Update

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.1.2
+current_version = 4.0.1
 commit = True
 tag = True
 

.github/workflows/check-codestyle.yml

@@ -13,10 +13,10 @@ jobs:
     steps:
     - uses: actions/checkout@v2
 
-    - name: Set up Python 3.9
+    - name: Set up Python 3.13
       uses: actions/setup-python@v2
       with:
-        python-version: 3.9
+        python-version: 3.13
 
     - name: Install dependencies via apt
       run: |

.gitignore

@@ -12,6 +12,9 @@ Session.vim
 # PyCharm
 .idea
 
+# macOS
+.DS_Store
+
 # python/django
 *.pyc
 *.pyo

.pre-commit-config.yaml

@@ -2,14 +2,14 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.2.0
+  rev: v4.4.0
   hooks:
   - id: trailing-whitespace
   - id: end-of-file-fixer
   - id: check-yaml
   - id: check-added-large-files
 - repo: https://github.com/psf/black
-  rev: 22.3.0
+  rev: 23.7.0
   hooks:
   - id: black
 - repo: local

CONTRIBUTORS

@@ -1,3 +1,6 @@
+Konrad Gößmann
+Dominik Rimpf
+franztv82
 Johannes Walcher
 Johannes Ostner
 Sebastian Faul

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye
+FROM debian:trixie
 
 ARG CONTAINER_VERSION="unknown"
 
@@ -9,14 +9,15 @@ ENV HELFERTOOL_CONFIG_FILE="/config/helfertool.yaml"
 RUN apt-get update && apt-get full-upgrade -y && \
     apt-get install --no-install-recommends -y \
         supervisor nginx rsyslog pwgen curl \
-        python3 python3-pip python3-dev uwsgi uwsgi-plugin-python3 \
-        build-essential libldap2-dev libsasl2-dev libmariadb-dev libmagic1 \
+        python3 python3-venv python3-dev uwsgi uwsgi-plugin-python3 \
+        build-essential pkg-config ldap-utils libldap2-dev libsasl2-dev libmariadb-dev libpq-dev libmagic1 \
         texlive-latex-extra texlive-plain-generic texlive-fonts-recommended texlive-lang-german && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /usr/share/doc/* && \
     # add user, some directories and set file permissions
     useradd --shell /bin/bash --home-dir /helfertool --create-home helfertool --uid 10001 && \
     mkdir -p /config /data /log /helfertool/run && \
+    chmod 0755 /helfertool/ && \
     chmod -R 0777 /helfertool/run && \
     # nginx always writes to /var/log/nginx/error.log before reading the config
     # so we redirect it to a writable location
@@ -34,13 +35,13 @@ COPY deployment/container/healthcheck.sh /usr/local/bin/healthcheck
 RUN echo $CONTAINER_VERSION > /helfertool/container_version && \
     # install python libs
     cd /helfertool/src/ && \
-    pip3 install -U pip && \
-    pip3 install -r requirements.txt -r requirements_prod.txt && \
+    python3 -m venv /helfertool/venv/ && \
+    /helfertool/venv/bin/pip install wheel -r requirements.txt -r requirements_prod.txt && \
     rm -rf /root/.cache/pip/ && \
     # generate compressed CSS/JS files
-    HELFERTOOL_CONFIG_FILE=/dev/null python3 manage.py compress --force && \
+    HELFERTOOL_CONFIG_FILE=/dev/null /helfertool/venv/bin/python manage.py compress --force && \
     # copy static files
-    HELFERTOOL_CONFIG_FILE=/dev/null python3 manage.py collectstatic --noinput && \
+    HELFERTOOL_CONFIG_FILE=/dev/null /helfertool/venv/bin/python manage.py collectstatic --noinput && \
     chmod -R go+rX /helfertool/static && \
     # fix permissions
     chmod +x /usr/local/bin/helfertool /usr/local/bin/healthcheck

README.md

@@ -26,7 +26,7 @@ Please feel free to create issues here in Github!
 
 # License
 
-Copyright (C) 2015-2022  Sven Hertle and contributors
+Copyright (C) 2015-2026  Sven Hertle and contributors
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as

deployment/container/etc/nginx.conf

@@ -50,6 +50,8 @@ http {
             uwsgi_pass django;
             include /etc/nginx/uwsgi_params;
 
+            client_max_body_size 50M;
+
             # CSP is set here, not in django
             add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'";
         }

deployment/container/etc/supervisord.conf

@@ -42,7 +42,7 @@ stderr_logfile_backups=2
 priority=10
 
 [program:celery]
-command=celery -A helfertool worker -c %(ENV_HELFERTOOL_TASK_WORKERS)s --pidfile=/helfertool/run/celery.pid
+command=/helfertool/venv/bin/celery -A helfertool worker -c %(ENV_HELFERTOOL_TASK_WORKERS)s --pidfile=/helfertool/run/celery.pid
 directory=/helfertool/src
 autostart=true
 autorestart=true
@@ -53,7 +53,7 @@ stderr_logfile_backups=2
 priority=20
 
 [program:celerybeat]
-command=celery -A helfertool beat --schedule=/data/tmp/celerybeat-schedule --pidfile=/helfertool/run/celerybeat.pid
+command=/helfertool/venv/bin/celery -A helfertool beat --schedule=/data/tmp/celerybeat-schedule --pidfile=/helfertool/run/celerybeat.pid
 directory=/helfertool/src
 autostart=true
 autorestart=true

deployment/container/etc/uwsgi.conf

@@ -1,7 +1,8 @@
 [uwsgi]
-plugin          = python39
+plugin          = python313
 
 chdir           = /helfertool/src
+venv            = /helfertool/venv
 wsgi-file       = /helfertool/src/helfertool/wsgi.py
 
 socket          = /helfertool/run/uwsgi.sock

deployment/container/healthcheck.sh

@@ -12,7 +12,7 @@ die () {
 
 # check webserver (with a host header that is allowed)
 cd /helfertool/src
-host="$(python3 manage.py shell -c "from django.conf import settings ; print(settings.ALLOWED_HOSTS[0] if settings.ALLOWED_HOSTS else '')")"
+host="$(/helfertool/venv/bin/python manage.py shell -c "from django.conf import settings ; print(settings.ALLOWED_HOSTS[0] if settings.ALLOWED_HOSTS else '')")"
 curl --fail --silent --output /dev/null -H "Host: $host" http://localhost:8000 || die "Error on HTTP query"
 
 # check supervisord

deployment/container/helfertool.sh

@@ -34,7 +34,7 @@ mkdir -p /data/media /data/tmp /helfertool/run/tmp
 # command: init
 if [ "$1" = "init" ] ; then
     # initialise database with default settings
-    python3 manage.py loaddata toolsettings
+    /helfertool/venv/bin/python manage.py loaddata toolsettings
 
 # command: reload
 elif [ "$1" = "reload" ] ; then
@@ -54,7 +54,7 @@ elif [ "$1" = "postrotate" ] ; then
 # command: manage
 elif [ "$1" = "manage" ] ; then
     shift
-    python3 manage.py $@
+    /helfertool/venv/bin/python manage.py $@
 
 # command: run
 elif [ "$1" = "run" ] ; then
@@ -82,8 +82,8 @@ elif [ "$1" = "run" ] ; then
     sed "s/will_be_replaced/$(pwgen 40 1)/g" /helfertool/etc/supervisord.conf > /helfertool/run/supervisord.conf
 
     # run migrations and go
-    python3 manage.py migrate --noinput
-    python3 manage.py createcachetable
+    /helfertool/venv/bin/python manage.py migrate --noinput
+    /helfertool/venv/bin/python manage.py createcachetable
     exec supervisord --nodaemon --configuration /helfertool/run/supervisord.conf
 
 # help message

scripts/container.sh

@@ -63,8 +63,9 @@ set -u
 # command: build
 if [ "$action" = "build" ] ; then
     # build without cache and with updated base image
-    container_version="$(date --utc --iso-8601=seconds)"
+    container_version="$(date -u -Iseconds)"
     podman build --no-cache --pull \
+        --arch=amd64 \
         --build-arg CONTAINER_VERSION="$container_version" \
         --format docker \
         -t "$container_name:$container_tag" .
@@ -73,6 +74,7 @@ if [ "$action" = "build" ] ; then
 elif [ "$action" = "fastbuild" ] ; then
     # build with cache, as fast as possible
     podman build \
+        --arch=amd64 \
         --build-arg CONTAINER_VERSION="fastbuild" \
         --format docker \
         -t "$container_name:$container_tag" .

src/account/forms/__init__.py

@@ -1,3 +1,4 @@
 from .account import CreateUserForm, EditUserForm, DeleteUserForm, MergeUserForm
 from .agreement import AgreementForm, UserAgreementForm
 from .delete import DeleteForm
+from .password_reset import CustomPasswordResetForm, CustomSetPasswordForm

src/account/forms/account.py

@@ -3,7 +3,8 @@
 from django.contrib.auth import get_user_model
 from django.contrib.auth.forms import UserCreationForm
 from django.contrib.auth.models import Group
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
+from django.views.decorators.debug import sensitive_variables
 
 from django_select2.forms import Select2Widget
 
@@ -15,6 +16,7 @@
 
 from ..templatetags.globalpermissions import has_adduser_group, has_addevent_group, has_sendnews_group
 
+import secrets
 import logging
 
 logger = logging.getLogger("helfertool.account")
@@ -88,18 +90,44 @@ class Meta:
             ),
         }
 
+    no_password = forms.BooleanField(
+        label=_("Do not set password now"),
+        help_text=_("The user is notified via email and can set the password (via the password reset)"),
+        required=False,
+    )
+
     def __init__(self, *args, **kwargs):
         super(CreateUserForm, self).__init__(*args, **kwargs)
 
+        # compared to the django default, we need some data
         for f in ("email", "first_name", "last_name"):
             self.fields[f].required = True
 
+        # if no_password is set, the password is not required, see clean() for more validation
+        for f in ("password1", "password2"):
+            self.fields[f].required = False
+
+        self.fields["no_password"].widget.attrs["onChange"] = "handle_password()"
+
+    @sensitive_variables("password")
     def clean(self):
         # add LOCAL_USER_CHAR to the beginning
         char = settings.LOCAL_USER_CHAR
         if char and not self.cleaned_data.get("username").startswith(char):
             self.cleaned_data["username"] = char + self.cleaned_data.get("username")
 
+        # if no_password is set, set a randomly generated password
+        # otherwise, check if password is set
+        if self.cleaned_data["no_password"]:
+            password = secrets.token_urlsafe(100)
+            self.cleaned_data["password1"] = password
+            self.cleaned_data["password2"] = password
+        else:
+            if not self.cleaned_data["password1"]:
+                self.add_error("password1", _("Password is required"))
+            if not self.cleaned_data["password2"]:
+                self.add_error("password2", _("Password is required"))
+
         return super(CreateUserForm, self).clean()
 
 
@@ -113,9 +141,15 @@ def __init__(self, *args, **kwargs):
 
         super(EditUserForm, self).__init__(*args, **kwargs)
 
-        # set required fields
+        # set attributes for name/email fields
+        # if user is local, the fields are required
+        # if users is from external idp, the fields cannot be changed
         for f in ("first_name", "last_name", "email"):
-            self.fields[f].required = True
+            if self.instance.has_usable_password():
+                self.fields[f].required = True
+            else:
+                self.fields[f].help_text = _("Managed by external identity provider")
+                self.fields[f].disabled = True
 
         # adjust labels of active and superuser flags
         self._active_initial = self.instance.is_active

src/account/forms/agreement.py

@@ -1,8 +1,6 @@
 from django import forms
 from django.conf import settings
-from django.utils.translation import ugettext_lazy as _
-
-from ckeditor.widgets import CKEditorWidget
+from django.utils.translation import gettext_lazy as _
 
 from helfertool.forms import DatePicker
 
@@ -20,13 +18,6 @@ class Meta:
             "end": DatePicker,
         }
 
-        # According to the documentation django-modeltranslations copies the
-        # widget from the original field.
-        # But when setting BLEACH_DEFAULT_WIDGET this does not happen.
-        # Therefore set it manually...
-        for lang, name in settings.LANGUAGES:
-            widgets["text_{}".format(lang)] = CKEditorWidget()
-
     def __init__(self, *args, **kwargs):
         super(AgreementForm, self).__init__(*args, **kwargs)
 

src/account/forms/password_reset.py

@@ -0,0 +1,75 @@
+from django.conf import settings
+from django.contrib.auth.forms import PasswordResetForm, SetPasswordForm
+from django.core.mail import EmailMessage
+from django.template.loader import get_template
+
+from axes.helpers import get_client_ip_address
+
+from captcha.fields import CaptchaField
+from helfertool.forms import CustomCaptchaTextInput
+
+import logging
+
+logger = logging.getLogger("helfertool.account")
+
+
+class CustomPasswordResetForm(PasswordResetForm):
+    def __init__(self, *args, **kwargs):
+        super(CustomPasswordResetForm, self).__init__(*args, **kwargs)
+
+        if not settings.CAPTCHAS_PASSWORD_RESET:
+            self.fields.pop("captcha")
+
+    def save(self, *args, **kwargs):
+        super(CustomPasswordResetForm, self).save(*args, **kwargs)
+
+        # log password reset attempt
+        email = self.cleaned_data["email"]
+        ip_address = get_client_ip_address(kwargs.get("request"))
+        logger.info(
+            "password resetattempt",
+            extra={
+                "email": email,
+                "ip": ip_address,
+            },
+        )
+
+    captcha = CaptchaField(widget=CustomCaptchaTextInput)
+
+
+class CustomSetPasswordForm(SetPasswordForm):
+    def save(self, commit=True):
+        user = super(CustomSetPasswordForm, self).save(commit)
+
+        # log password reset
+        logger.info(
+            "password reset",
+            extra={
+                "changed_user": user.username,
+            },
+        )
+
+        # sent confirmation mail to user
+        context = {
+            "firstname": user.first_name,
+            "page_title": settings.PAGE_TITLE,
+            "contact_mail": settings.CONTACT_MAIL,
+        }
+        subject_template = get_template("account/password_reset/completed_mail_subject.txt")
+        subject = subject_template.render(context).strip()
+
+        text_template = get_template("account/password_reset/completed_mail.txt")
+        text = text_template.render(context)
+
+        # sent it and handle errors
+        mail = EmailMessage(
+            subject,
+            text,
+            settings.EMAIL_SENDER_ADDRESS,
+            [user.email],  # to
+            reply_to=[settings.EMAIL_SENDER_ADDRESS],
+        )
+
+        mail.send(fail_silently=True)
+
+        return user