From 0bb6f5215d7a8cd6ca050d5d8cdf49ee28137a55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Mon, 12 Sep 2016 09:25:34 +0200
Subject: [PATCH 1/5] "prerelease" key might not be in check if tracking stable
 releases

---
 src/octoprint/plugins/softwareupdate/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/octoprint/plugins/softwareupdate/__init__.py b/src/octoprint/plugins/softwareupdate/__init__.py
index a503f832..f391ad72 100644
--- a/src/octoprint/plugins/softwareupdate/__init__.py
+++ b/src/octoprint/plugins/softwareupdate/__init__.py
@@ -778,7 +778,7 @@ class SoftwareUpdatePlugin(octoprint.plugin.BlueprintPlugin,
 						# if we are using the update_script, we need to set our update_branch and force
 						# to install the exact version we requested
 
-						if check["prerelease"]:
+						if check.get("prerelease", None):
 							# we are tracking prereleases => we want to be on the correct prerelease channel/branch
 							channel = check.get("prerelease_channel", None)
 							if channel:

From 8b99c89acf9487b0e2513219c93f6886e240c99f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Mon, 12 Sep 2016 11:32:15 +0200
Subject: [PATCH 2/5] Return 400 Bad Request if a multipart request lacks the
 boundary

It's mandatory according to RFC2046, section 5.1

See also #1486
---
 src/octoprint/server/util/tornado.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/octoprint/server/util/tornado.py b/src/octoprint/server/util/tornado.py
index ed9aca2d..c167a75f 100644
--- a/src/octoprint/server/util/tornado.py
+++ b/src/octoprint/server/util/tornado.py
@@ -145,6 +145,9 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 			if suffix_type in self._suffixes and suffix is not None:
 				self._suffixes[suffix_type] = suffix
 
+		# multipart boundary
+		self._multipart_boundary = None
+
 		# Parts, files and values will be stored here
 		self._parts = dict()
 		self._files = []
@@ -181,7 +184,7 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 			if self.is_multipart():
 				if not self._bytes_left:
 					# we don't support requests without a content-length
-					raise tornado.web.HTTPError(400, reason="No Content-Length supplied")
+					raise tornado.web.HTTPError(400, log_message="No Content-Length supplied")
 
 				# extract the multipart boundary
 				fields = self._content_type.split(";")
@@ -194,7 +197,14 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 							self._multipart_boundary = tornado.escape.utf8(v)
 						break
 				else:
-					self._multipart_boundary = None
+					# RFC2046 section 5.1 (as referred to from RFC 7578) defines the boundary
+					# parameter as mandatory for multipart requests:
+					#
+					#     The only mandatory global parameter for the "multipart" media type is
+					#     the boundary parameter, which consists of 1 to 70 characters [...]
+					#
+					# So no boundary? 400 Bad Request
+					raise tornado.web.HTTPError(400, log_message="No multipart boundary supplied")
 		else:
 			self._fallback(self.request, b"")
 			self._finished = True

From 0167015b4670a37612a9965bb9d989f96c3e0d31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Mon, 12 Sep 2016 12:28:07 +0200
Subject: [PATCH 3/5] Fix generate/delete API key functionality in user
 settings

Closes #1491
---
 .../static/js/app/viewmodels/usersettings.js       | 14 ++++++++++++++
 .../templates/dialogs/usersettings/access.jinja2   |  4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/octoprint/static/js/app/viewmodels/usersettings.js b/src/octoprint/static/js/app/viewmodels/usersettings.js
index 68a5f369..9bd9bad4 100644
--- a/src/octoprint/static/js/app/viewmodels/usersettings.js
+++ b/src/octoprint/static/js/app/viewmodels/usersettings.js
@@ -68,6 +68,20 @@ $(function() {
             });
         };
 
+        self.generateApikey = function() {
+            if (!CONFIG_ACCESS_CONTROL) return;
+            self.users.generateApikey(self.currentUser().name, function(response) {
+                self.access_apikey(response.apikey);
+            });
+        };
+
+        self.deleteApikey = function() {
+            if (!CONFIG_ACCESS_CONTROL) return;
+            self.users.deleteApikey(self.currentUser().name, function() {
+                self.access_apikey(undefined);
+            });
+        };
+
         self.updateSettings = function(username, settings, callback) {
             if (!CONFIG_ACCESS_CONTROL) return;
 
diff --git a/src/octoprint/templates/dialogs/usersettings/access.jinja2 b/src/octoprint/templates/dialogs/usersettings/access.jinja2
index 38788c9e..6cb7e2f9 100644
--- a/src/octoprint/templates/dialogs/usersettings/access.jinja2
+++ b/src/octoprint/templates/dialogs/usersettings/access.jinja2
@@ -25,8 +25,8 @@
             <div class="controls">
                 <div class="input-append">
                     <input type="text" class="input-block-level uneditable-input" id="userSettings-access_apikey" data-bind="value: access_apikey, valueUpdate: 'input', attr: {placeholder: '{{ _('N/A') }}'}">
-                    <a class="btn" title="Generate new Apikey" data-bind="click: function() { users.confirmGenerateApikey(); }"><i class="icon-refresh"></i></a>
-                    <a class="btn btn-danger" title="Delete Apikey" data-bind="click: function() { users.confirmDeleteApikey(); }"><i class="icon-trash"></i></a>
+                    <a class="btn" title="Generate new Apikey" data-bind="click: generateApikey"><i class="icon-refresh"></i></a>
+                    <a class="btn btn-danger" title="Delete Apikey" data-bind="click: deleteApikey"><i class="icon-trash"></i></a>
                 </div>
 
             </div>

From 2fc86e095f2d29b0bd86f6e22244423474ca5055 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Mon, 12 Sep 2016 12:49:04 +0200
Subject: [PATCH 4/5] 1.2.16rc1 was actually pushed out on 2016-09-09, not -08

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33a55f01..b80ed419 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # OctoPrint Changelog
 
-## 1.2.16rc1 (2016-09-08)
+## 1.2.16rc1 (2016-09-09)
 
 ### Improvements
 

From 26fb208f4845229339a6f2f4bd48d684db9cb462 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Fri, 16 Sep 2016 12:54:48 +0200
Subject: [PATCH 5/5] Preparing release of 1.2.16rc2

---
 CHANGELOG.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b80ed419..3039cb41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # OctoPrint Changelog
 
+## 1.2.16rc2 (2016-09-16)
+
+### Improvements
+
+  * Return a "400 Bad Request" instead of a "500 Internal Server Error" if a `multipart/form-data` request (e.g. a file upload) is sent which lacks the `boundary` field.
+
+### Bug Fixes
+
+  * [#1491](https://github.com/foosel/OctoPrint/issues/1491): Fixed generate/delete API key in the user settings
+  * [#1492](https://github.com/foosel/OctoPrint/issues/1492): Fixed a bug in the software update plugin depending on the presence of the ``prerelease`` flag which is only present when added manually or using a non stable release channel.
+
+([Commits](https://github.com/foosel/OctoPrint/compare/1.2.16rc1...1.2.16rc2))
+
 ## 1.2.16rc1 (2016-09-09)
 
 ### Improvements