Aug 2023 | Kerberos Authentication; Drag-and-Drop Permalinks; Configurable Content Security Policies; Security fixes

Traction® TeamPage Release 6.2.66 includes support for Kerberos authentication with Microsoft Active Directory, new drag-and-drop support for creating TeamPage Permalink and User name references, and TeamPage administrator configurable policies relating to content security and shared resources. The release also includes FullCalendar improvements, a security fix for TeamPage, and integration of an updated Solr search engine which fully resolves its reported security vulnerabilities. The release includes over 135 bug fixes and improvements. See TeamPage Change Log for a description of this release and the point releases it consolidates since Mar 2023 | Improved Kanban, Social Media Sharing, Mobile Device Layout; New Supervised Signatures. Please read on for a consolidated summary.

Improvements

Microsoft Active Directory (AD) Integration and other External Directory Services.

Kerberos Authentication

• TeamPage now has built-in Kerberos support for Microsoft AD on premises user authentication. This is an improved and more secure alternative to TeamPage's built-in support for NTLMv1 and extra-cost support for NTLMv2 to provide Microsoft AD single sign on. TeamPage also offers Microsoft Azure AD Cloud authentication as an extra-cost option to handle unified cloud, hybrid, and on premises authentication. Kerberos authentication for Microsoft AD can be set up using the TeamPage user directory configuration editor, but also requires administrative access to the console of at least one Windows domain controller. TeamPage Kerberos support is free with a current TeamPage license. See Support3894 How do I configure TeamPage for Kerberos authentication with Microsoft ActiveDirectory?.

Other External Directory Services Improvements

• Improved handling of invalid ActiveDirectory user and group security principal encodings referenced by ACL entries, group member lists or user accounts (i.e., as a user security principal). This includes diagnostic logging, so that it will now be much easier to understand where an invalid GUID is coming from by reviewing TeamPage's logs.

• When migrating principals as part of a user directory migration process, administrators can now elect to invalidate all existing logins. This means that any user who was already logged in will have to log into TeamPage again, but this is appropriate when all active user accounts' security principals are changing. It is probably not appropriate if you are using hybrid user management -- i.e., if you still have some TeamPage user accounts that are bound to native TeamPage user security principals instead of to the security principals of accounts in the external directory service.

Drag-and-Drop support for Traction ID's, Permalinks, and User Names

This release adds new drag-and-drop support for creating TeamPage Permalinks and user names. For more on creating TeamPage links see Doc166 Making Links to Traction Articles.

TeamPage Traction ID Notation

Traction ID notation uses a Space name followed by an Entry number, optionally followed by a dot and an Item ID to symbolically refer to a specific TeamPage Item anywhere in your TeamPage Journal. For example Doc1813.07 refers to the current published value of Item 07 of Entry 1813 in the Doc Space of your TeamPage server. When a Traction ID references a specific item within an entry, that item link remains attached to that Item as the Entry is edited so long as that specific Item isn't deleted. A Traction ID without an Item ID refers to the entire Entry. For example Doc1813.

Drag-and-Drop Item ID

When you scroll over an Item with your web browser, an Item ID floats on the right side of the pop up menu shown below the item. An Item ID looks an integer beginning with 0, preceded by an anchor icon. This number identifies that specific Item within the Entry. Starting with this release you can drag-and-drop the floating Item ID directly from a TeamPage view into an open TeamPage Comment or Rich Text Editor to create a live TeamPage Permalink to that Item of that Entry. You can also click on the Item ID's anchor icon to copy that Item's Traction ID to your system's clipboard (see below)

Copy Item ID or Traction ID to Clipboard

If you click the Item ID's anchor, the Traction ID of that item copied to the clipboard, for example Doc1813.07. This works the same way when you click the anchor icon that follows the Entry ID in an Entry's header line. When you paste this Traction ID into an open TeamPage Comment, or the Rich Text Editor, it's automatically converted into a live two-way TeamPage Permalink to that Item.

Drag-and-Drop Permalink reference

If you drag-and-drop a live Permalink reference from a TeamPage view into an open TeamPage Comment or Rich Text Editor, it's also automatically converted in to a live TeamPage link to that Entry.

Drag-and-Drop User Name reference

Automatic conversion also works when you drag-and-drop a TeamPage User Name reference. For example:

• When you drag-and-drop Dave Shepperton it becomes the live User Name link: @shep
• When you drag-and-drop Doc1813 it becomes the live Permalink.

Styling Drag-and-Drop Permalinks

You can edit the Permalink after you create it if you want to change its style to show a just a Traction ID without its transcluded title. You can also set your link style preference in Personal Account Settings > Preferences > Editing > Drag-and-Drop Entry Link Style. For more on Permalink styles see Doc509 Making Links with the Link Tool.

HTTP Content Security Policies and Cross-Origin Resource Sharing Policy

• TeamPage now offers the option for administrators to configure policies related to content security and shared resources in web pages. This includes the following policies:

• Content Security Policy (CSP)
• Cross-Origin Resource Sharing (CORS)
• Cross-Origin Resource Policy (CORP)
• Cross-Origin Embedder Policy (COEP)
• Cross-Origin Opener Policy (COOP)
• Referrer-Policy

These policies can be configured on the server settings > Network page. These policies can be excellent countermeasures against many types of attacks, but administrators are encouraged to consult the documentation within TeamPage and from external resources (like those linked in the list above) in order ensure a proper understanding of their effects before attempting to apply them. Applying overly aggressive policies may prevent users' browsers from being able to display or otherwise make use of resources that may be important elements in TeamPage content or customizations. See Doc1813 Configuring a Content Security Policy for TeamPage for some important details about configuring CSP.

HTTP Server

• Added support for the "Strict-Transport-Security" HTTP response header for TeamPage servers that use TLS (HTTPS). Administrators must opt into this feature by selecting "yes" for the "Send Strict-Transport-Security HTTP Response Header" setting under server settings > Network > Features / Tuning. Administrators can also choose the desired age associated with this header via the "Strict-Transport-Security Maximum" setting.

• Made the "Server" HTTP response header optional. By default, this response header will no longer be sent. To have TeamPage send it, administrators can choose "yes" for the 'Send "Server" HTTP Response Header' setting under server settings > Network > Features / Tuning.

• TeamPage no longer sends the "MIME-version" HTTP response header.

The FullCalendar Plug-in

• Cleaned up some old plug-ins that have been subsumed by the FullCalendar plug-in.

• Added support for optionally displaying the end time of events

• Added support for optionally displaying the containing space, associated project, associated milestone, and tags to calendar items.

Other Improvements

• Made some minor adjustments to the Copy Project form (which is in an optional plug-in), including making the form wider and changing the space selection to be saved as a user preference in order to have it automatically re-selected as the default value if no other default is present the next time the user uses the form.

• The bounce messages sent by TeamPage when it fails to process an incoming message it reads from a mailbox are now clearer and simpler.

Security

We strongly advise on premises TeamPage customers to update their TeamPage and Solr installations as soon as possible. Downloads require a (free) TeamPage Support server account. You will be prompted to log in or create an account when you follow any non-public TeamPage Support server link. TeamPage Solr search requires a paid permanent or subscription TeamPage license. Traction Software has already updated the TeamPage and Solr software used by all TeamPage Cloud customers as soon as these issues were resolved.

TeamPage Security

• Fixed a bug involving failure to sanitize a request parameter of one specific TeamPage View. This could, in limited circumstances, be leveraged by an attacker to create a URL that would cause JavaScript of their choice to be run by the user's browser.

Apache Solr Advanced Search Module Security

These items are related to a vulnerability in Apache Solr registered as CVE-2017-12629. See:

• NVD: nvd.nist.gov/vuln…
• Mitre: cve.mitre.org/cgi…

• TeamPage disables the Apache Solr XML Query parser to guard against exploitation of a vulnerability in some versions of the Solr server software.

• The Apache Solr installers Traction Software offers to customers licensed for the Solr Advanced Search module have been updated to install a version of Solr that fully resolves the reported vulnerabilities.

• TeamPage no longer presents the details of errors from Solr to end users, including server administrators (who can of course review the logs from TeamPage or Solr to discover what may be causing problems with a particular search query).

Bug Fixes

External Directory Service Integration

• Fixed a rare bug that could prevent TeamPage from working properly in certain cases when a reference was included in a TeamPage group to a security principal defined in Microsoft ActiveDirectory, but using an incomplete or otherwise incomplete version of the principal's GUID string. This type of invalid security principal is now handled gracefully. (Administrators should still try to fix invalid references to externally defined security principals, either by replacing them with the correct intended reference, or by removing them completely, as may be applicable.)

• Fixed some problems with TeamPage's support for plain LDAP external user directory service integration that prevented users from logging in.

HTTP Server

• Added support for the "Strict-Transport-Security" HTTP response header for TeamPage servers that use TLS (HTTPS). Administrators must opt into this feature by selecting "yes" for the "Send Strict-Transport-Security HTTP Response Header" setting under server settings > Network > Features / Tuning. Administrators can also choose the desired age associated with this header via the "Strict-Transport-Security Maximum" setting.

• Made the "Server" HTTP response header optional. By default, this response header will no longer be sent. To have TeamPage send it, administrators can choose "yes" for the 'Send "Server" HTTP Response Header' setting under server settings > Network > Features / Tuning.

• TeamPage no longer sends the "MIME-version" HTTP response header.

Entry Queries

• Fixed a bug that prevented TeamPage's native query engine from properly rewriting queries with certain combinations of search expressions. This caused the queries to run slower than necessary. One type of query that was affected was a user profile > Activity > Posts page with a space search filter applied.

File Queries

• Fixed a bug that caused file listings sorted in alphabetical order by name to sometimes be sorted in a case-sensitive manner. The file listings now match the case-insensitive sorting used for file name based alphabetical sorting used for the file listings that appear in Documents views.

Calendar

• Fixed a bug that prevented the choices of colors for holidays in the FullCalendar plug-in from taking effect in the interface.

• Fixed a bug that prevented holidays from being displayed correctly and/or to appear duplicated.

• Fixed a bug that could prevent some calendar features from working in TeamPage customizations.

• Fixed a bug related to the interaction of the calendar and the "hide side column" plug-in that could cause an error to be displayed in some cases when collapsing or expanding the side column.

Forms

• Fixed a regression introduced in a recent version of TeamPage that prevented some types of selector form fields from using the intended presentation for options. This was known, for example, to affect the "Color" field that appears in the event, task and other forms, by preventing the color swatch from being displayed next to the text of the color name.

User and Email Lookup for Invite and Email Forms

This release includes several minor fixes and improvements in how TeamPage handles user input in the Invite form, and in forms like the Email Articles and Email Reply forms where email address fields are present.

• Fixed various issues that could, in some cases, prevent TeamPage from correctly processing user-supplied email addresses in the invite form. This might prevent the invitation from being sent to some of the targeted invitees.

• Fixed various issues with the Invite form's user field and the To, Cc and Bcc fields in various email forms to correctly handle the user typing or pasting text that represents one or more email addresses with optional "friendly" display names. In these cases, TeamPage will now correctly generate suggestions based on separate searches or matches for the email address and the name; and if the user elects to use the values that they've typed or pasted, without using the server's suggestions, each separate email will be added separately, and the display text for each separate option will correctly use the associated "friendly" display name, if any.

Other Bug Fixes

• Fixed a bug that prevented the copy-to-clipboard function from working properly when clicking the ID that appears when the cursor is placed over an individual paragraph / item.

• Fixed a bug that could cause minor layout problems in the user profile > Notifications > Watch List view.

• Fixed a bug that caused a series of confirmation dialogs to get stuck in a loop when TeamPage identified a file: URL had been used as the source of an image in the rich text editor. TeamPage now skips that warning altogether, but users can clearly see that if they try include an image from a file: URL, it will appear as broken in the editor. Users who end up with a file: URL reference in an image -- most likely as the result of pasting an image in certain browsers -- should instead drag and drop the desired image (or otherwise upload it using the insert image dialog or the attachment upload control) instead of trying to correctly attach the local file to the entry.

• Fixed a bug that could prevent a user from commenting on an entry that was in the draft state, even if they had the permissions required to do so.

• Fixed a bug that prevented users using the built-in Visitor account from seeing images they may have uploaded and inserted into the content a comment or other entry after the uploads completed. The uploads would be accepted, but the user would be improperly prompted to log in when the browser tried to show the image in the rich text editor.

• Fixed an issue that prevented TeamPage from correctly observing the "Personal Calendar Events" user preferences "Show events related to projects in which you are an Owner or a Member" and "Show events related to projects in which there is a task assigned to you".

• Fixed an issue which could, in some browsers, cause the title and checkbox of an entry in a task list to appear in the wrong location.

• Fixed a bug that prevented the error message from being displayed when TeamPage sends an error page to the user. The error message was still embedded in the page, but was not visible.

• Fixed a bug in TeamPage's forms toolkit that could, in certain unusual cases, prevent a form save operation from working when certain input (such as the name of a selected Space) contained non-ASCII characters.

• Fixed a minor issue with the HTML layout of the search skin generate pages for search engines and other automated systems. This issue could cause some text in the details block that appears at the bottom of the HTML page to run together.

• Fixed a bug in TeamPage's user search code that could, in certain cases, prevent a matching user from being found when searching for a user account by their security principal for a user account that uses the built-in "Traction" security principal (instead of a principal from an external directory service).

• Fixed a bug that prevented TeamPage from generating the requested Text-only version of entries for the Email Articles feature, when the user requested either "Both" or "Text-only" for the format of the message.

• Fixed a bug that could prevent filtering from working properly if the query text contained wildcards (e.g., a prefix match such as foo*).

• Fixed a problem with the layout of the "Work in Progress" box that appears in the side column of most pages that caused the work in progress icon and title to appear on separate lines.

• Fixed some issues that could, in certain cases, prevent some form field controls from correctly displaying selected values due to improper handling of the associated display text.

• Restored the margin around the checkbox for each milestone in a Tasks > Milestones view, which was accidentally removed in a recent release.

For Developers

SDK / SDL

• Added support for the clean=true attribute on the journalrequest and entries SDL tags (and any tags derived from these). This is equivalent to creating a "clean" JournalRequest via context.createCleanJournalRequest() as the base JournalRequest used by the tag, instead of starting by copying the current JournalRequest from the SDL evaluation Scope. A "clean" JournalRequest has its sort order set to "none", the space scoping set to all spaces, the time slice set to all time, no search applied, and so forth. Any modifications applied for the base query type or via tag attributes are then applied on top of that "clean" request, just like they would be for a JournalRequest copied from the currently scoped instance. This is appropriate for cases in which, e.g., an entries tag is being used to display results that are independent of the context in which they happen to appear.

• Added User and Project "permalink" SDL tags, such as user.permalink and project.permalink. The generated links aren't permalinks per se, but can be used like permalinks, in that they are simple URLs that will always refer to a user account's profile page or a space's dashboard respectively (or the first view configured in the set of tabs for the target user's preferences or the target space's settings).

• Added the following methods to com.traction.sdk.SdkFactory:

• User createUserFromPrincipalEncoding(String principalEncoding)
• Principal createPrincipal(Context context, String principalEncoding)

This avoids having to use the UnifiedSearch interface to perform these types of mappings from within the public SDK. (Server99718)

• Added the SDL tags entry.thumbnail.image.url, entry.thumbnail.image.width and entry.thumbnail.image.height so that an entry's thumbnail can be referenced other than by generating an IMG tag (via entry.thumbnail.html.image). (Server99727)

Proteus Skin

• Added support for a new type of region in the Proteus skin to make it easy for plug-in authors to set up copy-to-clipboard operations for any text of their choosing. The region key is "y"; the content, confirmation message, etc. are provided via data- attributes. For example, an SDL designer could use the following to generate HTML to set up a copy operation for the text "Hello, world!":

<a href="javascript:" class="copy-to-clipboard" 
    title="Click me to copy" rg="y#" 
    data-copytext="Hello, world!" data-conf="Successfully copied some important text.">
    <span class="display-text">Hi!</span><i class="hi"></i>
    <span class="icon-text">hi</span>
  </a>

(The i tags are present to offer opportunities to style with font-awesome icons.)

• Added support for custom text to be used when dragging and dropping elements from within TeamPage's Proteus skin. Custom handling is also available for elements representing users and entry IDs so that they become links or references when dragged and dropped into TeamPage's rich text editor. An author of custom SDL only needs to add the following attributes to accomplish these types of customizations, e.g.:

<a href="<htmlattributevalue.encode>__entry.url__</htmlattributevalue.encode>" 
data-tractionid="__entry.tractionid__" 
data-text="<htmlattributevalue.encode>__entry.titletext__</htmlattributevalue.encode>" 
draggable="true" 
ondragstart="Proteus.onDragStart(event, this);">__entry.tractionid__</a> - 
<span data-text="<htmlattributevalue.encode>__entry.titletext__</htmlattributevalue.encode>" 
draggable="true" 
ondragstart="Proteus.onDragStart(event, this);">__entry.title__</a>, 
by <entry.author><a href="<htmlattributevalue.encode>__user.permalink__</htmlattributevalue.encode>" 
data-userhandle="<htmlattributevalue.encode>__user.handle__</htmlattributevalue.encode>" 
data-userid="__user.id__" draggable="true" 
ondragstart="Proteus.onDragStart(event, this);"</entry.author>

The data-copytext= attribute can also be used, so that when that is present to trigger the Proteus skin's copy region behavior, the same text will automatically be used for the drag-and-drop "text/plain" payload. The data-url= attribute will also be used for the "text/uri-list" payload if present, defaulting to the value of the href= attribute (to avoid having to duplicate a URL/URI in case the element is already an A tag that's serving as a link).

Plug-ins and the Newly Added Support for CSP

To ensure that plug-ins can continue to function properly when administrators apply a Content Security Policy, any plug-ins that rely on scripts, images, fonts, or other resources from servers other than the TeamPage server itself must now declare those dependencies on those other servers in the plugin.properties configuration file. These must be declared by source type. The source types supported by TeamPage at the time of writing are as follows:

• default: anything not covered by other specific source types.
• img: images.
• media: audio and video media.
• script: JavaScript resources.
• connect: use of JavaScript APIs used to make HTTP requests.
• style: CSS stylesheets.
• font: downloadable webfonts.
• object: resources loaded via OBJECT or EMBED tags.
• frame: documents loaded via FRAME or IFRAME tags.

The external_sources_* property namespace is reserved for this purpose, with the source type name completing each property name, e.g., external_sources_default= or external_sources_script=. Here is an example from TeamPage's Google Analytics plug-in configuration file:

# CSP
external_sources_default=https://*.google-analytics.com,https://*.googletagmanager.com
external_sources_script=https://*.google-analytics.com,https://*.googletagmanager.com

Any value supported in the CSP specification (see this reference) is supported here, except special keywords which TeamPage reserves for internal usage. Sources listed in any installed and enabled plug-ins will appear in the CSP configuration interface, as in the examples above.

Related

Mar 2023 | Improved Kanban, Social Media Sharing, Mobile Device Layout; New Supervised Signatures

Mar 2021 | Microsoft Azure AD Cloud support for cloud and on-premises authentication and user management; Impi! Coaching and Mentoring support

The Work Graph Model: TeamPage style Understand how TeamPage connects people and their work.

A Fabric, not a Platform Making work actionable as well as observable: Objects, context, conversation, connection.