 1542 - [1542](
  - Resource modal overhaul with markdown support [1547](
  Breaking changes
  - Normalize resource.format (migration - :warning: need reindexing). [1563](
  - Enforce a domain whitelist when resource.filetype is file. See [`RESOURCES_FILE_ALLOWED_DOMAINS`]( settings variable for details and configuration. [1567](
  - Remove extras from datasets search index (needs reindexation) [1718](
  Bug fixes and minor changes
  - Switch to for package links [1583](
  - Show resource type in modal (front) [1714](
  - Adds ETag to internal avatar for efficient caching control [1712](
  - Fix 404/missing css on front pages [1709](
  - Fix markdown max image width (front) [1707](
  - Ensure registered extras types are properly parsed from JSON. Remove the need for custom `db.Extra` classes [1699](
  - Fix the temporal coverage facet query string parsing [1676](
  - Fix search auto-complete hitbox [1687](
  - Fix Firefox custom error handling, part 2 [1671](
  - Add resend confirmation email link to login screen [1653](
  - Audience metrics: use only `views` [1607](
  - Add missing spatial granularities translations [1636](
  - Protocol-relative URLs support [1599](
  - Simplify `ExtrasField` form field signature (no need anymore for the `extras` parameter) [1698](
  - Register known extras types [1700](

1.3.12 not secure

- Fix side menu on mobile [1701](
  - Fix update frequency field [1702](

1.3.11 not secure

- Protect Resource.need_check against malformed/string dates [1691](
  - Fix search auto-complete loading on new page [1693](

1.3.10 not secure

- Expose Resource.extras as writable in the API [1660](
  - Fix Firefox custom errors handling [1662](

1.3.9 not secure

- Prevent linkchecker from polluting timeline as a side-effect. (migration). **Warning, the migration will delete all dataset update activities** [1643](
  - Fix OAuth authorization screen failing with unicode `SITE_TITLE` [1624](
  - Fix markdown handling of autolinks with angle brackets and factorize (and test) markdown `parse_html()` [1625](
  - Fix timeline order [1642](
  - Fix markdown rendering on IE11 [1645](
  - Consider bad UUID as 404 in routing [1646](
  - Add missing email templates [1647](
  - Polyfill `ChildNode.remove()` for IE11 [1648](
  - Improve Raven-js/Sentry error handling [1649](
  - Prevent regex special characters from breaking site search [1650](

1.3.8 not secure

- Fix sendmail regression [1620](

1.3.7 not secure

- Fix some search parameters validation [1601](
  - Prevent API tracking errors with unicode [1602](
  - Prevent a race condition error when uploading file with concurrent chunking [1606](
  - Disallow resources dict in API [1603](
  - Test and fix territories routing [1611](
  - Fix the client-side Raven/Sentry configuration [1612](
  - Raise a 404 in case of unknown RDF content type [1613](
  - Ensure current theme is available to macros requiring it in mails [1614](
  - Fix documentation about NGinx configuration for https [1615](
  - Remove unwanted commas in default `SECURITY_EMAIL_SUBJECT_*` parameters [1616](

1.3.6 not secure

- Prevent OEmbed card from being styled when loaded in bootstrap 4 [1569](
  - Fix organizations sort by last_modified [1576](
  - Fix dataset creation form (and any other form) [1584](
  - Fix an XSS on client-side markdown parsing [1585](
  - Ensure URLs validation is the same everywhere [1586](

1.3.5 not secure

- Upgrade `sifter` to `0.5.3` [1548](
  - Upgrade `jquery-validation` to 1.17.0 and fixes some issues with client-side URL validation [1550](
  - Minor change on OEmbed cards to prevent the theme from overriding the cards `font-family` [1549](
  - Improve cli unicode handling [1551](
  - Fix DCAT harvester mime type detection [1552](
  - Add the missing harvester URL in admin [1554](
  - Fix harvester preview/job layout [1553](
  - Fix some search unicode issues [1555](
  - Small fixes on OEmbed URL detection [1556](
  - Use nb_hits instead of views to count downloads [1560](
  - Prevent an XSS in TermFacet [1561](
  - Fix breadcrumb bar layout on empty search result [1562](

1.3.4 not secure

- Remove territory claim banner [1521](
  - Expose an [OEmbed]( API endpoint using the new cards [1525](
  - Small topic fixes [1529](
  - Fixes the search result vertical cut off [1530](
  - Prevent visually disabled pagination buttons from being clicked [1539](
  - Fixes "sort organization by name" not working [1537](
  - Non-admin users should not see the "publish as anyone" filter field on "publish as" screen [1538](

1.3.3 not secure

- Fixes on upload: prevent double upload and bad chunks upload [1516](
  - Ensure OAuth2 tokens can be saved without `refresh_token` [1517](

1.3.2 not secure

- Support request-body credential in OAuth2 (Fix a regression introduced in 1.3.0) [1511](

1.3.1 not secure

- Fix some geozones/geoids bugs [1505](
  - Fix oauth scopes serialization in authorization template [1506](
  - Prevent error on site resources metric [1507](
  - Fix some routing errors [1508](
  - Mongo connection is now lazy by default, preventing non fork-safe usage in celery as well as preventing commands not using the database to hit it [1509](
  - Fix udata version not exposed on Sentry [1510](

1.3.0 not secure

Breaking changes
  - Switch to `flask-cli` and drop `flask-script`. Deprecated commands have been removed. [1364](
  - Update card components to make them more consistent [1383]( [1460](
  - udata is now protocol (`http`/`https`) agnostic. This is now fully the reverse-proxy responsibility (please ensure that you are using SSL only in production for security purposes). [1463](
  - Added more entrypoints and documented them. Plugins are no longer automatically enabled by installation. Plugins can now properly contribute translations. [1431](
  New features
  - Soft breaks in markdown are rendered as line returns as allowed by the [commonmark specifications](, client-side rendering follows the same security rules [1432](
  - Switch from OAuthlib/Flask-OAuthlib to Authlib and support all grant types as well as token revocation [1434](
  - Chunked upload support (big files support) [1468](
  - Improve tasks/jobs queues routing [1487](
  - Add the `udata schedule|unschedule|scheduled` commands [1497](
  Bug fixes and minor changes
  - Added Geopackage as default allowed file formats [1425](
  - Fix completion/suggestion unicode handling [1452](
  - Added a link to change password into the admin [1462](
  - Fix organization widget (embed) [1474](
  - High priority for sendmail tasks [1484](
  - Add security.send_confirmation template [1475](
  - Switch to pytest as testing tool and expose a `udata` pytest plugin [1400](

1.2.11 not secure

- Translate Flask-Security email subjects [1413](
  - Fix organization admin pagination [1372](
  - Fix missing spinners on loading datatables [1401](
  - Fixes on the search facets [1410](

1.2.10 not secure

- Markdown rendering is now the same between the back and the frontend. [604](
  - Make the dataset page reuses section and cards themable. [1378](
  - `ValueError` is not hidden anymore by the Bad Request error page, it is logged. [1382](
  - Spatial encoding fixes: prevent breaking unicode errors. [1381](
  - Ensure the multiple term search uses an `AND` operator [1384](
  - Facets encoding fixes: ensure lazy strings are properly encoded. [1388](
  - Markdown content is now easily themable (namespaced into a `markdown` class) [1389](
  - Fix discussions and community resources alignment on datasets and reuses pages [1390](
  - Fix discussions style on default theme [1393](
  - Ensure empty harvest jobs properly end [1395](

1.2.9 not secure

- Add extras field in discussions [1360](
  - Fix datepicker [1370](
  - Fix error on forbidden scheme in `is_url` harvest filter [1376](
  - Fix an error on rendering present territory date [1377](

1.2.8 not secure

- Fix html2text dependency version [1362](

1.2.7 not secure

- Bump chartjs version to 2.x [1352](
  - Sanitize mdstrip [1351](

1.2.6 not secure

- Fix wrongly timed notification on dataset creation with malformed tags [1332](
  - Fix topic creation [1333](
  - Add a `udata worker status` command to list pending tasks. [breaking] The `udata worker` command is replaced by `udata worker start`. [1324](
  - Prevent crawlers from indexing spammy datasets, reuses and organizations [1334]( [1335](
  - Ensure Swagger.js properly set jQuery.ajax contentType parameter (and so data is properly serialized) [1126](
  - Allows theme to easily access the `owner_avatar_url` template filter [1336](

1.2.5 not secure

- Fix misused hand cursor over the spatial coverage map in dataset admin [1296](
  - Fix broken post edit page [1295](
  - Display date of comments in dataset discussions [1283](
  - Prevent `reindex` command from failing on a specific object and log error instead. [1293](
  - Position the community resource link icon correctly [1298](
  - Add a sort option to query of list of posts in API [1301](
  - Import dropdown behavior from `udata-gouvfr` and fix hidden submenus on mobile [1297](
  - Show message for empty dataset search [1044](

1.2.4 not secure

- Fix flask_security celery tasks context [1249](
  - Fix `dataset.quality` handling when no format filled [1265](
  - Ignore celery tasks results except for tasks which require it and lower the default results expiration to 6 hours [1281](
  - Import community resource avatar style from udata-gouvfr [1288](
  - Terms are now handled from markdown and customizable with the `SITE_TERMS_LOCATION` setting. [1285](
  - Deeplink to resource [1289](

1.2.3 not secure

- Check only the uncollapsed resources at first on dataset view [1246](

1.2.2 not secure

- Fixes on the `search index command` [1245](

1.2.1 not secure

- Introduce `udata search index` command to replace both deprecated `udata search init` and `udata search reindex` commands. They will be removed in udata 1.4. [1233](
  - Rollback oauthlib from 2.0.5 to 2.0.2, pending a permanent solution [1237](
  - Get cached linkchecker result before hitting API [1235](
  - Cleanup resources checksum (migration) [1239](
  - Show check results in resource modal [1242](
  - Cache avatar rendering [1243](

1.2.0 not secure

New features and big improvements
  - Expose harvester scheduling through the API and the admin interface [1123](
  - Added a `udata info` command for diagnostic purpose [1179](
  - Switch from static theme avatars/placeholders to [identicons]( for readability (mostly on discussions) [1193](
  - Move croquemort features to a generic link checker architecture [1110](
  - CKAN and OpenDataSoft backends are now optional separate udata extensions [1213](
  - Better search autocomplete [1222](
  - Big post improvements (discussions support, navigation, fixes...) [1224](
  Breaking changes
  - Upgrade to Celery 4.1.0. All celery parameters should be updated. (See [Celery options documentation]( [1150](
  - Switch to [Crowdin]( to manage translations [1171](
  - Switch to `Flask-Security`. `Flask-Security-Fork` should be uninstalled before installing the new requirements [958](
  Miscellaneous changes and fixes
  - Display organization metrics in the organization page tab labels [1022](
  - Organization dashboard page has been merged into the main organization page [1023](
  - Fix an issue causing a loss of data input at the global search input level [1019](
  - Fixes a lot of encoding issues [1146](
  - Add `.ttl` and `.n3` as supported file extensions [1183](
  - Improve logging for adhoc scripts [1184](
  - Improve URLs validation (support new tlds, unicode URLs...) [1182](
  - Properly serialize empty geometries for zones missing it and prevent leaflet crash on invalid bounds [1188](
  - Start validating some configuration parameters [1197](
  - Remove resources without title or url [migration] [1200](
  - Improve harvesting licenses detection [1203](
  - Added missing delete post and topic admin actions [1202](
  - Fix the scroll to a discussion sub-thread [1206](
  - Fix duplication in discussions [migration] [1209](
  - Display that a discussion has been closed [1216](
  - Explicit dataset search reuse facet context (only known reuses) [1219](
  - Optimize indexation a little bit [1215](
  - Fix some reversed temporal coverage [migration] [1214](

1.1.8 not secure

- Display membership modal actions buttons for site administrators and on membership display. [1176](
  - Fix organization avatar in admin profile [1175](

1.1.7 not secure

- Prevent a random territory from being displayed when query doesn't match [1124](
  - Display avatar when the community resource owner is an organization [1125](
  - Refactor the "publish as" screen to make it more obvious that a user is publishing under their own name [1122](
  - Make the "find your organization" screen cards clickable (send to the organization page) [1129](
  - Fix "Center the full picture" on user avatar upload [1130](
  - Hide issue modal forbidden actions [1128](
  - Ensure spatial coverage zones are resolved when submitted from the API or when querying oembed API. [1140](
  - Prevent user metrics computation when the object owner is an organization (and vice versa) [1152](

1.1.6 not secure

- Fix CircleCI automated publication on release tags


- Fix the organization members grid in admin
  - Fix and tune harvest admin loading state and payload size
  - Automatically schedule validated harvesters and allow (re)scheduling them
  - Raise the minimum `raven` version to ensure sentry is filtering legit HTTP exceptions
  - Pin GeoJSON version to avoid breaking changes
  - Deduplicate organization members

1.1.4 not secure

- Fix packaging

1.1.3 not secure

- Make the spatial search levels exclusion list configurable through `SPATIAL_SEARCH_EXCLUDE_LEVELS`.
  - Fix facets labelizer with html handling
  - Ensure territories pages have an image defined in metadata
  - Strip tags in autocomplete results
  - Transmit link checker status to frontend
  - Remove plus signs from search query

1.1.2 not secure

- Handle territory URLs generation without validity
  - Added a contact button to trigger discussions
  - Improve harvest error handling
  - Improve elasticsearch configurability
  - Lots of fixes for admin files upload
  - Prevent the "Bad request error" happening on search but only on some servers
  - Migrate spatial granularities to new identifiers
  - Migrate remaining legacy spatial identifiers
  - Fix the discussion API documentation

1.1.1 not secure

- Fix an issue preventing reuse edition:
  - Fix an issue preventing user display and edit in admin:
  - Fix an error when a membership request is accepted:
  - Fix issue modal on a reuse:
  - Fix sort by date on admin users list:
  - Improve the `purge` command
  - Ensure search does not fail when a deleted object has not been unindexed yet
  - Start using Celery queues to handle task priorities
  - Updated translations

1.1.0 not secure

New features and improvements
  - Added a [DCAT]( harvester
  and expose metadata as RDF/DCAT.
  See the dedicated documentation:
  - [RDF](
  - [Harvesting](
  - Images are now optimized and you can force rerendering using the `udata images render` command.
  - Allowed files extensions are now configurable via the `ALLOWED_RESOURCES_EXTENSIONS` setting
  and both admin and API will have the same behavior
  - Improve and fix notifications:
  - Changed notification style to toast
  - Fix notifications that weren't displayed on form submission
  - Add a toggle indicator on dataset quality blocks that are collapsible
  - Integrating latest versions of GeoZones and GeoLogos for territories.
  Especially using history of towns, counties and regions from GeoHisto.
  Breaking Changes
  - Themes are now entrypoint-based [829](
  There is also a new [theming documentation](
  - Images placeholders are now entirely provided by themes
  - Harvester declaration is now entrypoint-based
  - Ensure URLs are stripped [823](
  - Lots of fixes and improvements on Harvest admin UI
  - harvester edition fixed (and missing API added)
  - harvester deletion fixed
  - harvester listing is now paginated
  - more detailed harvesters widgets
  - ensure harvest source are owned by a user or an organization, not both [migration]
  - Pure Vue.js search facets
  Improve and fix the datepicker:
  - Proper sizing and positioning in dropdowns
  - Fix initial value not being displayed
  - Make it usable on keyboard
  - Allow defining `min` and `max` values to disable some dates
  - Keyboard input is reflected into the calendar
  - Disable `next` button when no file has been uploaded
  - Fix badges notification mails
  - Fix the `udata search reindex` command
  - Reindex datasets when their parent organization is purged
  Miscellaneous / Internal
  - Upgrade to Flask-Mongoengine 0.9.3, Flask-WTF 0.14.2, mongoengine 0.13.0.
  - Upgrade to Flask-Login 0.4.0 and switch from Flask-Security to the latest
  - Migrated remaining widgets to Vue.js [828](
  - bug fixes on migrated widgets (Issues button/modal, integrate popover, coverage map)
  - more coherent JS environment for developers
  - lighter assets
  - drop Handlebars dependency
  - bleach and html5lib have been updated leading to more secure html/markdown cleanup
  and [better performance](
  - Drop `jquery-slimscroll` and fix admin menu scrolling
  - drop jquery.dotdotdot for a lighter css-only solution (less memory consumption)
  - Lighter style [869](
  - Drop glyphicons and use only Font-Awesome (more coherence, less fonts)
  - lighter bootstrap style by importing only what's needed
  - make use of bootstrap and admin-lte variables (easier for theming)
  - proper separation between front and admin style
  - Drop `ExtractTextPlugin` on Vue components style:
  - faster (re)compilation time
  - resolves most compilation and missing style issues
  - allows use of hot components reloading.
  - Pure Vue.js modals. Fix the default membership role. Added contribute modal.
  - Easier Vue.js development/debugging:
  - Drop `Vue.config.replace = false`: compatible with Vue.js 1/2 and no more style guessing
  - `name` on all components: no more `Anonymous Component` in Vue debugger
  - No more `Fragments`
  - More ES6 everywhere
  - Make metrics deactivable for tests

1.0.11 not secure

- Fix presubmit form errors handling
  - Fix producer sidebar image sizing
  - Fix js `` not updating in some cases

1.0.10 not secure

- Fix bad stored (community) resources URLs [migration]
  - Proper producer logo display on dataset pages
  - Fix CKAN harvester empty notes and `metadata` file type handling
  - Remove (temporary) badges metrics
  - Test and fix topic search

1.0.9 not secure

- Fix broken post view
  - Fix new issue submission
  - Display full images/logo/avatars URL in references too

1.0.8 not secure

- Allow more headers in cors preflight headers
  - Fix editorialization admin
  - Fix missing completer images and ensure completion API is usable on a different domain

1.0.7 not secure

- Fix display for zone completer existing values
  - Proper badge display on dataset and organization page
  - Remove useless `discussions` from views contexts.
  - Fix the inline resource edit button not redirecting to admin
  - Fix broken checksum component

1.0.6 not secure

- Default values are properly displayed on dataset form
  - Prevent a redirect on discussion fetch
  - API exposes both original and biggest thumbnail for organization logo, reuse image and user avatar
  - Restore the broken URL check feature
  - Temporarily ignore INSPIRE in ODS harvester
  - Allow `X-API-KEY` and `X-Fields` in cors preflight headers

1.0.5 not secure

- Fixes error display in forms [830](
  - Fixes date range picker dates validation [830](
  - Fix badges entries not showing in admin [825](

1.0.4 not secure

- Fix badges trying to use API too early
  - Some minor tuning on generic references
  - Cleanup factories
  - Fix user default metrics not being set [migration]
  - Fix metric update after transfer
  - Improve spatial completion ponderation (spatial zones reindexation required)

1.0.3 not secure

- Fix JavaScript locales handling [786](
  - Optimize images sizes for territory placeholders [788](
  - Restore placeholders in search suggestions, fix [790](
  - Fix share popover in production build [793](

1.0.2 not secure

- Fix assets packaging for production [763]( [765](
  - Transform `udata_version` jinja global into a reusable (by themes) `package_version` [768](
  - Ensure topics datasets and reuses can display event with a topic parameter [769](
  - Raise a `400 Bad Request` when a bad `class` attribute is provided to the API
  (for entry point not using forms). [772](
  - Fix datasets with spatial coverage not being indexed [778](
  - Ensure theme assets cache is versioned (and flushed when necessary)
  - Raise maximum tag length to 96 in order to at least support
  [official INSPIRE tags](
  - Properly raise 400 error on transfer API in case of bad subject or recipient
  - Fix broken OEmbed rendering [783](
  - Improve crawlers behavior by adding some `meta[name=robots]` on pages requiring it

1.0.1 not secure

- Pin PyMongo version (only compatible with PyMongo 3+)

1.0.0 not secure

Breaking Changes
  * 2016-05-11: Upgrade of ElasticSearch from 1.7 to 2.3 [449](
  You have to re-initialize the index from scratch, not just use the `reindex` command given that ElasticSearch 2+ doesn't provide a way to [delete mappings]( anymore. The command is `udata search init` and may take some time given the amount of data you are dealing with.
  * 2017-01-18: User search and listing has been removed (privacy concern)
  New & Improved
  * 2017-01-06: Add some dataset ponderation factor: temporal coverage, spatial coverage,
  certified provenance and more weight for featured ones. Need reindexation to be taken into account.
  * 2016-12-20: Use all the [Dublin Core Frequencies](
  plus some extra frequencies.
  * 2016-12-01: Add the possibility for a user to delete their account in the admin interface
  In some configurations, this feature should be deactivated, typically when
  there is an SSO in front of udata which may cause some inconsistencies. In
  that case, the configuration parameter DELETE_ME should be set to False (True
  by default).
  * 2016-05-12: Add fields masks to reduce API payloads [451](
  The addition of [fields masks]( in Flask-RESTPlus allows us to reduce the retrieved payload within the admin — especially for datasets — and results in a performance boost.
  * 2016-11-29: Mark active users as confirmed [619](
  * 2016-11-28: Merge duplicate users [617](
  (A reindexation is necessary after this migration)
  These are deprecated and support will be removed in some feature release.
  See [Deprecation Policy](
  * These frequencies are deprecated in favor of their Dublin Core counterparts:
  * `fortnighly` ⇨ `biweekly`
  * `biannual` ⇨ `semiannual`
  * `realtime` ⇨ `continuous`


- Add a timeout to `analyze()` [19](


- Add a timeout to `track()` [18](


- Fix build and packaging

0.9.0 not secure

- First published version