Fixed asset collection download

Added missing CsrfToken in the download portal for downloading the asset collection as zip file.

(CMS-18477)

Workaround Solr bug that leads to unhealthy Solr Server after index creation

Added a workaround for Solr bug https://issues.apache.org/jira/browse/SOLR-14969 . In rare cases, the bug could cause the Solr server to become unhealthy, when Elastic Social search indices were created in Solr, for example when a new Elastic Social tenant was created. Only a restart of the Solr server helped in such a case. The newly introduced workaround avoids this problem.

(CMS-18366)

Third-Party Update: Apache Ant 1.10.9

Apache Ant has been updated to version 1.10.9, which fixes security vulnerability CVE-2020-11979.

(CMS-18365)

Prevent duplicate URLs for preview allow list and connect sources

Previously the automatically generated connect sources and allowed preview urls may have contained many duplicates, if they were identical in all provider setting documents. This lead to a problem while loading the studio, because the corresponding http header became to large. This fix filters the list for duplicate entries.

(CMS-18345)

Adding ID to all PageGrid related Elements

These ids are required when trying to cache a PageGrid, a PageGridRow or a PageGridPlacement using apollo-client.

(CMS-18313)

Updated to latest Spring Framework 5.2.9, Spring Boot 2.2.10, and others

The following third party party libraries have been updated to fix CVE-2020-5421 :

(CMS-18305)

Content Server Flag useStrictWorkflow No Longer Prevents Withdraw Operations In Studio

We fixed a bug where the content server flag useStrictWorkflow prevented place approvals in Studio (e.g. withdraw) whereas it should only prevent version approvals.

(CMS-18300)

Fixed CAE Feeder to Index Correct Navigation Path

Fixed a bug in the CAE Feeder that the Solr index field navigationpath was not correctly set after withdrawal and re-publication.

(CMS-18278)

Resolve dependency on examples-thirdparty-bom

Fixed dependencies of module examples.blueprint.

(CMS-18265)

cm restoreusers: Exit Code != 0 on Failure

If there any error is detected while restoring users, the tool cm restoreusers will now exit with an exit code different to 0 (zero).

(CMS-18225)

StructPropertyField Can Deal With Sub-Structs and Studio Tab Reuse

We fixed a bug where the StructPropertyField took on wrong values on Studio tab-reuse when the StructPropertyField pointed to a sub-struct of a first-level document property.

(CMS-18219)

Richtext transformation ignored superscript elements

The richtext transformation rule to parse superscript elements <sup> contained a bug which led to the situation, that superscript elements were ignored completely and the contained subelements and characters were ignored also. The rule was fixed.

(CMS-18216)

Catalog types moved to extension headless-server-catalog

The catalog types (CMProduct, CMProductImpl) have moved to extension headless-server-catalog. Now these types are only available, if extension catalog is activated. Before, the types were always present, what lead to an error, when extension catalog was deactivated.

(CMS-18212)

Quote parameter in management-tools entrypoint chain

In order to run the management tools with parameters containing spaces, such as content paths, all scripts part of the chain must quote their parameters on the exec call.

If for example one wants to use the serverexport tool with a path containing a space this works now also as a part of the chain.

docker run --rm coremedia/management-tools \
  tools/bin/cm serverexport -u admin -p admin \
  "/Sites/Chef Corp"

(CMS-18185)

Library catalog tree fixed when categories have multiple parents

In some catalogs it is possible to put a category to multiple places within the catalog tree. That led to a broken tree. The unique parent of the catalog object defines the home of such a category. If there are more occurrences of that category in the tree it is shown as a link.

(CMS-18169)

Added error message for misconfigured TaxonomyCondition editors

The TaxonomyCondition editor required the config parameter taxonomyId . If not set, the taxonomy selection dialog simply remains empty. We have added an exception with a corresponding message in that case.

(CMS-18167)

'SiteService' in Documentation is wrong

Replaced siteService with sitesService .

(CMS-18150)

Removed erroneous warning about missing cache capacity for java.lang.Object

DataClientConfiguration occasionally logged the following warning:

Cache configuration seems to be missing. Setting capacity of java.lang.Object to 10 to avoid stack overflow errors due to recomputation.

The code issuing this warning was run while initializing beans without considering cache capacity configuration applied by independent beans such as commonCacheCapacityConfigurer defined in bpbase-uapi-cache-services.xml . Hence, the warning was removed from DataClientConfiguration .

(CMS-18142)

Snakeyaml has been updated to version 1.26

The dependency org.yaml:snakeyaml has been updated from 1.13 to 1.26 for the headless-server and from 1.25 to 1.26 for studio (editorial comments). This fixes a security vulnerability which was present in former versions of this library.

(CMS-18138)

Fixed missing dependency when running headless without live context

In case of running headless without the live context extension "lc-asset" a dependency was missing, preventing the headless to start correctly.

(CMS-18029)

UAPI Reconnect

In some cases the UAPI was not able to reconnect after a Content Server restart because of HTTP response caching issues. This has been fixed.

(CMS-17996)

Commerce adapter connection log is more helpful

If a commerce client (Studio or CAE) tries to connect to a commerce adapter the message says "Commerce adapter not available" is more helpful. It names the specific endpoint that cannot be reached.

(CMS-17978)

Fixed Taxonomy Name Escaping

Fixed issue where taxonomy node names were rendered with escaped characters inside the taxonomy manager.

(CMS-17953)

LanguageId deprecated in favor for new properly named property 'locale'

The content schema of Headless Server contained the property 'languageId' but was not mapped properly to a property in content objects, thus delivering always null. The property is now deprecated in favor for the newly introduced property 'locale', which maps to the corresponding property of localized content objects. Additionally the now deprecated property 'languageId' was mapped to 'locale' in order to fix the always null issue.

(CMS-17936)

Third-Party Update: Tomcat

Tomcat has been updated to version 9.0.37 to avoid security issues of the previous version (CVE-2020-13934, CVE-2020-13935).

(CMS-17901)

WorkflowDateTimePropertyField also offers remoteIssuesCallback

The WorkflowDateTimePropertyField also offers a new property remoteIssuesCallback of type function, that can be used to react to issues produce by the field itself

(CMS-17889)

Studio Link Suggestions Exclude Deleted Content

Fixed a bug that deleted content appeared in the list of suggested contents for a link list field in Studio. Deleted content is excluded now.

(CMS-17856)

Third-Party Update: Jetty

Jetty has been updated to version 9.4.30 to avoid a security issue of the previous version (CVE-2019-17638).

(CMS-17836)

Fixed Creation of Taxonomy Root Nodes

Fixed issue where root nodes of type 'CMLocTaxonomy' have been created as 'CMTaxonomy' documents.

(CMS-17830)

Bugfix for possible escalation in translation workflows that have multiple target sites

The DerivedContentsResult was enhanced, so it guarantees only versions of unique content are stored and used in a translation workflow. Before, it was possible that two different version of the same content would be stored in the masterContentObjects variable which led to an escalation of the workflow.

This bug could only occur for translation workflows that had createWorkflowPerTargetSite set to false.

(CMS-17826)

Updated Upload Settings Documentation and Mime Type Mapping

The documentation of the Upload Settings has been updated according to the implementation. Additionally, the usage of the settings mimeTypeToMarkupPropertyMappings and mimeTypeToBlobPropertyMappings has been updated so that the primary type of a mime-type is sufficient to configure these mappings.

(CMS-17809)

Fixed Accidental Bookmark Deletion

Fixed issue where bookmarks have been deleted when the Studio tab is closed before they have been loaded.

(CMS-17804)

Headless supporting queries for localized variants of content objects

Starting with version 2010.1 headless features the ability to query for localized content objects of any localizable content and derived sites of a site object. With the new abilities it is now possible to develop more generic clients, e.g. being able to bootstrap a client for all derived sites or to crosslink to localized contents.

(CMS-17797)

Studio may leave database lock when interrupted during startup

Should the startup of a Studio-Server instance be interruped, it is possible that a lock is left on the database schema cm_editorial_comments. In this case it is necessary to remove the lock manually, either by performing the following SQL Statement:

UPDATE DATABASECHANGELOGLOCK SET LOCKED=0, LOCKGRANTED=null, LOCKEDBY=null where ID=1;

or

use liquibase to do so: "liquibase releaseLocks"

(see: https://docs.liquibase.com/concepts/basic/databasechangeloglock-table.html )

It is also possible to disable Liquibase with the configuration editorial.comments.liquibase.enabled=false . However this means that it is necessary to apply the database changesets manually after an upgrade. This is possible by activating liquibase for at least one startup of a Studio-Server, or to run liquibase manually ( https://docs.liquibase.com/tools-integrations/cli/home.html ).

Example of liquibase.properties file for command line tool (Mysql-Setup):

changeLogFile=db/changelog/db.changelog-editorial-comments.xml
username=cm_editorial_comments
password=cm_editorial_comments
driver=com.mysql.cj.jdbc.Driver
url=jdbc:mysql://localhost:3306/cm_editorial_comments?useUnicode=yes&characterEncoding=UTF-8
classpath=>pathToMySqlDriver>/mysql-connector-java-8.0.20.jar:<pathTo_editorial-comments-data-jar>editorial-comments-data-1-SNAPSHOT.jar

(CMS-17784)

Configuration property studio.security.autoLogout.delay renamed to studio.autoLogout.delay

Due to conflicts with StudioSecurityConfigurationProperties the property studio.security.autoLogout.delay in StudioConfigurationProperties was renamed to studio.autoLogout.delay.

(CMS-17731)

Improve Taxonomy Change Plugin

The mechanism to detect changes of taxonomy properties within in the taxonomy manager has been improved. The TaxonomyChangePlugin provides the additional String property properties which supports a comma separated value with the names of the taxonomy properties which should be observed. The property is optional and should only be used when property editors of Taxonomy forms are working on Structs.

Additionally, the class TaxonomyNode.as has the new boolean field _AUTO_COMMIT_ now. This allows to disable the "auto-commit" of the taxonomy manager completely. In this case, we recommend to use the Control Room for detecting and publishing changed content.

(CMS-17707)

Security problem in CORBA protocol fixed

It used to be possible to guess the object ids of objects remotely accessible through CORBA when the start time of the servers was known or, in the case of the IBM JDK, even without knowing the start time. This allowed the unauthorized access to methods that did not require the session to be passed as an argument. Session objects already used secure ids, so that most methods were not affected.

This has been fixed. Object ids contain a secure random identifier now.

By setting the system property com.coremedia.corba.server.use-insecure-oids=true or by setting the environment variable COM_COREMEDIA_CORBA_SERVER_USE_INSECURE_OIDS=true , the bugfix can be disabled in case the generation of random numbers leads to a serious performance degradation. These are stop-gap flags, only, and you should fix the configuration of SecureRandom eventually.

(CMS-17667)

Fixed Library Dragging Issue

Fixed the possibility to move the Studio library out of the browser window.

(CMS-17602)

Fixed MIME-type Detection for Calendar Files

MIME-type detection for Outlook calendar files (*.ics) has been fixed to return "text/calendar" instead of "text/html".

(CMS-17529)

Translation Auto-Merge Keeps Order of Link Lists

Fixed a bug in the auto-merge functionality of translation workflows, which sometimes caused a wrong order of contents when changes from a placement link list were merged to a derived content.

(CMS-17515)

Fixed TooManySeachResultsException

The given exception has been raised when Studio's user manager is working on a large amount of users or groups. We have introduced the new Spring property studio.usermanager.minSearchCharacters which determines the amount of characters to input until a search request against the user provider is triggered. The default value is 0 , which means that all users and groups are lazy loaded by the Studio, therefore also requested by the user provider.

(CMS-17404)

Serverexport now checks if base directory is writable

cm serverexport now checks if the base directory is writable. If not it will fail early, as no content can be exported.

(CMS-17399)

Enhanced "Delete Content Type" description

The description of the "Deleting Content Types" section in the Content Server Manual has be enhanced.

(CMS-16851)

Fix loadbalancing in Chef deployment with multiple CAEs

When the Chef deployment was configured to install multiple CAEs on a single node for loadbalancing purposes, the servlet context was missing in the proxy balancer config.

(CMS-16807)

Autofill in browsers now finds correct field types

Two autofill behaviours have been fixed.

(CMS-16773)

Multisite-validation-tools: Changed Error Code for Translation Setttings

On validation of a TranslationSettings document with the multi-site-validation-tools, the error MS_VALIDATION_4000 (Invalid property value) was returned, if the translation strategy is invalid. This error has changed to MS_VALIDATION_4022 (Invalid translation settings property value).

(CMS-16646)

Copy mysql configuration files in Dockerfile using mysql user

To prevent access rights conflicts in some environments, the configuration files should be copied using the mysql user.

(CMS-16538)

MySQL Deployment in Chef used deprecated configuration syntax

Since MySQL 5.7, the correct syntax uses underscrores _ instead of hyphens - .

(CMS-16408)

Fixed a bug which caused an error upon content server start after adding a new observed property

After adding a new observed property to a doctype (and the restart of the server) and creating a document of the doctype with a value for the new observed property the second restart of the server caused an exception:

hox.corem.exceptions.RepositoryError: ERROR: duplicate key value violates unique constraint "pk_observedvalues"

The bug is now fixed.

(CMS-15090)

Fixed recursion in ReplaceItemsPlugin

Setting recursive="true" in the ReplaceItemsPlugin was broken and has been fixed. However we do not recommend to use the recursive flag. Instead use the NestedRulesPlugin for deeper replacements.

(CMS-13931)

Add substitution model attribute for FTL Spring bind

Substitution model attributes can now also be used with the <@spring.bind /> macro in Freemarker templates.

(CMS-12747)

Solr cookbook in Chef deployment fails to update

The home directory of the solr user can only be changed to the new solr installation directory, when the service is stopped. With Chef you can model this by using the :before timing on a stop notification to the service resource.

(CMS-12223)

Sort results in UAPI queries

It is possible to sort by parent folder id, place approval date and place approver in UAPI queries now.

(CMS-11314)