Indico Versions

Indico - A feature-rich event management system, made @ CERN, the place where the Web was born.

v3.3.2

1 month ago

:tada: Improvements

  • Use more verbose page titles in management/admin areas (#6300)
  • Prioritize exact matches when searching for users (#6254)
  • Show document templates from non-parent categories and other events for cloning as long as the user has management access (#6232)
  • Warn about conflicts from concurrent edits of minutes (#3410, #6193)
  • Include up to two months (up from one week) of past events in dashboard iCal export (#6304)

:bug: Bugfixes

  • Fix adding additional event keywords when some keywords have already been set (#6264, thanks @SegiNyn)
  • Fix overlapping times in some room booking timelines when using a locale with a 12-hour time format (#6263)
  • Fix error when printing badges referencing a linked regform picture field that contains no picture (#6276)
  • Fix error when creating a reminder for exactly one week before the event (#6283)
  • Fix error when unassigning the editor of an editable that has no editor (#6284)
  • Fix error when judging an editable from the list of editables (#6284)
  • Fix validation error when using a mailto: link in an email body (#6286)
  • Clear the flags indicating that registrations or a registration form field have been purged when cloning an event (#6288)
  • Use English locale when formatting dates for room booking log entries (#6295)
  • Fix date validation in room booking failing in certain timezones

:wrench: Internal Changes

  • Allow plugins to fully replace the data in a ticket QR code with a custom string instead of just modifying/extending the JSON dict (#6266)
  • Replace deprecated pkg_resources with importlib from standard library (#6272, #6273, thanks @maxnoe)

v3.3.1

1 month ago

:bug: Bugfixes

v3.3

1 month ago

:warning: Linux versions & Python 3.12 :snake:

This release moves from Python 3.9 to Python 3.12. 🐍 It also drops support for legacy (and nearly end-of-life) operating systems, in particular CentOS 7.

Because of this, make sure to read the 3.x to 3.3 upgrade guide if you plan to upgrade an existing instance.

If you need any help with the upgrade after reading the docs, don't hesitate to ask in our forum.

:trophy: Major Features

  • A new "Document Templates" module was added which supports the generation of fully customizable PDF documents for event participants such as receipts and certificates of attendance.
  • The Room Booking module now supports recurring bookings that repeat on specific weekdays. For example, a room can be booked every Monday and Wednesday over a set period of time.
  • Badge and ticket templates can now be linked to a registration form. This makes it possible to reference custom registration fields when creating the template.
  • The existing Indico Check-in app has been completely rewritten as a PWA (Progressive Web App). Please note that the old Check-in app has been deprecated and is not compatible with the new version of Indico. The new app can be found here.
  • A new badge/ticket setting has been added which, when enabled, makes it possible to print badges and/or tickets for accompanying persons in addition to the main registrant.
  • Users can now export all their data stored in Indico. This includes personal data and any data they are linked to such as registrations, minutes and files uploaded to Indico.
  • Users can now be anonymized in Indico; this means that all personal identifiers associated with a user will be removed from Indico, whilst only keeping the data that is required for Indico to function properly, in an anonymized manner. This operation can only be performed by Indico system administrators through the indico command-line interface.
  • Administrators now have the option to require users to accept the Terms of Use during signup and after the terms have been updated.
  • Event managers can require participants to accept the event's Privacy Policy when registering.
  • Event tickets can now be added to Google Wallet using the new experimental Google Wallet integration. You can enable this feature using the ENABLE_GOOGLE_WALLET config setting and then configure it on the category level.
  • The category calendar view has been improved with new week/day views and new filtering options for category, venue, room or keywords.
  • Managers can now change the registration fee for selected registrations in bulk.
  • Lots of new accessibility improvements, including improved keyboard navigation, better color contrast, and better screen reader support.

:flags: Internationalization

  • New locale: English (Canada) (#6063, thanks @omegak)

:tada: Improvements

  • Invalidate password reset links once the password has been changed (#5878)
  • Add full ACLs for custom conference menu items, instead of just being able to restrict them to speakers or registrants (#5670, thanks @kewisch)
  • Make editing timeline display much more straightforward (#5674)
  • Allow event managers to delete editables from contributions (#5778, #5892)
  • Allow room managers to add internal notes to bookings (#5746, #5791)
  • Support generating tickets and badges for each of the registrant's accompanying persons (#5424)
  • Add keyboard shortcut (CTRL-SHIFT-A) to toggle room booking admin override (#5909)
  • Improve login page UI, allow overriding the logo URL (LOGIN_LOGO_URL config option) and using custom logos for auth providers (logo_url in the auth provider settings) (#5936, thanks @openprojects)
  • Show only active registration counts on the registration form management dashboard, and add an inactive registration count to the registration list (#5990)
  • Store creation date of users and show it to admins (#5957, thanks @vasantvohra)
  • Add option to hide links to Room Booking system for users who lack access (#5981, thanks @SegiNyn)
  • Support weekly room bookings that take place on multiple weekdays (#5829, #6000, #5806)
  • Hide events marked as invisible from builtin search results unless the user is a manager (#5947, thanks @openprojects)
  • Support sessions that expire at a certain date (specified by the used flask-multipass provider) regardless of activity when using an external login method (#5907, thanks @cbartz)
  • Allow configuring future months threshold for categories (#2984, #5928, thanks @kewisch)
  • Allow editors to edit their review comments on editables (#6008)
  • Auto-linking of patterns in minutes (e.g. issue trackers, GitHub repos...) (#5998)
  • Log editor actions in the Editing module (#6015)
  • Grant subcontribution speakers submission privileges by default in newly created events (#5905, #6025)
  • Stop overwhelmingly showing past events in the 'Events at hand' section in the user dashboard (#6049)
  • Add document templates to generate PDF receipts, certificates, and similar documents for event participants (#751, #5060, #6246, #5123, #6078, #6250)
  • Show which persons are external in the user search dialog (#6074)
  • Add feature for users to export all data linked to them (#5757)
  • Add Outlook online calendar button to share widget (#6075, #6077)
  • Remove Facebook and Google+ share widgets and make Twitter share button privacy-friendly (#6077)
  • Do not bother people registering using an invitation link with a CAPTCHA (#6095)
  • Add option to allow people to register using an invitation link even if the event is restricted (#6094)
  • Improve editing notifications emails (#6027, #6042, #6154)
  • Add a picture field for registration forms which can use the local webcam to take a picture in addition to uploading one, and also supports cropping/rotating the picture (#5922, thanks @SegiNyn)
  • Use a more compact registration ticket QR code format which is faster to scan and less likely to fail in poor lighting conditions (#6123)
  • Add a legend to the category calendar, allowing events to be filtered by category, venue, room or keywords (#6105, #6106, #6128, #6148, #6149, #6127, #6110, #6158, #6183, thanks @Moliholy, @unconventionaldotdev)
  • Allow configuring a restrictive set of allowed keywords (#6127, #6183, thanks @Moliholy, @unconventionaldotdev)
  • Add week and day views in the category calendar and improve navigation controls (#6108, #6129, #6107, #6110, thanks @Moliholy, @unconventionaldotdev)
  • Add the ability to clone privacy settings (#6156, thanks @SegiNyn)
  • Add option for managers to change the registration fee of a set of registrations (#6132, #6138)
  • Add setting to configure whether room bookings require a reason (#6150, #6155, thanks @Moliholy, @unconventionaldotdev)
  • Add a "Picture" personal data field to registrations. When used, it allows including the picture provided by the user on badges/tickets (#6160, thanks @vtran99)
  • Support ~~text~~ to strike-out text in markdown (#6166)
  • Add experimental support for creating Google Wallet tickets (opt-in via ENABLE_GOOGLE_WALLET indico.conf setting) (#6028, thanks @openprojects)
  • Add option to exceptionally grant registration modification privileges to some registrants (#5264, #6152, thanks @Thanhphan1147)
  • Add option to require users to agree to terms during signup or after they have been updated (#5923, #5925, thanks @kewisch)
  • Add indico user delete CLI to attempt to permanently delete a user (#5838)
  • Add indico user anonymize CLI to permanently anonymize a user (#5838)
  • Add possibility to link room reservations to multiple events, session blocks and contributions (#6113, #6114, thanks @omegak, @unconventionaldotdev)
  • Store editable list filters in the browser's local storage (#6192)
  • Take visibility restrictions into account in the atom feed (#5472, thanks @bpedersen2)
  • Allow linking badge templates to registration forms in order to use custom fields in them (#6088)
  • Allow filtering the list of editables by tags (#6195, #6197)
  • Warn users with a dialog before their session expires and let them extend it (#6026, thanks @SegiNyn)

:bug: Bugfixes

  • Prevent room booking sidebar menu from overlapping with the user dropdown menu (#5910)
  • Allow cancelling pending bookings even if they have already "started" (#5995)
  • Disallow switching the repeat frequency of an existing room booking from weekly to monthly or vice versa (#5999)
  • Ignore deleted fields when computing the number of occupied slots for a registration (#6035)
  • Show the description of a subcontribution in conference events (#5946, #6056)
  • Only block templates containing a QR code via is_ticket_blocked (#6062)
  • Use custom map URL in event API if one is set (#6111, thanks @stine-fohrmann)
  • Use the event timezone when scheduling call for abstracts/papers (#6139)
  • Allow setting registration fees larger than 999999.99 (#6172)
  • Populate fields such as first and last name from the multipass login provider (e.g. LDAP) during sign-up regardless of synchronization settings (#6182)
  • Hide redundant affiliations tooltip on the Participant Roles list (#6201)
  • Correctly highlight required "yes/no" registration form field as invalid (#6109, #6242)
  • Include comments in the Paper Peer Reviewing JSON export (#6253)
  • Fail with a nicer error message when trying to upload a non-UTF8 CSV file (#6085, #6259)
  • Do not include unnecessary user data in JSON exports (#6260)

:wheelchair: Accessibility

  • Include current language in page metadata (#5894, thanks @foxbunny)
  • Make language list accessible (#5899, #5903, thanks @foxbunny)
  • Add accessible label to the main page link (#5934, #5935, thanks @foxbunny)
  • Add bypass block links (#5932, #5939, thanks @foxbunny)
  • Make search fields more accessible (#5948, #5950, thanks @foxbunny)
  • Make search result status messages more accessible (#5949, #5950, thanks @foxbunny)
  • Make search results tabs accessible (#5964, #5965, thanks @foxbunny)
  • Make timezone list accessible (#5908, #5914, thanks @foxbunny)
  • Make "Skip access checks" checkbox in search keyboard-accessible (#5952, #5953, thanks @foxbunny)
  • Prevent icons from being announced to screen readers as random characters (#5985, #5986, thanks @foxbunny)
  • Add proper labels to the captcha play and reload buttons (#6064, #6080, thanks @foxbunny)
  • Associate form labels with form controls in the registration form (#6059, #6073, #6076, thanks @foxbunny)
  • Make dropdown menu fully accessible (#5896, #5897, thanks @foxbunny)
  • Improve registration form color contrast and font sizes (#6098, thanks @foxbunny)

:wrench: Internal Changes

  • Support and require Python 3.12 - older Python versions are no longer supported (#5978, #6249)
  • Use (dart-)sass instead of the deprecated node-sass/libsass for CSS compilation (#5734)
  • Add event.is_field_data_locked signal, allowing plugins to lock registration form fields on a per-registration basis (#5424)
  • Replace WYSIWYG (rich-text) editor with TinyMCE, due to the license and branding requirements of the previous editor (#5938)
  • Add a new Indico design system (#5914, thanks @foxbunny)
  • Add event.registration_form_field_deleted signal, allowing plugins to handle the removal of registration form fields (#5924)
  • Add a tool bin/management/icons_generate.py to generate CSS for icomoon icons based on selection.json (#5986, thanks @foxbunny)
  • Pass form class arguments to core.add_form_fields signal handlers (#6020, thanks @vtran99)
  • Remove watchman reloader support, use watchfiles instead (#5978)
  • Improve indico i18n CLI to support plugin-related i18n operations (#5906, #5961, thanks @SegiNyn)
  • Use ruff for linting Python code (#6037)
  • Add <ind-menu> custom element for managing drop-down menus (#5896, #5897, thanks @foxbunny)
  • Allow plugins to add extra fields to the room booking form (#6126, thanks @VojtechPetru)

v3.2.9

3 months ago

:warning: Security fixes

  • Update Werkzeug library due to a DoS vulnerability while parsing certain file uploads (CVE-2023-46136)
  • Fix registration form CAPTCHA not being fully validated (#6096)

:tada: Improvements

  • Add placeholders for accompanying persons to the badge/ticket designer (#6033)

:bug: Bugfixes

  • Fix meeting timetable not showing custom locations when all top-level timetable entries are session blocks inheriting the custom location from its session (#6014)
  • Always show exact matches when searching for existing videoconference rooms to attach to an event (#6022)
  • Include materials linked to sessions in the material package (#6024)
  • Use the correct locale when sending email notifications to others in an event (#5987, #6021)
  • Fix the author/speaker selector (e.g. for abstracts) breaking when submitting the form and getting a validation error (#6043, #6053)
  • Do not cancel past linked room bookings when deleting an event (#6032, #6051)
  • Fix contribution list filters being obscured by the action dialog (#6055)
  • Fix emailing Paper Peer Reviewing and Editing teams (#6145)

v3.2.8

7 months ago

:warning: Security fixes

  • Update Pillow library due to vulnerabilities in libwebp (CVE-2023-4863)

:flags: Internationalization

  • New translation: Italian

:bug: Bugfixes

  • Fix error when sending registration invitation reminders (#5879, #5880, thanks @bpedersen2)
  • Fix accessing the conference overview page when the default conference home page is set to a custom page (#5882)
  • Show percentages for multi-choice survey answers based on number of answers instead of total number of choices selected (#5930)

v3.2.7

9 months ago

:bug: Bugfixes

  • Fix not being able to remove the last entry from a room ACL (#5863, thanks @SegiNyn)
  • Fix conditional fields remaining hidden in abstract judgment form (#5873)

v3.2.6

9 months ago

:warning: Security fixes

  • Fix an XSS vulnerability in various confirmation prompts commonly used when deleting things. Exploitation requires someone with at least submission privileges (such as a speaker) and then relies on someone else attempting to delete this content. However, considering that event organizers may indeed delete suspicious-looking content when encountering it, there is a non-negligible risk of such an attack succeeding. Because of this, it is strongly recommended to upgrade as soon as possible (#5862, CVE-2023-37901, GHSA-fmqq-25x9-c6hm)

:flags: Internationalization

  • New translation: Czech

:tada: Improvements

  • Show which files were added or modified on each editing timeline revision (#5802)
  • Support rendering Japanese, Chinese & Korean letters in PDFs (#3120, #5842, thanks @adamjenkins)
  • Add button to adapt columns widths on the reviewing area's abstracts list (#5837)
  • Allow cloning category-level badge/poster templates into another category (#5775, thanks @SegiNyn)
  • Allow using a custom link text in the {event_link} email placeholder, using the {event_link:something-else-here} syntax (#5858, #5860)
  • Add option to add "event cancelled" semantics for event labels, which will disable reminders for events having this label (#5285, #5861)

:bug: Bugfixes

  • Use correct name formatting in person link fields (#5835)

:wrench: Internal Changes

  • Support Python 3.11

v3.2.5

10 months ago

:warning: Security fixes

  • Fix an XSS vulnerability in the LaTeX \href macro when rendering it client-side. Previously, it was possible to embed arbitrary JavaScript there using the javascript: protocol. The underlying MathJax library has now been updated to version 3 which allows blacklisting certain protocols, thus allowing only http, https and mailto links in \href macros (#5818)
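
The allowlist described in this fix can also be checked server-side when auditing stored LaTeX. The following is an added example, not Indico's or MathJax's code; the function names, the no-nested-braces assumption and the sample input are constructed for illustration, and schemeless targets are rejected because they are not one of the three listed schemes.

```python
import re

# Schemes the release note lists as still permitted in \href targets.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Assumption: targets contain no nested braces, which holds for ordinary URLs.
HREF_RE = re.compile(r"\\href\s*\{([^{}]*)\}")
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

# URL parsers in browsers drop ASCII tab/CR/LF anywhere and trim leading or
# trailing C0 control characters and spaces; check what the browser will see.
_DROP = str.maketrans("", "", "\t\r\n")
_TRIM = "".join(chr(c) for c in range(0x21))


def normalize_target(target):
    """Apply the same cleanup a browser URL parser performs before parsing."""
    return target.translate(_DROP).strip(_TRIM)


def href_scheme(target):
    """Return the lower-cased scheme of a link target, or None if it has none."""
    match = SCHEME_RE.match(normalize_target(target))
    return match.group(1).lower() if match else None


def is_allowed_href(target):
    """Allowlist check: only explicit http, https and mailto targets pass."""
    return href_scheme(target) in ALLOWED_SCHEMES


def audit_latex(source):
    """Return (target, allowed) for every href macro found in source."""
    return [(t, is_allowed_href(t)) for t in HREF_RE.findall(source)]


# Constructed sample input, not taken from Indico.
SAMPLE = r"""
$\href{https://indico.example/event/1}{event page}$
$\href{mailto:organizer@example.org}{contact}$
$\href{ JavaScript:void(0)}{mixed case, leading space}$
$\href{ftp://files.example/slides.pdf}{other scheme}$
$\href{/event/1}{no scheme}$
"""

if __name__ == "__main__":
    for target, allowed in audit_latex(SAMPLE):
        print("allow " if allowed else "reject", repr(target))
```

Comparing against an allowlist after normalization means case changes, stray whitespace and any scheme nobody thought to block are all rejected by default.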

:tada: Improvements

  • Show actual recipient data in the email preview instead of that of the event creator (#5794)
  • Add an option to set a maximum number of choices in a multi-choice field (#5800)

:bug: Bugfixes

  • Fix width of time column in PDF timetable when using 12-hour time format (#5788)
  • Fix wrong date in email subject for room booking occurrence cancellations (#5790)
  • Fix excessive queries being sent in meetings that have registration form with limited places and many registrants (#5799)
  • Fix extremely slow query when retrieving list of registration forms in conferences with many registrants while not logged in (#5799)
  • Fix title of session conveners being always empty in HTTP API with XML serialization (#5813)
  • Fix editable filters not working simultaneously with editable search (#5796)
  • Fix missing icons in Abstract Markdown editor (#5815)
  • Fix text overflow in event manage button (#5816)
  • Fix undone revisions being used instead of the latest valid one when downloading revision files as a ZIP archive (#5820)
  • Fix custom actions not showing on revisions if the latest revision has been undone (#5820)

v3.2.4

11 months ago

:warning: Security fixes

  • Set Vary: Cookie header when session data is present and used. This ensures that data linked to a (logged-in) session cannot leak between requests even in case of a poorly-configured caching proxy in front of Indico (#5753)
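
The effect of this header on a shared cache can be reproduced with a small model. This is an added example, not Indico's code: the toy app, the proxy that stores every response, the session store and all names are constructed, and the app adds Vary: Cookie only when a non-empty session was actually read, as the note describes.

```python
from dataclasses import dataclass, field

# Constructed session store: cookie value -> server-side session data.
SESSIONS = {"sid=alice": {"user": "alice"}, "sid=bob": {"user": "bob"}}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class TrackedSession:
    """Session wrapper that remembers whether the handler read from it."""

    def __init__(self, data):
        self.data = data
        self.accessed = False

    def get(self, key, default=None):
        self.accessed = True
        return self.data.get(key, default)


def add_vary(headers, name):
    """Append name to Vary, keeping existing entries and avoiding duplicates."""
    current = [v.strip() for v in headers.get("Vary", "").split(",") if v.strip()]
    if "*" not in current and name.lower() not in [v.lower() for v in current]:
        current.append(name)
    headers["Vary"] = ", ".join(current)


def make_app(fixed):
    """Build a toy app; fixed=True applies the behaviour from the release note."""
    def app(path, cookie):
        app.calls += 1
        session = TrackedSession(SESSIONS.get(cookie, {}))
        if path == "/dashboard":
            body = "events for " + session.get("user", "anonymous")
        else:
            body = "public landing page"  # never touches the session
        resp = Response(body, {"Vary": "Accept-Encoding"})
        if fixed and session.accessed and session.data:
            add_vary(resp.headers, "Cookie")
        return resp
    app.calls = 0
    return app


class SharedCache:
    """Toy proxy that stores every response but does honour Vary."""

    def __init__(self, app):
        self.app = app
        self.vary = {}   # path -> request header names from the last Vary
        self.store = {}  # (path, header values...) -> Response

    def _key(self, path, req_headers):
        return (path,) + tuple(req_headers.get(h, "") for h in self.vary[path])

    def fetch(self, path, cookie):
        req_headers = {"cookie": cookie}
        if path in self.vary and self._key(path, req_headers) in self.store:
            return self.store[self._key(path, req_headers)]
        resp = self.app(path, cookie)
        names = resp.headers.get("Vary", "").split(",")
        self.vary[path] = tuple(n.strip().lower() for n in names if n.strip())
        self.store[self._key(path, req_headers)] = resp
        return resp


def second_user_sees(fixed, path="/dashboard"):
    """Alice then Bob fetch path via the proxy; return (Bob's body, app calls)."""
    app = make_app(fixed)
    proxy = SharedCache(app)
    proxy.fetch(path, "sid=alice")
    return proxy.fetch(path, "sid=bob").body, app.calls
```

Without the header Bob is served Alice's cached page; with it the cache key includes the cookie, while the public page that never reads the session stays shared across users.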

:tada: Improvements

  • Use the revision's timestamp when downloading its files as a ZIP archive (#5686)
  • Use more consistent colors on the editing judgment button (#5687, #5697)
  • Keep history when undoing judgments on editables (#5630)
  • Add search field to the abstracts list for reviewers (#5698, #5703)
  • Align status box colors with judgment dropdown (#5699, #5706)
  • Use a gender-neutral chairperson icon (#5710)
  • Add option to set the abstracts' primary authors as the default submitters for the corresponding contributions (#5711)
  • Allow commenting on accepted/rejected editables (#5712, #5722)
  • Hide deleted sections and fields from registration summary (#5716)
  • Add support for authorized submitters in Call for Papers (#5728)
  • Display abstract submission comment in the list of abstracts (#5733)
  • Allow searching for contributions by author in the management area (#5742)
  • Include start/end dates of the whole booking in the timeline tooltip of recurring room bookings (#5730, #5740)
  • Add day of the week to room booking details modal and timeline (#5718, #5743)
  • Allow acceptance and rejection of editables in the editable list (#5721)
  • Email verification attempts during signup now trigger rate limiting to prevent spamming large amounts of confirmation emails (#5727)
  • Allow bulk-commenting editables in the editable list (#5747)
  • Allow emailing contribution persons that have not yet made any submissions to a given editable type (#5755)
  • Show only "ready to review" editables on the "get next editable" list (#5765)
  • Disallow uploading empty files (#5767)
  • Include non-speaker authors in the timetable export API (#5412, #5738)
  • Add setting to force track selection when accepting abstracts (#5771)
  • Log detailed changes when editing contributions (#5777)
  • Allow managers to ignore required field restrictions in registration forms (#5644, #5682, thanks @kewisch)
  • Allow selecting the global noreply address as the sender for event reminders (#5784)

:bug: Bugfixes

  • Fix creating invited abstracts (#5696)
  • Fix error on contribution page when there is no paper but the peer reviewing module is enabled and configured to hide accepted papers
  • Clone all protection settings (in particular submitter privileges) when cloning events (#5702)
  • Fix searching in single-choice dropdown fields in registration forms (#5709)
  • Fix uploading files in registration forms where the user only has access through the registration's token (#5719)
  • Fix being unable to set the "speakers and authors" as the default contribution submitter type (#5711)
  • Check server-side if Call for Papers is open when submitting a paper (#5725)
  • Fix room notification email list showing up empty when editing it (#5729, #5731)
  • Fix performance issues in paper assignment list (#5736)
  • Fix performance issues in event export API with large events when including contributions (#5736)
  • Fix error when a search query matches content from unlisted events (#5759, #5761)
  • Fix ToS and Privacy Policy links in room booking module not working when using an external URL (#5774)
  • Do not apply default values to new registration form fields when editing an existing registration (#5781)
  • Allow 0 for a required registration form number field (unless a higher minimum value is set) (#5781)

:wrench: Internal Changes

  • Update Python & JavaScript dependencies (#5726, #5752)
  • Add support for the watchfiles live reloader (#5732)
  • Add an endpoint to allow resetting the state of an accepted editable to "ready to review" (#5758)
  • Add RESTful endpoints for custom contribution fields (#5768)

v3.2.3

1 year ago

:warning: Security fixes

  • Sanitize HTML in global announcement messages
  • Update cryptography library due to vulnerabilities in OpenSSL (CVE-2023-0286)
  • Update werkzeug library due to a potential Denial of Service vulnerability (CVE-2023-25577)

Note: The risk of malicious HTML (e.g. scripts) in the global announcement is minimal as only Indico administrators can set such an announcement anyway. However, in the unlikely case that an administrator becomes malicious or is compromised, they would have been able to perform XSS against their Indico instance.

:tada: Improvements

  • Include co-authors in abstract list columns and spreadsheet exports (#5605)
  • Include speakers in abstract list columns and spreadsheet exports (#5615)
  • Add an option to export all events in a series to ical at once (#5617, #5620)
  • Make it possible to load more events in series management (#5629)
  • Check manually entered email addresses of speakers/authors/chairpersons to avoid collisions and inconsistencies (#5478)
  • Add option to use review track as accepted track when bulk-accepting abstracts (#5608)
  • Add setting to only allow managers to upload attachments to events and contributions (#5597)
  • Support Markdown when writing global announcement and apply standard HTML sanitization to the message (#5640)
  • Add BCC field on contribution email dialogs (#5637)
  • Allow filtering by location in room booking (#4291, #5622, thanks @mindouro)
  • Add button to adapt column widths in paper & contribution lists (#5642)
  • Add event language settings to set default and additional languages (#5606, #5607, thanks @vasantvohra)
  • Fail nicely when trying to import an event from another Indico instance (#5619, #5653)
  • Add option to send reminders to invited registrants who have not yet responded (#5579, #5654)
  • Hide the top box with the latest files of an editable until it has been accepted and published (#5660, #5665)
  • Allow uploading files when requesting changes on the editing timeline (#5612)
  • Add locked_fields to the identity provider settings in indico.conf to prevent non-admin users from turning off their profile's personal data synchronization (#5648)
  • Add an option to sync event persons with users (#5677)
  • Disallow repeated filenames in editing revisions (#5681)
  • Add setting to hide peer-reviewed papers from participants even after they have been accepted (#5666, #5671)
  • Prevent concurrent assignment of editors to editables (#5684)
  • Add color labels to the filter dropdown (#5675, #5680)

:bug: Bugfixes

  • Correctly show contribution authors in participant roles list (#5603)
  • Disable Sentry trace propagation to outgoing HTTP requests (#5604)
  • Include token in notification emails for private surveys (#5618)
  • Fix some API calls not working with personal access tokens (#5627)
  • Correctly handle paragraphs and linebreaks in plaintext conversion (#5623)
  • Send manager notifications and email participant if they withdraw from an event (#5633, #5638, thanks @kewisch)
  • Do not break registrations with purged accommodation fields (#5641, #5643)
  • Do not show blocked rooms as available on the very last day of the blocking (#5663)
  • Do not show blocked rooms as available for admins unless they have admin override mode enabled (#5663)
  • Fix roles resetting to the default ones when editing person data in an abstract or contribution (#5664)
  • Correctly show paragraphs in CKEditor fields (#5624, #5656, thanks @kewisch)
  • Fix empty iCal file being attached when registering for a protected event (#5688)

:wrench: Internal Changes

  • Add rh.before-check-access signal (#5639, thanks @omegak)
  • Add indico celery --watchman ... to run Celery with the Watchman reloader (#5667)
  • Allow overriding the cache TTL for remote group membership checks (#5672)
  • Allow a custom editing workflow service to mark new editables as ready-for-review without creating a new replacement revision (#5668)
  • Update Python dependencies (#5689)