From ba5878e7869655feda1983967ba80e7c2e811676 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Sat, 2 Feb 2019 10:50:22 -0800
Subject: Update ChangeLog

---
ChangeLog | 30 ++++++++++++++++++++++++++++++
app/constants.php | 2 +-
config.default.php | 4 +++-
3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2f93f68c..63ca34f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,33 @@
+Version 1.2.8 (February 2, 2019)
+--------------------------------
+
+Breaking Changes:
+
+* Authorize only API tokens when 2FA is enabled (no user password)
+* Disable by default plugin installer for security reasons:
+ - There is no code review or any approval process to submit a plugin.
+ - This is up to the Kanboard instance owner to validate if a plugin is legit.
+
+Fixes and Improvements:
+
+* Limit avatar image size
+* Avoid CSRF in users CSV import
+* Avoid XSS in pagination sorting
+* Do not show projects dropdown when prompting the 2FA code
+* Always returns a 404 instead of 403 to avoid people discovering users
+* Check if user role has changed while the session is open
+* Add missing CSRF check in TwoFactorController::deactivate()
+* Hide edit button when user cannot edit task
+* Fix permission check before "Assign to me"
+* Fix permission check before showing project options
+* Fix assignable users on a group with a custom role
+* Fix import of automatic actions when parameters are "unassigned" or "no category"
+* Update license year
+* Update Docker image to Alpine 3.9
+* Update translations
+* Fix PHP error in task views (tag colors)
+* Limit assignee drop-down selector scope
+
 Version 1.2.7 (December 19, 2018)
 ---------------------------------
 
diff --git a/app/constants.php b/app/constants.php
index 21f911f7..e7d8c41c 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -21,7 +21,7 @@ defined('CACHE_DIR') or define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache'
 // Plugins settings
 defined('PLUGINS_DIR') or define('PLUGINS_DIR', ROOT_DIR.DIRECTORY_SEPARATOR.'plugins');
 defined('PLUGIN_API_URL') or define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
-defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', false); // Disabled by default for security reason
+defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', false); // Disabled by default for security reasons
 
 // Enable/disable debug
 defined('DEBUG') or define('DEBUG', strtolower(getenv('DEBUG')) === 'true');
diff --git a/config.default.php b/config.default.php
index d845b277..ad260cf1 100644
--- a/config.default.php
+++ b/config.default.php
@@ -24,7 +24,9 @@ define('PLUGINS_DIR', __DIR__.DIRECTORY_SEPARATOR.'plugins');
 // Plugins directory URL
 define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
 
-// Enable/Disable plugin installer (Disabled by default for security reason)
+// Enable/Disable plugin installer (Disabled by default for security reasons)
+// There is no code review or any approval process to submit a plugin.
+// This is up to the Kanboard instance owner to validate if a plugin is legit.
 define('PLUGIN_INSTALLER', false);
 
 // Available cache drivers are "file" and "memory"
-- 
cgit v1.2.3
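Review bot: The new comment above `define('PLUGIN_INSTALLER', false);` in config.default.php explains why the installer is off but not what an operator accepts by turning it on; since PLUGIN_API_URL is defined just above, the installer presumably sources plugins from that URL, so a further line such as `// Only enable it on an instance where you trust PLUGIN_API_URL as the plugin source and will vet each plugin yourself.` would make the trade-off explicit at the point where the setting is changed. The same default in app/constants.php (the first hunk of this line) keeps only the one-line "Disabled by default for security reasons" comment; if config.default.php is the template operators copy, that is the right home for the explanation, but a short pointer there (`// See config.default.php for why`) would keep the two defaults in step. Both hunks are top-level statement runs with no enclosing function.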