Release Notes - version 2.020.25

Version 2.020.25 was deployed to https://kf.kobotoolbox.org/ on Wednesday, 17 June 2020 at 18:20 UTC, and will be deployed to https://kobo.humanitarianresponse.info/ on Wednesday, 8 July 2020 at 23:00 UTC.

This update brings large, behind-the-scenes changes to KoBoToolbox—such as upgrading KPI to Python 3 and Django 2.2 LTS—as well as many user-facing improvements and bug fixes. Below is a list of changes that are likely to interest the general KoBo community, followed by other changes that are primarily relevant to more technical audiences. We hope you enjoy this release of KoBoToolbox.

Note: If you run your own instance of KoBoToolbox, please consult these important instructions before upgrading.

New features and enhancements

PR Description Related Issues
kpi#2597 Improve autonaming of choices; allow manually setting choice names up to 40 characters in the form builder kpi#623
kpi#2567 Replace hard-coded limit on displayed map points with adjustable slider kpi#2549
kpi#2560 Increase limit on displayed map points from 5k to 20k when filtering by response kpi#2549
kpi#2657 Allow editors to access “Sharing” in the settings panel; restrict “Media” to the owner kpi#2647
kpi#2530 Allow public sharing to be disabled on forms attached to a collection; hide denied permissions from API output; allow assignment of (all) denied permissions to AnonymousUser kpi#2528, kpi#2529
kpi#2400 Add support for Enketo’s single-submission “once” option kpi#2398
kpi#2579 Removed red warning when group title field is empty kpi#2526
kpi#2592 Export forms as XLSX instead of XLS; use XlsxWriter instead of xlwt in to_xls_io() kpi#2591
kpi#2566 Added print button to submission view kpi#2551, kpi#2565
kpi#2553 Add clickable link in table view for all media type files in form (images, audio, video) kpi#2523
kpi#2472 Allow users with Edit Form and View Submissions permissions to add/edit/delete REST Services kpi#2461
kpi#2454 Show success/pending/failed counts for REST Services in columns instead of tooltips kpi#2452
kpi#2429 Add option to enable auditing in form builder settings kpi#2187
kpi#2426 Display API token in settings kpi#2418

Bug fixes and other improvements

PR Description Related Issues
kobocat#617 Disable the list views of users and public forms kobocat#616, kobocat#117
kobocat#592 Correctly handle identically-named form media files in different projects within the same user account; remove deleted media files from S3 storage kobocat#267, kobocat#584
kpi#2683 Fix app crashing when trying to view the map for a project without any geographic questions kpi#2670 kpi#2682
kpi#2680 Optimize queries; make the server respond more quickly kpi#2679, kpi#2671
kpi#2636 Stop incorrect button hints from appearing in the form builder
kpi#2664 Remove duplicate error notification when permissions assignment fails kpi#2527
kpi#2660 Fix white-screen crash caused by race condition when trying to load permissions config before the app
kpi#2638 Added EXIF orientation fix for viewing photo submissions kpi#2241
kpi#2512 Allow assets to be deleted even if they have active REST Services kpi#2497
kpi#2616 Added quotes around src= in copy paste for ‘Embeddable web form code’ kpi#2614
kpi#2610 Fixed bug where adding a new translation would add an extra null translation kpi#2604
kpi#2573 Avoid crash in auto report kpi#2562
kpi#2596 Protect hook endpoints against SSRF attacks
kobocat#600 Protect form media endpoints against SSRF attacks
kpi#2602 Fix group labels not saving kpi#2526
kpi#2568 Honor form_title from XLSForm settings when importing kpi#2344
kpi#2569 Ignore map_style if selectedQuestion is not ‘geopoint’ kpi#2558
kpi#2511, kobocat#599 Invalidate sessions on password change; remove change password button from KoBoCAT to avoid hash mismatches with KPI kpi#2258, kpi#2595
kpi#2583 Updated help bubble URL (use HTTPS) kpi#2582
kpi#2447 Support API access to private-storage endpoints, e.g. exported data: allow Token, Basic authentication classes with django-private-storage kpi#2338
kpi#2571 Allow users to see AnonymousUser permissions whatever their permissions
kpi#2575 Make search work reliably by parsing queries into ORM filters instead of using Whoosh kpi#2514
kpi#2565 Fix printing single submission (CSS backdrop issue) kpi#2551
kpi#2493 Fix moving library item into collection kpi#2492
kpi#2533 Show a helpful message when a map is requested for a form that has a geographic question but no responses to that question kpi#2173
kpi#2516 When assigning permissions in bulk, make sure KoBoCAT permissions are synchronized correctly
kpi#2481 Authenticated users cannot access publicly shared data without specific permissions kpi#2480
kpi#2483 Add close/back button in settings to match the rest of the UI kpi#2479
kpi#2457 Display REST Services custom wrapper errors better kpi#2456
kpi#2477 Don’t show delete option for non-owners (they couldn’t use it anyway) kpi#2466
kpi#2505 Avoid losing AnonymousUser permissions when editing some user permissions kpi#2502
kpi#2491 Fix bulk delete chevron icon
kpi#2451 Fix some UI crashes by adding safety check for id param
kpi#2441 Fix issue with the form builder where questions dragged into a group are not in the group after saving kpi#2380
kpi#2458 Fix copy team permissions kpi#2455, kpi#2453
kpi#2463 Toggle token field between password and text
kpi#2406 Bugfix: disaggregating map results by nested groups questions kpi#1476
kpi#2403 Limit project name to 255 characters kpi#2345
kpi#2396 Fix version list overlapping other content when a form has many versions kpi#2342
kobocat#603 Make access to notes follow permissions of their associated submissions kobocat#601
kobocat#613 Use 150K iterations when hashing passwords to match Django 2.2 kobocat#612
kobocat#589 Removed duplicate ‘media_file=’ argument when building media urls kobocat#586, kobocat#588, kobocat#590
kobocat#583 Do not allow non-granted users to get edit data link
kobocat#561 Remove Legacy Rest Services from KoBoCAT completely kobocat#560, kobocat#557, tasks#310
kobocat#541 Add small, medium, and large image URLs to submission JSON; includes management command to update old submissions
kobocat#576 Trivially change Legacy Rest Services verbiage
kobocat#575 Do not show KPI REST Services in KoBoCAT legacy list
kobocat#574 Disable adding KoBoCAT Legacy Rest Services (now handled by KPI)
kobocat#573 Fix 500 error when trying to import ZIP of submissions to inactive form kobocat#571
kobocat#562 Support bulk deletion of submissions in the API kpi#2321

Of interest to self-hosters

PR Description Related Issues
kpi#2710 Increase request body & file upload max. sizes to 10 MB (KPI only; does not affect submissions) kpi#2709
kpi#2705 Fix KoBoCAT user and digest sync when using separate databases kpi#2704
kpi#2699 Fix check for anonymous permissions when an authenticated user has no explicitly-assigned permissions kpi#2698
kpi#2694 Fix memory leak when using management command populate_kc_xform_kpi_asset_uid
kpi#2644, kobocat#609 Add note about shared-database branch to README
kpi#2632 Migrate text-based JSON fields without locking tables
kpi#2603 Fix S3 / private storage issues
kpi#2574, kobocat#596 Support special characters in MongoDB and Redis password kobo-install#72
kpi#2545 Add checks for two-database upgrade problems kpi#2543
kpi#2535 Add KPI identifier to service_health response so that health checkers can verify that KPI is responding (not KoBoCAT or some other service)
kpi#2508 Django 2 Upgrade (part 4). Upgrade to Django 2.2 LTS kpi#2489, kpi#2490
kpi#2507 Django 2 Upgrade (part 3): Force explicitly “on_delete” for foreign keys.
kpi#2504 Django 2 Upgrade (part 2): Drop Python 2 support kpi#2489
kpi#2503 Django 2 Upgrade (part 1): Drop Python2 support __future__ imports removal.
kpi#2460 Python 3 support kpi#2301, kpi#2232
kpi#2499 Preserve anonymous perms in sync_kobocat_xforms kpi#2498
kobocat#531 Database split: KoBoCAT and KPI use separate Postgres databases kobo-docker#230
kobocat#570 Check for stuck exports only once every 6 hours

Of interest to developers

PR Description Related Issues
kobocat#615 Stub settings for Django 1.10+ request body & file upload max. sizes kobocat#614, kobocat#618
kpi#2666 Less webpack output (reduce noise during tests) kpi#2665
kpi#2661 Fix Travis CI build issues
kpi#2659, kobocat#610 Stop sharing cookie for CSRF between KPI and KoBoCAT, but continue sharing the session cookie kpi#2658
kpi#2315 Include all changes that depend on Python 3 and Django 2.2 (large merge of two-databases branch into master)
kpi#2633, kobocat#606 Updated SSRF Protect version, fixed tests using it kpi#2631
kpi#2630 Temporarily revert “Protect hook endpoints against SSRF attacks” due to bug introduced
kpi#2612 KPI container cannot start in dev mode with Sentry - fix
kpi#2611 broken locale submodule fix
kpi#2589 Set the HttpOnly flag on the CSRF cookie tasks#116
kpi#2593 Use ‘secure’ flag on CSRF and Session cookies
kobocat#598 Set the secure and httpOnly flags on cookies kobocat#597
kpi#2588 Read the CSRF token from the DOM instead of cookie tasks#343 tasks#344
kpi#2585 Fix XSS when deleting
kpi#2578 Use native JSONBFields everywhere (instead of JSONFields)
kpi#2513 Pull locale when missing
kpi#2556 Fix vendors split kpi#2484
kpi#2496 Validate backend perms kpi#2343
kpi#2484 Introduce source maps and vendor splitting kpi#2469
kpi#2471 Update and fix babel building kpi#2012
kpi#2485 Remove unnecessary code duplication kpi#2467
kpi#2475 update webpack-dev-server kpi#2474
kpi#2465 Internal feedback about PR #2338
kpi#2468 Upgraded eslint-loader to ^3.0.0 in package.json
kpi#2444 Rebuild account settings state better
kpi#2436 Update few outdated dependencies
kobocat#581 Do not assume the KPI Asset.uid matches the KoBoCAT XForm.id_string when constructing internal REST Service endpoint URLs kobocat#577