Breaking Changes:
- Authorize only API tokens when 2FA is enabled (no user password)
- Disable by default plugin installer for security reasons:
- There is no code review or any approval process to submit a plugin.
- This is up to the Kanboard instance owner to validate if a plugin is legit.
Fixes and Improvements:
- Limit avatar image size
- Avoid CSRF in users CSV import
- Avoid XSS in pagination sorting
- Do not show projects dropdown when prompting the 2FA code
- Always returns a 404 instead of 403 to avoid people discovering users
- Check if user role has changed while the session is open
- Add missing CSRF check in TwoFactorController::deactivate()
- Hide edit button when user cannot edit task
- Fix permission check before "Assign to me"
- Fix permission check before showing project options
- Fix assignable users on a group with a custom role
- Fix import of automatic actions when parameters are "unassigned" or "no category"
- Update license year
- Update Docker image to Alpine 3.9
- Update translations
- Fix PHP error in task views (tag colors)
- Limit assignee drop-down selector scope