⚠️ Security fixes

• Set Vary: Cookie header when session data is present and used. This ensures that data linked to a (logged-in) session cannot leak between requests even in case of a poorly-configured caching proxy in front of Indico (#5753)

🎉 Improvements

• Use the revision's timestamp when downloading its files as a ZIP archive (#5686)
• Use more consistent colors on the editing judgment button (#5687, #5697)
• Keep history when undoing judgments on editables (#5630)
• Add search field to the abstracts list for reviewers (#5698, #5703)
• Align status box colors with judgment dropdown (#5699, #5706)
• Use a gender-neutral chairperson icon (#5710)
• Add option to set the abstracts' primary authors as the default submitters for the corresponding contributions (#5711)
• Allow commenting on accepted/rejected editables (#5712, #5722)
• Hide deleted sections and fields from registration summary (#5716)
• Add support for authorized submitters in Call for Papers (#5728)
• Display abstract submission comment in the list of abstracts (#5733)
• Allow searching for contributions by author in the management area (#5742)
• Include start/end dates of the whole booking in the timeline tooltip of recurring room bookings (#5730, #5740)
• Add day of the week to room booking details modal and timeline (#5718, #5743)
• Allow acceptance and rejection of editables in the editable list (#5721)
• Email verification attempts during signup now trigger rate limiting to prevent spamming large amounts of confirmation emails (#5727)
• Allow bulk-commenting editables in the editable list (#5747)
• Allow emailing contribution persons that have not yet made any submissions to a given editable type (#5755)
• Show only "ready to review" editables on the "get next editable" list (#5765)
• Disallow uploading empty files (#5767)
• Include non-speaker authors in the timetable export API (#5412, #5738)
• Add setting to force track selection when accepting abstracts (#5771)
• Log detailed changes when editing contributions (#5777)
• Allow managers to ignore required field restrictions in registration forms (#5644, #5682, thanks @kewisch)
• Allow selecting the global noreply address as the sender for event reminders (#5784)

🐛 Bugfixes

• Fix creating invited abstracts (#5696)
• Fix error on contribution page when there is no paper but the peer reviewing module is enabled and configured to hide accepted papers
• Clone all protection settings (in particular submitter privileges) when cloning events (#5702)
• Fix searching in single-choice dropdown fields in registration forms (#5709)
• Fix uploading files in registration forms where the user only has access through the registration's token (#5719)
• Fix being unable to set the "speakers and authors" as the default contribution submitter type (#5711)
• Check server-side if Call for Papers is open when submitting a paper (#5725)
• Fix room notification email list showing up empty when editing it (#5729, #5731)
• Fix performance issues in paper assignment list (#5736)
• Fix performance issues in event export API with large events when including contributions (#5736)
• Fix error when a search query matches content from unlisted events (#5759, #5761)
• Fix ToS and Privacy Policy links in room booking module not working when using an external URL (#5774)
• Do not apply default values to new registration form fields when editing an existing registration (#5781)
• Allow 0 for a required registration form numbe field (unless a higher minimum value is set) (#5781)

🔧 Internal Changes

• Update Python & JavaScript dependencies (#5726, #5752)
• Add support for the watchfiles live reloader (#5732)
• Add an endpoint to allow resetting the state of an accepted editable to "ready to review" (#5758)
• Add RESTful endpoints for custom contribution fields (#5768)