Jiglu 11.0 release notes

Highlights

  • Two-factor authentication, providing better protection for accounts by requiring the entry of an additional code generated with Google Authenticator when logging on.
  • Bulk file upload, letting you easily create multiple knowledge entries from files dragged and dropped onto a page and optionally creating editable content from suitable files.
  • User-editable themes, letting you choose the main colours of the system to match your own organisation’s branding.
  • New notice options to enable administrators to alert users to urgent information on their Radar page or when they log on.
  • Lots of smaller improvements – many customer-requested – designed to make users’ lives easier.

For end users

Logging on

  • Jiglu now supports two-factor authentication. This provides additional protection for your account by only letting you log on with an additional verification code generated by a suitable authenticator app or device, such as Google Authenticator. You can download Google Authenticator for Android from Google Play or for the iPhone / iPad from the Apple App Store. Other apps or devices that implement RFC 6238 can also be used.

If two-factor authentication is optional on your Jiglu system then you can generate a QR code to use with Google Authenticator by going to My Preferences and then choosing the ‘Two-factor authentication’ option. Once you turn it on and enter your password you will be shown a QR code that you can use with the ‘Scan a barcode’ option in Google Authenticator to add the account. Now each time that you log on you will need to use the verification code that Google Authenticator gives you. If you later want to turn two-factor authentication off then go to the same preferences page.

If two-factor authentication is mandatory on your Jiglu system then you will be given the QR code to use with Google Authenticator the first time you log on after it was enabled. If you later want to generate a new QR code, for example if you change mobile phones, then go to My Preferences and choose the ‘Two-factor authentication’ option.

If you lose access to the app or device used to generate your verification code then you will need to ask a system administrator to clear your two-factor authentication secret key. You will then be able to generate a new code. Unlike with a forgotten password, you cannot carry out this process yourself.

  • When you click on the ‘Log on’ link at the top-right of a page, the pop-up form that opens now appears in the centre of the screen.
  • If you enter the wrong username or password more than two times when logging on then you will now need to complete a captcha code on subsequent attempts.

Contributions

  • In order to have tags suggested for your blog post or knowledge entry or to browse all the existing tags you now need to click on the ‘Pick tags’ button. When adding or editing blog posts or knowledge entries on the Radar you now enter tags on the ‘Details’ tab rather than on their own tab.
  • When viewing discussion messages on the Radar, if you click on the expander button to reveal quoted text then the dialog will now be automatically resized to fit the new content size.
  • Attachments are now ordered by name in the list under a contribution, rather than in the order they were added. If there are more than five then they will be listed one per line to make viewing easier.
  • There is now a ‘Download all’ link for an item’s attachments on the Radar activity stream.
  • An issue has been fixed which in recent versions caused the ‘Download all’ feature not to work with certain types of attachment.
  • Viewing poll results for polls that have not yet ended is possible once more.

Preferences

  • The preferences index page has been improved to make it easier to see which option you might need. There is also no longer a different version of the page in a blog or space.
  • Links to join or leave a monitor or space or to follow or unfollow a blog have been moved from the preferences page to the dropdown menu next to your name at the top right of the page.
  • You can now view an activity log showing activities that you were responsible for by following the ‘My activity log’ link in My Preferences. This includes when you logged on and from what IP address.

Miscellaneous

  • The tasks sent page now shows all the tasks that you originated as a result of your actions in the system.
  • Actions that take you away from an index now all return you back to the index afterwards, with the same filter and on the same page as you were before. Previously this did not happen for some cases.
  • If you try and carry out an action that would result in you going over a limit or quota then you will now be given a message specific to what happened.
  • A number of less common errors now give specific error messages as to what happened. In particular, when you try and edit something but someone else has just deleted something your edit relies on (like a topic) then this will now be better explained.
  • On pages that require a captcha to complete, the image and audio now have the same numbers.
  • The help system now contains links to the Jiglu support site.
  • A number of minor issues have been fixed and improvements made.

For group administrators

Blogs and space contributions

  • You can now import multiple files as knowledge entries by choosing the ‘Bulk file import’ action on the blog post or knowledge entry index page. For every file dragged and dropped onto the page or chosen with the file selector a knowledge entry will be created.

If you enter text in the ‘Main text’ field on the form it will be used as the main text for each entry. If you leave it blank then the system will try and extract text from the file and use that as the main text instead. It will be able to do this for most common formats, such as Microsoft Word. You can optionally choose the main text and tags to use for each file uploaded and whether or not posts or entries created in this way are published immediately or remain in your drafts.

  • You can now withdraw or republish responses to a blog post, discussion message or knowledge entry without losing your place in the page. Withdrawn responses are now indicated by a strike-through style.
  • Some inconsistencies in the display of appropriate delete, withdraw and republish buttons and in confirming that a user really does want to delete a discussion thread or withdraw a discussion message have been resolved.

Group settings

  • When creating a new blog or space, you now have the option afterwards to either apply a template or to choose what access is allowed to the group. Previously the system allowed both, which would then remove the permissions defined in the template.
  • You can now reset blog and space home pages back to the default sections they had when the group was first created by choosing the ‘Reset’ button on the home page settings page.
  • The home page and newsletter editors are now more forgiving of when another user has made a change at the same time.
  • Group stylesheets have been removed. Definitions in the system stylesheet will now need to be used instead.
  • The group checklist no longer includes choosing the appearance or uploading a banner.

Discussion areas

  • You can now choose the order that discussion areas are shown in the discussion index. You may want to change the ordering in any spaces that use them.
  • When you delete a discussion area the messages in it now become part of the default discussion area. Previously you had to move them out of it first.
  • It is no longer possible to delete the default discussion area unless it is the only area left. You should make another area the default first if you want to delete the current default.
  • You can now delete all the areas in the space by selecting them all. Previously after messages were added it was not easily possible to go back to not having discussion areas.
  • An issue has been resolved where repeatedly moving threads between areas caused a page not found error.
  • Changes to discussion areas are now recorded in the group activity log.

Security controls and auditing

  • It is no longer possible to ban people from blogs or spaces by email address. This functionality was little used and there are now other mechanisms in place that work better.
  • The number of discussion areas in a space, the number of sections on a group home page and the number of sections in a newsletter may now all be subject to a limit.
  • To avoid confusion with other usage, ‘View activities for…’ has been renamed to ‘View activity log for…’
  • When you first go to the application log page it will now also show everything that has recently happened rather than waiting for a valid search.
  • The current storage used by a blog or space is now shown in the sidebar on the blog or space settings page rather than on a separate page.
  • When changing resource permissions, those for the Creator and Owner roles now only appear as editable when they actually have an effect on that resource type.

Monitors

  • Monitors now have the same look as blogs and spaces. They also now have a home page with three new types of section specific to monitors: source highlights, a tag activity chart and a sentiment activity chart.
  • The content of the previous sources tab has been replaced by the content of the items tab, which has now been removed.
  • All users can now join monitors – they no longer have to be given monitor access.
  • Users can join or leave a monitor themselves if the monitor permissions allow this.
  • The task allocator role has been removed. Instead tasks may now be allocated in a monitor by any user with the add permission on tasks, by default the Group Administrator and Group Moderator roles.
  • You can now only assign tasks to members of the same monitor.
  • You can now edit the permissions and member notifications in a monitor.

For system administrators

Security controls and auditing

  • The system access settings that were previously in the ‘User limits’ settings category have now been moved into their own ‘Security’ category.
  • Control over whether two-factor authentication is off, optional or mandatory can be set in the new ‘Security’ system settings category. Following the upgrade this will be set to optional – if you do not want this then you should change it immediately.
  • You can clear the two-factor authentication secret key for a user by visiting their profile and choosing the ‘Clear key’ button. If two-factor authentication is optional then they will now be able to log on without needing to supply a verification code. If it is mandatory then they will be given a new QR code to use with Google Authenticator the next time they attempt to log on. Unlike with forgotten passwords, users cannot manage this process themselves.
  • You can no longer opt to allow users to set a new password by correctly answering security questions they have previously set. This legacy feature was not used by any customers and is considered too much of a security risk to remain in the product.
  • User log-ons (including IP addresses), password changes, changes to two-factor authentication, changes to email addresses, changes to profiles and uploading of banner and icon images are now all recorded in the activity log.
  • When you first go to the application log page it will now also show everything that has recently happened rather than waiting for a valid search.
  • Some system activities were previously being logged even though they could not be seen and are not useful, such as when the system adds metadata to links that it has found in content. While this has now been resolved, because of the above change the old entries will now be visible until they expire.

Presentation

  • There are new themes available in which the colours can be customised to fit local branding. You can edit these themes from the ‘Themes’ system settings page. Note that because of the nature of this upgrade it was necessary to revert all sites and groups back to the default theme. If you are using another theme currently then please change it back following the upgrade.
  • There is a new ‘Notices’ system settings category. This contains separate notices that are given to users on the log on form, as an alert after they have logged on and on the Radar sidebar. These make it easier to give urgent information to users.

Licence keys

  • The licence key format has changed with this release. New keys will be issued to customers.
  • The licence key now optionally sets the maximum size of published content in the system. This is currently only for use with hosted customers. Once the limit is reached users will not be able to create new content until a new licence key is obtained or old content deleted. When over 90% of storage is used system administrators will be alerted when they log on.
  • The monitor user limit has been removed from the licence key.
  • The licence key page in the system settings now shows the current number of users and groups and the current storage size of published content.
  • System administrators will be informed when they log on if the licence is about to expire.

Miscellaneous

  • Administrator log on now uses a pop-up form on the page rather than taking you to a new page.
  • An issue with the administrator log on sometimes returning users to an invalid page after completion has been resolved.
  • To avoid confusion with other usage, ‘View activities for…’ has been renamed to ‘View activity log for…’
  • When changing resource permissions, those for the Creator and Owner roles now only appear as editable when they actually have an effect on that resource type.
  • When instant messages were expired the contribution statistics for the space were previously not being correctly updated. If you have used this feature then you should retag all content – contact support for how to do this.
  • Logs from Jiglu on the file system are now deleted after 28 days. This can be controlled in the bootstrap.properties configuration file.

Application security

  • Following improvements to the web application testing tool used as part of our test suite, an issue was resolved that could allow a JavaScript injection attack.
  • Further improvements have been made to user input validation and sanitisation.
  • Most third party libraries have been updated to the latest recommended versions. This included fixes for security issues in two libraries dealing with compressed archives, though these should not have been exploitable as we currently only process archive metadata, not archive content.