Update `CHANGELOG.md` with the changes so far (#4393)

CHANGELOG.md

@@ -1,5 +1,37 @@
 # Develop -- TODO Change to 1.8.x.
-* ...
+### Compatibility-breaking changes
+* Authorization failures now return 403 by default instead of 401
+* The `authorize` hook is now only called after successful
+  authentication. Use the new `preAuthorize` hook if you need to bypass
+  authentication
+* The `authFailure` hook is deprecated; use the new
+  `authnFailure` and `authzFailure` hooks instead
+* The format of `ENTER`, `CREATE`, and `LEAVE` log messages has changed
+### Notable new features
+* Users can now import without creating and editing the pad first
+* Added a new `readOnly` user setting that makes it possible to create users in
+  `settings.json` that can read pads but not create or modify them
+* Added a new `canCreate` user setting that makes it possible to create users in
+  `settings.json` that can modify pads but not create them
+* The `authorize` hook now accepts `readOnly` to grant read-only access to a pad
+* The `authorize` hook now accepts `modify` to grant modify-only (creation
+  prohibited) access to a pad
+* All authentication successes and failures are now logged
+* Added a new `cookie.sameSite` setting that makes it possible to enable
+  authentication when Etherpad is embedded in an iframe from another site
+### Notable fixes
+* Fixed rate limit accounting when Etherpad is behind a reverse proxy
+* Fixed typos that prevented access to pads via an HTTP API session
+* Fixed authorization failures for pad URLs containing a percent-encoded
+  character
+* Fixed exporting of read-only pads
+### Minor changes
+* Temporary disconnections no longer force a full page refresh
+* Toolbar layout for narrow screens is improved
+* Fixed `SameSite` cookie attribute for the `language`,
+  `token`, and `pref` cookies
+* Fixed superfluous database accesses when deleting a pad
+* Expanded test coverage.
 
 # 1.8.6
 * IMPORTANT: This fixes a severe problem with postgresql in 1.8.5