Merge develop back into ewi

.github/workflows/tests.yml

@@ -0,0 +1,94 @@
+name: Django Tests
+
+on:
+  pull_request:
+    branches: [ develop ]
+  push:
+    branches: [ develop ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    services:
+      mysql:
+        image: mysql:8.0
+        env:
+          MYSQL_DATABASE: badgr
+          MYSQL_USER: badgr
+          MYSQL_PASSWORD: badgr
+          MYSQL_ROOT_PASSWORD: root
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mysqladmin ping -h localhost"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
+
+      memcached:
+        image: memcached:1.6
+        ports:
+          - 11211:11211
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Wait for MySQL
+        run: |
+          until mysqladmin ping -h "127.0.0.1" --silent; do
+            echo "Waiting for MySQL..."
+            sleep 2
+          done
+
+      - name: Grant MySQL test database privileges
+        run: |
+          mysql -h 127.0.0.1 -u root -proot <<'EOF'
+          GRANT ALL PRIVILEGES ON test_badgr.* TO 'badgr'@'%';
+          FLUSH PRIVILEGES;
+          EOF
+
+      - name: Run Django tests
+        env:
+          DJANGO_SETTINGS_MODULE: apps.mainsite.settings_tests
+          DOMAIN: 0.0.0.0:8000
+          DEFAULT_DOMAIN: http://0.0.0.0:8000
+          SITE_ID: "1"
+          ACCOUNT_SALT: test
+          ROOT_INFO_SECRET_KEY: test
+          UNSUBSCRIBE_SECRET_KEY: test
+          EXTENSIONS_ROOT_URL: http://localhost/static
+          TIME_STAMPED_OPEN_BADGES_BASE_URL: http://localhost/
+          UI_URL: http://localhost:8080
+          DEFAULT_FROM_EMAIL: test@example.com
+          EMAIL_BACKEND: django.core.mail.backends.locmem.EmailBackend
+          EMAIL_HOST: localhost
+          EMAIL_PORT: "1025"
+          EMAIL_USE_TLS: "0"
+          BADGR_DB_HOST: 127.0.0.1
+          BADGR_DB_PORT: "3306"
+          BADGR_DB_NAME: badgr
+          BADGR_DB_USER: badgr
+          BADGR_DB_PASSWORD: badgr
+          DISABLE_EXTENSION_VALIDATION: "true"
+          EDUID_PROVIDER_URL: https://connect.test.surfconext.nl/oidc
+          EDUID_REGISTRATION_URL: https://login.test.eduid.nl/register
+          EDU_ID_CLIENT: edubadges
+          EDU_ID_SECRET: supersecret
+          SURF_CONEXT_CLIENT: test.edubadges.nl
+          SURF_CONEXT_SECRET: supersecret
+          OIDC_RS_ENTITY_ID: test.edubadges.rs.nl
+          OIDC_RS_SECRET: supersecret
+        run: |
+          python manage.py test --noinput

.github/workflows/trivy.yml

@@ -0,0 +1,45 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+  push:
+    branches: [ "develop" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop" ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          version: 'v0.69.2'
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: 'trivy-results.sarif'
+

.gitignore

@@ -55,3 +55,8 @@ pyrightconfig.json
 start.fish
 sourceandcharm.sh
 .serena
+.zed
+
+# secrets
+/secrets
+!/secrets/.keep

CHANGELOG.md

@@ -5,6 +5,144 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [8.4.1] - 2026-02-05
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.4...v8.4.1</br>
+
+- Merge branch 'develop'
+- Merge pull request #261 from edubadges/feature/add-terms-to-direct-award-endpoint
+- Add required terms to direct award detail view
+- Merge pull request #258 from edubadges/feature/populate-institution-email
+- Merge pull request #260 from edubadges/bugfix/fix-institution-mobile-endpoint-filtering
+- Flip filtering logic around to make query faster
+- Merge pull request #259 from edubadges/bugfix/institution-mobile-endpoint-use-correct-related-name
+- Use correct related name for badgeclass issuer FK
+- Add datamigration to populate institution email
+- Merge pull request #257 from edubadges/dependabot/pip/django-4.2.28
+- Bump django from 4.2.27 to 4.2.28
+- Merge pull request #255 from edubadges/feature/add-mobile-institution-api-endpoint
+- Add mobile institution api endpoint
+- Merge pull request #256 from edubadges/feature/add-mobile-api-endpoint-for-badge-class-detail
+- Add mobile api endpoint for badge class detail
+- Merge pull request #254 from edubadges/feature/add-terms-to-mobile-catalog
+- Add boolean for whether user has accepted the terms
+- Add terms to catalog badge class serializer
+- Added endpoint to make a badge instance public
+- Merge pull request #253 from edubadges/bugfix/fix-entity-id-for-direct-award
+- Use entity id for direct awards
+- Merge pull request #252 from edubadges/bugfix/fix-creation-of-audit-trail-objects-in-signal
+- Merge pull request #251 from edubadges/feature/update-filters-for-mobile-api-catalog-endpoint
+- Find direct award and badgeclass on id and not entity_id
+- Added grade_achieved in the BadgeInstanceDetailSerializer
+- Remove q filter and replace is_micro with institution_type filter
+- Updated CHANGELOG for release 8.4
+- Updated CHANGELOG for 8.3.3 release
+- Merge pull request #250 from edubadges/bugfix/fix-swagger-ui-for-filterable-fields
+- Add filter backend globally and locally
+- Annotate correct related objects (badgeinstances) #2
+- Annotate correct related objects
+- Remove source from terms_agreed
+- Merge pull request #249 from edubadges/feature/mobile-profile-add-extra-metadata
+- Add registration and consent data to user profile
+- Replace profile api view with custom one for mobile api
+- Merge pull request #248 from edubadges/feature/mobile-catalog-endpoint-with-filtering-and-pagination
+- Add schema example
+- Add filter class so endpoint can be filtered with query params
+- Add catalog list view with pagination
+- Merge pull request #247 from edubadges/improve_mobile_api_swagger
+- Prefetch related badge instances to minimize queries
+- Use slug related field instead of serializer method field
+- fix: have badge instance PUT method only allow acceptance and public field
+- fix: use for badge-instances/entity_id path one view (BadgeInstanceDetail) and add logic to support PUT method in BadgeInstanceDetail
+- chore: improved the swagger doc by adding full models of badge instances, direct award, and collections
+- fix: return entity_id's instead of id's of badgeinstances within collections
+- fix: mobile API auth to return 401 instead of 403
+- Adding .zed to gitignore
+- Feat: improve mobile api swagger, initial commit
+- Added badge_class_type in mobile API
+- Merge pull request #244 from edubadges/bugfix/fix-audittrail-errors
+- Add a one-off management command to backfill badgeclass ids
+- Select related institution through issuer and faculty
+- Fix migration to filter on actual ids
+- Merge pull request #243 from edubadges/feature/improve-performance-of-direct-award-audit-trail-endpoint
+- Update audit trail signal receiver to set fk relations properly
+- Improve performance with select_related and extra filter
+- Refactor audit trail api view into a ListAPIView
+- Refactor charfields to foreign key relationships
+- Added stackable to the badgeclass serializer
+- Added grade_achieved to mobile seerializer
+- Updated CHANGELOG for release 8.4
+- Merge pull request #242 from edubadges/feature/add-linkedin-url-to-mobile-badgeinstance-api-endpoint
+- Retrieve faculty directly fro badgeclass issuer
+- Add linkedin_url field to badge instance detail serializer
+
+## [8.4] - 2026-01-14
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.3...v8.4</br>
+
+- Merge pull request #239 from edubadges/dependabot/pip/urllib3-2.6.3
+- Merge pull request #241 from edubadges/chore/run-django-tests-in-ci-cd
+- Update import of urllib
+- Bump urllib3 from 1.26.19 to 2.6.3
+- Grant privileges to test db user
+- Add workflow to run django tests
+- Merge pull request #240 from edubadges/chore/fix-tests
+- Fix tests for removed constraint for badgeclass
+- Fix request data that was no valid json
+- Add required badgeclass type to request data
+- Disable extension validation in tests
+- Fix assertion for showing archived badges in issuer response
+- Fix urls and expected response code in institution test
+- Remove edit directaward functionality from tests
+- Assert correct type
+- Fix staff permission in test to show issuers
+- Fix broken test helpers for enrollment setup
+- Disable auth signals and logging in tests
+- Add dedicated settings for testing
+- Suppress cssutils CSS validation errors in test environment
+- Fix naive datetime defaults in legacy migrations
+- Remove setlocale usage and localize email dates in templates
+- Fix for MA7QDbnn Added expiration date based on the badgeclass when a user claims a DA See https://trello.com/c/MA7QDbnn/1143-vervallen-edubadge-werkt-niet
+- WIP for https://trello.com/c/tsJHRy6A/ After the user is created, the correct staffs can be added as super-user
+- Added delete account endpoint for mobile API https://trello.com/c/WYW0JiGA/1105-changes-needed-for-making-apis-mobile-app-ready
+- Merge pull request #226 from edubadges/feature/remove-imported-badge-functionality
+- Fixes remove-imported-badge-functionality See https://trello.com/c/W4o0VLeC/1132-remove-imported-badge-functionality
+- Not needed anymore to increase MAX_URL_LENGTH as Django 4.2.27 fixes this.
+- Merge pull request #220 from edubadges/dependabot/pip/django-4.2.27
+- Ignore .serena directory
+- DA audit traiL: action instead of method
+- Filter DA audit trail with method CREATE
+- Merge pull request #224 from edubadges/feature/da_audittrail_view
+- feat: adding direct award audit trail API used by super users
+- Bump django from 4.2.26 to 4.2.27
+- Updated CHANGELOG for 8.3.3 release
+
+## [8.3.3] - 2025-12-02
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.2...v8.3.3</br>
+
+- Update to Django 4.2.26
+- Updating swagger annotations
+- Remove referer header requirement from auth provider views
+- Merge pull request #215 from edubadges/feature/reduce_error_logs
+- Only allow for super-users to perform impersonation
+- Added extra logging to MobileAPIAuthentication
+- Slug fields were removed in 2020 from all models
+- Catch TypeError when trying to load JSON from imported badge
+- Adding DIRS var to TEMPLATES object
+- Return 404 in case badgr app is none
+- Added is_authenticated checks
+- Increase MAX_URL_LENGTH even more, to 16384
+- Increased MAX_URL_LENGTH times 4 to be able to exceed 2048 chars which is to low for our use-cases
+- Quick fix for Unsafe redirect exceeding 2048 characters
+- Do not use SIS authentication for mobile flow
+
 ## [8.3.2] - 2025-11-14
 
 #### Full GitHub changelogs:

Dockerfile

@@ -20,6 +20,7 @@ COPY . /app
 # Set execute permissions on entrypoint script
 RUN chmod +x /app/docker/entrypoint.sh
 
+RUN pip install --upgrade pip setuptools wheel
 # Install any needed packages specified in requirements.txt
 RUN pip install --no-cache-dir -r requirements.txt
 

apps/badgeuser/migrations/0068_auto_20200820_1138.py

@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
+from django.utils import timezone
 
 
 class Migration(migrations.Migration):
@@ -16,7 +17,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='termsagreement',
             name='created_at',
-            field=models.DateTimeField(default=datetime.datetime.now),
+            field=models.DateTimeField(default=timezone.now),
         ),
         migrations.AddField(
             model_name='termsagreement',
@@ -26,7 +27,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='termsagreement',
             name='updated_at',
-            field=models.DateTimeField(default=datetime.datetime.now),
+            field=models.DateTimeField(default=timezone.now),
         ),
         migrations.AddField(
             model_name='termsagreement',

apps/badgeuser/migrations/0079_delete_importbadgeallowedurl.py

@@ -0,0 +1,16 @@
+# Generated by Django 4.2.28 on 2026-02-05 15:10
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('badgeuser', '0078_importbadgeallowedurl'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='ImportBadgeAllowedUrl',
+        ),
+    ]

apps/badgeuser/migrations/0080_termsagreement_agreed_at.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.28 on 2026-02-09 10:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('badgeuser', '0079_delete_importbadgeallowedurl'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='termsagreement',
+            name='agreed_at',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+    ]

apps/badgeuser/migrations/0081_populate_termsagreement_agreed_add.py

@@ -0,0 +1,23 @@
+# Generated by Django 4.2.28 on 2026-02-09 10:06
+
+from django.db import migrations
+from django.db.models import F
+
+
+def populate_termsagreement_agreed_add(apps, schema_editor):
+    TermsAgreement = apps.get_model('badgeuser', 'TermsAgreement')
+    TermsAgreement.objects.filter(
+        agreed=True,
+        agreed_at__isnull=True
+    ).update(agreed_at=F("updated_at"))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('badgeuser', '0080_termsagreement_agreed_at'),
+    ]
+
+    operations = [
+        migrations.RunPython(populate_termsagreement_agreed_add, migrations.RunPython.noop),
+    ]