v3.2.3

⚠️ Security fixes

• Sanitize HTML in global announcement messages
• Update cryptography library due to vulnerabilities in OpenSSL (CVE-2023-0286)
• Update werkzeug library due to a potential Denial of Service vulnerability (CVE-2023-25577)

Note: The risk of malicious HTML (e.g. scripts) in the global announcement is minimal as only Indico administrators can set such an announcement anyway. However, in the unlikely case that an administrator becomes malicious or is compromised, they would have been be able to perform XSS against their Indico instance.

🎉 Improvements

• Include co-authors in abstract list columns and spreadsheet exports (#5605)
• Include speakers in abstract list columns and spreadsheet exports (#5615)
• Add an option to export all events in a series to ical at once (#5617, #5620)
• Make it possible to load more events in series management (#5629)
• Check manually entered email addresses of speakers/authors/chairpersons to avoid collisions and inconsistencies (#5478)
• Add option to use review track as accepted track when bulk-accepting abstracts (#5608)
• Add setting to only allow managers to upload attachments to events and contributions (#5597)
• Support Markdown when writing global announcement and apply standard HTML sanitization to the message (#5640)
• Add BCC field on contribution email dialogs (#5637)
• Allow filtering by location in room booking (#4291, #5622, thanks @mindouro)
• Add button to adapt column widths in paper & contribution lists (#5642)
• Add event language settings to set default and additional languages (#5606, #5607, thanks @vasantvohra)
• Fail nicely when trying to import an event from another Indico instance (#5619, #5653)
• Add option to send reminders to invited registrants who have not yet responded (#5579, #5654)
• Hide the top box with the latest files of an editable until it has been accepted and published (#5660, #5665)
• Allow uploading files when requesting changes on the editing timeline (#5612)
• Add locked_fields to the identity provider settings in indico.conf to prevent non-admin users from turning off their profile's personal data synchronization (#5648)
• Add an option to sync event persons with users (#5677)
• Disallow repeated filenames in editing revisions (#5681)
• Add setting to hide peer-reviewed papers from participants even after they have been accepted (#5666, #5671)
• Prevent concurrent assignment of editors to editables (#5684)
• Add color labels to the filter dropdown (#5675, #5680)

🐛 Bugfixes

• Correctly show contribution authors in participant roles list (#5603)
• Disable Sentry trace propagation to outgoing HTTP requests (#5604)
• Include token in notification emails for private surveys (#5618)
• Fix some API calls not working with personal access tokens (#5627)
• Correctly handle paragraphs and linebreaks in plaintext conversion (#5623)
• Send manager notifications and email participant if they withdraw from an event (#5633, #5638, thanks @kewisch)
• Do not break registrations with purged accommodation fields (#5641, #5643)
• Do not show blocked rooms as available on the very last day of the blocking (#5663)
• Do not show blocked rooms as available for admins unles they have admin override mode enabled (#5663)
• Fix roles resetting to the default ones when editing person data in an abstract or contribution (#5664)
• Correctly show paragraphs in CKEditor fields (#5624, #5656, thanks @kewisch)
• Fix empty iCal file being attached when registering for a protected event (#5688)

🔧 Internal Changes

• Add rh.before-check-access signal (#5639, thanks @OmeGak)
• Add indico celery --watchman ... to run Celery with the Watchman reloader (#5667)
• Allow overriding the cache TTL for remote group membership checks (#5672)
• Allow a custom editing workflow service to mark new editables as ready-for-review without creating a new replacement revision (#5668)
• Update Python dependencies (#5689)