diff --git a/CHANGELOG.md b/CHANGELOG.md index 093150284..12c5ea66e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,37 @@ # Develop -- TODO Change to 1.8.x. -* ... +### Compatibility-breaking changes +* Authorization failures now return 403 by default instead of 401 +* The `authorize` hook is now only called after successful + authentication. Use the new `preAuthorize` hook if you need to bypass + authentication +* The `authFailure` hook is deprecated; use the new + `authnFailure` and `authzFailure` hooks instead +* The format of `ENTER`, `CREATE`, and `LEAVE` log messages has changed +### Notable new features +* Users can now import without creating and editing the pad first +* Added a new `readOnly` user setting that makes it possible to create users in + `settings.json` that can read pads but not create or modify them +* Added a new `canCreate` user setting that makes it possible to create users in + `settings.json` that can modify pads but not create them +* The `authorize` hook now accepts `readOnly` to grant read-only access to a pad +* The `authorize` hook now accepts `modify` to grant modify-only (creation + prohibited) access to a pad +* All authentication successes and failures are now logged +* Added a new `cookie.sameSite` setting that makes it possible to enable + authentication when Etherpad is embedded in an iframe from another site +### Notable fixes +* Fixed rate limit accounting when Etherpad is behind a reverse proxy +* Fixed typos that prevented access to pads via an HTTP API session +* Fixed authorization failures for pad URLs containing a percent-encoded + character +* Fixed exporting of read-only pads +### Minor changes +* Temporary disconnections no longer force a full page refresh +* Toolbar layout for narrow screens is improved +* Fixed `SameSite` cookie attribute for the `language`, + `token`, and `pref` cookies +* Fixed superfluous database accesses when deleting a pad +* Expanded test coverage. # 1.8.6 * IMPORTANT: This fixes a severe problem with postgresql in 1.8.5