Kiwi TCMS 8.6

security update, improvements and bug fixes

Posted by Kiwi TCMS Team on Sun 23 August 2020 under releases

We're happy to announce Kiwi TCMS version 8.6!

IMPORTANT: this is a high severity security update which includes improvements, bug fixes, database migrations, API changes, translation updates and new tests. It is the fourth release to include contributions via our open source bounty program. You can explore everything at!

Supported upgrade paths:

5.3   (or older) -> 5.3.1
5.3.1 (or newer) -> 6.0.1
6.0.1            -> 6.1
6.1              -> 6.1.1
6.1.1            -> 6.2 (or newer)

Docker images:

kiwitcms/kiwi       latest  f2c21b370cd9    639 MB
kiwitcms/kiwi       6.2     7870085ad415    957 MB
kiwitcms/kiwi       6.1.1   49fa42ddfe4d    955 MB
kiwitcms/kiwi       6.1     b559123d25b0    970 MB
kiwitcms/kiwi       6.0.1   87b24d94197d    970 MB
kiwitcms/kiwi       5.3.1   a420465852be    976 MB

Changes since Kiwi TCMS 8.5


  • A high severity vulnerability which allows unprivileged data access via JSON-RPC endpoints has been fixed:
    • Affects all previous versions of Kiwi TCMS
    • Instances on public networks, such as Amazon EC2, are at higher risk
    • Instances on private networks are still vulnerable to anyone who can access the same network
    • This vulnerability has been disclosed by Michael Longmire (ShastaQA) and Stone Pack (ShastaQA)
  • Update marked from 0.8.2 to 1.1.1 for a medium severity vulnerability, see SNYK-JS-MARKED-584281


  • Update django from 3.0.8 to 3.0.9

  • Update django-attachments from 1.5 to 1.6

  • Update prismjs from 1.20.0 to 1.21.0

  • Update pygithub from 1.51 to 1.53

  • Replace deprecated bleach-whitelist with bleach-allowlist

  • Make django-extensions a production dependency because it provides many useful commands

  • Enable syntax highlight for code blocks

  • Remove file attachments when related objects are deleted

  • Add image and file upload buttons to text editor. Fixes Issue #977

  • Require auth.view_user permission when trying to view user profiles. Fixes Issue #1685

  • Multiple pages now explicitly require view permissions before displaying read-only information. This gives administrators a finer grained control:

    • /bugs/<id>/ -> bugs.view_bug
    • /bugs/search/ -> bugs.view_bug
    • /cases/search/ -> testcases.view_testcase
    • /case/<id>/ -> testcases.view_testcase
    • /plans/search/ -> testplans.view_testplan
    • /plan/<id>/* -> testplans.view_testplan
    • /runs/search/ -> testruns.view_testrun
    • /runs/<id>/ -> testruns.view_testrun

    Previously these pages only required the user to be logged in


The auth.view_user permission is not granted by default because the profile page contains personal information like names and email address. Administrators can grant this permission on a group or individual basis if they are OK with sharing this information.


  • Migrations which manipulate data (contain RunPython) can now be rollbacked. See ./ migrate --plan for the order in which migrations are applied (Bryan Mutai)
  • Increase size from 64 to 255 characters


  • Remove method TestExecution.create() in favor of TestRun.add_case()
  • Add method User.add_attachment()
  • Multiple API methods now explicitly require view permissions before returning read-only information. This is in-sync with the per-page changes listed above:
    • Bug.filter() -> bugs.view_bug
    • -> testruns.view_testexecution
    • Build.filter() -> management.view_build
    • Category.filter() -> testcases.view_category
    • Classification.filter() -> management.view_classification
    • Component.filter() -> management.view_component
    • PlanType.filter() -> testplans.view_plantype
    • Priority.filter() -> management.view_priority
    • Product.filter() -> management.view_product
    • Tag.filter() -> management.view_tag
    • TestCase.get_components() -> testcases.view_testcase
    • TestCase.get_notification_cc() -> testcases.view_testcase
    • TestCase.filter() -> testcases.view_testcase
    • TestCaseStatus.filter() -> testcases.view_testcasestatus
    • TestExecution.filter() -> testruns.view_testexecution
    • TestExecution.get_links() -> linkreference.view_linkreference
    • TestExecutionStatus.filter() -> testruns.view_testexecutionstatus
    • TestPlan.filter() -> testplans.view_testplan
    • TestRun.get_cases() -> testruns.view_testrun
    • TestRun.filter() -> testruns.view_testrun
    • User.filter() -> auth.view_user
    • Version.filter() -> management.view_version

Bug fixes

  • Update documentation to reflect that test cases cannot be rearranged from within a TestRun but only from a TestPlan. Fixes Issue #1805 (@Prome88)
  • Incorrect code formatting for HTML <pre> tags. Closes Issue #1300
  • Fix a bug with the history handler when importing objects with ID field set. Resolves a crash when trying to restore backup data
  • Delete comments when Bug is removed

Refactoring & testing

  • Add linter to warn about missing backwards migrations callable in RunPython and fix all pylint offenses. Fixes Issue #1774 (Bryan Mutai)
  • Teach linter to check API for @permissions_required. Fixes Issue #1089
  • Refactor NewExecutionForm to use ModelForm (Rosen Sasov)
  • Refactor UpdateExecutionForm to use ModelForm (Rosen Sasov)
  • Add tests for tcms.bugs.api. Closes Issue #1597 (Mfon Eti-mfon)
  • Add tests for tcms.bugs.views.New. Closes Issue #1598 (Mfon Eti-mfon)
  • Add tests for tcms.rpc.api.testplan. Closes Issue #1627 (@lcmtwn)
  • Add tests for percentage() function References Issue #1602 (Mariyan Garvanski)
  • Add the migrations_order command to help test rollbacks
  • Adjust code for deprecation warnings from Django 3.1
  • Use Python 3 style super() without arguments
  • Update login page to match our new website design

Kiwi TCMS Enterprise v8.6-mt

  • Based on Kiwi TCMS v8.6

For more info see

How to upgrade

Backup first! If you are using Kiwi TCMS as a Docker container then:

cd path/containing/docker-compose/
docker-compose down
docker-compose pull
docker-compose up -d
docker exec -it kiwi_web /Kiwi/ migrate

Refer to our documentation for more details!

Happy testing!