5.0.1

• Include images in the package archives (#872)

5.0.0

It's been a while since we didn't issue a major release. So here we go! This contains a lot of improvements, new features and fixes.

Thanks to everyone involved! 🥳

Breaking changes

• Include project code into project authentication token. This invalidates all existing API tokens and invitation links from previous versions (#802 #843)
• Drop support for Python 2 (#483)
• Drop support for Python 3.5 (#571)
• Drop support for MySQL (#743)
• Require MariaDB version 10.3.2 or above (#632)
• Enable session cookie security by default (#845)
• Change token path authentication to /{project}/join/{token} (#843)

The minimum supported version is now Python 3.6, and the project is tested with up to Python 3.9

See the upgrade instructions to make sure the upgrade goes smoothly.

Security

• Add CSRF validation on destructive actions (#796)
• Ask for private code to delete project or project history (#796)
• Add headers to mitigate Clickjacking, XSS, and other attacks: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy (#845)
• Add URL validation to external link to prevent XSS (#846)

Added

• Allow to import previously exported json data (#518)
• Add new optional field "external link" in bill form (#429)
• Add optional currencies to project and bills (#541, #864)
• Add new statistics showing monthly expenses (#526)
• Add pagination to the list of bills (#480)
• Add sorting, pagination, and searching to the admin dashboard (#538)
• Add Project History page that records all changes (#553)
• Add token-based authentication to the API (#504)
• Add illustrations as a showcase, currently only for French (#544)
• Add a page for downloading mobile application (#688)
• Add optional support for a simple CAPTCHA (#844)
• Add translations for Greek, Esperanto, Italian, Japanese, Portuguese and Swedish
• Publish an official docker image

Changed

• Use the external debts lib to solve settlements (#476)
• Remove balance column in statistics view (#323)
• Make language choice persistent (#547)
• Localize date strings in the current language (#590)
• Differentiate "flash alerts" notifications (#594)
• Display "flash messages" persistently instead of making them disappear (#856)
• Improve menu bar spacing, put history and settings in a submenu (#739)
• Change Dockerfile to install python dependencies at build time (#793)
• Updating project settings doesn't require to enter or update project code (#774)
• Bump dependencies: WTForms (#768) jinja2 (#753) itsdangerous (#756) flask (#755 #757 #764)
• Remove requirements files in favor of setup.cfg pinning (#558)
• Make language choice persistent (#547)
• Flash messages must be dismissed manually (#856)
• Increased the font size of the logo (#828)

Fixed

• Improve input of email addresses when inviting people to join a project (#133)
• Fix order of participants in the statistics page (#608)
• Clarify project edition form: private code is not required (#774)
• Fix Python dependency constraints to be less strict
• Improve documentation (#781 #819 #821)
• Fix datepicker that was displayed twice on some browsers (#221)
• Members weight are now rounded to 2 decimal (#838)

Documentation

• Reorganize "Contributing" documentation to be more accessible to new contributors
• Improve documentation regarding database migrations (#569)
• Added a page about the security model (#858)

4.1.5 - 2020-07-26

This release fixes a serious security issue (CVE-2020-15120).

All users are encouraged to upgrade.

Fixed

• Fix unauthorized access and modification of project data (CVE-2020-15120) (#663)

Changed

• Change mobile icon link (#598)
• Improve French translation of email templates (#593)

Added

• Add translations for Portuguese (Brazil), Tamil, Hindi

4.1.4 - 2020-06-07

This is a bugfix-only release. It is almost certainly the last release to support Python 2: you should upgrade to Python 3!

Fixed

• Fix failed installation because dependencies were not being pinned (#540, #545, #558)
• backend: Trim usernames to remove leading or trailing spaces. This avoids a situation where different names can be visually identical (#367)
• backend: Fix API to forbid project creation when the ALLOW_PUBLIC_PROJECT_CREATION setting is set to false (#496)
• backend: Fix crash when a localized email template is missing (#592)
• backend: Fix language code parsing (#589)
• backend: Improve error handling when sending emails (#595)
• UI: Fix datepicker that was being displayed twice on some browsers (#221)
• UI: Fix "Submit and add a new one" button that had no effect when adding a bill (#498)
• UI: Prevent bill cancellation when cancelling autocomplete (#506)
• UI: Fix responsive width of homepage on small screns (#549)
• UI: Fix color of the "Add a member" button (#499)
• UI: Fix missing HTML tag (#583)
• UI: Fix a small typo in the french project-reminder email (#486)
• UI: Fix typo on message displayed when adding a member (#575)
• UI: Fix incorrect tool-tip message about the private code (#623)

Added

• Add translations for German, Spanish (latin-america), Norwegian (bokmål), Indonesian, Polish, Russian, Chinese, Turkish, Ukrainian
• Update translations for all languages

4.0

Added

Add CORS headers in the API (#407)
Document database migrations (#390)
Allow basic math operations in amount field (#413)
Add bill.creation_date field (#327)
Document PostgreSQL configuration (#415)

Fixed

Do not allow negative weights on users (#366)
Fix docker image (#398)
minor documentation changes

Changed

Update API project list (#405)