This document describes changes between each past release.
- Include project code into project authentication token. This invalidates all existing API tokens and invitation links from previous versions (#802 #843)
- Drop support for Python 2 (#483)
- Drop support for Python 3.5 (#571)
- Drop support for MySQL (#743)
- Require MariaDB version 10.3.2 or above (#632)
- Enable session cookie security by default (#845)
- Change token path authentication to /{project}/join/{token} (#843)
The minimum supported version is now Python 3.6, and the project is tested with up to Python 3.9
See upgrade instructions to make sure the upgrade goes smoothly.
- Add CSRF validation on destructive actions (#796)
- Ask for private code to delete project or project history (#796)
- Add headers to mitigate Clickjacking, XSS, and other attacks: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy (#845)
- Add URL validation to external link to prevent XSS (#846)
- Allow to import previously exported json data (#518)
- Add new optional field "external link" in bill form (#429)
- Add optional currencies to project and bills (#541, #864)
- Add new statistics showing monthly expenses (#526)
- Add pagination to the list of bills (#480)
- Add sorting, pagination, and searching to the admin dashboard (#538)
- Add Project History page that records all changes (#553)
- Add token-based authentication to the API (#504)
- Add illustrations as a showcase, currently only for French (#544)
- Add a page for downloading mobile application (#688)
- Add optional support for a simple CAPTCHA (#844)
- Add translations for Greek, Esperanto, Italian, Japanese, Portuguese and Swedish
- Publish an official docker image
- Use the external debts lib to solve settlements (#476)
- Remove balance column in statistics view (#323)
- Make language choice persistent (#547)
- Localize date strings in the current language (#590)
- Differenciate "flash alerts" notifications (#594)
- Display "flash messages" persistently instead of making them disappear (#856)
- Improve menu bar spacing, put history and settings in a submenu (#739)
- Change Dockerfile to install python dependencies at build time (#793)
- Updating project settings doesn't require to enter or update project code (#774)
- Bump dependencies: WTForms (#768) jinja2 (#753) itsdangerous (#756) flask (#755 #757 #764)
- Remove requirements files in favor of setup.cfg pinning (#558)
- Make language choice persistent (#547)
- Flash messages must be dimissed manually (#856)
- Increased the font size of the logo (#828)
- Improve input of email addresses when inviting people to join a project (#133)
- Fix order of participants in the statistics page (#608)
- Clarify project edition form: private code is not required (#774)
- Fix Python dependency contraints to be less strict
- Improve documentation (#781 #819 #821)
- Fix datepicker that was displayed twice on some browsers (#221)
- Members weight are now rounded to 2 decimal (#838)
- Reorganize "Contributing" documentation to be more accessible to new contributors
- Improve documentation regarding database migrations (#569)
- Added a page about the security model (#858)
This release fixes a serious security issue.
All users are encouraged to upgrade.
- Fix unauthorized access and modification of project data (CVE-2020-15120) (#663)
- Change mobile icon link (#598)
- Improve French translation of email templates (#593)
- Add translations for Portuguese (Brazil), Tamil, Hindi
This is a bugfix-only release. It is almost certainly the last release to support Python 2: you should upgrade to Python 3!
- Fix failed installation because dependencies were not being pinned (#540, #545, #558)
- backend: Trim usernames to remove leading or trailing spaces. This avoids a situation where different names can be visually identical (#367)
- backend: Fix API to forbid project creation when the ALLOW_PUBLIC_PROJECT_CREATION setting is set to false (#496)
- backend: Fix crash when a localized email template is missing (#592)
- backend: Fix language code parsing (#589)
- backend: Improve error handling when sending emails (#595)
- UI: Fix datepicker that was being displayed twice on some browsers (#221)
- UI: Fix "Submit and add a new one" button that had no effect when adding a bill (#498)
- UI: Prevent bill cancellation when cancelling autocomplete (#506)
- UI: Fix responsive width of homepage on small screns (#549)
- UI: Fix color of the "Add a member" button (#499)
- UI: Fix missing HTML tag (#583)
- UI: Fix a small typo in the french project-reminder email (#486)
- UI: Fix typo on message displayed when adding a member (#575)
- UI: Fix incorrect tool-tip message about the private code (#623)
- UI : Fix bug on tool-tip message (#635)
- Add translations for German, Spanish (latin-america), Norwegian (bokmål), Indonesian, Polish, Russian, Chinese, Turkish, Ukrainian
- Update translations for all languages
- Fix packaging. Previous (4.1) release wasn't pip-installable on all systems.
- Fix readme and requirements.txt to upload to PyPI.
- Display password reminder message on a new page rather than on a flash message (#455, #469)
- Add a
compress_assetstarget in the makefile to compress PNG (#459) - Document how to use systemd (#435)
- Add support for python 3.7
- Add links to documentation, mobile app and git repository in the footer (#445)
- Use weblate to handle translations
- Add dutch translation
- Add project switcher on login page if already logged (#445)
- Documentation has been cleaned and reorganised.
- Display a placeholder when no entries are present in the bill list. (#457)
- Disable the "add bill" action until members are present (#457)
- Improve invitations UX (#451)
- In the bills list, display the "added on" column as a tooltip (#443)
- Updated bootstrap to latest stable (#440)
- Improved "project already exists" message (#442)
- Improve usability specially for small screen (#441)
- Replace export forms by links (#450)
- Rework homepage design (#445)
- Docker now downloads IHM from PyPI or the reference git repo (#446)
- Arrange navbar items by functions (#445)
- Add CORS headers in the API (#407)
- Document database migrations (#390)
- Allow basic math operations in amount field (#413)
- Add bill.creation_date field (#327)
- Document PostgreSQL configuration (#415)
- Do not allow negative weights on users (#366)
- Fix docker image (#398)
- minor documentation changes
- Update API project list (#405)
- Fix broken install with pip ≥ 10 (#340)
- Fix the generation of the supervisord template (#309)
- Fix Apache conf template (#359)
- Regenerate translations and improve fr translations (#338)
- Fix the validation of the hashed password (#310)
- Fix infinite loop that happened when accessing / (#358)
- Fix email validation when sending invites
- Fix double-click when deleting a bill (#349)
- Fix error escaping (#388)
- Fix form error on already existing participant (#370)
- Fix documentation for create bills via api (#391)
- Fix docker ADMIN_PASSWORD configuration (#384)
- Fix docker bug where conf is duplicated at each run (#392)
- Fix cffi installation in Dockerfile (#364)
- Document MySQL setup (#357)
- Add a favicon.ico (#381)
- Document external mail server configuration (#278)
- Improve settings documentation styling (#251)
- Add a ihatemoney delete-project command to delete a project (#375)
- Add nice 404 error pages (#379)
- Enhance translation tooling (#360)
- Improve Makefile (#387)
- Sort members alphabetically in the new bill form. (#374)
- Underline actions links on hover (#377)
- Remove Sentry, as it's not used anymore on prod. (#380)
- Use flask-restful instead of deprecated flask-rest for the REST API (#315)
- Make sidebar scrollable. Usefull for large groups (#316)
- Fix the "IOError" crash when running ihatemoney generate-config (#308)
- Made the left-hand sidebar scrollable (#318)
- Fix and enhanche Docker support (#320, #321)
- Statistics API (#343)
- Allow to disable/enable member via API (#301)
- Enable basic Apache auth passthrough for API (#303)
ADMIN_PASSWORDis now stored hashed. Theihatemoney generate_password_hashcommand can now be used to generate a proper password HASH (#236)- Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218)
- Admin privileges are now required to access the dashboard (#262)
- password field has been removed from project API GET views (#289)
- Logged admin can see any project (#262)
- Simpler and safer authentication logic (#270)
- Use token based auth to reset passwords (#269)
- Better install doc (#275)
- Use token based auth in invitation e-mails (#280)
- Use hashed passwords for projects (#286)
ihatemoney generate-configto give working examples of config files (#275)- Statistics tab (#257)
- Python3.6 support (#259)
- ALLOW_PUBLIC_PROJECT_CREATION setting (#262)
- Projects can be edited/deleted from the dashboard (#262)
- ACTIVATE_ADMIN_DASHBOARD setting (#262)
- Link to the dashboard in the navigation bar (#262)
- Dockerfile
- Documentation explaining the upgrade process
- Fix PUT api/project/:code/members/:id API endpoint (#295)
- Fix member name uniqueness validation on API (#299)
- Remove unused option in the setup script
- Apache WSGI Support (#191)
- Brush up the Makefile (#207, #201)
- Externalize the settings from source folder (#193)
- Makefile: Add new rule to compile translations (#207)
- Project creation can be restricted to admin (#210)
- More responsive layout (#213)
- Some README enhancements
- Move tests to budget.tests (#205)
- The demo project can be disabled (#209)
- Fix sphinx integration (#208)
- First release of the project.