Update to Meteor 0.8.1.1

Conflicts:
	docs/client/api.html
	docs/client/api.js
	docs/client/concepts.html

.mailmap

@@ -8,7 +8,10 @@
 # For any emails that show up in the shortlog that aren't in one of
 # these lists, figure out their GitHub username and add them.
 
+GITHUB: aldeed <[email protected]>
 GITHUB: AlexeyMK <[email protected]>
+GITHUB: apendua <[email protected]>
+GITHUB: arbesfeld <[email protected]>
 GITHUB: DenisGorbachev <[email protected]>
 GITHUB: EOT <[email protected]>
 GITHUB: FooBarWidget <[email protected]>
@@ -20,10 +23,12 @@ GITHUB: awwx <[email protected]>
 GITHUB: cmather <[email protected]>
 GITHUB: codeinthehole <[email protected]>
 GITHUB: dandv <[email protected]>
+GITHUB: davegonzalez <[email protected]>
 GITHUB: emgee3 <[email protected]>
 GITHUB: icellan <[email protected]>
 GITHUB: jacott <[email protected]>
 GITHUB: jfhamlin <[email protected]>
+GITHUB: justinsb <[email protected]>
 GITHUB: marcandre <[email protected]>
 GITHUB: mart-jansink <[email protected]>
 GITHUB: meawoppl <[email protected]>
@@ -33,7 +38,9 @@ GITHUB: mitar <[email protected]>
 GITHUB: mizzao <[email protected]>
 GITHUB: mquandalle <[email protected]>
 GITHUB: nathan-muir <[email protected]>
+GITHUB: Neftedollar <[email protected]>
 GITHUB: paulswartz <[email protected]>
+GITHUB: Pent <[email protected]>
 GITHUB: queso <[email protected]>
 GITHUB: rdickert <[email protected]>
 GITHUB: rgould <[email protected]>
@@ -50,10 +57,12 @@ METEOR: dgreensp <[email protected]>
 METEOR: estark37 <[email protected]>
 METEOR: estark37 <[email protected]>
 METEOR: glasser <[email protected]>
+METEOR: glasser <[email protected]>
 METEOR: gschmidt <[email protected]>
 METEOR: karayu <[email protected]>
 METEOR: n1mmy <[email protected]>
 METEOR: sixolet <[email protected]>
 METEOR: Slava <[email protected]>
 METEOR: stubailo <[email protected]>
 METEOR: ekatek <[email protected]>
+

History.md

@@ -1,5 +1,149 @@
 ## v.NEXT
 
+
+## v0.8.1.1
+
+* Fix 0.8.1 regression preventing clients from specifying `_id` on insert. #2097
+
+* Fix handling of malformed URLs when merging CSS files. #2103, #2093
+
+* Loosen the checks on the `options` argument to `Collection.find` to
+  allow undefined values.
+
+
+## v0.8.1
+
+#### Meteor Accounts
+
+* Fix a security flaw in OAuth1 and OAuth2 implementations. If you are
+  using any OAuth accounts packages (such as `accounts-google` or
+  `accounts-twitter`), we recommend that you update immediately and log
+  out your users' current sessions with the following MongoDB command:
+
+    $ db.users.update({}, { $set: { 'services.resume.loginTokens': [] } }, { multi: true });
+
+* OAuth redirect URLs are now required to be on the same origin as your app.
+
+* Log out a user's other sessions when they change their password.
+
+* Store pending OAuth login results in the database instead of
+  in-memory, so that an OAuth flow succeeds even if different requests
+  go to different server processes.
+
+* When validateLoginAttempt callbacks return false, don't override a more
+  specific error message.
+
+* Add `Random.secret()` for generating security-critical secrets like
+  login tokens.
+
+* `Meteor.logoutOtherClients` now calls the user callback when other
+  login tokens have actually been removed from the database, not when
+  they have been marked for eventual removal.  #1915
+
+* Rename `Oauth` to `OAuth`.  `Oauth` is now an alias for backwards
+  compatibility.
+
+* Add `oauth-encryption` package for encrypting sensitive account
+  credentials in the database.
+
+* A validate login hook can now override the exception thrown from
+  `beginPasswordExchange` like it can for other login methods.
+
+* Remove an expensive observe over all users in the `accounts-base`
+  package.
+
+
+#### Blaze
+
+* Disallow `javascript:` URLs in URL attribute values by default, to
+  help prevent cross-site scripting bugs. Call
+  `UI._allowJavascriptUrls()` to allow them.
+
+* Fix `UI.toHTML` on templates containing `{{#with}}`.
+
+* Fix `{{#with}}` over a data context that is mutated.  #2046
+
+* Clean up autoruns when calling `UI.toHTML`.
+
+* Add support for `{{!-- block comments --}}` in Spacebars. Block comments may
+  contain `}}`, so they are more useful than `{{! normal comments}}` for
+  commenting out sections of Spacebars templates.
+
+* Don't dynamically insert `<tbody>` tags in reactive tables
+
+* When handling a custom jQuery event, additional arguments are
+  no longer lost -- they now come after the template instance
+  argument.  #1988
+
+
+#### DDP and MongoDB
+
+* Extend latency compensation to support an arbitrary sequence of
+  inserts in methods.  Previously, documents created inside a method
+  stub on the client would eventually be replaced by new documents
+  from the server, causing the screen to flicker.  Calling `insert`
+  inside a method body now generates the same ID on the client (inside
+  the method stub) and on the server.  A sequence of inserts also
+  generates the same sequence of IDs.  Code that wants a random stream
+  that is consistent between method stub and real method execution can
+  get one with `DDP.randomStream`.
+  https://trello.com/c/moiiS2rP/57-pattern-for-creating-multiple-database-records-from-a-method
+
+* DDP now has an implementation of bidirectional heartbeats which is consistent
+  across SockJS and websocket transports. This enables connection keepalive and
+  allows servers and clients to more consistently and efficiently detect
+  disconnection.
+
+* The DDP protocol version number has been incremented to "pre2" (adding
+  randomSeed and heartbeats).
+
+* The oplog observe driver handles errors communicating with MongoDB
+  better and knows to re-poll all queries after a MongoDB failover.
+
+* Fix bugs involving mutating DDP method arguments.
+
+
+#### meteor command-line tool
+
+* Move boilerplate HTML from tools to webapp.  Change internal
+  `Webapp.addHtmlAttributeHook` API.
+
+* Add `meteor list-sites` command for listing the sites that you have
+  deployed to meteor.com with your Meteor developer account.
+
+* Third-party template languages can request that their generated source loads
+  before other JavaScript files, just like *.html files, by passing the
+  isTemplate option to Plugin.registerSourceHandler.
+
+* You can specify a particular interface for the dev mode runner to bind to with
+  `meteor -p host:port`.
+
+* Don't include proprietary tar tags in bundle tarballs.
+
+* Convert relative URLs to absolute URLs when merging CSS files.
+
+
+#### Upgraded dependencies
+
+* Node.js from 0.10.25 to 0.10.26.
+* MongoDB driver from 1.3.19 to 1.4.1
+* stylus: 0.42.3 (from 0.42.2)
+* showdown: 0.3.1
+* css-parse: an unreleased version (from 1.7.0)
+* css-stringify: an unreleased version (from 1.4.1)
+
+
+Patches contributed by GitHub users aldeed, apendua, arbesfeld, awwx, dandv,
+davegonzalez, emgee3, justinsb, mquandalle, Neftedollar, Pent, sdarnell,
+and timhaines.
+
+
+## v0.8.0.1
+
+* Fix security flaw in OAuth1 implementation. Clients can no longer
+  choose the callback_url for OAuth1 logins.
+
+
 ## v0.8.0
 
 Meteor 0.8.0 introduces Blaze, a total rewrite of our live templating engine,

LICENSE.txt

@@ -561,6 +561,65 @@ html5: https://github.com/aredridel/html5
 Copyright (c) 2010 Aria Stewart <[email protected]>
 
 
+----------
+node-aes-gcm: https://github.com/xorbit/node-aes-gcm
+----------
+
+Copyright (c) 2013 Patrick Van Oosterwijck
+
+
+----------
+nan: https://github.com/rvagg/nan
+----------
+
+Copyright 2013, NAN contributors:
+  - Rod Vagg <https://github.com/rvagg>
+  - Benjamin Byholm <https://github.com/kkoopa>
+  - Trevor Norris <https://github.com/trevnorris>
+  - Nathan Rajlich <https://github.com/TooTallNate>
+  - Brett Lawson <https://github.com/brett19>
+  - Ben Noordhuis <https://github.com/bnoordhuis>
+(the "Original Author")
+All rights reserved.
+
+MIT +no-false-attribs License
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+Distributions of all or part of the Software intended to be used
+by the recipients as they would use the unmodified Software,
+containing modifications that substantially alter, remove, or
+disable functionality of the Software, outside of the documented
+configuration mechanisms provided by the Software, shall be
+modified such that the Original Author's bug reporting email
+addresses and urls are either replaced with the contact information
+of the parties responsible for the changes, or removed entirely.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+
+Except where noted, this license applies to any and all software
+programs and associated documentation files created by the
+Original Author, when distributed with the Software.
+
+
 
 ==============
 Apache License
@@ -1509,6 +1568,39 @@ OTHER DEALINGS IN THE SOFTWARE.
 For more information, please refer to <http://unlicense.org/>
 
 
+----------
+npm-install-checks: https://github.com/npm/npm-install-checks
+----------
+
+Copyright (c) Robert Kowalski and Isaac Z. Schlueter ("Authors")
+All rights reserved.
+
+The BSD License
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
 ----------
 tough-cookie: https://github.com/goinstant/tough-cookie
 ----------

docs/.meteor/release

@@ -1 +1 @@
-0.8.0
+0.8.1.1

docs/client/api.html

@@ -1711,6 +1711,11 @@ <h2 id="accounts_api"><span>Учетные записи</span></h2>
         Session.set('errorMessage', err.reason || 'Unknown error');
     });
 
+Login service configuration is sent from the server to the client over DDP when
+your app starts up; you may not call the login function until the configuration
+is loaded. The function `Accounts.loginServicesConfigured()` is a reactive data
+source that will return true once the login service is configured; you should
+not make login buttons visible or active until it is true.
 
 
 {{> api_box currentUser}}
@@ -1861,7 +1866,15 @@ <h2 id="accounts_api"><span>Учетные записи</span></h2>
 При каждой попытке логина вызываются все зарегистрированные колбэки, даже
 если один из них ее запретил. Но в этом случае для всех последующих колбэков
 поле `allowed` будет принимать значение `false`, т.к. данная попытка уже
-будет неудачной.
+будет неудачной. Это позволяет последуюшим колбэкам переопределять ошибки
+предыдущих. Например, заменить сообщение "Incorrect password" на любое другое.
+
+Тем колбэкам, которые не собираются заменять сообщения об ошибках, как правило,
+нет смысла отрабатывать в случае, когда попытка логина была уже запрещена.
+Поэтому такие колбэки должны начинаться с
+
+    if (!attempt.allowed)
+      return false;
 
 
 {{> api_box accounts_onLogin}}

docs/client/api.js

@@ -59,14 +59,15 @@ Template.api.settings = {
   id: "meteor_settings",
   name: "Meteor.settings",
   locus: "Везде",
-  descr: ["`Meteor.settings` содержит настройки приложения. Их можно указать " +
-          "либо передав опцию `--settings` (содержащую путь к JSON-файлу) " +
-          "команде `meteor run` или `meteor deploy`, либо указав их в переменной " +
-          "среды `METEOR_SETTINGS` в виде JSON-строки. Если вы не укажите " +
-          "никаких настроек, то `Meteor.settings` будет пустым объектом. Если " +
-          "объект содержит ключ `public`, то `Meteor.settings.public` будет " +
-          "доступен как на сервере, так и на клиенте. Все остальные ключи " +
-          "будут доступны только на сервере."]
+  descr: ["`Meteor.settings` содержит настройки приложения. Их можно указать, " +
+          "передав опцию `--settings` (содержащую путь к JSON-файлу) " +
+          "команде `meteor run` или `meteor deploy`. При запуске приложения " +
+          "напрямую (например, из пакета), эти настройки необходимо указать " +
+          "в переменной среды `METEOR_SETTINGS` в виде JSON-строки." +
+          "Если вы не укажите никаких настроек, то `Meteor.settings` будет " +
+          "пустым объектом. Если объект содержит ключ `public`, то " +
+          "`Meteor.settings.public` будет доступен как на сервере, так и на" +
+          "клиенте. Все остальные ключи будут доступны только на сервере."]
 };
 
 Template.api.release = {
@@ -1161,6 +1162,11 @@ Template.api.accounts_config = {
       name: "loginExpirationInDays",
       type: "Number",
       descr: "Количество дней после логина пользователя, спустя которое его токен будет инвалидирован и он будет разлогинен. По-умолчанию равняется 90. Укажите `null`, чтобы отключить срок действия логина."
+    },
+    {
+      name: "oauthSecretKey",
+      type: "String",
+      descr: "При использовании пакета `oauth-encryption` здесь указывается 16-ти байтовый ключ, необходимый для зашифровки конфиденциальных учетных данных, хранящихся в БД. Эту опция может быть указана только на сервере. Подробнее об этом можно узнать в файле packages/oauth-encryption/README.md."
     }
   ]
 };
@@ -1681,7 +1687,7 @@ Template.api.httpcall = {
   args: [
     {name: "method",
      type: "String",
-     descr: 'The HTTP method to use: "`GET`", "`POST`", "`PUT`", or "`DELETE`".'},
+     descr: 'The [HTTP method](http://en.wikipedia.org/wiki/HTTP_method) to use, such as "`GET`", "`POST`", or "`HEAD`".'},
     {name: "url",
      type: "String",
      descr: 'The URL to retrieve.'},
@@ -1716,7 +1722,7 @@ Template.api.httpcall = {
      descr: "Maximum time in milliseconds to wait for the request before failing.  There is no timeout by default."},
     {name: "followRedirects",
      type: "Boolean",
-     descr: "If true, transparently follow HTTP redirects.  Cannot be set to false on the client."}
+     descr: "If `true`, transparently follow HTTP redirects. Cannot be set to `false` on the client. Default `true`."}
   ]
 };
 

docs/client/concepts.html

@@ -736,7 +736,7 @@ <h3 class="nosection">Выкладка на собственные сервер
 
 Она создаст полноценное приложение на Node.js в виде архива (tarball). Для
 запуска этого приложения вам потребуется Node.js 0.10 и сервер MongoDB.
-(Текущая версия Meteor была протестирована под Node 0.10.25; предыдущие 
+(Текущая версия Meteor была протестирована под Node 0.10.26; предыдущие 
 версии содержат серьезный баг, который может привести к зависанию боевых 
 серверов). После этого вы можете запустить приложение с помощью node, указав
 HTTP-порт и URI доступа к MongoDB. Если у вас еще нет сервера MongoDB,