Wagtail

Latest version: v6.1

Page 5 of 30

4.2.2

Not secure
~~~~~~~~~~~~~~~~~~

* Fix: CVE-2023-28836 - Stored XSS attack via ModelAdmin views (Thibaud Colas)
* Fix: CVE-2023-28837 - Denial-of-service via memory exhaustion when uploading large files (Jake Howard)
* Fix: Fix radio and checkbox elements shrinking when using a long label (Sage Abdullah)
* Fix: Fix select elements expanding beyond their container when using a long option label (Sage Abdullah)
* Fix: Fix timezone handling of `TemplateResponse`s for users with a custom timezone (Stefan Hammer, Sage Abdullah)
* Fix: Ensure TableBlock initialization correctly runs after load and its width is aligned with the parent panel (Dan Braghis)
* Fix: Ensure that the JavaScript media files are loaded by default in Snippet index listings for date fields (Sage Abdullah)
* Fix: Fix server-side caching of the icons sprite (Thibaud Colas)
* Fix: Avoid showing scrollbars in the block picker unless necessary (Babitha Kumari)
* Fix: Always show Add buttons, guide lines, Move up/down, Duplicate, Delete; in StreamField and Inline Panel (Thibaud Colas)
* Fix: Ensure datetimepicker widget overlay shows over modals & drop-downs (LB (Ben) Johnston)
* Docs: Fix module path for `MultipleChooserPanel` in panel reference docs
* Maintenance: Render large image renditions to disk (Jake Howard)

4.2.1

Not secure
~~~~~~~~~~~~~~~~~~

* Fix: Support creating `StructValue` copies (Tidiane Dia)
* Fix: Fix image uploads on storage backends that require file pointer to be at the start of the file (Matt Westcott)
* Fix: Fix "Edit this page" missing from userbar (Satvik Vashisht)
* Fix: Prevent audit log report from failing on missing models (Andy Chosak)
* Fix: Fix page/snippet cannot proceed a `GroupApprovalTask` if it's locked by someone outside of the group (Sage Abdullah)
* Fix: Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
* Fix: Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
* Fix: Fix dialog component's message to have rounded corners at the top side (Sam)
* Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
* Fix: Prevent duplicate addition of StreamField blocks with the new block picker (Deepam Priyadarshi)
* Docs: Clarify `ClusterableModel` requirements for using relations with `RevisionMixin`-enabled models (Sage Abdullah)
* Maintenance: Update Algolia DocSearch to use new application and correct versioning setup (Thibaud Colas)

4.2

Not secure
~~~~~~~~~~~~~~~~

* Added StreamField data migration helpers (Sandil Ranasinghe, Jacob Topp-Mugglestone, Joshua Munn, Karl Hobley)
* Added ability to lock snippet models with `LockableMixin` (Sage Abdullah)
* Added ability to submit snippets for moderation with `WorkflowMixin` (Sage Abdullah)
* Create `{% fullpageurl %}` tag for getting the absolute URL of a page (Jake Howard)
* Added `MultipleChooserPanel`, a variant of `InlinePanel` with improved editor experience when inserting multiple linked objects (Matt Westcott)
* Test assertion util `WagtailPageTestCase.assertCanCreate` now supports the kwarg `publish=True` to determine whether to publish the page (Harry Percival, Akua Dokua Asiedu, Matt Westcott)
* Ensure that the `rebuild_references_index` command can run without console output if called with `--verbosity 0` (Omerzahid Ali, Aman Pandey)
* Add full support for secondary buttons with icons in the Wagtail design system - `button bicolor button--icon button-secondary` including the `button-small` variant (Seremba Patrick)
* Add `purge_embeds` management command to delete all the cached embed objects in the database (Aman Pandey)
* Make it possible to resize the page editor’s side panels (Sage Abdullah)
* Add ability to include `form_fields` as an APIField on `FormPage` (Sævar Öfjörð Magnússon, Suyash Singh, LB (Ben) Johnston)
* Ensure that images listings are more consistently aligned when there are fewer images uploaded (Theresa Okoro)
* Add more informative validation error messages for non-unique slugs within the admin interface and for programmatic page creation (Benjamin Bach)
* Always show the page editor title field’s border when the field is empty (Thibaud Colas)
* Snippet models extending `DraftStateMixin` now automatically define a "Publish" permission type (Sage Abdullah)
* Users now remain on the edit page after saving a snippet as draft (Sage Abdullah)
* Base project template now populates the meta description tag from the search description field (Aman Pandey)
* Added support for `azure-mgmt-cdn` version >= 10 and `azure-mgmt-frontdoor` version >= 1 in the frontend cache invalidator (Sylvain Fankhauser)
* Add a system check to warn when a `django-storages` backend is configured to allow overwriting (Rishabh jain)
* Update admin focus outline color to have higher contrast against white backgrounds (Thibaud Colas)
* Implement latest design for the admin dashboard header (Thibaud Colas, Steven Steinwand)
* Add Axe accessibility checker integration within userbar, with count and list of errors (Albina Starykova)
* Restyle the userbar to follow the visual design of the Wagtail admin (Albina Starykova)
* Allow configuring Axe accessibility checker integration via `construct_wagtail_userbar` hook (Sage Abdullah)
* Support pinning and un-pinning the rich text editor toolbar depending on user preference (Thibaud Colas)
* Make the rich text block trigger and slash-commands always available regardless of where the cursor is (Thibaud Colas)
* Adjust the size of panel labels on the "Account" form (Thibaud Colas)
* Delay hiding the contents of the side panels when closing, so the animation is smoother (Thibaud Colas)
* ListBlock now shows item-by-item differences when comparing versions (Tidiane Dia)
* Implement a new design for chooser buttons with better accessibility (Thibaud Colas)
* Fix: Make sure workflow timeline icons are visible in high-contrast mode (Loveth Omokaro)
* Fix: Ensure authentication forms (login, password reset) have a visible border in Windows high-contrast mode (Loveth Omokaro)
* Fix: Ensure visual consistency between buttons and links as buttons in Windows high-contrast mode (Albina Starykova)
* Fix: references extraction for ChooserBlock (Alex Tomkins)
* Fix: Incorrectly formatted link in the documentation for Wagtail community support (Bolarinwa Comfort Ajayi)
* Fix: Text within status tags will now resize correctly when customizing browser font size (Mary Ojo)
* Fix: Ensure logo shows correctly on log in page in Windows high-contrast mode (Loveth Omokaro)
* Fix: Comments notice background overflows its container (Yekasumah)
* Fix: Ensure links within help blocks meet color contrast guidelines for accessibility (Theresa Okoro)
* Fix: Ensure the skip link (used for keyboard control) meets color contrast guidelines for accessibility (Dauda Yusuf)
* Fix: Ensure tag fields correctly show in both dark and light Windows high-contrast modes (Albina Starykova)
* Fix: Ensure new tooltips & tooltip menus have visible borders and tip triangle in Windows high-contrast mode (Juliet Adeboye)
* Fix: Ensure there is a visual difference of 'active/current link' vs normal links in Windows high-contrast mode (Mohammad Areeb)
* Fix: Avoid issues where trailing whitespace could be accidentally removed in translations for new page & snippet headers (Florian Vogt)
* Fix: Make sure minimap error indicators follow the minimap scrolling (Thibaud Colas)
* Fix: Remove the ability to view or add comments to `InlinePanel` inner fields to avoid lost or incorrectly linked comments (Jacob Topp-Mugglestone)
* Fix: Use consistent heading styles on top-level fields in the page editor (Sage Abdullah)
* Fix: Allow button labels to wrap onto two lines in dropdown buttons (Coen van der Kamp)
* Fix: Remove spurious horizontal resize handle from text areas (Matt Westcott)
* Fix: Move DateField, DateTimeField, TimeField comment buttons to be right next to the fields (Theresa Okoro)
* Fix: Support text resizing in workflow steps cards (Ivy Jeptoo)
* Fix: Ignore images added via fixtures when using `WAGTAILIMAGES_FEATURE_DETECTION_ENABLED` to avoid errors for images that do not exist (Aman Pandey)
* Fix: Restore ability to perform JSONField query operations against StreamField when running against the Django 4.2 development branch (Sage Abdullah)
* Fix: Ensure there is correct grammar and pluralization for Tab error counts shown to screen readers (Aman Pandey)
* Fix: Pass through expected `cc`, `bcc` and `reply_to` to the Django mail helper from `wagtail.admin.mail.send_mail` (Ben Gosney)
* Fix: Allow reviewing or reverting to a Page's initial revision (Andy Chosak)
* Fix: Use the correct padding for autocomplete block picker (Umar Farouk Yunusa)
* Fix: Ensure that short content pages (such as editing snippets) do not show an inconsistent background (Sage Abdullah)
* Fix: Fix horizontal positioning of rich text inline toolbar (Thibaud Colas)
* Fix: Ensure that `DecimalBlock` correctly handles `None`, when `required=False`, values (Natarajan Balaji)
* Fix: Close the userbar when clicking its toggle (Albina Starykova)
* Fix: Add a border around the userbar menu in Windows high-contrast mode so it can be identified (Albina Starykova)
* Fix: Make sure browser font resizing applies to the userbar (Albina Starykova)
* Fix: Fix check for `delete_url_name` attribute in generic `DeleteView` (Alex Simpson)
* Fix: Re-implement design system colors so HSL values exactly match the desired RGB (Albina Starykova)
* Fix: Resolve issue where workflow and other notification emails would not include the correct tab URL for account notification management (LB (Ben) Johnston)
* Fix: Use consistent spacing above and below page headers (Thibaud Colas)
* Fix: Use the correct icon sizes and spacing in slim header (Thibaud Colas)
* Fix: Use the correct color for placeholders in rich text fields (Thibaud Colas)
* Fix: Prevent obstructing the outline around rich text fields (Thibaud Colas)
* Fix: Page editor dropdowns now use indigo backgrounds like elsewhere in the admin interface (Thibaud Colas)
* Fix: Allow parsing of multiple key/value pairs from string in `wagtail.search.utils.parse_query_string` (Beniamin Bucur)
* Fix: Prevent memory exhaustion when purging a large number of revisions (Jake Howard)
* Fix: Add right-to-left (RTL) support for the following form components: Switch, Minimap, live preview (Thibaud Colas)
* Fix: Improve right-to-left (RTL) positioning for the following components: Page explorer, Sidebar sub-menu, rich text tooltips, rich text toolbar trigger, editor section headers (Thibaud Colas)
* Fix: Add right-to-left (RTL) support for the caret of select inputs (Badr Fourane)
* Fix: Use the workflow name as the workflow information dialog title (Sage Abdullah)
* Fix: Link to workflow history view instead of page history view in the workflow information dialog (Sage Abdullah)
* Fix: Fix in-progress count in warning message when disabling workflows (Sage Abdullah)
* Fix: Show workflow name on workflow history index page (Sage Abdullah)
* Fix: Fix workflow history detail timeline content from showing on initial load (Sage Abdullah)
* Fix: Center-align StreamField and rich text block picker buttons with the dotted guide line (Thibaud Colas)
* Fix: Search bar in chooser modals now performs autocomplete searches under PostgreSQL (Matt Westcott)
* Fix: Server-side document filenames are preserved when replacing a document file (Suyash Singh, Matt Westcott)
* Fix: Add missing wagtailadmin_tags in `workflow_state_approved.html` template (Alex Tomkins)
* Fix: Do not show bulk actions checkbox in page type usage view (Sage Abdullah)
* Fix: Prevent account name from overflowing the sidebar (Aman Pandey)
* Fix: Ensure edit form is displayed as unlocked immediately after canceling a workflow (Sage Abdullah)
* Fix: Prevent `latest_revision` pointer from being copied over when copying translatable snippets for translation (Sage Abdullah)
* Fix: Page listings actions under the "More" dropdown are now accessible for screen reader and keyboard users (Thibaud Colas)
* Fix: Bulk actions under the "More" dropdown are now accessible for screen reader and keyboard users (Thibaud Colas)
* Fix: Navigation to translations via the locale dropdown is now accessible for screen reader and keyboard users (Thibaud Colas)
* Fix: Make it possible for speech recognition users to reveal chooser buttons (Thibaud Colas)
* Docs: Add custom permissions section to permissions documentation page (Dan Hayden)
* Docs: Add documentation for how to get started with contributing translations for the Wagtail admin (Ogunbanjo Oluwadamilare)
* Docs: Officially recommend `fnm` over `nvm` in development documentation (LB (Ben) Johnston)
* Docs: Mention the importance of passing `request` and `current_site` to `get_url` on the performance documentation page (Jake Howard)
* Docs: Add documentation for `register_user_listing_buttons` hook (LB (Ben Johnston))
* Docs: Add development (contributing to Wagtail) documentation notes for development on Windows (Akua Dokua Asiedu)
* Docs: Mention Wagtail’s usage of Django’s default user model by default (Temidayo Azeez)
* Docs: Add links to treebeard documentation for relevant methods (Temidayo Azeez)
* Docs: Add clarification on where to register entity plugins (Mark McOsker)
* Docs: Fix logo in README not being visible in high-contrast mode (Benita Anawonah)
* Docs: Improve 'first wagtail site' tutorial (Akua Dokua Asiedu)
* Docs: Grammatical adjustments of `page models` usage guide (Damilola Oladele)
* Docs: Add class inheritance information to StreamField block reference (Temidayo Azeez)
* Docs: Document the hook `register_image_operations` and add an example of a custom Image filter (Coen van der Kamp)
* Docs: Fix incorrect example code for StreamField migration of `RichTextField` (Matt Westcott)
* Docs: Document the policy needed to create invalidations in CloudFront (Jake Howard)
* Docs: Document how to add permission restriction to a report view (Rishabh jain)
* Docs: Add example for how to configure API `renderer_classes` (Aman Pandey)
* Docs: Document potential data loss for BaseLogEntry migration in 3.0 (Sage Abdullah)
* Docs: Add documentation for the reference index mechanism (Daniel Kirkham)
* Docs: Remove confusing `SettingsPanel` reference in the page editing `TabbedInterface` example as `SettingsPanel` no longer shows anything as of 4.1 (Kenny Wolf, Julian Bigler)
* Docs: Add more extensive documentation for the `permission` kwarg support in Panels (LB (Ben) Johnston)
* Maintenance: Switch to using Willow instead of Pillow for images (Darrel O'Pry)
* Maintenance: Remove unsquashed `testapp` migrations (Matt Westcott)
* Maintenance: Upgrade to Node 18 for frontend build tooling (LB (Ben) Johnston)
* Maintenance: Run Python tests with coverage and upload coverage data to codecov (Sage Abdullah)
* Maintenance: Clean up duplicate JavaScript for the `escapeHtml` function (Jordan Rob)
* Maintenance: Clean up Prettier & Eslint usage for search promotions formset JS file (LB (Ben Johnston))
* Maintenance: Ensure that translation file generation ignores JavaScript unit tests and clean up unit tests for Django gettext utils (LB (Ben Johnston))
* Maintenance: Migrated `initButtonSelects` from core.js to own TypeScript file and add unit tests (Loveth Omokaro)
* Maintenance: Migrated `initSkipLink` util to TypeScript and add JSDoc & unit tests (Juliet Adeboye)
* Maintenance: Clean up some unused utility classes and migrate `unlist` to Tailwind utility class `w-list-none` (Loveth Omokaro)
* Maintenance: Clean up linting on legacy code and add shared util `hasOwn` in TypeScript (Loveth Omokaro)
* Maintenance: Remove unnecessary box-sizing: border-box declarations in SCSS (Albina Starykova)
* Maintenance: Migrated `initTooltips` to TypeScript and add JSDoc and unit tests (Fatuma Abdullahi)
* Maintenance: Migrated `initTagField` from core.js to own TypeScript file and add unit tests (Chisom Okeoma)
* Maintenance: Added unit tests & JSDoc to `initDissmisibles` (Yekasumah)
* Maintenance: Standardise on `classname` for passing HTML class attributes (LB (Ben Johnston))
* Maintenance: Clean up expanding formset and `InlinePanel` JavaScript initialization code and adopt a class approach (Matt Westcott)
* Maintenance: Extracted revision and draft state logic from generic views into mixins (Sage Abdullah)
* Maintenance: Extracted generic lock / unlock views from page lock / unlock views (Sage Abdullah)
* Maintenance: Move `identity` JavaScript util into shared utils folder (LB (Ben Johnston))
* Maintenance: Remove unnecessary declaration of function to determine URL query params, instead use `URLSearchParams` (Loveth Omokaro)
* Maintenance: Update `tsconfig` to better support modern TypeScript development and clean up some code quality issues via Eslint (Loveth Omokaro)
* Maintenance: Set up Stimulus application initialization according to RFC 78 (LB (Ben) Johnston)
* Maintenance: Refactor submit-on-change search filters for image and document listings to use Stimulus (LB (Ben) Johnston)
* Maintenance: Switch userbar to initialize a Web Component to avoid styling clashes (Albina Starykova)
* Maintenance: Refactor userbar stylesheets to use the same CSS loading as the rest of the admin (Albina Starykova)
* Maintenance: Remove unused search-bar and button-filter styles (Thibaud Colas)
* Maintenance: Use util method to construct dummy requests in tests (Jake Howard)
* Maintenance: Remove unused dev-only react-axe integration (Thibaud Colas)
* Maintenance: Migrate accessible Skip Link implementation to a Stimulus controller (Loveth Omokaro)
* Maintenance: Split up `wagtail.admin.panels` into submodules, existing exports have been preserved (Matt Westcott)
* Maintenance: Refactor userbar styles to use the same stylesheet as other components (Thibaud Colas)
* Maintenance: Add deprecation warnings for `wagtail.core` and other imports deprecated in Wagtail 3.0 (Matt Westcott)
* Maintenance: Migrate admin upgrade notification message implementation to a Stimulus controller (Loveth Omokaro)
* Maintenance: Migrate workflow and workflow tasks enable action and lock/unlock actions to a Stimulus controller (Loveth Omokaro)
* Maintenance: Pull out icon sprite setup function from inline script to its own TypeScript file & add unit tests (Loveth Omokaro)
* Maintenance: Upgraded Transifex configuration to v3 (Loic Teixeira)
* Maintenance: Replace repeated HTML `avatar` component with a template tag include `{% avatar ... %}` throughout the admin interface (Aman Pandey)
* Maintenance: Remove unused `icon-help` and `help-inverse` code (Thibaud Colas)
* Maintenance: Migrate privacy switch, FileFields, history buttons, error messages, Datetimepicker, ordering icons, thumbnails, ModelAdmin, page listings, workflows, and user creation form controls to SVG icons (Thibaud Colas)
* Maintenance: Switch form submission listings to use the same ordering icons as other listings (Thibaud Colas)
* Maintenance: Refactor "More" dropdowns, locale selector, "Switch locales", page actions, to use the same dropdown component (Thibaud Colas)
* Maintenance: Remove or replace legacy CSS classes: visuallyhidden, visuallyvisible, divider-after, divider-before, inline, inline-block, block, u-hidden, clearfix, reordering, overflow (Thibaud Colas)
* Maintenance: Prevent future issues with icon.html end-of-file newlines (Thibaud Colas)
* Maintenance: Rewrite styles using legacy `c-`, `o-`, `u-`, `t-`, `is-` prefixes (Thibaud Colas)
* Maintenance: Remove invalid CSS styles / Sass selector concatenation (Thibaud Colas)

4.1.9

Not secure
~~~~~~~~~~~~~~~~~~

* Fix: CVE-2023-45809: Disclosure of user names via admin bulk action views (Matt Westcott)

4.1.8

Not secure
~~~~~~~~~~~~~~~~~~

* Maintenance: Additionally update Pillow dependency to allow use of versions with security fixes (Dan Braghis)

4.1.7

Not secure
~~~~~~~~~~~~~~~~~~

* Maintenance: Relax Willow dependency to allow use of current Pillow versions with security fixes (Dan Braghis)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.