Release Notes for XWiki 16.10.0
These are the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.
This release comes with two usability improvements: the authentication process is now easier to discover, and editing the avatar in the user profile is now easier. It also brings minor accessibility improvements, as well as technical modules that will be useful to improve security in the future.
This release contains security fixes, with the highest severity being 8.7/10.
New and Noteworthy (since XWiki 16.9.0)
Full list of issues fixed and Dashboard for 16.10.0.
For Users
Improvements for editing the user avatar
The button for editing the user profile avatar is now more visible and easier to find and interact with than before.
This action is now placed below the picture and features a standard button that spans the length of the sidebar menu.
Updated the registration UI
Multiple steps of the registration process have been updated and improved in accordance with design research done earlier:
- The registration and authentication buttons for guest users have been moved from the drawer to the navigation bar.
- The registration form validation has been improved to provide a precise status on every field before trying to submit it.
- The successful registration landing page is now looking a bit more welcoming.
Miscellaneous
PDF Export Page Order: Starting with this version, when exporting multiple pages to PDF by selecting them from the page tree, their content appears in the generated PDF in the order of the tree:
- parent / ancestor pages are printed before child pages
- child pages are printed in the order they appear in the tree
This also means that we can now use the Pinned Child Pages feature to enforce a particular order in the PDF export.
The default colors used in the code macro have been altered slightly, in order to fit WCAG-defined contrast values. Those changes in color only apply to some highlighting colors, and are barely noticeable.
For Admins
No changes!
For Developers
Required Rights
New APIs have been introduced for required rights, a new mechanism for explicitly marking which rights the content of a document needs.
This provides two protections:
- Restricting script executions in documents where scripts haven't explicitly been enabled,
- Preventing users without script, admin, or programming right from editing documents that require these rights.
For now, this is a developer-only change: required rights aren't enforced by default and there is no UI (a UI is planned for a following release). Developers whose extensions depend on XWiki 16.10.0+ are encouraged to start using the new document authorization manager when checking the rights of document authors, e.g., when registering a component based on an XObject.
Extensions can also start enforcing required rights on their documents, for example by marking which pages need wiki admin or programming right, and then checking that the extension still works when required rights are enforced for these documents.
The XAR Format Specification has been adapted accordingly. If not done already, required rights analyzers should be implemented for all XObjects and macros that need rights beyond what's covered by standard fields. This includes, for example, the interpretation of Velocity code in fields that aren't marked as containing Velocity code, or requiring wiki admin right for certain scope values. Those analyzers are necessary so that all rights required by a page can be suggested to the user.
Upgrades
The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):
The following dependencies were upgraded for the XWiki Standalone distribution:
Translations
The following translations have been updated:
Security Issues
Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.
Accessibility
We are working towards WCAG 2.1 level AA compliance.
Current status:
- A total of 404125 automated tests are run.
- 99.60% of our automated WCAG tests are passing. There are 129 warnings left in the tests to fix (0.03%) and 1480 incomplete tests (0.37%). "Incomplete" means that they need manual validation.
- Note that the automated WCAG tests have 2 limitations: WCAG tests are executed only for UIs for which we have automated functional tests available, and the underlying library we use for testing (Axe Core) estimates that it catches only about 50% of WCAG issues. We plan to continue regularly running some manual WCAG tests in addition to all these automated tests.
- Out of the 61 rules automatically tested on XWiki, only 4 of them return warnings. All the other tests will fail the build if violated in the future.
- Remaining accessibility violations can be seen on this filter result table.
- The progress of fixing accessibility issues vs raising them can be seen on this status chart.
Known issues
Backward Compatibility and Migration Notes
General Notes
- When upgrading, make sure you compare and merge the following XWiki configuration files, since some parameters may have been modified, removed or added:
  - xwiki.cfg
  - xwiki.properties
  - web.xml
  - hibernate.cfg.xml
- Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you back up your database before doing anything.
Issues specific to XWiki 16.10.0
- With the update of the registration UI, there are some new items by default in the top navigation bar. Instances hiding the drawer from guest users will probably want to disable those two new Interface Extensions when migrating.
API Breakages
The following APIs were modified since XWiki 16.9.0:
No breakage!
Credits
The following people have contributed code and translations to this release (sorted alphabetically):
- Alex Cotiugă
- Antoine Mottier
- Clemens Robbenhaar
- Cye3s
- Lucas Charpentier
- Manuel Leduc
- Marius Dumitru Florea
- Michael Hamann
- Raphaël Jakse
- Simon Urli
- Simpel
- Thiago Krieck
- Thomas Mortagne
- Vincent Massol
- 一颗小土豆