Version 4.4.3

Announcements Releases
1

Released: February 11, 2023

Status: Stable

Changes

Converter

The transformation views’ URLs were updated to always specify which
content object’s transformations are being manipulated. This ensures
the permission system work correctly on all situations such as when deep
ACLs are used to grant access to transformation from a document type.

The transformation and decoration links were updated to take advantage
of the new link dynamic attributes features.

Dependencies

Support for Python 3.7 and Python 3.8 was dropped for the version 4.4
release. Python 3.9 is now the minimum version supported. This change
happened in version 4.4 but was not documented.

Navigation

The Link class added support for for dynamic view keyword arguments,
icon, resolved object, and permissions. Instead of accessing the
properties directly the respective get_... method needs to be used
instead. For example, instead of accessing the link icon with
link.icon use link.get_icon(). The .get_ method accept a context
arguments to allow the overload method to return different values that
can depend on the view context contents.

Redactions

The transformation and decoration links were updated to take advantage
of the new link dynamic attributes features. Redaction access control
now works properly on complex access control scenarios.

Tags

The tag labels are now sanitized when generating the Select2 user
interface widget template. This closes the XSS weakness reported in
CVE-2022-47419: Mayan EDMS Tag XSS.

This is a limited scope weakness of the tagging system markup that can
be used to display an arbitrary text when selecting a tag for attachment
to or removal from a document.

It is not possible to circumvent Mayan EDMS access control system or
expose arbitrary information with this weakness.

Attempting to exploit this weakness requires a privileged account and is
not possible to enable from a guest or an anonymous account. Visitors to
a Mayan EDMS installation cannot exploit this weakness.

Any usage of this weakness remains logged in the event system making it
easy to track down any bad actors.

Due to all these factors, the surface of attack of this weakness is very
limited, if any.

There are no known actual or theoretical attacks exploiting this
weakness to expose or destroy data.

Other

  • Move transformation and redactions links to either their own
    links.py module. In the case of the documents app, the module is
    named miscellaneous_links.py.
  • Improve transformation and redaction link testing.

Removals

Backward incompatible changes

Deprecations

Issues closed