Planet Plone - Where Developers And Integrators Write

Plone selected for 2022 Google Summer of Code

Posted by PLONE.ORG on March 07, 2022 08:41 PM

Once again this year members of the Plone open source community will mentor students and other young people interested in learning how to develop their skill and to contribute to an open source project. Plone has benefited greatly from the contributions of GSOC students since it began participating in the program in 2006. Many of those GSOC students have gone on to become core contributors to Plone as well as productive members of other open source software communities.

Students whose applications are accepted will work with a senior Plone programmer on one of a list of projects with the goal of making a contribution to the Plone code base or a related project. The Plone Foundation supports successful GSOC students by providing support for attending the annual Plone conference and for meeting other members of the diverse Plone / Python / Zope community.

Visit the GSOC home page and learn how to apply for the program

Check out our list of potential student projects for Plone in 2022

Student applications will open on April 4, 2022.

Join us !

Programmers report out at sprint in Sorrento, Italy

The Plone Newsroom Podcast Episode #06

Posted by PLONE.ORG on February 28, 2022 12:40 PM

The Plone Newsroom is a monthly podcast brought to you by Philip Bauer and Fred van Dijk. They cover technical and non-technical topics including Plone, the Plone community, and whatever else they come up with to keep us informed!

Episode #06 on 28 February 2022 featured news about new Foundation members and the 2022 Plone Conference dates, a discussion of the plone.org relaunch work and issues encountered, Volto, Classic and collective.exportimport development news, and a follow up to the composite page builders discussion in episode #05. Plus Philip and Fred issued a call for Volto translators and a call for World Plone Day talks. Go to the Newsroom page to view other episodes.

Welcome to Three New Members of the Plone Foundation

Posted by PLONE.ORG on February 23, 2022 10:25 PM

The Plone Foundation welcomes two new members after unanimous confirmation by the Foundation's Board of Directors on February 17, 2022.

Membership in the Foundation is conferred for significant and enduring contributions to the Plone project and community. The Plone Foundation Membership Committee overwhelmingly recommended each applicant for their ongoing contributions to Plone.

Giulia Ghisini turning world upside down

Giulia Ghisini

Giulia is a frontend developer who works on the Volto development team. She has sprinted at Sorrento once and has participated in Plone conferences since 2019.Giulia works at Red Turtle and lives in Ferrara, Italy.

Piero Nicolli

Piero also works with Red Turtle in Ferrara. He has been using Plone since 2015 and has made occasional contributions since then. Piero's focus has shifted to Volto after beginning with contributions on plonetheme.barceloneta and plone.staticresources. He is currently part of the Volto Team.

Piero attended Plone Conferences 2018, 2019 and 2021, and he helped organize the 2019 Ferrara conference. In addition to several sprints, Piero gave a talk about frontend development at PloneConf 2019 and about a use case for a repeatable Volto themes at PloneConf 2021. He is active on Discord from time to time and answer questions there when available.

Alessandro Pisa

Alessandro works remotely for Syslab from Ferrara (Italy) and has been
a Plone user and developer since 2008. He has been a Framework Team member since 2017. He is a Plone core developer and contributes and maintains some packages in the Plone ecosystem.

Alessandro is a long-time contributor to the community and helps to manage the collective organization on GitHub. He has attended many sprints and makes sure to reach out to newcomers when conference time comes around.

The Plone Foundation encourages applications from long time contributors to the Plone project and community. Learn more about the Foundation membership and the application process.

Custom Volto configuration to fix Babel problems with react-leaflet

Posted by PloneExpanse on February 06, 2022 04:05 PM

I’ve started working on a new Leaflet-powered Volto map block and the first thing that happened while loading react-leaftlet was an error reported by the browser: Module parse failed: Unexpected token (10:41) in @react-leaflet/core/esm/path.js ... const options = props.pathOptions ?? {}; ... The problem is that is, for some reasons, the transpiled JS bundle includes code using the nulish coalescing operator This is already a problem reported in react-leaflet and it happens because the distributed transpiled library includes that code.

Questions for the Feburary Steering Circle?

Posted by PLONE.ORG on February 02, 2022 06:05 PM

As described in the Foundation's July 2020 discussion of Plone governance, a series of Steering Circle meetings is being held to discuss our organizational structure and processes, and any hot topics of the moment. This is part of the Foundation's initiative to solicit ideas for changes that will better serve the needs of our community, our projects, and our teams. The meetings will be held every two months, and the next one will be Feburary 15th at 14:00 UTC (15:00 CEST). Each Plone team will send one or two representatives, including the Zope, Volto, RestAPI and Guillotina teams.

The Steering Circle meetings will include a discussion of questions from community members. Please use this form to submit any questions you have and we will put them on the agenda.

Thank you for being an awesome community and for helping to move Plone forward into its third decade!

Plone 6.0.0a3 and Plone 5.2.7 Released

Posted by PLONE.ORG on January 31, 2022 07:50 PM

Important security fix applied

See forum post for more details and easy workaround:
https://community.plone.org/t/security-fix-for-image-view-fullscreen-cache-poisoning/14757

Plone is vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning.
Any later visitor can get redirected when clicking on a link on this page. Usually, only anonymous users are affected, but this depends on your cache settings.

All Plone versions are vulnerable. It depends on your Plone version and the Image content type which package is vulnerable: Products.CMFPlone, plone.app.contenttypes or Products.ATContentTypes.

The Plone Security Team has released fixes for Plone 5.2:

plone.app.contenttypes 2.2.3 (see advisory)
Products.ATContentTypes 3.0.6 (see advisory. If you are on Python 3 you will not be using this package.

and for Plone 6:

plone.app.contenttypes 3.0.0a9 (see advisory)

Today, Plone 5.2.7 and 6.0.0a3 have been released with these updated packages. Separate announcements will follow.

If you have any questions or comments about this advisory, email us at [email protected]. This is also the correct address to use when you want to report a possible vulnerability. See our security report policy.

Highlights of the Plone 6 Alpha 3 Release

https://plone.org/download/releases/6.0.0a3

Changes since 6.0.0a2:

plone.app.contenttypes: Security fix: prevent cache poisoning with the Referer header.
See security advisory.
Updated the versions of the build requirements: setuptools to 59.6.0, zc.buildout to 3.0.0rc1, pip to 21.3.1.
Zope 5.4:
- Add support for Python 3.10 (Plone does not have this yet).
- WebDAV fixes.
- https://zope.dev is now the canonical Zope developer community site.
plone.volto: Removed collective.folderishtypes dependency.
Products.CMFEditions:
- Got rid of the skins directory. Most items in here have been moved to browser views. Some were no longer used, or had an alternative, and were removed.
- The VersionView class is deprecated because it contained just one method that is now part of the @@plone view.
plone.app.linkintegrity: Track integrity of video and audio files in HTML source tags.
plone.app.uuid: Speed up uuidToPhysicalPath and uuidToObject.
plone.namedfile:
- Make DefaultImageScalingFactory more flexible, with methods you can override.
- Drop support for Python 2.7. Main target is now Plone 6, but we try to keep it running on Plone 5.2 with Python 3.
diazo: Removed FormEncode test dependency.
Pillow updated to 9.0.0
plone.app.content: Deprecate the human_readable_size method of the ContentStatusHistoryView class because the one from the @@plone view should be used.
plone.app.layout: Improved the Global section viewlet:
- Catalog based navigation.
- Allow more customization by adding methods as hooks.
- Various performance optimizations.
- Deprecate now unused navtree_depth property.
plone.app.layout: Removed deprecated methods.
plone.app.layout: Add viewlet to display customizable favicon. See the Site Settings.
Various packages: No longer use deprecated property types ulines, utext, utoken, and ustring, but their non-unicode variants, without a u at the beginning. See issue 3305.
plone.restapi:
- Enhance @addons endpoint to return a list of upgradeable addons.
- Add support for DX Plone Site root in Plone 6. Remove blocks behavior hack for site root in Plone 6.
Products.CMFPlacefulWorkflow: Removed the CMFPlacefulWorkflow skin layer.

Plone 6 editing experience combines the robust usability of Plone with a blazingly fast JavaScript frontend

Plone 6 editor

Plone 5.2.7 released

Specific release notes for Plone 5.2.7:

Some highlights of this release are:

`plone.app.contenttypes` and `Products.ATContentTypes`: Security fix: prevent cache poisoning with the Referer header. See security advisory.
`plone.app.linkintegrity`: Track integrity of video and audio files in HTML source tags.
`plone.app.z3cform` and `plone.app.textfield`: Enable multiple wysiwyg editors (use default editor registry setting).
`plone.namedfile`: Make `DefaultImageScalingFactory` more flexible, with methods you can override.
`plone.app.layout`: Improved the Global section viewlet:
- Catalog based navigation.
- Allow more customization by adding methods as hooks.
- Various performance optimizations.
- Deprecate now unused navtree_depth property.
`diazo`: Removed `FormEncode` test dependency.
`plone.restapi`: Be permissive when testing the schema of the querystring endpoint.

https://plone.org/download/releases/5.2.7

World Plone Day 2022 Is Coming - Submit Talks

Posted by PLONE.ORG on January 30, 2022 03:55 PM

World Plone Day is a 24-hour streaming event, with the goal was to promote and educate the public about the benefits of using Plone and of being part of the Plone community.

The Plone community is organizing this year's World Plone Day activities on April 27, beginning at 00h00 CET.

Take this opportunity to share your accomplishments with a worldwide group of Plone users. This event is organized to support presentations in your native language if that's your preference.

We are looking for presentations for the event, both pre-recorded talks or live streaming, whatever suits you:

Case studies - share your success stories
Technical talks - share your findings and challenges
Plone 6 talks - What's new with the latest and greatest of Plone releases
Plone Community - discuss the importance and friendliness of Plone community
Any discussion - grab a few friends and just chat about Plone-related stuff (no matter how remotely)

Once you've identified what you'd like to share, submit your topic using our easy proposal form to let the Plone marketing team know what you have in mind. If you have any questions, please contact [email protected].

Streaming will be done using the Streamyard platform, and all you need to do is to show up with your talk.

World Plone Day 2021 Was a Great Success

Last year we managed to gather:

56 videos
50 speakers
16 countries
11 languages

Let's make this year even bigger!

All content is available on the Plone YouTube channel. Play the videos on the World Plone Day 2021 playlist to relive the entire event.

Remember to subscribe while you are there!

Follow Plone and Join the Community!

Stay up to date with Plone and join us:

Follow Plone on Twitter at twitter.com/plone
Subscribe to the Plone YouTube channel
Join the community forum at community.plone.org/
Get started with Plone at plone.org/get-started

Plone Foundation Priorities for 2022

Posted by PLONE.ORG on January 26, 2022 10:44 PM

The Plone Foundation Board has identified five priorities for focused attention and effort during the coming year :

Communication: Addressing all Plone audiences, not only developers
Embrace hybrid model for all gatherings, meetups, sprints and the conference
Improve and enhance documentation and marketing/positioning of the Plone CMS
Nurture new participation and leadership in the community
Contributor agreement modernization via the adoption of digital signature

A consensus emerged around the importance of including user communities as much as possible. Plone meetings of every sort benefit when some or all of the participants can be together in a room. So much of this has been lost during the past two years, and we would like to find ways to meet safely using hybrid solutions.

Development of our existing documentation is actively proceeding and one of our goals for the year will be to work through any challenges and then apply the new product to marketing.

Our community is diverse in every direction, and participation from each group adds value to our ultimate product, as well as generates enthusiasm for Plone

We will also work to simplify the Contributor agreement process.

The Plone Newsroom Podcast Episode #05

Posted by PLONE.ORG on January 21, 2022 12:40 PM

Episode #05 on 21 January 2022 featured an update on the state of Plone 6 and Plone 6 Classic development, a discussion of page composition tools (plone.app.mosaic, collective.cover, collective.contentsections, collective.modules, and older add-ons like Collage, CMFContentPanels, ContentWellPortlets), and news of the plone.org relaunch effort, Plone 6 documentation, Google Summer of Code, and collective.easyformplugin.registration. Go to the Newsroom page to view other episodes.

Plone Conference 2021 Videos Available

Posted by PLONE.ORG on January 08, 2022 06:30 PM

Plone Conference 2021 Online

The conference provided insight into the long history (20 years!) of Plone CMS as well as the latest, future-proof features and visions.

Plone - The original, open-source, enterprise-grade, all-in-one content management system written in Python.
Zope - The original Python web application server - the foundation for Plone and inspiration for Guillotina.
Volto - Plone 6's snappy, modern React front end powered by the RestAPI.
Guillotina - A re-imagined asynchronous back end compatible with Plone's RestAPI.
Pyramid - A small, fast, down-to-earth Python web framework.

https://2021.ploneconf.org/

All videos available

Every training, talk, keynote and lightning talk presentation was recorded and is now available online on

Plone YouTube channel
Ploneconf2021 playlist
Easily browsable also on https://2021.ploneconf.org

Next time: Plone Conference 2022 in Namur, Belgium!

With the help of our sponsors, like Six Feet Up, iMio, and many others, the 2021 conference was held 100% Online, using LoudSwarm platform by Six Feet Up.

Next year the conference will be held in Namur, Belgium!

So mark your calendars and stay tuned for Plone Conference 2022 news! Follow @ploneconf and #ploneconf2022 on Twitter and Instagram.

Volto 14.0.0 released!

Posted by PLONE.ORG on December 23, 2021 12:43 PM

The Plone community, in particular the Volto team, is happy to announce that Volto 14 is ready and shipped!

It's been almost four months since the first 14.0 alpha release (2021-09-08), with more than 40 alpha releases since then, and yet the number of contributions keeps growing. This release puts Volto 14 on the same level with another memorable one, version 4. Being back on a regular release cycle is good and essential to the communication between the project and community members.

Volto 14 Highlights

Volto is Plone's snappy, modern React front end powered by the RestAPI, and the default for Plone 6.

Volto 14 grid block

Some of the highlights of Volto 14 include:

Production-ready seamless mode deployment
A significant performance boost to the listing block. Add as many as you want on a page!
And if you’re worried that the crawlers won’t see them, Volto now ships with server-side rendering support for the async blocks, including the listing blocks.
A new Search block was added. Build your own customized facet-powered Plone search engine directly from the browser.
Volto integration with Plone’s content locking

And many more changes to support the growing number of Volto developers and integrators:

Improved Storybook component documentation
Improvements to the forms implementation, now with support for default values
Further advancements to the Volto blocks extensibility. Now blocks can define a schema and are ready to be extended by default.
Volto’s main application scaffold generator now ships ready to display the stories included with the add-ons.

Releasing a major version of any software is hard. The nature of a major release is to accommodate and prepare the community for breaking changes, so it needs to be done with appropriate care and must be carefully crafted. It takes a lot of effort to keep every building block in the stack playing well with the other blocks, and, as you can imagine, the complexity of the Plone 6 stack is already high and is continuously on the move.

What's Next

Where do we go from here? Plone 6! Right now, the only major feature missing is content rules. The rest of Plone’s features are covered in Volto 14.

So the work is not over yet. We still need helping hands and contributors to continue the effort to make Plone 6 a reality. Everybody is welcome!

Thanks

We would like to thank all the people involved in creating Volto 14. It is amazing how much we were able to accomplish as a team, and as a community, these last four months.

@avoinea

@bloodbare

@cekk

@ericof

@erral

@fredvd

@giuliaghisini

@ichim-david

@iRohitSingh

@jackahl

@jimbiscuit

@kreafox

@ksuess

@MarcoCouto

@nileshgulia1

@nzambello

@pnicolli

@reebalazs

@rpatterson

@terapyon

@tiberiuichim

@timo

@thet

@sneridagh

Breaking Changes

Remove compatibility for old configuration (based on imports) system. Migrate your configuration to the new configuration system for your project before upgrading to Volto 14. See https://docs.voltocms.com/upgrade-guide/#volto-configuration-registry @sneridagh
Content locking is not a breaking change, but it's worth noting that Volto 14 comes with locking support enabled by default. Latest `plone.restapi` version is required. @avoinea
Use the block's title as the source of the translation instead of using the id of the block. See upgrade guide for more information @sneridagh
New i18n infrastructure in the new `@plone/scripts` package @sneridagh
Removed `src/i18n.js` in favor of the above change @sneridagh
Adjusted main `Logo` component styling @sneridagh
Fix logout action using the backend @logout endpoint, effectively removing the `__ac` cookie. It is recommended to upgrade to the latest p.restapi version to take full advantage of this feature @sneridagh
Revisited, rethought and refactored Seamless mode @sneridagh
- For more information, please read the deploying guide https://docs.voltocms.com/deploying/seamless-mode/
Improve mobile navigation menu with a nicer interaction and a fixed overlay with a drawer (customizable via CSSTransitionGroup) animation @sneridagh
Use title instead of id as a source of translation in "Variation" field in block enhancers @sneridagh
Listing block no longer use `fullobjects` to retrieve backend data. It uses the catalog data instead. @plone/volto-team
Removed pagination in vocabularies widgets (SelectWidget, ArrayWidget, TokenWidget) and introduced subrequest to vocabulary action. @giuliaghisini
Move `theme.js` import to top of the client code, so it take precedence over any other inline imported CSS. This is not an strict breaking change, but it's worth to mention it as might be important and kept in mind. @sneridagh

See https://docs.voltocms.com/upgrade-guide/ for more information about all the breaking changes.

Volto 14 Features

Support Node 16 @timo
Content locking support for Plone (`plone.locking`) @avoinea
Add the new search block @tiberiuichim @kreafox @sneridagh
Add `volto-guillotina` addon to core @sneridagh
Make `VocabularyTermsWidget` orderable @ksuess
Get widget by tagged values utility function in the `Field` decider @ksuess
In the search block, allow editors to specify the sort on criteria. @tiberiuichim
Enable to be able to use the internal proxy in production as well @sneridagh
`FormFieldWrapper` accepts now strings and elements for description @nzambello
Image block:
- When uploading an image or selecting that from the object browser, Image block will set an empty string as alternative text @nzambello
- Adds a description to the alt-tag with w3c explaination @nzambello
Provide Server-Side Rendering capabilities for blocks with async-based content (such as the listing block). A block needs to provide its own `getAsyncData` implementation, which is similar to an `asyncConnect` wrapper promise. @tiberiuichim @sneridagh
Defaults are observed in block data if `InlineForm` or `BlockDataForm` are used. @sneridagh @tiberiuichim
Support TypeScript usage in Volto projects @pnicolli
Added `LinkMore` component and link more in `HeroImageLeft` block. @giuliaghisini
Apply form defaults from RenderBlocks and block Edit using a new helper, `applyBlockDefaults` @tiberiuichim
Now each block config object can declare a schema factory (a function that can produce a schema) and this will be used to derive the default data for the block @tiberiuichim
Added `.storybook` setup in the Volto `app` generator. Volto projects generated from this scafolding are now ready to run Storybook for the project and develop addons (in `src/addons` folder).
Add new listing block option "fullobjects" per variation @ksuess
Style checkboxes @nileshgulia1
Add runtime configuration for `@babel/plugin-transform-react-jsx` set to `automatic`. This enables the new JSX runtime: https://reactjs.org/blog/2020/09/22/introducing-the-new-jsx-transform.html So no longer `import React from 'react'` is needed anymore. @sneridagh
Allow loading .less files also from a Volto project's `src` folder. @tiberiuichim
Add `autocomplete` Widget component - It holds off the vocabulary endpoint pull until you search (more than 2 chars). Useful when dealing with huge vocabularies @sneridagh @reebalazs
Add catalan translation @bloodbare @sneridagh
Updated Volto production sites list @giuliaghisini
Japanese translation updated @terapyon
German translations updated @tisto
Updated italian translation @pnicolli
Updated Brazilian Portuguese translations @ericof

Bugfixes

Fix `SelectWidget` vocabulary load on second component mount @avoinea #2655
Fix `/edit` and `/add` `nonContentRoutes` to fix `isCmsUi` fn @giuliaghisini
Register the dev api proxy after the express middleware @tiberiuichim
Fix on form errors in block editor, not changing to metadata tab @sneridagh
Fix SSR on `/edit` with dev proxy @tiberiuichim
Fix logout action, removing the `__ac` cookie as well, if present. @sneridagh
Do not show lead image block when the content type does not have the behavior enabled @sneridagh
Missing default messages from JSON EN language file @sneridagh
Show correct fieldname and not internal field id in Toast error messages on Add/Edit forms @jackahl
`sitemap.xml.gz` obeys Plone Search settings @erral
Get `blocks` and `blocks_layout` defaults from existing behavior when enabling TTW editable DX Layout @avoinea
Yet another attempt at fixing devproxy. Split the devproxy into a separate devproxy verbose @tiberiuichim
Add spinner on sharing View Button @iRohitSingh
Fixed `SelectWidget`: when there was a selected value, the selection was lost when the tab was changed. @giuliaghisini
Bugfixes to search block. By default search block, when empty, makes a simple query to the nav root, to list all content. Fix reading search text from URL. Implement a simple compression of URL. Don't count searched text as filter. Fix an edge case with showSearchInput in schema. Rename title to Section Title in facet column settings. Avoid double calls to querystring endpoint. @tiberiuichim
Use correct shade of black in Plone logo @sneridagh
Fix loading of cookie on SSR for certain requests, revert slight change in how they are loaded introduced in alpha 16 @sneridagh
Prevent `ua-parser-js` security breach. See: https://github.com/advisories/GHSA-pjwm-rvh2-c87w @thet
Fix storybook errors in the connected components, api is undefined. Using now a mock of the store instead of the whole thing @sneridagh
CSS fix on `QueryWidget` to prevent line jumping for clear button when the multi selection widget has multiple items @kreafox
Fix disable mode of `QuerystringWidget` when all criteria are deleted @kreafox
Fix reset pagination in searchblock when changing facet filters @tiberiuichim
Fix the selection of Maps Block @iRohitSingh
`UniversalLink`: handle direct download for content-type File if user is not logged. @giuliaghisini
Fixed `ObjectBrowserWidget` when is multiple or `maximumSelectionSize` is not set @giuliaghisini
Fix full-width image overlaps the drag handle @iRohitSingh
Fix move item to top of the folder when clicking on move to top action button @iRohitSingh
Fix `downloadableObjects` default value @giuliaghisini
Folder contents table header and breadcrumbs dropdown now appear only from the bottom, fixing an issue where the breadcrumb dropdown content was clipped by the header area @ichim-david
Folder contents sort dropdown is now also simple as the other dropdowns ensuring we have the same behavior between adjecent dropdown @ichim-david
Fix documention on block extensions, replace `render` with `template` to match Listing block @tiberiuichim
Fix `isInternalURL` when `settings.internalApiPath` is empty @tiberiuichim
Fix external link not supported by Navigation component #2853. @ericof
Get Add/Edit schema contextually #2852 @ericof
Fix regression in actions vocabularies calls because the change to use contextual schemas @sneridagh
Include block schema enhancers (main block schema enhancer + variation schema enhancer) when calculating block default data @tiberiuichim
Fixed object browser selected items number. @giuliaghisini
Fix action vocabularies call avoiding regex look behind @nzambello
Use subrequest in hero block to not lost locking token. @cekk
Always add lang attr in html @nzambello
Fix time widget position on 24h format @nzambello
QuerystringWidget more resilient on old schemas @nzambello
In search block, read SearchableText search param, to use it as search text input @tiberiuichim
Fix missing translation in link content type @iRohitSingh
Fixed drag-and-drop list placeholder issues @reebalazs
Update demo address @ksuess
Update list of trainings documentation @ksuess
Scroll to window top only when the location pathname changes, no longer take the window location search parameters into account. The search page and the listing block already use custom logic for their "scroll into view" behaviors. @tiberiuichim
Add missing layout view for `document_view` @MarcoCouto
Add missing `App.jsx` full paths @jimbiscuit

Internal Changes

Upgrade to react 17.0.2 @nzambello
Update to latest `plone.restapi` (8.16.2) @sneridagh
Upgrade to `@plone/scripts` 1.0.3 @sneridagh
Remove built workingcopy fixture environment based on local, back to docker based one @sneridagh
Add `omelette` to the local Plone backend build @sneridagh
Optimize npm package by adding `docs/` `cypress/` and `tests/` to .npmignore @avoinea
Use released `@plone/scripts`, since the builds are broken if it's a local package @sneridagh
Use `plone.volto` instead of `kitconcept.volto` @tisto
Silence customization errors, they are now behind a `debug` library namespace @sneridagh
Add development dependency on `use-trace-update`, useful for performance debugging @tiberiuichim
Improved developer documentation. Proof read several chapters, most importantly the upgrade guide @ichim-david
Use Plone logo (Closes #2632) @ericof
Footer: Point to `plone.org` instead of `plone.com` @ericof
Fix `make start-frontend` @tisto
Update all the tests infrastructure for the new `volto-guillotina` addon @sneridagh
Add locales to existing block variations @sneridagh
Add RawMaterial website in Volto production sites @nzambello
Removing the hardcoded default block type from text block @iRohitSingh
Updated Volto sites list @giuliaghisini
Cleanup dangling virtualenv files that should not be committed @pnicolli
Remove bundlesize @tisto
Upgrade stylelint to v14 (vscode-stylelint requires it now) @sneridagh
Add several more stories for Storybook @tiberiuichim
Add 2 new Volto websites by Eau de web for EEA @tiberiuichim
Fix references to old configuration style in apiExpanders documentation @tiberiuichim
Add `applySchemaDefaults`, in addition to `applyBlockDefaults`, to allow reuse in object widgets and other advanced scenarios @tiberiuichim
Fix select family widgets stories in storybook @sneridagh
Remove getNavigation from `Login.jsx` @iRohitSingh
Allow listing block to be used in non-content pages (when used in a slot it shouldn't crash on add/edit pages) @tiberiuichim
Fix typo "toolbalWidth" @iRohitSingh
Update all requirements and the reasoning behind them in builds @sneridagh
Update Plone version in api backend to 5.2.6. Update README and cleanup @fredvd
Document CI changelog verifier failure details that mislead contributors @rpatterson

Try Plone 6 with Volto today

Feel free to try out Plone 6 with Volto 14:

On The Road to Plone 6 - Volto 14 Released

Posted by kitconcept GmbH on December 22, 2021 09:24 PM

Volto continues to innovate at a fast pace towards Plone 6. Today we released another major milestone on our road to Plone 6: Volto 14.

Volto 14 was in the making since September 2021 and it is in active use in various projects at Eau de Web, Red Turtle, Rohberg, kitconcept, and others.

Volto 14 comes with a set of new exiting features: a new search block that supports faceted search, locking support, a new seamless mode that makes deploying Volto easier, a new mobile navigation and support for Node 16.

Faceted Search Block

The new search block allows editor to create sophisticated faceted searches through the web without writing a single line of code.

Editors can define criteria for the content that is listed, like in the existing listing block in Volto.

Then editors can then choose arbitrary facets that are displayed to the users to choose from to narrow down the search.

Locking

Locking in a Content Management System is a mechanism to prevent users from accidentially overriding each others changes.

When a user edits a content object in Plone, the object is locked until the user hits the save or cancel button. If a second user tries to edit the object at the same time, she will see a message that this object is locked.

Content object in Volto 14 that is locked by another user

Locking requires at least plone.restapi 8.9.0 or plone.restapi 7.4.0 to be installed.

Seamless Mode

The new “seamless mode” allows zero configuration deployment by avoiding hardcoded environment variables in builds involved, and establishing good sensible defaults when setting up deployments (and also in development). So the developer/devOps doesn’t have to overthink their setups.

These are its main features:

Runtime environment variables
Unified traversal ++api++
Use Host header to auto-configure the API_PATH

and these immediate benefits:

Avoid having to expose and publish the classic UI if you don’t really need it
If possible, avoid having to rewrite all API responses, since it returns paths that do not correspond to the original object handled and “seen” from Volto, so you have to adjust them (via a code helper) in a lot of call responses.
Simplify Docker builds, making all the configuration via the runtime environment variables

Seamless Mode requires at least plone.rest 2.0.0a1 to be installed.

New Mobile Navigation

We polished the mobile navigation for Volto 14 to improve the user experience on mobile.

New mobile navigation in action on the Plone Conference 2021 website

Node 16

Volto 16 will support Node 16 in addition to Node 14 and Node 12. Node 16 will receive security updates until April 2024.

Node 16 release schedule from nodejs.org

Plone 6

Volto 14 is an important step towards Plone 6. Volto 15 will switch the default editor from DraftJS to Slate editor and it is planned to be ready in Q1/Q2 2022. This is the last big step for Volto before Plone 6 can be released.

The Plone Newsroom Podcast Episode #04

Posted by PLONE.ORG on December 10, 2021 12:40 PM

Episode #04 on 10 December 2021 featured a discussion of the plone.org relaunch effort including content migration using collective.exportimport, a demo of Plone 6 alpha including how to install Volto add-ons, news about the Plone Foundation and the Plone Shop (offering vintage conference tee shirts), some notable add-ons (collective.taxonomy, collective.revisionmanager, collective.impersonate, plone.pdfexport), and a remembrance of Max Jakob, a dear friend of the Plone community. Go to the Newsroom page to view other episodes.

Questions for the December Steering Circle?

Posted by PLONE.ORG on December 06, 2021 12:05 PM

As described in the Foundation's July 2020 discussion of Plone governance, a series of Steering Circle meetings is being held to discuss our organizational structure and processes, and any hot topics of the moment. This is part of the Foundation's initiative to solicit ideas for changes that will better serve the needs of our community, our projects, and our teams. The meetings will be held every two months, and the next one will be December 14th at 13:00 UTC (15:00 CEST). Each Plone team will send one or two representatives, including the Zope, Volto, RestAPI and Guillotina teams.

The Steering Circle meetings will include a discussion of questions from community members. Please use this form to submit any questions you have and we will put them on the agenda.

Thank you for being an awesome community and for helping to move Plone forward into its third decade!

Plone Conference 2021 Recap

Posted by PLONE.ORG on November 27, 2021 08:15 PM

Plone Conference 2021 Online

This year's conference was a 9-day event for the Plone, Zope, Volto, Guillotina & Pyramid communities and consisted of training, talks, and sprints. The conference provided insight into the long history (20 years!) of Plone CMS as well as the latest, future-proof features and visions.

Plone - The original, open-source, enterprise-grade, all-in-one content management system written in Python.
Zope - The original Python web application server - the foundation for Plone and inspiration for Guillotina.
Volto - Plone 6's snappy, modern React front end powered by the RestAPI.
Guillotina - A re-imagined asynchronous back end compatible with Plone's RestAPI.
Pyramid - A small, fast, down-to-earth Python web framework.

https://2021.ploneconf.org/

With 295 attendees from 30+ countries from over the world, from Jamaica to Japan, USA to the UK, Germany to Finland, to Austria, Brasil and Australia, the conference attracted many newcomers to the community, in addition to long-time contributors since the early days of Plone.

With the help of our sponsors, like Six Feet Up, iMio, and many others, the conference was held 100% Online, using LoudSwarm platform by Six Feet Up. LoudSwarm nicely combined video streaming, recordings, schedules, and chat discussion.

Every training, talk, and presentation was recorded and will be available online on Plone YouTube channel later.

Participants

Group Photo of Plone Conference 2021 Online.

Training

As in previous years, the conference included over 30 hours of free training, with topics including Mastering Plone, Volto Addons, Pyramid, and Guillotina.

https://2021.ploneconf.org/schedule/training

The training videos are already publicly available on YouTube.

Talks and Open Spaces

The 4 days of talks included almost 60 professional presentations, ranging from addressing specialized use cases to building and managing projects and into very technical talks about some aspect of a certain technology. Many of the talks focused on Volto, Plone 6's new React-based frontend, and there was also a lot of discussion about the future of Plone 6.

With Open Spaces and 5 min lightning talks, it was possible to bring into focus many other aspects and topics.

Some highlights of talks:

Plone community
Plone 6, Volto
Plone 6 Classic
Plone.org renewal
Volto Add ons
Plone Migrations
Abfab, Frontend development
Quanta - new style for Plone
Plone in Brazil
7 things to surprise you with Plone development
Guillotina
Accessibility

And many more! https://2021.ploneconf.org/schedule/talks

Keynote speakers

Sprints

Every Plone Conference includes at least two days of sprinting, so after the conference talks, people continued to meet, working to improve and develop the Plone ecosystem.

Sprint topics included e.g.

Plone 6 roadmap
Volto
Documentation
Image handling
Docker support for installers
Plone.org renewal

Community

The Plone community aims to be the most welcoming and friendly community towards new users and veterans alike. We are happy to report that this conference brought many new faces and we sincerely hope that everyone felt the love.

Chrissy Wainwright addressed some of these communal aspects in her first keynote: https://2021.ploneconf.org/schedule/state-of-the-plone-community

Every conference has a party, and this was no different, except for the fact that everyone was online this time.

Thank you, everyone, sponsors, organizers, trainers, presenters, and especially participants for making this year's conference one to remember!

Next year: Plone Conference 2022 in Namur, Belgium!

Next year the conference will be held in Namur, Belgium!

So mark your calendars and stay tuned for Plone Conference 2022 news! Follow @ploneconf and #ploneconf2022 on Twitter and Instagram.

Plone Foundation Board for 2021-2022

Posted by PLONE.ORG on November 24, 2021 04:42 AM

The Plone Foundation exists to further the development, marketing, and legal affairs of Plone and the Plone community.

Among many tasks, the Plone Foundation board:

supports development of the Plone ecosystem by coordinating team efforts and identifying vital sprint targets;
protects the integrity of the Plone ecosystem by monitoring rights and assuring the continued value of the ecosystem intellectual property;
coordinates marketing of the Plone ecosystem and provides funding for representation at conferences and related events;
coordinates World Plone Day and an Annual Conference to encourage community connections and the enjoyment of the world's best CMS.

Read more about the governance process at https://plone.org/foundation/governance-process

Board members for the next year are:

Érico Andrei (President)
Jens Klein (Vice President)
Andy Leeb (Secretary)
Paul Roeland
Víctor Fernández de Alba
William Fennie
Kim Paulissen (new board member)

You can email the entire board at [email protected]

The Plone Newsroom Podcast Episode #03

Posted by PLONE.ORG on November 11, 2021 12:40 PM

Episode #03 on 11 November 2021 featured a recap of the Plone Conference and the Conference Fanzone in Sorrento, Italy, plus information about Plone 6 development status, volto-eea-kitkat, and the add-on collective.taxonomy. Go to the Newsroom page to view other episodes.

David Ichim: What's new in Plone 6 frontend for developers

Posted by Maurits van Rees on November 08, 2021 11:18 AM

Distilled from the latest work done in Volto, we're showcasing some patterns, features, or enhancements that have landed in Volto from the last year to the present. We will also have a glimpse of what is ahead in the future of Volto with the new features roadmap.

In the past year we had four major releases, 40 minor releases, 36 alpha releases, 25 patch releases, for a total of 105 releases. Plus some new tooling and tool releases, like plone i18n and plone generator.

New Volto config, dubbed as Volto's Configuration Registry, introduced to fix circular import dependency problems. Hot Module Reloader was fixed. Read the upgrade guide.

New i18n (internationalisation) infrastructure. This is now a separate package. Same is used for generation of i18n in add-ons.Read the upgrade guide.

Forms as schema. Forms should be constructed from schemas instead of by hand. InlineForm allows us to create forms for blocks from a schema. Blocks can have variations, or we can extend it. Read the edit component documentation.

New widgets:

Object List Widget. Similar to the original DataGridField. Used in core by the Search Block facets.
Object Browser Widget is now a separate widget, instead of part of a block, and now allows the addition of external content.
Querystring Widget. Behaves like its counterpart from plone.app.querystring. Allows to create search criteria, used by the search block.
URL Widget. Used on text inputs, it knows to validate their value as a url, both internal and external.
Vocabulary Terms Widget for a JSONField, acts as a source for a SimpleVocabulary or Choice field. Play with it in the storybook.

New core blocks:

Search block
Teaser block (ongoing work).

Pluggable framework, similar to React's Portal component. See the talk by Tiberiu and see the Pluggables development recipe.

Storybook provides a sandbox to build and test visual components in isolation. Currently it is only setup to be used by Volto core. We need help with work to have storybook setup with adding. See the Storybook talk held by Victor, and see the storybook itself.

Critical CSS: inline the critical CSS for improved performance. Run critical-cli to output critical.css. This is then inlined in the headers, while regular CSS is moved to the bottom of the body. See the deployment documentation.

Lazy Loading utilities. Introduced injectLazyLibs HOC wrapper to inject lazy-loaded libraries as properties to your components. These components are only loaded once all your main libs are loaded.

Express.js middleware. Volto uses this for SSR and static resources serving. You can now write custom middleware and add it to settings.expressMiddleware.

API expanders allow the expansion of different API endpoints from Volto with calls from your custom endpoints. Avoid adding too many expanders if they are not critical to the initial page.

External routes: useful when another application is published under the same top domain as Volto. If Volto would fetch the content for that path, it will break. You can disable this path in config.settings.externalRoutes. You can also use regular expressions.

Seamless mode, introduced in Volto 13, enhanced in Volto 14, which has already seen a lot of alpha releases. Originally, we tried to unify both frontend and backend servers under the same path, but this was tricky, causing various problems. We settled on a new ++api++ traversal for getting information from the backend. Also, to come closer to zero config, you can now pass environment variables at runtime instead of build time. This means you can generate one build, and use this in all environments (testing, production). Read the deployment documentation.

Context navigation component. This is a navigation portlet component, similar to Classic Plone. The view is there, but you need to enable it. See the development recipe.

There is some work in progress:

Slots are Volto's answer to portlets, see the Volto Slots talk by Tiberiu Ichim for more details.
Image proxy: image scale generation done by a middleware instead of plone.scale.
Authentication from backend.
Replace Draft.js editor with Volto Slate. What is missing is a migration tool from one to the other. But work has started on a block conversion tool.
Async blocks that work with SSR.
Defaults in blocks form.

Future work:

Defaults in all widgets
Enable blocks enhancers in all blocks
Storybook in add-ons
Use newest react-intl package
Refactor the folder contents component
Form editing text enhancements, making it easier to modify text inputs.
A "group block" included with Volto
Quanta toolbar

I did nothing, I just brag about what others have done. So thank you Volto early adopter community!

Tiberiu Ichim: Volto Pluggables

Posted by Maurits van Rees on November 08, 2021 09:55 AM

This presentation is an introduction to the new Volto developer-targeted feature, the Pluggables framework. It is more an argument for extensibility in CMS UI and in Volto.

Basically, with Pluggable a central component provides a pluggable slot that other components can fill, like this:

<div className="toolbar">
  <Pluggable name="toolbar-main" />
</div>
// ...
<Plug id="quicklinks" pluggable="toobar-main">
  <Button />
</Plug>

This is a Volto port of https://github.com/robik/react-view-slot.

The big picture:

I work with Eaudeweb Romania
Our client EEA is an early adopter of Volto
The strategy is: move everything to Volto
But the EEA sites are less brochure, the CMS side is really strong.
We build powerful UIs for power users.
The EEA already has 91 Volto repositories on GitHub. How can we scale that? Can we write an add-on to make it easier to write an add-on?

In React, data flow is top to bottom. A parent component passes properties to children and children communicate with the parent by emitting events. This makes sense and works well. For "out of tree" data you need Redux. There is no protocol for add-hoc communication between components.

UI state is fluid. Extensibility means reusability and scalability. This is hard. You need to design upfront. Plone backend uses the Zope Component Architecture, which means pluggability is baked in, it is very natural. You can view Pluggables as viewlets-on-demand, but they are really not. But yes, you can think about a Pluggable as a viewletmanager and a Plug as a viewlet.

You can overwrite a Plug with a Plug, by registering it with the same id. So if the original Plug gives you color blue, you can overwrite it with color red.
You can do custom rendering of Plugs within your Pluggable, by iterating over all Plugs and for example wrapping each in a div with a class name.

Showcase: volto-workflow-progress (main toolbar plugin) and volto-editing-progress ("sidebar" for plugin).

Limitations:

No Server Side Rendering
Watch out for dependency lists.
Limited adoption for now.

Implementation in pseudocode:

First the context:

<PluggablesProvider>
  <Pluggable name="top" />
  <Plug name="delete" />
</PluggablesProvider>

Then the dumb version of the Plug:

const Plug = ({id, children}) => {
  const { register } = useContext(PluggablesProvider.Context);

  React.useEffect(() => {
    register(id, () => children);
  });

  return null;
}

Takes a bit of study, but in the end it is not so hard.
The Pluggable becomes a bit simpler:

const Pluggable = (name) => {
  const { getPlugs } => useContext(PluggablesProvider.Context);
  return getPlugs(name).map(f => f());
}

Site updated from Plone 2.5 to Plone 6.0

Posted by Maurits van Rees on November 04, 2021 11:34 AM

I am one of the Plone Release Managers, and have been working on Plone 6, which is now in alpha stage. But my personal website was still using the ancient Plone 2.5:

Screenshot maurits.vanrees.org Plone 2.5

Often I have made plans to update my site to:

Plone 3
Grok
Plone 4
Plone 5
Plone 5.2
finally Plone 6

Long ago it was clear to me that an inline migration would not be practical. It would take too many steps: update the code to Plone 3.3, migrate the data, to Plone 4.3, migrate data, to Plone 5.2 Python 2.7, migrate data, Plone 5.2 Python 3, migrate data, Plone 6, migrate data.

Additionally, the question was how to handle the weblog, which is the main content. This was using Products.Quills, a Plone add-on for blogs. Updating to Plone 3 could have worked at the time, but this was made harder by some some custom code I added. This enabled me to use it as a podcast. I used this to enrich some of my summaries of sermons from my church with the actual audio of the sermon. I doubted whether to even include this content in Plone 6, as the last sermon was from 2008. I hate breaking links, so I kept it, although a bit hidden.

Another point that needed some extra attention, was that most, if not all, blog entries were not written in html, but in ReStructuredText. I make a lot of summaries of talks when there is a Plone Conference. The html editor on Plone 2.5 did not work anymore, or I disabled it to a simple textarea. I always open up the same text editor that I use for programming (previously Emacs, currently VSCode), and type the summary there. I much prefer writing ReStructuredText there, especially when I simply need text without any markup. I then paste it in Plone, without fear of losing all my work when my internet connection dies.

Lastly, I have an RSS/atom feed which is used by planet.plone.org and maybe others to stay updated when I add a new blog entry. I did not want this url to change.

Anyway, about six years ago I decided that I would use collective.jsonify to export my site, and then import it using transmogrifier. But time passed without any progress. This year, collective.exportimport was shaping up to be the preferred way to import the data. For export you can use it in Plone 4.3 as well, but definitely not in Plone 2.5.

At the beginning of this week I looked at jsonify. Didn't I have a local copy of my website on my laptop, with collective.jsonify installed? No! And it was not installed on the live site either. And installation would be hard, because the site uses Python 2.4, and currently you cannot even reach PyPI with older versions of Python 2.7.

Mildly panicked, I started on a custom script to export the content, still as json. Some details aside, this actually was not so hard. I looked at what collective.exportimport expected, and created the Python list of dictionaries accordingly. Then do a simple json.dumps() call and you are done. Except that this gave an ImportError: the json module is not available in Python 2.4. Okay, install simplejson package. But you need PyPI access for that, which does not work. Workaround:

Manually download an egg of Python 2.4-compatible simplejson 1.7 and save it in the buildout directory.
cp bin/instance bin/instance-json
Edit the new script and add the simplejson egg to the system path.
bin/instance-json run export_mvrsite25.py

After that, it was not too hard anymore. I used plonecli to create a new add-on with Plone 6.0.0a1. I actually do not yet use the add-on code, except for loading a minor patch that I added, but this gave a reasonable, modern Plone 6 buildout. Create a Classic Plone site, tweak a few settings (let Folder use folder_workflow, allow English and Dutch, navigation depth 1, enable syndication, configure caching and mail), import the content with collective.exportimport, edit a bit, and done.

The weblog now consists of standard Folders and Pages. To improve the view, I added a Collection, showing the latest pages first, and showing all content of the last seven blogs. I enabled syndication here, so it has an RSS/atom feed.

The weblog has always advertised two atom feeds:

One for all weblog entries, at https://maurits.vanrees.org/weblog/atom.xml
One for weblog entries with keyword 'plone' at https://maurits.vanrees.org/weblog/topics/plone/@@atom.xml

In the new site, the first one kind-of worked out of the box, but it only showed the items that were directly in the weblog folder, and this is not where my weblog entries are. I solved this with a patch to Products.CMFPlone.browser.syndication.views.FeedView: when atom.xml is viewed on a folder, check if it has a default page, and show the atom.xml of this default page instead. In this case, the default page is a Collection with the correct settings. So the general feed will keep working.

For the second one, my first idea was to create a folder 'topics' and within it a Collection with id 'plone'. Problem: 'plone' is a reserved word and cannot be used as id of a content item, so the id became 'plone-1'. Solution here: create the 'plone-1' collection directly in the weblog folder, and do a redirect in the frontend server (nginx):

 rewrite ^/weblog/topics/plone/@@atom.xml /weblog/plone-1/atom.xml last;

And that's it! My website is now on Plone 6.0.0a1:

Screenshot maurits.vanrees.org Plone 6.0

There are some more details that I could go into, like splitting up the buildout into multiple parts, with tox as main way to build everything, in preparation for moving more and more parts to pip-only. But that will have to be for another time.

Meanwhile: have a look around, and enjoy the fresh look!

Steering Circle

Posted by Maurits van Rees on October 31, 2021 02:39 PM

Volto 14 alpha 23 is out. So still in alpha, but companies are using it in production. Should be final soon. Some plans for Volto 15. Created plone.volto integration package, where we try to give an easy transition from earlier company-specific versions. plone.restapi as always is pretty boring, stable. Erico worked on Docker integration.

Plone 6 alpha 1 is out. Eric sent an email for some coordination, like docs, training, accessibility, installers. If you want to be involved, let me know.

Franco has stepped out of the Framework Team, thank you for all your work. There is discussion about the role of the Framework Team. Plan is to keep it running, some more people have been asked.

Membership team: we have some people in sight as new members. Erico is stepping down as team lead, Victor is stepping up.

Security: Plone 6 will have 5 years security support. Synchronizing with Zope team. Some new members may be coming.

Marketing: busy with conference, also after the conference. Busy with plone.org renewal.

Installers: see the talk by Jens Klein earlier. Plone 6: no more installer, but we do have tooling. There are Docker images. We may want to reduce the role of buildout, and focus more on pip.

Plone Conference: you are looking at it. Some tasks to do afterwards. If anyone is interested in getting a certificate for following a training, ask us, and we can send it.

Internationalization: new branches for Plone 6, so Plone 5 uses different branch. New releases for 5 and 6. Updating po files, looking at i18n in Mockup.

Admin/Intrastructure: servers are still running. Cat herding sysadmins for doing stuff, keeping things up to date.

Trainings: relaunch is complete. We have three new trainings: Theming Plone Classic, Deploying Plone 6, Getting Started with Plone 6 (that one only in video). Various have seen major updates. Need to work on landing pages (we have two), remove the number 5 from the url, update some more trainings. Maybe Mastering Plone Classic training, but hard with navigation due to duplicate section targets when copying. Migration training would be good. We need to prune and tag some.

Plone Classic: We did polishing on Barcelonate, it is pretty ready. Focussing on bobtemplates before the trainings, making theming easier. JavaScript/ES6 is the remaining big issue. Plan is to finish it this year, we are quite far. We need other people helping us out.

Documentation: will be releasing a new Plone 5 branch today. For the new stuff, the tech stack is ready. New version of automated screen shot is about ready. We don't want a duplicate of the training, but we can automatically include code of it, so there is only one source of truth. The style guide is not always followed, seeing what we can do about that. Biggest point is missing documentation. There are now branches where the various teams can add and edit their content. We may change things, but we take this as input for the final structure.

Fred van Dijk: 7 things that can surprise you when you start customising or developing for Plone

Posted by Maurits van Rees on October 29, 2021 09:06 AM

This is a basic rundown and summary of our beloved subjects like ZODB persistence. Traversal. The view/viewlet/portlet trinity. How is a call handled in Plone. The differences between zcml and generic setup. Utilities and the ZCA. restrictedTraverse. The Plone catalog.

These are surprises that I have encountered myself, or that I have seen on faces of people I have trained or worked with during the years.

Everything can or could be done through the web (TTW).

Zope vision from the nineties. Why don't we use this dynamic language called Python so we can change things TTW? It's so easy.

The learning curve.

It starts easy, but then you hit what we call a Z-shaped learning curve. Dynamic Python makes things easy, and then it makes things hard, at least when you put Zope on it, then CMF, then Plone. Plone the product on top of a CMS on top of a framework on top of a language. We have a product, a framework, a stack, so it is hard.

Five levels of conceptual complexity.

It helps to teach all the levels. Give new users a drawer for each level, so they have a box that they can put some info in.

You have:

browser: html, css, js
frontend: transforms, templates, zpt, metal, diazo
application logic: views, viewlets, portlets, adapters, Zope Component Architecture
dynamism: GenericSetup, zcml, xml, zope schema
programming language: Python, buildout, pip
package WorkManager (OS): apt, rpm

4 Same language/formats on different levels:

XML is used for the ZCA, GS, zope.schema, Diazo rules
package manager: buildout, pip, setuptools, GS

But: there is no magic. It is just advanced technology.

Startup:

Python uses sys.path modules to start bin/instance
ZCA loads site.zcml, package includes, other zcml to change configuration.
Then we have a runtime environment with objects and classes, the ZODB. GenericSetup is then some XML that you can use to change the ZODB.

So the ZCA overrides components in runtime. The alternative is to edit core files, maybe compile them, and restart. Much less nice and not sustainable.

So now we have a Plone process running.

Zope is not that complicated.

Over HTTP Zope gets a request, does traversal, finds an object in the ZODB, loads it in memory. Then on top of this object we show a browser view / template. The template hooks into a main template, maybe does some sub requests, some Diazo, and we end up with some html and we are done.

This is all still 'lies to children'. It is simplified until we are able to understand more. With increment exposure to these concepts, it will stick more. It is complicated, but there is no magic.

Acquisition.

It is traversal in the wrong direction.

When you try to explain things, you improve your own understanding.

There is so much Plone content online: training, docs, youtube, github, discourse. We all learn in different ways, with own preferences, reading, viewing. There are so many repositories on github that you can explore for new ideas. Just yesterday Philip did a talk about exportimport and afterwards I did it, but from a different angle. It helps.

The community is our biggest asset.

Annette Lewis and Will Gwin: From Zope to Plone: Thinking User-First During Migration

Posted by Maurits van Rees on October 28, 2021 02:39 PM

Migrating a site is always a challenging task, but when you have dozens of subsites with specific brand standards and custom user functionality, the challenge becomes mammoth. Six Feet Up worked hand-in-hand with Purdue's College of Engineering to migrate their existing Zope site and its subsites into a new Plone instance running on Plone 5.2 / Python 3. Throughout the migration process, we considered the project scale, timelines, and limiting the impact on end users, all while managing the balance between user needs and best practices. During this presentation, you will learn:

why it matters to think user-first during migration,
about creative solutions for translating content and functionality into Plone, and
how to successfully migrate subsites.

An overview of the project:

HigherEducation always seems to go a bit slower, certainly with migrations.
Our previous CMS was built in Zope and was getting extremely old.
We have been using Python since 2001.
There were security concerns and modernization issues.

The impact:

Only 15+ content editors.
40+ public facing subsites
30,000 total pages.
20+ departments and units

Why did we select Plone as the next CMS?

It is a modern CMS solution
Python-based, so that fit what we currently have.
It is built on top of the Zope web framework that we were already using.
We looked at Drupal, Wordpress, and more, but that would have been a too big undertaking.

This was in 2018.

Laying out the solution. From requirements to action. Who are our users and what do they want? Not just our direct client (Will and his team) but their clients/users.

Challenges during development:

Purdue University changed its brand look. We had to seamlessly blend subsites into the existing parent site.
Convert all content types and templates from Zope to Plone.
Keep sight of the user experience in both environments. Could they use the new environment without too much training, or needing to have too much tech knowledge?

Determine the project essence. Distill the requirements down into broad categories: accessibility, usability, flexibility, security.

What is the path to successful collaboration?

The absolute best might not be the right answer.
It's okay to say no to an idea, but you dhouls have an alternative ready.
Aim for the best, avoid the dangerous, end up somewhere in the middle sometimes.

On to our development goals:

Do things in a Plone way. Plone uses Zope, but Zope may do some things in a different way than is the best way in Plone.
So observe best practices.
Make it intuitive and keep it familiar for the editors.

Solutions at a glance

Migrating site content:

We wanted to move subsites one by one, as needed.
Translate existin content to Plone content types
We could re-import content over existing content non-destructively.

Theming: retrofitting Plone into an existing theme. That is what Diazo was made for, bridging the gap between Plone and the theme, especially since the theme is 'living', with subtle changes coming in often.

Each subsite had a browser view named local.css to change some things. Not really what you want in Plone, but they really needed it, as a way to make subsites or sections look different. So we added an action to edit the local css, inheriting from parent folders.

We created a subsite settings control panel. We used lineage.registry for this. All kinds of customizations can be done based on that, for example add extra text and links in the navigation menu. They used to be able to do this in Zope as well, but that was with various properties, and much more code oriented.

We use Mosaic for flexibility of layout. In Zope we had blocks for layout. Mosaic took this a step further into a nice UI with drag and drop. It gives faster site prototyping and development.

The sandbox: we wanted to have safe spaces for content experimentation. Completely separate from production environment. It is used for new user training and testing. It is quick and easy to reset.

This migration project has been a constant collaboration between the Purdue communications office, Engineering Computer Network, and Plone company Six Feet Up. The content editors feel empowered to make complex changes, without constant oversight from my team.

Alan Runyan: Building a Secure Cross Platform Mobile/Tablet Application (Flutter) using Plone as Backend Server

Posted by Maurits van Rees on October 28, 2021 01:44 PM

Enfold has been working on a secure cross platform mobile application the past eight months. Walk through of the Requirements, Security, Flutter framework, Backend configuration of Plone, Authentication and Lessons Learned. Our goal is to have a free public release of a limited version of the application Q4 2021.

It was an adventure for us. The core team never built a large mobile application. We did not know what we did not know.

The big picture:

A mix of devices (Android, iOS) needs to synchronize files to and from Plone.
All services are self-hosted in GovCloud. So we have no central database or server that we control.
If this becomes a success, then future phases may require a lot of certification of the codebase, code reviews.
Initially we worked with 15k devices, supporting 40k would be a success, the ceiling that we might support is 300k.
Users are completely offline for longer times.

We used Flutter to create a React native app, see https://flutter.dev It is a UI toolkit. Why did we use Flutter?

It is cross platform mobile.
It uses Dart, which is statically typed, making code analysus much easier.
Google seems to be prioritizing developer user experience, it really shows of quite a bit.

Dart has asynchronous code as a first class citizen. Quite different from Python. Runtime reflection (pdb) is unavailable. It has good ergonomics, with generics and closures. It is a driving force behind the Flutter toolkit.

Thoughts on mobile development:

It is a lot to take in.
You need to understand lots of languages, for us: kotlin/java, swift/obj-c, and Dart.
No idea how to test platform integration.
Native libraries are managed using Cocoapods/Gradle. Flutter drives those. Setting it up is yet another new thing to learn.
There are lots of inconveniences, like how do you read sqlite off a device, because that is how we store some of the info?
Also inconsistencies: if the app works on an emulator, that does not mean it works on a device.

On the server side:

Plone operating as a Webdav server
We need to support OIDC (mod_openids/oauth2)
Not many writes, maybe 100-1000 per day, but lots of reads.
20k+ devices daily

Alternatives to the server/protocol could be nice:

Honestly, are there any standards other than WebDav?
An S3 api would be reasonable.
So ideas are welcome, let me know.
We have been working on prototypes with guillotina_webdav + openidc.

The good parts of Flutter:

UI/UX development is very fast, with lots of widgets. We had two developers who were used to Angular, and they took it up quite fast.
The bridge to native code (Pigeon) is straight forward.
Drift is an amazing sqlite library.
Riverpod for state management
Dependency management is good (flutter pub). You can tell that they learned a ton from others, like pip. Except that very occasionally the package cache is broken so you need to clean it.
They have a good community, with add-ons.

The not so good parts of Flutter:

Inconsistent platform features, like WorkManager (Android) versus NSUrlSession (iOS)
Dependency churn: often new versions come in, which you then need to check.

The mobile app:

We are still wrapping up the remote file operations.
After we deploy into production, we will improve the UI.

Yes, we hope to open source the synchronization framework, and maybe the foreground/background transferring subsystem. Yes, we have built a Flutter web-app of this, but it looks just like the mobile app currently. Needs a separate layout really. No, we have not done a Desktop app.

Lightning talks Wednesday

Posted by Maurits van Rees on October 27, 2021 08:35 PM

Peter Holzer: My first Plone 6 site

This was in April 2020. I friend wanted a shop for his post cards. Lots of search filters.

We create a new Plone theme on Bootstrap 5. Updated our bda.shop stack.

See https://www.fotoeigenart.ch

Michael McFadden: Web developer confessions

I had a web form up where people could submit confessions, totally anonymous.

I used Perl
I sometimes test things in production.
I voted against removing the tag from HTML.
I store user passwords, as we often need to login as a user to fix their... stuff. We take precautions, but still.
I allowed editors to add css at a top level in the site.
I have a marquee tag on our site.
I am using iframes to include those who are unwilling to move into our big Plone Site. It is a way to do imports.
I use pdb on production all the time with a client instance.
I use for my page layout.
I don't setup the whole translation machinery on our Plone Site. Hello USA!
I use heavily duplicated code. What's wrong with coding with copy and paste.
I did not backup my data, and I knew the RAID aray was bad.
I think downtime is good for mental health.
I still hate javascript. And now we have node.
I don't always do web development. But when I do, I do it through Zope using plone_custom.css on a production site.
I fixed it with css. .class {display: none !important}
I suggested to a user to try it in another browser, like Edge. I am still ashamed.
I am not trained in UX or web design, but I do it anyway, because I just know what's right.

Fulvio Casali: Plone sponsorships

We are looking for financial sponsorship on a regular basis. Open source is a labor of love, but we also need money. The Plone Foundation supports the community financially for sprints, conferences, releases. We have administrative costs, like for trademarks, lawyers, hosting.

So you support independent media producers via Patreon, Substack, Medium, Youtube? How much? If not, maybe your boss does? Have you watched listened to the Plone podcasts?

Sponsors can be providers, customers, universities, companies that somehow use Plone. We couldn't do it without you.

Mail [email protected].

Dylan Jay: Why Drupal won down under

Two stories of government websites, in this case UK and Australia, where other CMSes won the day. Maybe with Plone 6 we can gain some ground back.

PreviousNext is a Drupal shop in Australia. In 2012 aGov launched, a distribution of Drupal specifically for Australian Government websites. That was cleverly done. They organized a Drupal conf in Canberra, the capitol. Most of the stuff could not have been done without support by Acquia, the behemoth company behind Drupal. It helps to be able to say that they have got you backed.

Then the UK. In 2012 Gov.uk launched. 2013 Service manual published.

Ideas for Plone:

Open CMS for a specific government.
Acquia equivalent
How to sell o governments that have been burnt by Plone?
Target internal React developers.
Use a better term than 'enterprise'. Governance CMS for React Developers?
Concentrate on services, not websites?

Maik Derstappen: Current state of Mockup

We are moving Mockup and Patternslib to ES6. We replaced some Mockup patterns with patterns from Patternslib. Most mockup patterns are finished, just a few left that need a bit of work. Plone Classic UI frontend works basically, some issues left in control panels mostly.

Things will get easier. No more RequireJS yelling at you. Add-ons can provide, require and ship any javascript module. Plone will only load everything once, thanks to Webpack module federation.

Timeline: ES6 branch will be merged in the coming months.

Give it a try using the buildout.coredev repository and:

./bin/buildout -c plips/plip-3211-mockup-redone.cfg

Help us! Join us during the conference sprint or every Thursday on Discord, the classic-ui voice channel.

Johannes Raggam: Javascript integration

This is about Webpack module federation.

Goals:

add-on without recompiling
No or negligable code duplication, small bundle size

Hard to achieve with Plone 5 and RequireJS.

New concept: Webpack module federation, or actually just module federation, as it is not tied to webpack.

separate bundles
dependencies between each other
define shared bundles
define exported and remote modules
fallback to own dependency

David Glick: Snowfakery

Snowfakery is a tool for generating fake data that has relations between tables. Every row is faked data, but also unique and random, like a snowflake. To tell Snowfakery what data you want to generate, you need to write a Recipe file in YAML.

You may want realistic data in tests, but not production data.

I write a yaml file and tell it how many folders and documents to create. I let snowfakery export this to json. Actually, I have defined a slightly different format for Plone. This outputs a json file that can be used by collective.exportimport.

Snowfakery documentation: https://snowfakery.readthedocs.io/en/docs/

Philip Bauer: One small VS Code trick

For the training this year for the first time I used one editor for both Volto and Classic. This is because of one VS Code trick.

I use the Pylance language server for VS Code, which is fine, but it cannot initially find the Plone code. Simple fix for that: I have a script zopepy in my bin folder. Find it, copy the path, in VS code configuration go to 'Python: Select interpreter', and paste the path. After a few seconds, or maybe reloading an open file, it works, and VS Code finds all packages and modules.

Erico - New Docker images

Plone loves containers. Some have had a love/hate relationship with Docker, but we are over it. Maybe Docker is over it too.

We have a new generation of Plone Docker images:

- ``plone/plone-backend`` 5.2.6 and 6.0.0a1
- ``plone/plone-frontend`` Volto 14.0.0-alpha
- ``plone/plone-zeo`` is still available (5.2)
- ``plone/plone-haproxy``

Use your own Plone image, with an example extra add-on:

FROM plone/plone-backend:6.0.0a1
RUN ./bin/pip install "pas.plugins.authomatic --use-deprecated legacy-resolver"

The use-deprecated option should hopefully not be needed in the near future. Maurits has opened a [PR in pip](https://github.com/pypa/pip/pull/10574) for that.

All these images are based on pip. One point: do not use autoIncludeDependencies in your zcml, as this does not work with pip.

Examples for Docker compose: https://github.com/plone/plone-frontend#using-docker-compose

Thank you to the installers team: Jens, Alin, Silvio, Steve, Kim, Erico.

Thomas Schorr: Pyruvate WSGI Server Status Update

Posted by Maurits van Rees on October 27, 2021 07:23 PM

At last year's Plone conference, I presented Pyruvate, a WSGI server implemented in Rust (and Python). Since then, Pyruvate has served as the production WSGI server in a couple of projects. In this talk I will give a project status update and show how to use Pyruvate with Zope/Plone and other Python web applications and frameworks. I will also present some use cases along with benchmark results and performance comparisons.

WSGI is the Python webserver gateway interface. It is the default way for Python apps to talk with a webserver.

During the Python 3 migration of Zope and Plone, WSGI replaced ZServer as the default, since Plone 4. The ZODB is not thread-safe. This means there is a limited choice of WSGI servers. The Zope docs recommend only two: waitress and Bjoern. Other popular servers showed poor performance for Zope.

Rust is a new, popular programming language. It can also be used to extend Python packages. The cryptography package does this, and we all use this package.

Pyruvate from a user perspective:

pip install pyruvate

Then create an importable Python module:

import pyruvate

def application(environ, start_response):
    """WSGI application"""
    ...

pyruvate.serve(application, "0.0.0.0:7878", 3)

Using pyruvate with Zope/Plone. In buildout you add pyruvate to the eggs of your instance, and use a different wsgi-ini-template.

Pyruvate supports active Python versions, currently 3.6-3.10.
Using Mio to implement I/O event loop.
Worker pool based on threadpool, 1:1 threading.
A PasteDeploy entry point.
It is stable since 1.1.0.
Supports Linux and MacOS
Hosted on Gitlab
There are binary packages for Linux, so there you don't need a Rust compiler to install it.

Let's see about performance. As starting point: Performance analysis of WSGI servers by Omed Habib, see Appdynamics blog. This is a performance comparison of 6 WSGI servers, published in 2016. Tested were: Bjoern, CherryPy, Gunicorn, Meinheld, mod_wsgi and uWSGI.

Benchmarking tool was wrk. The test WSGI application simply returns some headers, and the text "OK".

I changed the original setup. Swapped Meinheld and mod_wsgi for Pyruvate and Waitress, swapped CherryPy for Cheroot. Use Python 3 only. Now we look at the metrics.

Number of requests served:

Bjoern is by far the best.
Pyruvate does not do so well with lower number of simultaneous connections, but with higher numbers, it jumps to second place after Bjoern.

CPU usage:

Bjoern is single threaded, so is 100 percent, the others can do more.
Gunicorn starts the best, but drops in performance with more simultaneous connections.
Pyruvate starts slightly below it, but sustains it better.

Memory usage:

More or less okay for all.
Except uWSGI, where memory usage steadily goes up.

Errors:

With increasing load, all servers show errors on higher load.
Except waitress and Pyruvate.
uWGI always shows errors for every single request, so something is wrong. But it still serves the request. So maybe an issue of the benchmarking tool.

Why is Bjoern so much faster?

Good implementation, many optimizations.
It is single threaded. Switching from single to multi-threaded comes with benefits and costs.
Shared access to resources adds to complexity.
Offloading requests to worker threads only makes sense when there is something to work on, which is not the case in this benchmark.
Python's GIL generally makes multithreading less effective.

Let's look at benchmarking Plone 5.2.5. Testing with Bjoern, Pyruvate and Waitress. All three serve the Zope root about 600 requests per second, and this stays the same when simultaneous connections increase. Serving the Plone root: all three about 27 requests per second.

Number of errors, mostly socket errors:

Bjoern starts giving errors a bit earlier, starting from ten simultaneous connections, but it holds up well.
Pyruvate and waitress start giving errors at 50 simultaneous connections.
With 100, Pyruvate does a lot worse than Bjoern, and waitress even more than that.
So you really can't have that many simultaneous requests to Plone.

CPU usage is the same, all 100 percent. In this setup I have used one worker for each server.

Serving /Plone as json: Bjoern is slightly better than Pyruvate, which is slightly better than waitress, but all are around 500 requests per second, quite close to each other.

The most interesting is number of requests served when getting a 5.2 MB blob from blobstorage. Bjoern is around 200, Pyruvate 180, so close, and waitress a lot worse, dropping from about 80 to 40.

Next setup: 2 threads for Pyruvate and waitress. Pyruvate is then better than Bjoern. Waitress starts better, but cannot keep up.

Using 2 threads but 4 CPU, Both Pyruvate and waitress are a bit better than Bjoern, and keep it up.

Conclusions from benchmarking:

Bjoern is the winner when using a single worker for all URLs except /Plone.
When serving a more complex page such as /Plone, there is no real difference in the number of requests served, but Bjoern is showing errors a bit earlier.
Adding one thread plus sufficient resources lets both Pyruvate and waitress perform better than Bjoern.
All configurations failed to sustain higher loads, more than 50 connections.
Bjoern and Pyruvate are serving blobs a lot faster than waitress.
Pyruvate can challende waitress in all scenarios.
When adding worker threads, Pyruvate seems to make better use of resources than waitress.

As test I setup Apache for fair balancing between two ZEO clients on Plone 5.2, one served by Pyruvate, one by waitress. Consistently more requests are sent to Pyruvate (53 percent).

Code: https://gitlab.com/tschorr/pyruvate

Tiberiu Ichim: Volto slots, portlets on steroids

Posted by Maurits van Rees on October 27, 2021 03:55 PM

Problem: Volto has no equivalent of a viewlet. Solution: slots. They can be management slots, presentation slots, below-footer slots.

One reason: we try not to customize the main template.

Volto also does not have portlets. Well, if you really want them badly enough, you can have them. There is a PR in plone.restapi to export portlets, so you could render them in Volto.

Idea: reuse Volto blocks for layout.

Plone has had portlets for a long time, and it is very useful, especially for smaller sites. You should not have to be a web developer to change the website layout. Portlets give site administrators some power to influence the look of their own site. We should keep that possibility.

Volto's slot proposition:

Simplify configuration. Portlets in Classic need too many files.
Volto blocks are very expressive.
Require Modify Portal Content permission for slots.
UI Power: give more capabilities: - atomic blocking of parent blocks - override parent blocks

How can we use them?

Sidebars: listings, info boxes, navigation
section headers, content

Current status: big PRs on plone.restapi and Volto. Overall the basic functionality is 60-70 percent ready. I will do a live demo.

Questions for the October Steering Circle?

Posted by PLONE.ORG on October 25, 2021 06:35 PM

As described in the Foundation's July 2020 discussion of Plone governance, a series of Steering Circle meetings is being held to discuss our organizational structure and processes, and any hot topics of the moment. This is part of the Foundation's initiative to solicit ideas for changes that will better serve the needs of our community, our projects, and our teams. The meetings will be held every two months, and the next one will be October 29th at 13:00 UTC (15:00 CEST). Each Plone team will send one or two representatives, including the Zope, Volto, RestAPI and Guillotina teams.

The Steering Circle meetings will include a discussion of questions from community members. Please use this form to submit any questions you have and we will put them on the agenda.

Thank you for being an awesome community and for helping to move Plone forward into its third decade!

Plone 6.0.0a1 Alpha Is Here!

Posted by PLONE.ORG on October 22, 2021 07:50 PM

Plone community proudly presents the first alpha release of Plone 6 - feel free to try it out!

https://plone.org/download/releases/6.0.0a1

Some Highlights of the Alpha Release

The big one: Volto as new front-end, using React, built with modern JavaScript tools.
The backend is now called Plone Classic. It generally works the same as Plone 5.2, so if you are not ready for Volto yet, you can just use this.
Support only for Python 3.7, 3.8 and 3.9.
Zope 5.3
Extensive overhaul of Plone UI elements based on Bootstrap 5 components.
Barceloneta LTS theme
Add control panel for relations
Add plone.api.relation module to ease using relations.
Use Dexterity for the Plone Site root object.

Plone 6 editing experience combines the robust usability of Plone with a blazingly fast JavaScript frontend

Plone 6 editor

Plone 6 Uses the Latest Web Technologies

The Plone 6 user experience has been redesigned from scratch to be awesome for power users and occasional users alike. It's easy to create adaptive layouts using a flexible and powerful blocks system built from the latest web technologies. There's no need for in-depth knowledge of how the web works or how the page will look on thousands of different devices - editors can split individual blocks into multi-column content that will automatically adapt to any device. Building complex, responsive pages with Plone 6 is effortless.

The blocks system is not limited to rich text. It will come with a faceted search block that allows editors to easily create sophisticated searches that make use of content metadata. Other blocks can present collections of content dynamically generated from a search. Plone has always included search, now the blocks system allows the search to be harnessed in new ways.

Form Builder, No-Code Content Types, Rich Ecosystem

Plone 6 also includes:

A powerful form builder. Editors can create forms via drag and drop and define actions such as sending form data via email or storing it in CSV format for later use;
No-code custom content types that can be created through the web, including metadata fields, behaviors and view templates;
A rich ecosystem with more than 100 add-ons, even before it has been launched; an active and enthusiastic community of developers and companies is creating new add-ons every day.

The quick growth of the Plone 6 community is the result of developer-friendly technology choices. It is built with the two most popular programming languages (Python and JavaScript) and an open-source software stack that powers some of the largest websites in the world.

Read more about Plone 6.

Try Plone 6 and learn more at the Plone Conference 2021 Online

Try Plone 6 at https://plone.org/what-is-plone/plone/try-plone
Install the Plone 6 Alpha at https://plone.org/download/releases/6.0.0a1
Learn more about Plone 6 at Plone Conference 2021 Online starting October 23rd - Get your tickets at https://2021.ploneconf.org/

Plone Conference 2021 - Schedule, Trainings and Participation Info

Posted by PLONE.ORG on October 19, 2021 05:05 PM

Taking place over 9 days, from 25th to 31st October 2021, the Plone Conference 2021 Online will feature training, keynotes, talks, open spaces, sprints, and social activities.

Schedule

Important dates:

Training will happen over the weekend - October 23 & 24
4 days of keynotes and talks + 1 day of open spaces - October 25 - 29
Sprint - October 30 & 31

All information can be found at: https://2021.ploneconf.org

Check the full schedule at Schedule with precise starting times (CET).

Training

Two days of training is included in the ticket price. Learn about topics like:

Mastering Plone 6
Volto Add-On Develoment
React and Volto
Plone 6 Classic UI Theming
Volto and Plone Deployments
Getting started with your Plone 6 site
Guillotina React
And more!

All training info can be found at https://2021.ploneconf.org/schedule/training

All trainers are friendly professionals from the Plone community.

Important! Remember to register to training at using registration form.
(Just make sure you have a ticket first).

Keynotes

We will have three amazing keynotes:

State of the Plone Community by Chrissy Wainwright, Plone Foundation President
Plone 6 Power and Control by Timo Stollenwerk, founder of kitconcept and Volto evangelist
From Opaque to Open: Untangling Apparel Supply Chains with Open Data by Katie Shaw, Chief Programme Officer, Open Apparel Registry

Check the schedule at https://2021.ploneconf.org/schedule

Talks and speakers

There will be over 40 professional talks by speakers from all over the world. Topics will range from Plone 6 and Volto to theming, migrations, case studies, documentation, and much more. Talks about Guillotina, React, Python, Accessibility, Open Source, Community, UX, Frontend and Backend development are scheduled.

Talk audience level is clearly described, so there will be something for everyone through 3 tracks. All talks will be streamed live and will be available as recordings immediately after. Participants will be able to discuss with the speakers after every presentation.

https://2021.ploneconf.org/schedule/talks

https://2021.ploneconf.org/speakers

The conference will also feature one day of lightning talks and open spaces for bringing up ideas and innovation!

Get your tickets

Only 100$ per ticket, and only 25$ for people from developing countries

https://2021.ploneconf.org/tickets

How to participate

This year’s conference will be entirely online, through the LoudSwarm virtual platform, the same as with the 2020 conference.

Each registered person will get an email about how to access the system. Rest assured it will be very easy, and the level of interaction will be high! This is a community event, with lots of discussion and friendly emojis :)

Join the Slack spaces

The Plone Conference Slack Workspace is where all information about the event will be shared. This is also where you will be able to chat with speakers, attendees, and organizers. If you haven't already, join the Plone Slack now and navigate to channel #conf2021_hallway.

If you have a question during the event, please visit the #conf2021_help_desk channel and our team will be available to assist.

Code of conduct

The Plone Foundation is dedicated to providing a respectful, harassment-free community for everyone.

https://2021.ploneconf.org/code-of-conduct

Follow Plone Conference

Follow Plone Conference https://twitter.com/ploneconf
Follow Plone at https://twitter.com/plone
Contact the organizers at [email protected]

https://2021.ploneconf.org/

Contact the organizers at [email protected].

The Plone Newsroom Podcast

Posted by PLONE.ORG on October 18, 2021 12:40 PM

The Plone Newsroom is a monthly podcast brought to you by Philip Bauer and Fred van Dijk. Technical and non-technical topics will be covered, including Plone, the Plone community, and whatever else they come up with to keep us informed!

Suggest a topic to include in the next episode by sending an email to Philip or Fred (first name 'at' plone dot org).

The premier episode featured a discussion of Plone Open Garden and a roundup of conference and release news, plus information about collective explicit acquisition and the Volto Search Block. Go to the Newsroom page to view other episodes.

Plone Store Is Now Open - Get Your Plone Gear!

Posted by PLONE.ORG on October 13, 2021 12:00 AM

The Plone Foundation proudly presents:

https://store.plone.org

The new shop for all Plone-related gear from T-shirts and hoodies to stickers and such is now open!

For now, you can get:

The shop is built on the TeeMill platform by the Plone Marketing Team, and we will be adding more Plone-themed gear over the coming weeks and months.

We made an extra effort to bring the site online before the Plone Conference 2021 online, so if you order your conference T-shirt now you might get it just in time before the conference opens 23rd October!

The Plone Foundation provides all items in the store without any markup, so the prices should be relatively low (Shipped from UK, so take note of customs and shipping fees).

All clothing items are high-quality certified organic products, made from post-consumer remanufactured organic cotton in a renewable energy-powered factory, audited for a wide range of social and sustainability criteria. Read more at https://plone.teemill.com/the-journey.

The Plone Foundation Welcomes Two New Members

Posted by PLONE.ORG on October 12, 2021 12:00 AM

The Plone Foundation welcomes two new members after unanimous confirmation by the Foundation's Board of Directors on September 30, 2021.

Nicola Zambellos presenting at Plone conference

Nicola Zambello

Nicola has been developing with Plone since 2016 and has become an important contributor to the Volto project. He started RawMaterial, a Plone-based company, last year and will present his vision for a practical Green Web strategy at this year's conference. "I love Plone," he writes. "I feel at home with the community and I strongly want to support and invest in Plone, taking it to new horizons while maintaining what makes it so good."

Nicola will present one of the trainings at this year's conference; he lives in Ferrara, Italy.

Tiberiu Ichim

Tiberiu works with EauDeWeb and has been a member of the Plone community since 2004. Since 2019 he has been focused on Volto, and is a member of the Volto Core Developers team. He is the initial author or major contributor for several Volto add-ons, including volto-slate (alternative rich text editor) and volto-block-style (generic styling for Volto blocks).

Tiberiu lives in Oradea, Romania.

The Plone Foundation encourages applications from long time contributors to the Plone project and community. Learn more about the Foundation membership and the application process.

Nominations Open for Plone Foundation Board of Directors

Posted by PLONE.ORG on September 27, 2021 07:00 AM

If you have an interest in helping the governance of Plone, and particularly the energy and time to pitch in, please consider nominating yourself to serve on the Plone Foundation board of directors for 2021-2022.

Nomination Process

Log in on plone.org and go here:
https://plone.org/foundation/meetings/membership/2021-membership-meeting/nominations
Add a page there with your name in the title.
For the body, discuss:
- Who you are
- Why you're interested
- What you think you can add to the Plone Foundation
- Most importantly, the name(s) of one or more Plone Foundation members who "second" your nomination
Once ready, click "submit" in the workflow drop-down menu to get a reviewer to look at your nomination.
Nominations will be accepted until October 22 2021, 23.59, UTC. The election will be conducted in conjunction with the annual meeting, which will take place during the Plone Conference 2021. All active members of the Plone Foundation will be eligible to vote.

About Board Membership

The Plone Foundation is a not-for-profit, public-benefit corporation with the mission to "promote and protect Plone". That has meant that the board is involved in:

protecting the trademark, copyrights and other intellectual property, including considering licensing and usage issues;
hiring the release manager;
working with sub-communities like Zope, Guillotina, and Volto
working with various committees, including marketing and membership;
handling "other stuff in the community" as needed
but not: directing Plone development. The board facilitates, but does not direct, the development of Plone itself.

While there's lots of work that happens online, much of the critical business of the board is conducted during video meetings every two weeks — typically, board meetings last about an hour to 90 minutes though occasionally they can run over to handle time-critical issues. Please consider whether this fits your schedule, since missing more than an occasional meeting severely limits the ability of the board to reach quorum and conduct business.

Historically, board meetings have been organized to occur during daytime hours in America and evening hours in Europe, currently at Thursday nights, 19.00 UTC in northern hemisphere summer and 20.00 UTC in northern hemisphere winter. That can always change with new board members.

In addition, there is a board mailing list (private), where we discuss things in addition to the meetings.

This is a working board. Be ready to regularly take on and complete responsibilities for board business.

The board writes no code and makes no development decisions. It is much more concerned with marketing, budgets, fundraising, community process and intellectual property considerations.

You do not need to be a Foundation member to serve on the board (in fact, board leadership is an excellent way to become a Foundation member). All you need is to get an active Foundation member to second your nomination.

The Plone Foundation is interested in broadening the diversity of our leadership, with regards to gender, ethnicity, and geography.

If you have questions about the nomination process, contact the board: [email protected]

Plone.org Is Getting a Facelift

Posted by PLONE.ORG on September 16, 2021 04:21 PM

Years have passed since the 2016 sprint at Penn State where a team of community members worked on a new theme and madly reorganized content on the Plone 5 version of plone.org. The site dates back to 2002 and the Plone 1 days, and the software and content had been upgraded in place over the years with only minor theme changes - to Plone 2 and 2.5, then Plone 3, then Plone 4, and finally Plone 4.3. It served us well, but because Plone 5 brought many changes, including a new out-of-the-box theme (Barceloneta), we mounted a major effort to refresh the design as well as upgrade the content and software.

What was new then is now looking old, and the marketing team has embarked on a modernization effort. The ultimate goal is to upgrade to Plone 6 and create a React-based theme using the new front end. But meanwhile we've been having a series of mini-sprints to improve what we have now.

Our first major initiative was to improve the News section, which holds an amazing collection of content. Browsing it can take you back in time - to the Plone 1.0 RC1 release announcement for example, or Alan's 2002 thoughts on what Plone should be, or approval of the Plone Foundation as a 501(c)(3) organization. It was already possible to browse news items by year, but we thought categorization by topic would also be useful. So we tagged every news item, and now you can browse news items by category. Fulvio Casali chronicled this effort in his 2020 Plone Conference talk Oh the Places We've Been!

A not very attractive display of news items and listings was another issue. So we sketched out a cleaner look, with a standardized lead image aspect ratio and a more useful byline. Then the more technically adventurous members of the marketing team (Norbert, Fulvio, Érico) strapped on helmets and figured out how to make changes to the site's theme. You are looking at our initial improvements, and there's more to come.

Our other major initiative is to move the contents of the plone.com site over to plone.org. Over the years plone.com became very difficult to maintain, so we have discontinued it. (Contact the marketing team if you need to retrieve any plone.com content.) With that in mind, we created a What is Plone? section on plone.org which is oriented towards the plone.com audience. It is also a place for us to describe all the pieces of the Plone ecosystem and how they fit together.

In addition to these bigger jobs we've been making lots of little improvements during our mini-sprints, including fixing bugs old and new as recorded on the plone.org issue tracker.

Would you like to help with this effort?

We'd love to have you!

Join our effort to promote Plone by publishing regular plone.org news items - successes, new developments, controversies, generally telling a broad audience what's happening in the Plone world
Do you have design skills? We don't and we need help with design improvements and eventually a new theme for Plone 6
If you are a theming wizard please help us modernize the site styles - more 2021 and less 2016
Show off Plone's built in search by creating a beautiful search results listing
Help us with our ongoing efforts to fix bugs and curate content
Help us migrate plone.org to Plone 6

Please contact the marketing team to get involved. Anyone with technical, design or content editor skills is welcome.

The Plone Foundation Welcomes Two New Members

Posted by PLONE.ORG on September 09, 2021 10:09 PM

The Plone Foundation welcomes two new members after unanimous confirmation by the Foundation's Board of Directors on September 2nd, 2021.

Cléber J. Santos

With over 15 years of Plone experience, Cléber is an important member of the Brazilian Plone community. He was part of the team that helped organize three editions of the Plone Symposium South America and the Plone Conference in Brasilia.

Cléber lives in São Paulo, Brazil.

Steve Piercy

Contributor of many projects under the Pylons Project, including Pyramid, WebOb, Waitress, Colander, Peppercorn, and WebTest, Steve is also a constant presence in Plone community chats and forums. In recent years, he has collaborated with the Plone Documentation and Training materials teams and attended Plone Conferences as a speaker and a trainer.

In his spare time, Steve volunteers technical support for bicycling and environmental activist organizations. He lives in Eugene, Oregon, USA.

The Plone Foundation encourages applications from long time contributors to the Plone project and community. Learn more about the Foundation membership and the application process.

Podcast "The Plone Newsroom" launched

Posted by Starzel.de on September 02, 2021 10:02 AM

Brought to you by Philip Bauer of https://www.starzel.de and Fred van Dijk of https://zestsoftware.nl

Watch it on Youtube Channel https://www.youtube.com/channel/UCPo8CirtIfvt8GO4rm-dD4g

Plone Conference 2021 Online - Tickets for Sale Now!

Posted by PLONE.ORG on August 19, 2021 07:38 PM

The annual conference is a chance for the Plone community to come together to share new developments, success stories, and the future of the community. Taking place over 8 days, the conference will feature training, keynotes, talks, open spaces, sprints, and social activities.

This year’s conference will be entirely online, through the LoudSwarm virtual platform. No matter where you are, you can participate!

Plone Conference website now online

Behold https://2021.ploneconf.org/

The conference website is, of course, built with Plone.

Tickets are now available

Discounted tickets, available until September 30th, also a special price for developing countries.

Get your tickets here.

Submit your talk proposal

The topics can range from Plone, Zope, Volto, and Guillotina to Python and Pyramid or from fancy JavaScript to cool case studies and beyond.

There are many kinds of talk slots, from 5 min lightning talks to 30 and 45 minutes long, and you can target your talk to different audiences too.

Submit your talk proposal!

Stay tuned for more info

Follow Plone Conference at Twitter https://twitter.com/ploneconf

Follow Plone at https://twitter.com/plone

Questions for the August Steering Circle?

Posted by PLONE.ORG on August 11, 2021 11:55 AM

As described in the Foundation's July 2020 discussion of Plone governance, a series of Steering Circle meetings is being held to discuss our organizational structure and processes, and any hot topics of the moment. This is part of the Foundation's initiative to solicit ideas for changes that will better serve the needs of our community, our projects, and our teams. The meetings will be held every two months, and the next one will be August 17th at 2:00 PM UTC. Each Plone team will send one or two representatives, including the Zope, Volto, RestAPI and Guillotina teams.

The Steering Circle meetings will include a discussion of questions from community members. Please use this form to submit any questions you have and we will put them on the agenda.

Thank you for being an awesome community and for helping to move Plone forward into its third decade!

Plone 5.2.5 Released!

Posted by PLONE.ORG on August 06, 2021 07:10 PM

General notes

Plone 5.2.5 is a bug fix release of Plone 5.2. The release Manager for this version is Maurits van Rees.

Note: this is a fresh release. Installers are not ready yet but will be made available.

Experienced users can update their buildout config by pointing to https://dist.plone.org/release/5.2.5/versions.cfg.

For the Plone 5.2 upgrade guide, see https://docs.plone.org/manage/upgrading/

See https://plone.org/download/release-schedule for the planned release schedule.

Plone 5.2.5

Plone 5.2.5 is a release of Plone 5.2.

Download Plone 5.2.5

Experienced users can update their buildout config by pointing to https://dist.plone.org/release/5.2.4/versions.cfg.

Useful links:

Some highlights of this release are:

Security fixes in AccessControl and Products.isurlinportal.
Security fixes from Products.PloneHotfix20210518 taken over in core.
Zope: 4.5.5 to 4.6.3
Products.CMFPlone: Add PLONE52MARKER Python marker.
plone.app.iterate: Add proper support for Dexterity folderish content.
plone.folder: restore webdav support.
plone.registry: Allow plone.schema.JSONField to be stored in registry (dictionary-like).
plone.namedfile: Cache stable image scales strongly.
plone.recipe.zope2instance: customize WSGI, profiling, python-env.
plone.restapi: JSONField, sub blocks, use_site_search_settings.
Lots of bugfixes, especially improving Python 3 compatibility.

For detailed changelog, go to https://plone.org/download/releases/5.2.5

Join Plone Chat, Now at Discord!

Posted by PLONE.ORG on August 05, 2021 03:13 PM

There are many ways to reach out to other Plone developers and users. The two most important platforms are the Community forum at https://community.plone.org/ and our chat platform, which has been moved from Gitter to Discord.

Online Chat at Discord

Discord is now the best way to chat with members of the friendly Plone community. There are various channels to choose from.

Join the Plone Discord.

Please remember that you will be chatting with volunteers. Read more about chat info.

Please do not use chat to ask for support. Support questions should be directed to either the volunteers in the Plone forum or commercial providers.

Guillotina and its contributors

Posted by PLONE.ORG on July 01, 2021 08:18 PM

Guillotina is a modern, asynchronous back end designed for building high-performance, horizontally scaling JavaScript applications.

Who are the Guillotina contributors?

First, let’s introduce our new contributors: Roger Boixader and Joan Antoni. They both work at Iskra which is a well-known company in the Plone community as they have been actively using and supporting Plone for years (for decades actually!).

Roger was kind enough to answer few questions about his involvement in Guillotina:

Q: As a developer, where are you coming from and what do you do? How much Python has been in your career until now? 

Roger: My name is Roger Boixader Güell, I come from Berga, Barcelona, Catalunya and I am 28 years old. I studied computer engineering in Girona, Catalunya. I had never used Python before entering Iskra and for the first year I have mainly used JavaScript. My first steps with Python were with Django and then with Guillotina. 

Q: Why is using Guillotina relevant in your technical context?

Roger: Because it is the main framework that we use in Iskra on the backend side. 

Q: What is the thing you like the most in Guillotina? 

Roger: The simplicity to create an application, with a few lines of code of Python or with a YAML file you can start a project easily .

Q: What do you think should be improved in Guillotina?

Roger: Documentation and transactions. 

Q: Have you been involved in an open source community before?

Roger: No, it's my first time. 

Q: What would you expect from the Plone Community?

Roger: I think the Plone Community can help recruiting more Guillotina contributors, and the more contributors we have, the better Guillotina will get!

As we could expect, Guillotina attracts people who are not necessarily connected to the CMS world, but it is quite interesting to see Guillotina is considered as a valuable alternative to Django by young Python developers.

How is the core project managed?

The Guillotina project belongs to the Plone Foundation, just like the Plone project does, but it is obviously much younger and does not have (yet) all the Plone development and decision-making workflows.

So far, there is a periodic meeting every three weeks which allows us to discuss evolutions, important pull requests, and new use cases. Currently there are six participants in this meeting.

The repository is in the Plone Github organization.

When they join, Guillotina contributors do sign the Plone Contributor Agreement (as does any contributor to any Plone Foundation project), but they are not core contributors immediately (unlike Plone contributors). At the moment, there are three core contributors: Ramon Navarro Bosch, Nathan Van Gheem, and Jordi Massip. Their review and approval is needed to merge any pull request.

Apart from the core repository, Guillotina has a full ecosystem, managed in the Guillotinaweb GitHub organization; the most important elements are:

guillotina_elasticsearch
guillotina_gcloudstorage
guillotina_ldap
guillotina_react
guillotina_s3storage
guillotina_stripe
guillotina_volto

Each of these projects has an official manager (not necessarily a Guillotina core contributor).

Sprints

We organize a sprint in southern Europe every year when there is no global pandemic! We are also often involved in Volto sprints (and these happen usually in northern Europe, but also when there is no global pandemic).

You should join!

Security patch 20210518 version 1.5 released

Posted by PLONE.ORG on July 01, 2021 08:05 PM

This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.

Version 1.5 of the hotfix is available from:

https://plone.org/security/hotfix/20210518 – if you grab the zip from here, please check that the version.txt contains 1.5 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 to the URL if this happens.
https://pypi.org/project/Products.PloneHotfix20210518/

This version is a recommended upgrade for all users.

Zope users are advised to upgrade to Zope 4.6.1 or 5.2.1. If this is not possible, you can try this new version of the hotfix.

See the original 20210518 hotfix announcement

From the changelog:

1.5 (2021-06-28)

Fixed new XSS vulnerability in folder contents on Plone 5.0 and higher.
Added support for environment variable STRICT_TRAVERSE_CHECK.
- Default value is 0, which means as strict as the code from version 1.4.
- Value 1 is very strict, the same as the stricter code introduced in Zope 5.2.1 and now taken over in Zope 4.6.2. There are known issues in Plone with this, for example in the versions history view.
- Value 2 means: try to be strict, but if this fails we show a warning and return the found object anyway. The idea would be to use this in development or production for a while, to see which code needs a fix.
Fix Remote Code Execution via traversal in expressions via string formatter. This is a variant of two earlier vulnerabilities in this hotfix. This was fixed in Zope 4.6.2, which takes over the already stricter code from Zope 5.2.1.

Note: we don't usually release another version almost six weeks after the original one, and three weeks after the previous version, and including a fix for a vulnerability which was only reported last week. However, this contains a fix for a close variant of one of the original vulnerabilities and needs a fix in the same code, so it seemed easiest for the security team and for Plone users who patch their sites to release a newer version.

Security patch 20210518 version 1.4 released

Posted by PLONE.ORG on June 14, 2021 04:11 PM

This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.

Version 1.4 of the hotfix is available from:

https://plone.org/security/hotfix/20210518 – if you grab the zip from here, please check that the version.txt contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 to the URL if this happens.
https://pypi.org/project/Products.PloneHotfix20210518/

This version is a recommended upgrade for all users.
Zope users are advised to upgrade to Zope 4.6.1 or 5.2.1. If this is not possible, you can try this new version of the hotfix.

See the original 20210518 hotfix announcement

From the changelog:

1.4 (2021-06-08)

Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
(Note: I forgot to add this to the changelog on PyPI/plone.org).
With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline. By default we use an allowlist with the most used image types, plain text, and PDF. The denylist contains svg, javascript, and html, which have known cross site scripting possibilities.
By popular request, allow showing PDF files inline. Note: browser preference plays a part in what actually happens.
In untrusted path expressions with modules, check that each module is allowed. In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for example random._itertools. But if random.itertools without underscore would have been available, it was still allowed, even though itertools has not been explicitly allowed. (itertools might be fine to allow, it is just an example.)

Security patch 20210518 version 1.4 released

Posted by PLONE.ORG on June 14, 2021 04:11 PM

This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.

Version 1.4 of the hotfix is available from:

https://plone.org/security/hotfix/20210518 – if you grab the zip from here, please check that the version.txt contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 to the URL if this happens.
https://pypi.org/project/Products.PloneHotfix20210518/

This version is a recommended upgrade for all users.
Zope users are advised to upgrade to Zope 4.6.1 or 5.2.1. If this is not possible, you can try this new version of the hotfix.

See the original 20210518 hotfix announcement

From the changelog:

1.4 (2021-06-08)

Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
(Note: I forgot to add this to the changelog on PyPI/plone.org).
With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline. By default we use an allowlist with the most used image types, plain text, and PDF. The denylist contains svg, javascript, and html, which have known cross site scripting possibilities.
By popular request, allow showing PDF files inline. Note: browser preference plays a part in what actually happens.
In untrusted path expressions with modules, check that each module is allowed. In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for example random._itertools. But if random.itertools without underscore would have been available, it was still allowed, even though itertools has not been explicitly allowed. (itertools might be fine to allow, it is just an example.)

Plone Powers a New Registration Portal

Posted by PLONE.ORG on June 04, 2021 03:55 PM

Challenge

The Open University of the University of Jyväskylä in Finland faced a daunting challenge: With a robust offering of international studies courses and a student audience beyond the usual set of university enrollees, registration needed to be faster, less complicated, and more flexible. For example :

Students from countries other than Finland needed a flexible authentication protocol
Students part-way through the registration process needed to get quickly back to the place where they had stopped
Coursework needed to be quickly and easily browsable, and purchase through university systems needed to be seamless
Course administrators needed a system where course listings could be updated with ease
Every step of the process needed to be loggable so that administrators could identify choke points and eliminate them

Solution

The development team at the University of Jyväskylä drew upon the strong core foundation of Plone to handle the all-essential data storage and management in a secure and accessible framework. Using Plone's modern RestAPI, the team was able to integrate, first, a wicked fast front end for managing data entry and browsing. Next, they used similar APIs to link to university systems for payment, user management, and the learning management system involved in course delivery. The ReactJS-based Volto front end (which will be standard on Plone 6) made dedicated and custom layouts very easy for the developers to create and even easier for administrators to add, edit, and organize.

One last integration using the RestAPI addressed the logging challenge. The team incorporated an open-source business process management tool, BPMN, into the platform to provide a window on every transaction, including how long each registration required and when and where registration ran into trouble.

Continuous improvement of the Plone framework has resulted in a fast, easy-to-use front end that editors love, deeply integrated with Plone's highly secure CMS backend built on Python and Zope. Based on Plone's unbeatable security record, the team knew they could trust the data to be safe. What's more, the framework's granular permission management was harnessed to allow teachers to access some areas, while students only got to see their own dashboard.

Feedback

User feedback has been overwhelmingly positive from both teachers and students at Open University. Problems with the identification and registration process have diminished greatly and, surprisingly, this had the side effect of improving the atmosphere in the courses.

More Information

Visit the English language version of the portal.

Read a technical blog post about the business process management integration.

Security patch released 20210518

Posted by PLONE.ORG on May 18, 2021 10:00 AM

This is a routine patch with our standard 14 day notice period. There is no evidence that the issues fixed here are being used against any sites.

CVE numbers: CVE numbers have been assigned; see the individual pages.

Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version).

Versions Not Affected: None.

Zope: Zope is also affected. See details below.

Nature of vulnerabilities:

The patch will address several security issues:

Remote Code Execution via traversal in expressions. Reported by David Miller.
Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton.
Various information disclosures: mostly installation logs. Reported by Calum Hutton.
Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
Reflected XSS in various spots. Reported by Calum Hutton.
XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
Stored XSS from user fullname. Reported by Tino Kautschke.
Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree.
Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller.
Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller.

Thank you to all who contacted the Plone security team to report problems!

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.3.20, 5.0.10, 5.1.7, 5.2.4. Previous versions, like 4.2, could be affected but have not been tested. On such old versions, the hotfix might have worse side effects than what it tries to fix.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 5.2.5 and greater should not require this hotfix.

Warning: The hotfix has not been tested with Python 2.6. Originally Plone 4.3 was supported on Python 2.6, but since a few releases this is no longer the case since. It gets ever more difficult to test on Python 2.6. By now, you may have trouble installing any package with Python 2.6.

Zope support:

Zope is also affected. New versions for Zope and other packages are available. Upgrading to those is the recommended way.

If you cannot upgrade yet, you can try the Plone hotfix. It has not been tested on Zope only, but we try not to let the Plone-specific code get in the way, so it should be okay.

These vulnerabilities mentioned above are relevant for Zope:

Remote Code Execution via traversal in expressions via aliases.
Fixes released in Zope 4.6 and 5.2.
Remote Code Execution via traversal in expressions (no aliases).
Fixes released in Zope 4.6.1 and 5.2.1.
Various information disclosures.
Fixes released in Products.PluggableAuthService 2.6.0, Products.GenericSetup 2.1.1, and Zope 4.5.5.
Reflected XSS in various spots.
Fixes released in Products.CMFCore 2.5.1 and Products.PluggableAuthService 2.6.2.

The patch was released at 2021-05-18 15:00 UTC.

Installation

Full installation instructions are available on the HotFix release page.

Standard security advice

Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories. Plone sites installed through our installers already do this.
Use an intrusion detection system that monitors key system resources for unauthorized changes.
Monitor your Zope, reverse-proxy request and system logs for unusual activity.
Make sure your administrator stays up to date, by following the special low-volume Plone Security Announcements list via email, RSS and/or Twitter

These are standard precautions that should be employed on any production system, and are not tied to this fix.

Extra Help

If you do not have in-house server administrators or a service agreement for supporting your website, you can find consulting companies at plone.com/providers

There is also free support available online via the Plone forum and the Plone chat channels.

Q: When will the patch be made available?
A: The Plone Security Team released the patch at 2021-05-18 15:00 UTC.

Q. What will be involved in applying the patch?
A. Patches are made available as tarball-style archives that may be unpacked into the products folder of a buildout installation (for Plone 5.1.x and earlier only) and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How were these vulnerabilities found?
A: The vulnerabilities were found by users submitting them to the security mailing list.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all administrators at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch against a wide variety of configurations and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.

Q: Is my Plone site at risk for this vulnerability? How do I know if my site has been exploited? How can I confirm that the hotfix is installed correctly and my site is protected?

A: Details about the vulnerability will be revealed at the same time as the patch.

Q: How can I report other potential security vulnerabilities?

A: Please email the Plone Security Team at [email protected] rather than publicly discussing potential security issues.

Q: How can I apply the patch without affecting my users?

A: Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html

Q: How do I get help patching my site?

A: Plone service providers are listed at plone.com/providers There is also free support available online via the Plone forum and the Plone chat channels

Q: Who is on the Plone Security Team and how is it funded?

A: The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.

Q: How can I help the Plone Security Team?

A: The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at http://plone.org/sponsors

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums If you have specific questions about this vulnerability or its handling, contact the Plone Security Team at [email protected]

To report potentially security-related issues, email the Plone Security Team at [email protected] We are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

We will apply for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) will be available at the full vulnerability list.

Security vulnerability pre-announcement: 20210518

Posted by PLONE.ORG on May 05, 2021 11:00 PM

This is a routine patch with our standard 14 day notice period. There is no evidence that the issues fixed here are being used against any sites.

CVE numbers not yet issued.

Versions Affected: All supported Plone versions: 4.3, 5.0, 5.1 and 5.2. Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Zope: Zope is also affected. A new version of Zope, or a related package, will be available around the time of the hotfix. If you cannot upgrade to this new version, you can try the Plone hotfix on your Zope site.

Nature of vulnerability: High, possible data exposure and remote code execution for already privileged users, various XSS (Cross Site Scripting) vulnerabilities.

The patch will be released at 2021-05-18 15:00 UTC.

Preparation

This is a pre-announcement of availability of this security fix.

The security fix egg will be named Products.PloneHotfix20210518 and its version will be 1.0. Further installation instructions will be made available when the fix is released.

Standard security advice

Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories. Plone sites installed through our installers already do this.
Use an intrusion detection system that monitors key system resources for unauthorized changes.
Monitor your Zope, reverse-proxy request and system logs for unusual activity.
Make sure your administrator stays up to date, by following the special low-volume Plone Security Announcements list via email, RSS and/or Twitter

These are standard precautions that should be employed on any production system, and are not tied to this fix.

Extra Help

Should you not have in-house server administrators or a service agreement for supporting your website, you can find consulting companies at plone.com/providers

There is also free support available online via the Plone forum and the Plone chat channels.

Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 2021-05-18 15:00 UTC.

Q. What will be involved in applying the patch?
A. Patches are made available as Python packages that may be installed by editing a buildout configuration file and running buildout. For Plone 5.1 and lower they are also available as tarball-style archives that may be unpacked into the products folder of a buildout installation. Patching is generally easy and quick to accomplish.

Q: How were these vulnerabilities found?
A: The vulnerabilities were found by users submitting them to the security mailing list.

Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.

Q: Is my Plone site at risk for this vulnerability? How do I know if my site has been exploited? How can I confirm that the hotfix is installed correctly and my site is protected?

A: Details about the vulnerability will be revealed at the same time as the patch.

Q: How can I report other potential security vulnerabilities?

A: Please email the Plone Security Team at [email protected] rather than publicly discussing potential security issues.

Q: How can I apply the patch without affecting my users?

Q: How do I get help patching my site?

A: Plone service providers are listed at plone.com/providers There is also free support available online via the Plone forum and the Plone chat channels

Q: Who is on the Plone Security Team and how is it funded?

Q: How can I help the Plone Security Team?

To report potentially security-related issues, email the Plone Security Team at [email protected] We are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

World Plone Day 2021 - Over 50 Videos from 16 Countries

Posted by PLONE.ORG on May 04, 2021 03:34 PM

World Plone Day, held on April 28th 2021, was a worldwide 24-hour online streaming event. The goal was to promote and educate the public about the benefits of using Plone and being part of the Plone community.

The event was a massive success! The amazing Plone community produced 56 videos totaling 22 hours of content, now available on our YouTube channel. More than 50 speakers from 16 countries presented case studies, tech tips and community insights in 11 languages. This includes an introduction to Plone 6 in EN, DE, NL, CA, IT, PT-BR, FI, and soon JP, ES, and EU.

How to Access World Plone Day Videos

All content is available on the Plone YouTube channel. Play the videos on the World Plone Day 2021 playlist to relive the entire event.

Remember to subscribe while you are there!

Highlights

General Interest

Plone 6

Technical Talks

Case Studies

...and if you speak Italian

World Plone Day in Italy features 3 hours of topics!

Follow Plone and Join the Community!

Stay up to date with Plone and join us:

Follow Plone on Twitter at twitter.com/plone
Subscribe to the Plone YouTube channel
Join the community forum at community.plone.org/
Get started with Plone at plone.org/get-started

On The Road to Plone 6 - Plone REST API 7 and Volto 12 Released

Posted by PLONE.ORG on April 23, 2021 07:16 PM

Here are two important releases on the road to Plone 6:

Plone REST API 7 introduces a new link-integrity feature for blocks-based pages.
Volto 12 improves the add-on ecosystem by introducing a new configuration registry to avoid circular dependencies.

This is a short version of a full blog post at Kitconcept site.

Plone REST API 7

Keeping links within a website intact is one of the core features of any Content Management System. In Plone, editors can copy and move single pages as well as large content trees without breaking internal links to other parts of the site. This is accomplished by using unique IDs (UUIDs) instead of relative or absolute paths when adding a link to another page.

Volto introduces blocks-based page layouts that store a JSON structure internally instead of HTML. This more structured way of storing page content and layout information allows more complex page layouts. Though, because of this change, the existing portal-transforms mechanism that rewrites links to UUIDs did not work any longer.

Many participants joined to improve this feature in a community-wide effort:

Werkbank, a Plone agency from Bochum, Germany, stepped up to sponsor the development of link integrity in 2020
Timo Stollenwerk from Kitconcept started to draft a possible solution and wrote the first prototype
Thomas Buchenberger from 4teamwork picked up that work at the Plone Conference sprint in Ferrara, Italy
Andrea Cecchi from RedTurtle joined the effort and refactored the resolveUID algorithm into a blocks transformer that made the resolveUID transformer more generic and flexible
After that, a first plone.restapi 7 alpha was released and entered a period of quality assurance and testing

After the first alpha release, the ResolveUID transformation was added to links and images. In addition, plone.restapi 7 comes with a new blocks serialization mechanism and an important fix that makes sure files are opened directly by Plone for anonymous users.

Additionally, a "smart fields" concept allows integrators to mark a blocks field as searchableText.

Also, a new @contextnavigation endpoint was added that allows for local navigations.

Plone REST API 7 was included in Plone 5.2.4 release.

Volto 12

A new Volto configuration registry is the new central point to store and retrieve Volto configurations. The configuration registry ensures a setting only exists once.

You can find more details about it in the Volto docs and in the Volto 12 upgrade guide.

Volto is the new React front end for Plone, communicating with the back end through the RestAPI.

Road to Plone 6

Plone REST API 7 and Volto 12 are two very important releases on the road to Plone 6. Next will come another Plone REST API 8 branch and release for Plone 6 supporting Python 3 only.

Volto will continue to move at a very high pace towards Plone 6. A series of Plone 6 “Micro-Sprints” will be organized to push things further.

Check out the Volto Roadmap on Github for more details.