Title: TeamPage 6.2.66
TeamPage 6.2.66 is focused on security improvements and support for Kerberos authentication when using Microsoft Active Directory for user account management. It adds drag-and-drop support for creating TeamPage Permalinks and User References. This release also adds TeamPage Server Settings > Network configuration for HTTP Content Security Policies and Cross-Origin Resource Sharing Policy along with guidance for Configuring a Content Security Policy for TeamPage. Please read on for the full list of changes.
Bug Fixes
Entry Queries
• Fixed a bug that prevented TeamPage's native query engine from properly rewriting queries with certain combinations of search expressions. This caused the queries to run slower than necessary. One type of query that was affected was a user profile > Activity > Posts page with a space search filter applied. (Server100358)
File Queries
• Fixed a bug that caused file listings sorted in alphabetical order by name to sometimes be sorted in a case-sensitive manner. The file listings now match the case-insensitive sorting used for file name based alphabetical sorting used for the file listings that appear in Documents views. (Server100432)
Calendar
• Fixed a bug that prevented the choices of colors for holidays in the FullCalendar plug-in from taking effect in the interface. (JPBO40298)
• Fixed a bug that prevented holidays from being displayed correctly and/or to appear duplicated. (JPBO40302)
• Fixed a bug that could prevent some calendar features from working in TeamPage customizations. (JPBO40206)
• Fixed a bug related to the interaction of the calendar and the "hide side column" plug-in that could cause an error to be displayed in some cases when collapsing or expanding the side column. (JPBO40105)
Forms
• Fixed a regression introduced in a recent version of TeamPage that prevented some types of selector form fields from using the intended presentation for options. This was known, for example, to affect the "Color" field that appears in the event, task and other forms, by preventing the color swatch from being displayed next to the text of the color name. (Proteus17898)
Other
• Fixed a bug that prevented the copy-to-clipboard function from working properly when clicking the ID that appears when the cursor is placed over an individual paragraph / item. (Proteus17851)
Improvements
Microsoft Active Directory (AD) Integration and other External Directory Services.
Kerberos Authentication
• TeamPage now supports Kerberos for user authentication. This is an alternative to TeamPage's built-in support for NTLMv1, which is considered insecure; and the extra-cost option for NTLMv2, which is also a less secure technology that is being widely phased out in Windows AD environments since at least 2019 (and earlier in many places). Kerberos authentication for AD environments be set up via the user directory configuration editor, but also requires administrative access to the console of at least one Windows domain controller. TeamPage Kerberos support is free with a current TeamPage license. See Support3894: How do I configure TeamPage for Kerberos authentication with Microsoft ActiveDirectory?. (Server100093)
Other
• Improved handling of invalid ActiveDirectory user and group security principal encodings referenced by ACL entries, group member lists or user accounts (i.e., as a user security principal). This includes diagnostic logging, so that it will now be much easier to understand where an invalid GUID is coming from by reviewing TeamPage's logs. (Server100264)
• When migrating principals as part of a user directory migration process, administrators can now elect to invalidate all existing logins. This means that any user who was already logged in will have to log into TeamPage again, but this is appropriate when all active user accounts' security principals are changing. It is probably not appropriate if you are using hybrid user management -- i.e., if you still have some TeamPage user accounts that are bound to native TeamPage user security principals instead of to the security principals of accounts in the external directory service. (Server100342)
Drag-and-Drop support for Traction ID's, Permalinks, and User Names
This release adds new drag-and-drop support for creating TeamPage Permalinks and user names. For more on creating TeamPage links see Doc166: Making Links to Traction Articles.
TeamPage Traction ID Notation
Traction ID notation uses a Space name followed by an Entry number, optionally followed by a dot and an Item ID to symbolically refer to a specific TeamPage Item anywhere in your TeamPage Journal. For example Doc1813.07 refers to the current published value of Item 07 of Entry 1813 in the Doc Space of your TeamPage server. When a Traction ID references a specific item within an entry, that item link remains attached to that Item as the Entry is edited so long as that specific Item isn't deleted. A Traction ID without an Item ID refers to the entire Entry. For example Doc1813.
Drag-and-Drop Item ID
When you scroll over an Item with your web browser, an Item ID floats on the right side of the pop up menu shown below the item. An Item ID looks an integer beginning with 0, preceded by an anchor icon. This number identifies that specific Item within the Entry. Starting with this release you can drag-and-drop the floating Item ID directly from a TeamPage view into an open TeamPage Comment or Rich Text Editor to create a live TeamPage Permalink to that Item of that Entry. You can also click on the Item ID's anchor icon to copy that Item's Traction ID to your system's clipboard (see below)
Copy Item ID or Traction ID to Clipboard
If you click the Item ID's anchor, the Traction ID of that item copied to the clipboard, for example Doc1813.07. This works the same way when you click the anchor icon that follows the Entry ID in an Entry's header line. When you paste this Traction ID into an open TeamPage Comment, or the Rich Text Editor, it's automatically converted into a live two-way TeamPage Permalink to that Item, like this Doc1813.07: Configuring a Content Security Policy for TeamPage.
Drag-and-Drop Permalink reference
If you drag-and-drop a live Permalink reference from a TeamPage view into an open TeamPage Comment or Rich Text Editor, it's also automatically converted in to a live TeamPage link to that Entry.
Drag-and-Drop User Name reference
Automatic conversion also works when you drag-and-drop a TeamPage User Name reference. For example:
When you drag-and-drop Dave Shepperton it becomes the live User Name link: Dave Shepperton
and
When you drag-and-drop Doc1813 it becomes the live Permalink: Doc1813: Configuring a Content Security Policy for TeamPage
Styling Drag-and-Drop Permalinks
You can edit the Permalink after you create it if you want to change its style to show a just a Traction ID without its transcluded title. You can also set your link style preference in Personal Account Settings > Preferences > Editing > Drag-and-Drop Entry Link Style. For more on Permalink styles see Doc509: Making Links with the Link Tool.
HTTP Content Security Policies and Cross-Origin Resource Sharing Policy
• TeamPage now offers the option for administrators to configure policies related to content security and shared resources in web pages. This includes the following policies:
These policies can be configured on the server settings > Network page. These policies can be excellent countermeasures against many types of attacks, but administrators are encouraged to consult the documentation within TeamPage and from external resources (like those linked in the list above) in order ensure a proper understanding of their effects before attempting to apply them. Applying overly aggressive policies may prevent users' browsers from being able to display or otherwise make use of resources that may be important elements in TeamPage content or customizations. See Configuring a Content Security Policy for TeamPage for some important details about configuring CSP. (Server100103 / Server100394)
For Developers
SDK / SDL
• Added support for the clean=true attribute on the journalrequest and entries SDL tags (and any tags derived from these). This is equivalent to creating a "clean" JournalRequest via context.createCleanJournalRequest() as the base JournalRequest used by the tag, instead of starting by copying the current JournalRequest from the SDL evaluation Scope. A "clean" JournalRequest has its sort order set to "none", the space scoping set to all spaces, the time slice set to all time, no search applied, and so forth. Any modifications applied for the base query type or via tag attributes are then applied on top of that "clean" request, just like they would be for a JournalRequest copied from the currently scoped instance. This is appropriate for cases in which, e.g., an entries tag is being used to display results that are independent of the context in which they happen to appear. (Server100347)
• Added User and Project "permalink" SDL tags, such as user.permalink and project.permalink. The generated links aren't permalinks per se, but can be used like permalinks, in that they are simple URLs that will always refer to a user account's profile page or a space's dashboard respectively (or the first view configured in the set of tabs for the target user's preferences or the target space's settings). (Server100324)
Proteus Skin
• Added support for a new type of region in the Proteus skin to make it easy for plug-in authors to set up copy-to-clipboard operations for any text of their choosing. The region key is "y"; the content, confirmation message, etc. are provided via data- attributes. For example, an SDL designer could use the following to generate HTML to set up a copy operation for the text "Hello, world!":
<a href="javascript:" class="copy-to-clipboard"
title="Click me to copy" rg="y#"
data-copytext="Hello, world!" data-conf="Successfully copied some important text.">
<span class="display-text">Hi!</span><i class="hi"></i>
<span class="icon-text">hi</span>
</a>
(The i tags are present to offer opportunities to style with font-awesome icons.) (Proteus17890)
• Added support for custom text to be used when dragging and dropping elements from within TeamPage's Proteus skin. Custom handling is also available for elements representing users and entry IDs so that they become links or references when dragged and dropped into TeamPage's rich text editor. An author of custom SDL only needs to add the following attributes to accomplish these types of customizations, e.g.:
<a href="<htmlattributevalue.encode>__entry.url__</htmlattributevalue.encode>"
data-tractionid="__entry.tractionid__"
data-text="<htmlattributevalue.encode>__entry.titletext__</htmlattributevalue.encode>"
draggable="true"
ondragstart="Proteus.onDragStart(event, this);">__entry.tractionid__</a> -
<span data-text="<htmlattributevalue.encode>__entry.titletext__</htmlattributevalue.encode>"
draggable="true"
ondragstart="Proteus.onDragStart(event, this);">__entry.title__</a>,
by <entry.author><a href="<htmlattributevalue.encode>__user.permalink__</htmlattributevalue.encode>"
data-userhandle="<htmlattributevalue.encode>__user.handle__</htmlattributevalue.encode>"
data-userid="__user.id__" draggable="true"
ondragstart="Proteus.onDragStart(event, this);"</entry.author>
The data-copytext= attribute can also be used, so that when that is present to trigger the Proteus skin's copy region behavior, the same text will automatically be used for the drag-and-drop "text/plain" payload. The data-url= attribute will also be used for the "text/uri-list" payload if present, defaulting to the value of the href= attribute (to avoid having to duplicate a URL/URI in case the element is already an A tag that's serving as a link). (Server100290)
Plug-ins and the Newly Added Support for CSP
To ensure that plug-ins can continue to function properly when administrators apply a Content Security Policy, any plug-ins that rely on scripts, images, fonts, or other resources from servers other than the TeamPage server itself must now declare those dependencies on those other servers in the plugin.properties configuration file. These must be declared by source type. The source types supported by TeamPage at the time of writing are as follows:
- default: anything not covered by other specific source types.
- img: images.
- media: audio and video media.
- script: JavaScript resources.
- connect: use of JavaScript APIs used to make HTTP requests.
- style: CSS stylesheets.
- font: downloadable webfonts.
- object: resources loaded via OBJECT or EMBED tags.
- frame: documents loaded via FRAME or IFRAME tags.
The external_sources_* property namespace is reserved for this purpose, with the source type name completing each property name, e.g., external_sources_default= or external_sources_script=. Here is an example from TeamPage's Google Analytics plug-in configuration file:
# CSP
external_sources_default=https://*.google-analytics.com,https://*.googletagmanager.com
external_sources_script=https://*.google-analytics.com,https://*.googletagmanager.com
Any value supported in the CSP specification (see this reference) is supported here, except special keywords which TeamPage reserves for internal usage. Sources listed in any installed and enabled plug-ins will appear in the CSP configuration interface, as in the examples above.
