Misago 0.19 is a feature release focused on making compliance with GDPR easier for forum admins, as well as to store less data about the users and treat stored data better.
This is also the release that moves documentation from main repo to dedicated one, named Misago-Docs, making amount of data needed to checkout from GitHub smaller, and opening the way for including screenshots in our guides.
MISAGO_ADDRESS
setting
In past Misago relied on the HttpRequest
(or just request
) Django object to build links in emails sent to users. However this approach has tied email sending to the duration of request-response cycle.
Misago 0.19 solves this issue by introducing the MISAGO_ADDRESS
setting, making it possible to send-emails from management commands and (in future) celery tasks, opening the road for implementing new notification mechanisms in future, such as notifying the categories watchers about new threads.
Legal agreements have been revamped
Misago now provides dedicated admin interface for managing the agreements, located in the "Users" section. This interface enables site administrators to have multiple versions of agreements defined at single time, as well as decide which version should be used.
In addition to above Misago will now keeps track of which agreements users have accepted, and will require user to accept new agreement if they haven't done so.
Automatic deletion of inactive accounts
Misago allows administrators to require registering users to activate their accounts via activation link in e-mail message or have their accounts activated by admin manually. Both of those have different purposes, such as making sure that users specify valid e-mail addresses or access to community is only allowed for those that pass admin review.
Unintended side-effect of requiring activation is site accumulating inactive ("abandoned") user accounts. In era of GDPR those accounts may be considered liability to site administrators responsive for processing user data.
Misago 0.19 provides deleteinactiveusers
management command that deletes of accounts that weren't activated in time specified in the MISAGO_DELETE_NEW_INACTIVE_USERS_OLDER_THAN_DAYS
setting.
This command is intended to be ran periodically in cron.
IP addresses handling
GDPR considers IP addresses personal data and while Misago already anonymized user's personal address, overwriting it with 0.0.0.0
when user's account is being deleted, but this release takes this further by limiting number of places where IPs are stored to two and removing user IPs altogether instead of overwriting them with zeroes. If you wish so, you may also delete IPs when they are older than specified number of days to keep your IP record small.
Updating instructions
To update Misago from 0.18 to 0.19 use PIP to uninstall old Misago and install new one:
pip uninstall misago
pip install misago
Next, run following commands to make sure your forum database and static files are up to date with latest changes:
python manage.py migrate
python manage.py updatepostschecksums
python manage.py collectstatic
Misago relies on management commands to remove old IP's, delete new user account's that weren't activated in long time, process new data download requests and expire old ones. If you plan to use those features (and you should because it helps keep amount of personal data processed by site in check), please add following lines to your crontab (please note that you will likely need to enter custom path to manage.py
or your python):
25 1 * * * python manage.py deleteinactiveusers
0 2 * * * python manage.py removeoldips
0 2 * * * python manage.py expireuserdatadownloads
0 7 * * * python manage.py prepareuserdatadownloads
Next, open your settings.py and add following code to it:
# Complete HTTP address to your Misago site homepage. Misago relies on this address to create
# links in e-mails that are sent to site users.
# On Misago admin panel home page you will find a message telling you if you have entered the
# correct value, or what value is correct in case you've didn't.
MISAGO_ADDRESS = 'http://my-misago-site.com/'
You will need to replace the http://my-misago-site.com/
with valid http address to your Misago site's main page.
Data download feature requires temporary directory where it will be able to collect files to for archivization. Create directory named userdata
in same directory that you have media
and static
, then add this line to your settings.py
:
# Path to the directory that Misago should use to prepare user data downloads.
# Should not be accessible from internet.
MISAGO_USER_DATA_DOWNLOADS_WORKING_DIR = os.path.join(BASE_DIR, 'userdata')
Next, also add:
# Specifies the number of days that IP addresses are stored in the database before removing.
# Change this setting to None to never remove old IP addresses.
MISAGO_IP_STORE_TIME = 50
By default Misago will delete IPs that are older than 50 days, but you may make this number larger or smaller by changing it there.
If you wish to use automatic deletion of inactive accounts, you will need to add following setting:
# Automatically delete new user accounts that weren't activated in specified time
# If you rely on admin review of new registrations, make this period long, disable
# the "deleteinactiveusers" management command, or change this value to zero. Otherwise
# keep it short to give users a chance to retry on their own after few days pass.
MISAGO_DELETE_NEW_INACTIVE_USERS_OLDER_THAN_DAYS = 2
Misago 0.19 removes LastIpField
profile field. If your site is using it, you will have to find and remove 'misago.users.profilefields.default.LastIpField',
from your MISAGO_PROFILE_FIELDS
setting in settings.py
.
New features
- 1002 - Added
removeoldips
management command that removes old IP addresses from the database. - 1019 - Users and administrators may now request data download with their data stored on Misago site.
- 1045 - Added
deleteinactiveusers
management command that deletes newly registered user accounts that weren't activated in specified time. - 1047 - Legal agreements are more explicit, support versions, ask site user's to accept new agreement when those are created (or terminate user account if they decline).
Theme changes
none
Bugs fixed
- 1023 - Private thread invitation has unescaped markup around thread title.
- 1043 - Avatar galleries implementation assumed that avatars are stored locally, breaking feature for sites storing static files on separate storage such as S3.
- 1053 - Lock dev docker to Python 3.5 so it doesn't explode when new python version gets released.
Implementation and API changes
- 1012 - Moved IP storage to dedicated model named
AuditTrail
. - 1037 - Added
MISAGO_ADDRESS
setting and changed themisago.core.mail
functions to don't takerequest
argument. - 1044 - Renamed
anonymize_content
toanonymize_data
for user model method and signal.
Documentation changes
- 1010 - Moved documentation to dedicated repo and updated from gitbook legacy to newest and bestest version.
- 1013 - Added basic GDPR compliance guide for forum administrators.
Localization changes
none