Version 4.4.3

Sat, Feb 11, 2023

Released: February 11, 2023

Status: Stable

Changes

Converter

The transformation views' URLs were updated to always specify which content object's transformations are being manipulated. This ensures the permission system works correctly in all situations, such as when deep ACLs are used to grant access to transformations from a document type.

The transformation and decoration links were updated to take advantage of the new link dynamic attributes features.

Dependencies

Support for Python 3.7 and Python 3.8 was dropped for the version 4.4 release. Python 3.9 is now the minimum version supported. This change happened in version 4.4 but was not documented.

The Link class added support for dynamic view keyword arguments, icon, resolved object, and permissions. Instead of accessing the properties directly, the respective get_... method needs to be used. For example, instead of accessing the link icon with link.icon, use link.get_icon(). The get_... methods accept a context argument so that an overriding method can return different values depending on the view context contents.

Redactions

The transformation and decoration links were updated to take advantage of the new link dynamic attributes features. Redaction access control now works properly in complex access control scenarios.

Tags

The tag labels are now sanitized when generating the Select2 user interface widget template. This closes the XSS weakness reported in CVE-2022-47419: Mayan EDMS Tag XSS.

This is a limited scope weakness of the tagging system markup that can be used to display arbitrary text when selecting a tag for attachment to or removal from a document.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Attempting to exploit this weakness requires a privileged account and is not possible from a guest or an anonymous account. Visitors to a Mayan EDMS installation cannot exploit this weakness.

Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.

Due to all these factors, the attack surface of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
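The fix described above treats tag labels as text rather than markup when the Select2 widget is rendered. The following is an added illustration of that pattern, not code from Mayan EDMS: a weak renderer that interpolates the label verbatim beside a hardened one that escapes the label and accepts only a well-formed hex colour. The tag values, the HTML structure and the function names are constructed for this example; Python's html.escape stands in for the template engine's escaping.

```python
import html
import re

# Constructed sample tags for this example; not taken from any installation.
# Labels are user-supplied text, so one of them carries markup characters.
SAMPLE_TAGS = [
    {"label": "Invoices", "color": "#2e7d32"},
    {"label": 'Finance <b>Q1</b> "draft"', "color": "#1565c0"},
]

HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")
FALLBACK_COLOR = "#000000"
OPTION_TEMPLATE = '<span class="tag" style="background: {color}">{label}</span>'


def render_option_unsafe(tag):
    """Weak pattern: the label is placed into the widget markup verbatim,
    so any markup characters in it become part of the rendered HTML."""
    return OPTION_TEMPLATE.format(color=tag["color"], label=tag["label"])


def render_option(tag):
    """Hardened pattern: the label is HTML-escaped (including quotes, so it
    is also safe inside attributes) and the colour is checked against a strict
    hex pattern before it is used in the style attribute."""
    label = html.escape(tag["label"], quote=True)
    color = tag["color"] if HEX_COLOR.match(tag["color"]) else FALLBACK_COLOR
    return OPTION_TEMPLATE.format(color=color, label=label)


def label_rendered_as_text(rendered, label):
    """Check used by the test: the escaped label must appear in the output and
    no raw angle brackets from the label may survive into the markup."""
    escaped = html.escape(label, quote=True)
    return escaped in rendered and ("<" not in label or label not in rendered)


if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print("unsafe:", render_option_unsafe(tag))
        print("safe:  ", render_option(tag))
```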

Other

  • Move transformation and redaction links to their own links.py module. In the case of the documents app, the module is named miscellaneous_links.py.
  • Improve transformation and redaction link testing.

Removals

Backward incompatible changes

Deprecations

Issues closed