Plone 2.5.1 - September 20, 2006
================================

The following is a list of important things to note when installing or upgrading
to Plone 2.5.1:

* The recommended Zope version for this release is now 2.9.5+ (which is not yet
  released).  It will work out of the box with Zope 2.9.4, and can be used with
  Zope 2.8.7 by replacing the included ``Five`` product with the latest `Five
  1.2.x release <http://codespeak.net/z3/five>`_.  **Note: This has changed from
  the previous release.**

* When used with Zope 2.9.5+, the included ``Five`` product should be removed,
  as a newer version is included with Zope.

* This release includes a number of important fixes addressing cross-site
  scripting vulnerabilities in user-uploaded content, including member
  portraits.  Details on the issues and steps for cleaning up any existing
  content exploiting the member portrait issue can be found in the document
  `How to clean up link spam on your site
  <http://plone.org/documentation/how-to/clean-up-link-spam-on-your-site>`_.

* **This release requires PIL (the Python Imaging Library) due to the member
  portrait bugfix.  You must install it before starting Plone.**

* PIL is included in the installers, and is available from most Linux
  distributions.  It can be `downloaded from the PIL site
  <http://www.pythonware.com/products/pil/>`_ or installed using the command
  ``easy_install -f http://www.pythonware.com/products/pil/ Imaging``
  if you have the Python setuptools and necessary PIL dependencies installed.

* Sites which have migrated from Plone 2.1.x and had local roles assigned to
  groups in parts of the portal may find that those roles are now invalid
  because they have the previously mandatory ``group_`` prefix.  There is an
  ``External Method`` included with Plone 2.5.1 which will reassign these roles
  to the proper groups.  You may run this method on the portal to clean up any
  folders or objects with invalid group roles.  You should not use this method
  if you have groups on your site that are intentionally named with a
  ``group_`` prefix.  The following are the steps needed to apply this
  ``External Method`` to the portal:

    1) Go to the ZMI for your portal and select ``External Method`` from the
       ``Add`` dropdown menu.

    2) Use ``stripGRUFLocalRolePrefix`` for the id, ``Strip Local Role
       Group Prefixes`` for the title, ``CMFPlone.stripGRUFLocalRolePrefix``
       for the module name, and ``do`` for the function name.

    3) Click the ``Save Changes`` button.

    4) Click the ``Test`` tab at the top of the screen.
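
A dry-run check for the caveat above, as an added example that is not the ``External Method`` shipped with Plone and not CMFPlone code. It models local roles as plain dictionaries (the shape of Zope's ``__ac_local_roles__`` mapping) and reports which ``group_``-prefixed entries would be reassigned and which belong to real groups or match no group. The function name, the sample data and the rule of merging roles into the un-prefixed entry are assumptions.

```python
PREFIX = "group_"  # prefix that was mandatory for group ids in Plone 2.1.x


def plan_prefix_strip(local_roles_by_path, known_groups):
    """Return (changes, skipped) without modifying anything.

    local_roles_by_path: {path: {principal_id: [role, ...]}}
    known_groups: ids of the groups that exist after the migration.
    Hypothetical helper for illustration; not part of Plone.
    """
    changes, skipped = [], []
    for path in sorted(local_roles_by_path):
        roles_map = local_roles_by_path[path]
        for principal in sorted(roles_map):
            if not principal.startswith(PREFIX):
                continue  # users and un-prefixed groups are left alone
            if principal in known_groups:
                # A group intentionally named group_*: the role is valid
                # and stripping the prefix would hand it to someone else.
                skipped.append((path, principal, "real group with prefix"))
                continue
            target = principal[len(PREFIX):]
            if target not in known_groups:
                # Stale entry: nothing to reassign it to, review by hand.
                skipped.append((path, principal, "no matching group"))
                continue
            # Assumption: roles are merged with any the target already has.
            merged = set(roles_map[principal]) | set(roles_map.get(target, []))
            changes.append((path, principal, target, sorted(merged)))
    return changes, skipped


# Constructed sample data, not taken from a real site.
SAMPLE_ROLES = {
    "/site/intranet": {"group_staff": ["Reviewer"], "staff": ["Member"],
                       "alice": ["Owner"]},
    "/site/projects": {"group_admins": ["Manager"],
                       "group_ghosts": ["Reviewer"]},
}
SAMPLE_GROUPS = {"staff", "group_admins"}

if __name__ == "__main__":
    planned, left = plan_prefix_strip(SAMPLE_ROLES, SAMPLE_GROUPS)
    for row in planned:
        print("reassign", row)
    for row in left:
        print("leave   ", row)
```

Any ``real group with prefix`` row in the output means the site falls under the caveat above and the cleanup method should not be run as is.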

Plone 2.5 - June 17, 2006
=========================

The following is a short summary of changes in Plone 2.5 which may impact
existing deployments or products:

* The main_template and various portlets look up and call various Zope 3-style
  views.  This means that any object which needs to be viewed through the
  Plone interface (i.e. using some template that inherits main_template),
  will need to be made traversable via the Five zcml declaration::

    <five:traversable class="dotted.path.to.class" />

  Fortunately, the most common base classes (OFS.Folder.Folder and
  OFS.SimpleItem.SimpleItem) have already been marked traversable.  This means
  that nearly all persistent objects, including all AT types, will have no
  issues.  Products using non-persistent objects which need in-Plone views,
  or custom persistent objects which don't inherit (directly or indirectly)
  from one of the above listed classes, will need to make this declaration.
  This requirement will go away in Plone 3.0 because it will no longer be
  needed for Zope 2.10.

* Plone 2.5 now uses the GenericSetup Product for portal creation.  The
  preferred method for 3rd-party products to make customizations to the
  portal is also using GenericSetup.  Unfortunately, the dramatic changes
  required to transition to this new technology have made it impossible to
  continue supporting the prior means of portal customization using
  Customization Policies.  We feel the advantages provided by GenericSetup
  (customizable XML based portal setup, configuration import/export) far
  outweigh this unfortunate loss.  However, very little work is needed to
  make your existing Customization Policies work as GenericSetup extension
  profiles; this will provide the same functionality.  Instructions for doing
  so are available in Rob Miller's excellent `Tutorial on GenericSetup and
  Plone <http://plone.org/documentation/tutorial/understanding-and-using-genericsetup-in-plone>`_.

* Plone 2.5 now handles user/member management using the Pluggable
  Authentication Service (PAS) via the product PlonePAS.  This provides a lot
  of additional flexibility for integrators to use heterogeneous sources for
  authentication, user info, group info, role assignments, and other
  authentication and membership related information.  As a result, existing
  products which depend heavily on the occasionally byzantine internals of the
  former standard authentication product (GRUF) are likely to no longer work
  with Plone.  These products include CMFMember, GRUFSpaces, Teamspaces, and
  likely a few others.  There is an unsupported option to allow existing
  instances which use these products to migrate to Plone 2.5 without
  installing PlonePAS; this may allow you to obtain some of the benefits of
  Plone 2.5 without having to throw out existing work.  To use this option
  you must set an environment variable in your shell before starting your
  Zope instance to perform the Plone migration.  The environment variable is
  ``SUPPRESS_PLONEPAS_INSTALLATION`` and must be set to ``YES``.  Work on
  compatible updates/replacements for these important products is underway.
