* If set to 'modify', authentication is required to modify the wiki.
* If set to 'read', authentication is required to view the wiki.
* If set to 'none', authentication is never required, and pages can be edited anonymously.

API changes:
* currentUser moved to Authentication module
* requireAuthentication added to Config
* Added AuthenticationLevel type
* requireUser renamed authenticate, parameter for AuthenticationLevel added; requireUserThat renamed authenticateUserThat
…a meaningful error message
+ Added Network.Gitit.Feed module (heavily modified from preliminary version by gwern).
+ Added feed handlers:
  - sitewide: /_feed
  - per-page: /_feed/path/to/page
+ Added caching for feeds (with a configurable expiration time).
+ Added use-feed, base-url, wiki-title, feed-days, and feed-refresh-time options to config file (and useFeed, baseUrl, wikiTitle, feedDays, and feedRefreshTime to Config record).
+ A POST request to /_expire/page/url will expire the page. The previous method allowed an arbitrary path to be passed in the pageName parameter, potentially allowing deletion of files outside the cache directory. This isn't possible with the new method, since page URLs cannot contain '..'.
+ Encode all unicode pagenames when they occur in URLs.
+ Don't show 'revision=' in links if revision is empty.
+ Eliminated unneeded 'nothead' attribute.
+ Now the currently logged in user is taken from the REMOTE_USER request header.
+ This can be set externally (as by mod_auth_cas) or by a gitit filter that runs before the other wiki handlers.
+ This gitit filter, withUser, is set in config and will differ depending on whether we're using form authentication (in which case the user will be extracted from a session) or HTTP authentication (in which case it will be extracted from the "authorization" request header). (When we're using gitit with an external system that sets REMOTE_USER, we can set this to id.)
+ Config also specifies authHandler, which includes handlers for URLs like _login and _logout. This can be set to use the form-based authentication handlers or a pared-down logout handler for HTTP authentication.
+ The requireUser combinator checks that a user is logged in before running a handler; if not, we divert to the _login page with a 'destination' parameter with the URL to return to. This replaces the old ifLoggedIn.
+ A GET parameter is now used for 'destination', rather than a cookie. Also, we try not to rely on 'referer' except as a fallback.
+ Config sets these appropriately.
+ They can be specified in a calling program.
+ The login/out box is no longer hidden when non-form authentication is used.
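
The /_expire change above closes a path traversal in cache expiry. The following sketch is an added example, not gitit's source: it contrasts joining a caller-supplied pageName to the cache directory unchecked with a name taken from the URL and refused when it could leave that directory. The names cacheDir, cachePathFromParam and cachePathFromUrl are hypothetical, the empty-name, absolute-path and "." checks are assumptions beyond the '..' rule the entry states, and POSIX path separators are assumed.

```haskell
-- Added illustration; not gitit's source. cacheDir and both function
-- names are hypothetical.
import System.FilePath ((</>), isAbsolute, splitDirectories)

cacheDir :: FilePath
cacheDir = "cache"

-- Old shape: the request's pageName parameter is joined to the cache
-- directory unchecked, so the result can point anywhere on disk.
-- Note that (</>) returns its right operand alone when it is absolute.
cachePathFromParam :: String -> FilePath
cachePathFromParam pageName = cacheDir </> pageName

-- New shape: the name comes from the URL after /_expire/ and is refused
-- if it is empty, absolute, or has a "." or ".." segment (assumed checks).
cachePathFromUrl :: String -> Maybe FilePath
cachePathFromUrl page
  | null page                     = Nothing
  | isAbsolute page               = Nothing
  | any (`elem` [".", ".."]) segs = Nothing
  | otherwise                     = Just (cacheDir </> page)
  where segs = splitDirectories page

-- Constructed sample inputs: two ordinary page names, three that escape.
samples :: [String]
samples =
  [ "Front Page", "docs/Install"
  , "../outside.txt", "docs/../../outside.txt", "/tmp/outside.txt" ]

main :: IO ()
main = mapM_ report samples
  where
    report p = putStrLn $
      show p ++ "\n  unchecked: " ++ cachePathFromParam p
             ++ "\n  checked:   " ++ show (cachePathFromUrl p)
```

Only a `Just` result should ever reach the file-deletion call; a `Nothing` is better answered with an error than silently ignored, so that probing requests show up in logs.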