Diffstat (limited to 'doc')
-rw-r--r-- | doc/ADMIN.md | 4
-rw-r--r-- | doc/CHANGES.md | 19
-rw-r--r-- | doc/INSTALL.md | 2
3 files changed, 22 insertions, 3 deletions
diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 059010e68..07fe9398d 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -16,6 +16,6 @@ The javascript is included in a funky way To change it, edit the coffeescript at `lib/view/general/admin.coffee`, and then do something like: - $ coffee -o /tmp/ -c lib/views/general/admin.coffee - $ mv /tmp/admin.js lib/views/general/admin_js.erb + $ coffee -o /tmp/ -c app/views/admin_general/admin.coffee + $ mv /tmp/admin.js app/views/admin_general/admin_js.erb diff --git a/doc/CHANGES.md b/doc/CHANGES.md index 59c2d3f37..debf9d7c7 100644 --- a/doc/CHANGES.md +++ b/doc/CHANGES.md 
@@ -1,3 +1,22 @@ +# Version 0.8 +## Highlighted features +* Support for running the site over SSL/TLS only and corresponding removal of support for a proxied admin interface, including the deprecation of the main_url and admin_url helpers. +* Merging of the adminbootstrap theme into core Alaveteli, replacing the existing admin theme. (Matthew Landauer) +* Move to HTML 5 (Matthew Landauer) +* More consistent UI for links in the admin interface +* [Security] Upgrades the Rails version to 2.3.17 to get fixes for CVE-2013-0277, CVE-2013-0276 (Although core Alaveteli does not use serialize or attr_protected), upgrade JSON gem to get fix for CVE-2013-0269. +* A bugfix for Chrome's autofilling of signup fields (Vaughan Rouesnel) +* Improvements to the accessibility of the search boxes (Nathan Jenkins) +* Only one email sent when asking for admin attention to a request [issue #789](https://github.com/mysociety/alaveteli/pull/864) (Matthew Landauer) +* A number of XSS escaping fixes for Version 0.7 (Matthew Landauer) +* The emergency admin account can now be disabled + +## Upgrade notes +* Check out this version and run `rails-post-deploy` as usual. +* Remove adminbootstrap from the THEME_URLS or THEME_URL config variable, and remove vendor/plugins/adminbootstraptheme, and the softlink public/adminbootstraptheme. +* There is a new config variable FORCE_SSL, which defaults to true, meaning that Alaveteli will redirect all "http" requests to "https", set the Strict-Transport-Security header and flag all cookies as "secure". For more information about running your install over SSL/TLS, see the [install guide](https://github.com/mysociety/alaveteli/blob/develop/doc/INSTALL.md#set-up-production-web-server). If you don't want to run over SSL/TLS, add the config variable FORCE_SSL to your config/general.yml and set it to false. 
+* If you would like to disable the emergency user account, set DISABLE_EMERGENCY_USER to true in you config/general.yml + # Version 0.7 ## Highlighted features * [Security] Upgrades the Rails version from 2.3.15 to 2.3.16 to get fix for a critical security flaw in Rails (CVE-2013-0333). diff --git a/doc/INSTALL.md b/doc/INSTALL.md index 5fb49131a..ea71454b7 100644 --- a/doc/INSTALL.md +++ b/doc/INSTALL.md @@ -293,7 +293,7 @@ There is an emergency user account which can be accessed via `/admin?emergency=1`, using the credentials `ADMIN_USERNAME` and `ADMIN_PASSWORD`, which are set in `general.yml`. To bootstrap the first `super` level accounts, you will need to log in as the emergency -user. +user. You can disable the emergency user account by setting `DISABLE_EMERGENCY_USER` to `true` in `general.yml`. Users with the superuser role also have extra privileges in the website frontend, such as being able to categorise any request, being |
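Review bot: In the doc/ADMIN.md hunk, the unchanged sentence above the commands still tells the reader to edit the coffeescript at `lib/view/general/admin.coffee`, while the updated commands compile `app/views/admin_general/admin.coffee`. Update that sentence to the new path in the same change so the prose and the commands agree.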
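Review bot: In the doc/CHANGES.md hunk, the upgrade note for DISABLE_EMERGENCY_USER does not state the default, so an admin upgrading cannot tell whether the emergency account stays enabled unless they act. State the default next to the setting, as the FORCE_SSL note does, and fix "in you config/general.yml" to "in your config/general.yml". In the highlighted features, the link text "issue #789" points at pull/864, so one of the two numbers should be corrected. The FORCE_SSL note could also say plainly that setting it to false gives up the redirect, the Strict-Transport-Security header and the "secure" cookie flag it lists.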
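Review bot: In the doc/INSTALL.md hunk, the new sentence about `DISABLE_EMERGENCY_USER` comes straight after the instruction to log in as the emergency user to bootstrap the first `super` level accounts, without saying that the order matters. Suggest wording such as "Once a `super` level account exists, you can disable the emergency user account by setting ..." so nobody sets it to `true` before the bootstrap step. Since the paragraph says the account is reached via `/admin?emergency=1` with credentials kept in `general.yml`, it would also help to recommend disabling it on production installs after bootstrapping.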