Ticket search results

email auth verification by link

Dave Brondsema — Fri, 01 May 2026 18:21:37 -0000

With a link we can have a longer token for more security (still type-able if needed). And the link will defeat some MITM phishing attacks, forcing you to the right site. We can apply this to 2FA accounts too (currently being skipped) so they get the MITM protections too Downside is if you don't have email access on the same computer you're logging in to :(

improve bad markdown performance

Dave Brondsema — Mon, 23 Feb 2026 20:20:24 -0000

In some very specific cases the performance of markdown can be quite bad

Python Packages Upgrades

Guillermo Cruz — Tue, 10 Feb 2026 22:08:51 -0000

Like every quarter let's update the Python packages we use.

improve regexes and remove regex-as-re-globally pkg DROPS python 3.10

Dave Brondsema — Mon, 01 Dec 2025 17:36:58 -0000

`regex-as-re-globally` is a very hacky package (I made it, I'm ok to admit it) and it continuously has needs more fixes for every new version of python https://github.com/brondsem/regex-as-re-globally/issues?q=is%3Aissue So lets fix our regexes so we don't need it

[Feature Request] Easier Merge Request Creation

Dillon Walls — Tue, 18 Jun 2024 22:32:57 -0000

One feature that I've always thought would be nice is the ability to create an "empty" merge request that represents a new chunk of work. So even If I don't have a fork, as long as I have write access to a git repo, I can "Create Merge Request" and it will default to merging master onto master. This could immediately be updated to point to a branch of your choosing. Or maybe this flow could create a branch for you! Or you could leave it pointing to master and update the MR later. But having this option to arbitrarily create new MRs will streamline the process of embarking on new work. It has the added benefit of keeping all relevant discussion happening as close as possible to the work itself. I believe GitHub has something similar to this, but I'm not 100% sure.

Java Runtime Error with XWPFDocument.getParagraphs() poi-ooxml-5.2.5.jar

Vamsi — Wed, 29 May 2024 20:54:52 -0000

Hi, I’m facing following issue with Apache POI code. I am trying to access below function (getParagraphs()) using Java programming but seeing the error mentioned below. I am using poi-ooxml-5.2.5.jar for this implementation and don’t see any compile issues but getting the below error log at runtime. Could you please help out and let me know if this is an existing bug or any other way I can resolve, thanks. ***Code:*** List xwpfParagraphList = new ArrayList(); xwpfParagraphList = doc.getParagraphs(); ***Error Log:*** javax.servlet.ServletException: java.lang.NoSuchMethodError: org.apache.poi.xwpf.usermodel.XWPFDocument.getParagraphs()Ljava/util/List; at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:391) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:207) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at com.vdh.fa.te.web.TERoleCheckFilter.doFilter(TERoleCheckFilter.java:51) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at com.vdh.security.VDHSecurityFilter.doFilter(VDHSecurityFilter.java:249) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at com.vdh.web.filters.ReqHeaderCheckFilter.doFilter(ReqHeaderCheckFilter.java:82) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at com.vdh.web.filters.URLCheckFilter.doFilter(URLCheckFilter.java:61) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at oracle.security.jps.ee.http.JpsAbsFilter$3.run(JpsAbsFilter.java:172) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:650) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:110) at oracle.security.jps.ee.http.JpsAbsFilter.doFilterInternal(JpsAbsFilter.java:273) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:147) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:94) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:248) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3701) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3667) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326) at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197) at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203) at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71) at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2443) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2291) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2269) at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1703) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1663) at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272) at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352) at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337) at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57) at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41) at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415) at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)

deprecate and remove has_access(..)() syntax

Dave Brondsema — Mon, 08 Dec 2025 22:50:55 -0000

`has_access` returns a TruthyCallable which can be treated as a bool or called again, which is confusing. There's lots of `has_access(...)()` syntax that can be cleaned up now. After cleanup is done (including within external plugins/extensions), we can then remove the TruthyCallable and predicate behavior of has_access, and have it return a simple bool. Code changes necessary: - `has_access(...)()` -> `has_access(...)` - `has_access(c.app, 'read')(user=user)` -> `has_access(c.app, 'read', user)` - `require(has_access(c.app, 'read'))` -> `require_access(c.app, 'read'))` If `require(...)` is used in other situations, ideally it should be changed completely. Or, change from a callable to a bool like `require(lambda: foo == bar)` -> `require(foo == bar)` but this cannot be done ahead of time, it mus be done at the time of full removal.

a few JS performance improvements

Guillermo Cruz — Mon, 10 Jun 2024 15:31:45 -0000

- move `GoogleAnalytics` further down the page - remove `scanMessages` from `jquery.notify.js`

set up github codeql

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

Our repo gets mirrored to https://github.com/apache/allura/ so we can set up CodeQL to run there and check for security issues in code

switch python email 'policy' for better line length handling

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

If an email has a super long subject header (for example) with no spaces in it, email delivery can fail. For example `exim` gives `message has lines too long for transport` We’ve handled this before: - in `SMTPClient.sendmail` and `test_send_email_long_lines_use_quoted_printable` but apparently it doesn’t split a header if there’s no spaces or other chars to split on - `encode_email_part` handled it too, and debugging that seems like it works correctly (setting header charsets) but it still ends up rewritten later in sendmail, and causes the error https://docs.python.org/3/library/email.mime.html for MIMEText and MIMEMultipart extend from Message which has a default policy of compat32 (python 3.2 compatibility, bugs included). Specifying a different policy (or using EmailMessage perhaps) seems to work better, and maybe we can get rid of workarounds within our code. See https://docs.python.org/3/library/email.policy.html in the middle of the page. SMTP seems best. (SMTPUTF8 sound appealing, but not all mail servers support utf8)

improve ruff config

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

support unicode in repo branch names

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

Currently a branch name with unicode in it is browsable, but only if you go their directly. If you go to a code tool it'll try to do a redirect and get this error ``` File "/src/allura/Allura/allura/lib/custom_middleware.py", line 638, in __call__ start_response(status, headers, exc_info) ValueError: unicode object contains non latin-1 characters ```

Docker Upgrade Node Version

Guillermo Cruz — Mon, 06 Nov 2023 20:22:34 -0000

Update the installation url path for node 16

True Allura Object/Artifact delete and soft_delete support

Dillon Walls — Tue, 18 Jul 2023 22:56:03 -0000

Git-HTTP Dockerfile upgrade

Guillermo Cruz — Thu, 22 Jun 2023 18:43:27 -0000

allura/scm_config/git-http has a Dockerfile with an older LTS version of Ubuntu that support python2 but latest LTS version of Ubuntu has removed python2 related packages. So we need to upgrade to python3 in order to update the latest LTS version to keep it in sync with the base Dockerfile which was upgraded in here https://forge-allura.apache.org/p/allura/tickets/8513/

Jenkins Buikd Docker Error

Guillermo Cruz — Thu, 14 Sep 2023 18:51:38 -0000

When running the Jenkins build there's a python3 error related to pipensure not being present.

Incorrect links to ticket search rss feeds

Dave Brondsema — Tue, 02 May 2023 08:20:55 -0000

On ticket searches for example /p/test/tickets/search/?q=foo we have these references which are wrong: ```html ``` Check the ForgeTracker code to see if we have any support for feeds of a ticket search. I think probably not, in which case we should remove those links. (Make sure to keep them on other types of ticket pages where appropriate) And then ideally we should make those urls like ../search/feed.rss and ../search/feed.atom return a 410 Gone status so bots stop trying to crawl them.

CSP Headers Add Support For script-src-attr

Guillermo Cruz — Thu, 14 Sep 2023 18:51:37 -0000

Add support and remove inline events like `onclick` `onkeyup` etc. from code.

Replace pyflake with ruff

Guillermo Cruz — Thu, 14 Sep 2023 18:51:37 -0000

Setup ruff and fix code issues that might appear.

Update noindex Logic for User Profiles

Guillermo Cruz — Thu, 14 Sep 2023 18:51:37 -0000

Enforce user profiles to have at least one project and activity around before removing the `noindex` attribute from the robots tag

support python 3.8

Dave Brondsema — Thu, 14 Sep 2023 18:51:37 -0000

Currently only python 3.7 is supported. Shouldn't be too hard to get it running on 3.8 We can *allow* the Docker container to install 3.8 but leave the **default** to 3.7 I imagine we'll have more tickets to support 3.9, 3.10, 3.11. And then at the end can make the docker default be 3.11 or something like that.

Incorrect name of web docker image in compose files

Maarrk — Thu, 14 Sep 2023 18:51:37 -0000

When following steps in the [Installation manual](https://forge-allura.apache.org/docs/getting_started/installation.html#first-run) the following command: ``` docker compose run taskd paster setup-app docker-dev.ini ``` produces this output: ``` [+] Running 0/1 ⠿ outmail Error 2.9s Error response from daemon: pull access denied for allura_web, repository does not exist or may require 'docker login': denied: requested access to the resource is denied ``` But when I consult the Images list in Docker, I can see `allura-web` It seems to me that the image `allura_web` should be named `allura-web` in the `docker-compose[-prod].yml` files. These are the only files where I could find the pattern `allura[\-_]web`. After replacing underscore with hyphen, I was able to complete the instructions and connect to a working instance. I'd be happy to contribute a fix, but since I didn't find any other ticket mentioning this issue, maybe it is specific to my setup? ----- In case this is some recent change in the Docker, I am attaching detailed versions for everything that seems relevant. ``` $ lsb_release -drc Description: Ubuntu 22.04.1 LTS Release: 22.04 Codename: jammy ``` ``` $ docker version Client: Docker Engine - Community Cloud integration: v1.0.29 Version: 20.10.22 API version: 1.41 Go version: go1.18.9 Git commit: 3a2c30b Built: Thu Dec 15 22:28:04 2022 OS/Arch: linux/amd64 Context: desktop-linux Experimental: true Server: Docker Desktop 4.15.0 (93002) Engine: Version: 20.10.21 API version: 1.41 (minimum version 1.12) Go version: go1.18.7 Git commit: 3056208 Built: Tue Oct 25 18:00:19 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.10 GitCommit: 770bd0108c32f3fb5c73ae1264f7e503fe7b2661 runc: Version: 1.1.4 GitCommit: v1.1.4-0-g5fd4c4d docker-init: Version: 0.19.0 GitCommit: de40ad0 ``` Compose: v2.13.0