Merge develop back into ewi

.github/workflows/tests.yml

@@ -0,0 +1,94 @@
+name: Django Tests
+
+on:
+  pull_request:
+    branches: [ develop ]
+  push:
+    branches: [ develop ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    services:
+      mysql:
+        image: mysql:8.0
+        env:
+          MYSQL_DATABASE: badgr
+          MYSQL_USER: badgr
+          MYSQL_PASSWORD: badgr
+          MYSQL_ROOT_PASSWORD: root
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mysqladmin ping -h localhost"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
+
+      memcached:
+        image: memcached:1.6
+        ports:
+          - 11211:11211
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Wait for MySQL
+        run: |
+          until mysqladmin ping -h "127.0.0.1" --silent; do
+            echo "Waiting for MySQL..."
+            sleep 2
+          done
+
+      - name: Grant MySQL test database privileges
+        run: |
+          mysql -h 127.0.0.1 -u root -proot <<'EOF'
+          GRANT ALL PRIVILEGES ON test_badgr.* TO 'badgr'@'%';
+          FLUSH PRIVILEGES;
+          EOF
+
+      - name: Run Django tests
+        env:
+          DJANGO_SETTINGS_MODULE: apps.mainsite.settings_tests
+          DOMAIN: 0.0.0.0:8000
+          DEFAULT_DOMAIN: http://0.0.0.0:8000
+          SITE_ID: "1"
+          ACCOUNT_SALT: test
+          ROOT_INFO_SECRET_KEY: test
+          UNSUBSCRIBE_SECRET_KEY: test
+          EXTENSIONS_ROOT_URL: http://localhost/static
+          TIME_STAMPED_OPEN_BADGES_BASE_URL: http://localhost/
+          UI_URL: http://localhost:8080
+          DEFAULT_FROM_EMAIL: test@example.com
+          EMAIL_BACKEND: django.core.mail.backends.locmem.EmailBackend
+          EMAIL_HOST: localhost
+          EMAIL_PORT: "1025"
+          EMAIL_USE_TLS: "0"
+          BADGR_DB_HOST: 127.0.0.1
+          BADGR_DB_PORT: "3306"
+          BADGR_DB_NAME: badgr
+          BADGR_DB_USER: badgr
+          BADGR_DB_PASSWORD: badgr
+          DISABLE_EXTENSION_VALIDATION: "true"
+          EDUID_PROVIDER_URL: https://connect.test.surfconext.nl/oidc
+          EDUID_REGISTRATION_URL: https://login.test.eduid.nl/register
+          EDU_ID_CLIENT: edubadges
+          EDU_ID_SECRET: supersecret
+          SURF_CONEXT_CLIENT: test.edubadges.nl
+          SURF_CONEXT_SECRET: supersecret
+          OIDC_RS_ENTITY_ID: test.edubadges.rs.nl
+          OIDC_RS_SECRET: supersecret
+        run: |
+          python manage.py test --noinput

.github/workflows/trivy.yml

@@ -28,7 +28,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.0
         with:
           version: 'v0.69.2'
           scan-type: 'fs'

.gitignore

@@ -55,3 +55,8 @@ pyrightconfig.json
 start.fish
 sourceandcharm.sh
 .serena
+.zed
+
+# secrets
+/secrets
+!/secrets/.keep

CHANGELOG.md

@@ -5,10 +5,204 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [unreleased]
+## [8.4.1] - 2026-02-05
 
-- Removed logging to loki, syslog and files. In k8s all logging goes to the default "console" - k8s then forwards to a.o. loki for us
-- Removed "public" and "private" flag for BadgeInstances. All badges are now private.
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.4...v8.4.1</br>
+
+- Merge branch 'develop'
+- Merge pull request #261 from edubadges/feature/add-terms-to-direct-award-endpoint
+- Add required terms to direct award detail view
+- Merge pull request #258 from edubadges/feature/populate-institution-email
+- Merge pull request #260 from edubadges/bugfix/fix-institution-mobile-endpoint-filtering
+- Flip filtering logic around to make query faster
+- Merge pull request #259 from edubadges/bugfix/institution-mobile-endpoint-use-correct-related-name
+- Use correct related name for badgeclass issuer FK
+- Add datamigration to populate institution email
+- Merge pull request #257 from edubadges/dependabot/pip/django-4.2.28
+- Bump django from 4.2.27 to 4.2.28
+- Merge pull request #255 from edubadges/feature/add-mobile-institution-api-endpoint
+- Add mobile institution api endpoint
+- Merge pull request #256 from edubadges/feature/add-mobile-api-endpoint-for-badge-class-detail
+- Add mobile api endpoint for badge class detail
+- Merge pull request #254 from edubadges/feature/add-terms-to-mobile-catalog
+- Add boolean for whether user has accepted the terms
+- Add terms to catalog badge class serializer
+- Added endpoint to make a badge instance public
+- Merge pull request #253 from edubadges/bugfix/fix-entity-id-for-direct-award
+- Use entity id for direct awards
+- Merge pull request #252 from edubadges/bugfix/fix-creation-of-audit-trail-objects-in-signal
+- Merge pull request #251 from edubadges/feature/update-filters-for-mobile-api-catalog-endpoint
+- Find direct award and badgeclass on id and not entity_id
+- Added grade_achieved in the BadgeInstanceDetailSerializer
+- Remove q filter and replace is_micro with institution_type filter
+- Updated CHANGELOG for release 8.4
+- Updated CHANGELOG for 8.3.3 release
+- Merge pull request #250 from edubadges/bugfix/fix-swagger-ui-for-filterable-fields
+- Add filter backend globally and locally
+- Annotate correct related objects (badgeinstances) #2
+- Annotate correct related objects
+- Remove source from terms_agreed
+- Merge pull request #249 from edubadges/feature/mobile-profile-add-extra-metadata
+- Add registration and consent data to user profile
+- Replace profile api view with custom one for mobile api
+- Merge pull request #248 from edubadges/feature/mobile-catalog-endpoint-with-filtering-and-pagination
+- Add schema example
+- Add filter class so endpoint can be filtered with query params
+- Add catalog list view with pagination
+- Merge pull request #247 from edubadges/improve_mobile_api_swagger
+- Prefetch related badge instances to minimize queries
+- Use slug related field instead of serializer method field
+- fix: have badge instance PUT method only allow acceptance and public field
+- fix: use for badge-instances/entity_id path one view (BadgeInstanceDetail) and add logic to support PUT method in BadgeInstanceDetail
+- chore: improved the swagger doc by adding full models of badge instances, direct award, and collections
+- fix: return entity_id's instead of id's of badgeinstances within collections
+- fix: mobile API auth to return 401 instead of 403
+- Adding .zed to gitignore
+- Feat: improve mobile api swagger, initial commit
+- Added badge_class_type in mobile API
+- Merge pull request #244 from edubadges/bugfix/fix-audittrail-errors
+- Add a one-off management command to backfill badgeclass ids
+- Select related institution through issuer and faculty
+- Fix migration to filter on actual ids
+- Merge pull request #243 from edubadges/feature/improve-performance-of-direct-award-audit-trail-endpoint
+- Update audit trail signal receiver to set fk relations properly
+- Improve performance with select_related and extra filter
+- Refactor audit trail api view into a ListAPIView
+- Refactor charfields to foreign key relationships
+- Added stackable to the badgeclass serializer
+- Added grade_achieved to mobile seerializer
+- Updated CHANGELOG for release 8.4
+- Merge pull request #242 from edubadges/feature/add-linkedin-url-to-mobile-badgeinstance-api-endpoint
+- Retrieve faculty directly fro badgeclass issuer
+- Add linkedin_url field to badge instance detail serializer
+
+## [8.4] - 2026-01-14
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.3...v8.4</br>
+
+- Merge pull request #239 from edubadges/dependabot/pip/urllib3-2.6.3
+- Merge pull request #241 from edubadges/chore/run-django-tests-in-ci-cd
+- Update import of urllib
+- Bump urllib3 from 1.26.19 to 2.6.3
+- Grant privileges to test db user
+- Add workflow to run django tests
+- Merge pull request #240 from edubadges/chore/fix-tests
+- Fix tests for removed constraint for badgeclass
+- Fix request data that was no valid json
+- Add required badgeclass type to request data
+- Disable extension validation in tests
+- Fix assertion for showing archived badges in issuer response
+- Fix urls and expected response code in institution test
+- Remove edit directaward functionality from tests
+- Assert correct type
+- Fix staff permission in test to show issuers
+- Fix broken test helpers for enrollment setup
+- Disable auth signals and logging in tests
+- Add dedicated settings for testing
+- Suppress cssutils CSS validation errors in test environment
+- Fix naive datetime defaults in legacy migrations
+- Remove setlocale usage and localize email dates in templates
+- Fix for MA7QDbnn Added expiration date based on the badgeclass when a user claims a DA See https://trello.com/c/MA7QDbnn/1143-vervallen-edubadge-werkt-niet
+- WIP for https://trello.com/c/tsJHRy6A/ After the user is created, the correct staffs can be added as super-user
+- Added delete account endpoint for mobile API https://trello.com/c/WYW0JiGA/1105-changes-needed-for-making-apis-mobile-app-ready
+- Merge pull request #226 from edubadges/feature/remove-imported-badge-functionality
+- Fixes remove-imported-badge-functionality See https://trello.com/c/W4o0VLeC/1132-remove-imported-badge-functionality
+- Not needed anymore to increase MAX_URL_LENGTH as Django 4.2.27 fixes this.
+- Merge pull request #220 from edubadges/dependabot/pip/django-4.2.27
+- Ignore .serena directory
+- DA audit traiL: action instead of method
+- Filter DA audit trail with method CREATE
+- Merge pull request #224 from edubadges/feature/da_audittrail_view
+- feat: adding direct award audit trail API used by super users
+- Bump django from 4.2.26 to 4.2.27
+- Updated CHANGELOG for 8.3.3 release
+
+## [8.3.3] - 2025-12-02
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.2...v8.3.3</br>
+
+- Update to Django 4.2.26
+- Updating swagger annotations
+- Remove referer header requirement from auth provider views
+- Merge pull request #215 from edubadges/feature/reduce_error_logs
+- Only allow for super-users to perform impersonation
+- Added extra logging to MobileAPIAuthentication
+- Slug fields were removed in 2020 from all models
+- Catch TypeError when trying to load JSON from imported badge
+- Adding DIRS var to TEMPLATES object
+- Return 404 in case badgr app is none
+- Added is_authenticated checks
+- Increase MAX_URL_LENGTH even more, to 16384
+- Increased MAX_URL_LENGTH times 4 to be able to exceed 2048 chars which is to low for our use-cases
+- Quick fix for Unsafe redirect exceeding 2048 characters
+- Do not use SIS authentication for mobile flow
+
+## [8.3.2] - 2025-11-14
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.1...v8.3.2</br>
+
+- Added enrollment endpoint for mobile API
+- Merge pull request #210 from edubadges/dependabot/pip/django-4.2.26
+- Bump django from 4.2.25 to 4.2.26
+- Also apply virtual organization name for reminders
+- Merge pull request #209 from edubadges/feature/mail-virtual-organization
+- Fix for virtual organization DA email https://trello.com/c/8xUKHT9C/1116-virtuele-organisatie-wordt-niet-getoond-in-de-e-mail
+- Fixed CMD in Dockerfile
+- Added SELinux flag to app volume, made entrypoint executable
+
+## [8.3.1] - 2025-10-28
+
+#### Full GitHub changelogs:
+
+Backend: https://github.com/edubadges/edubadges-server/compare/v8.3.0...v8.3.1</br>
+
+- WIP for 8zmfgqmL - edubadges per sector
+- Transferred openbadges-validator-core to edubadges repo
+- Wip for mobile API
+- Merge pull request #201 from edubadges/dependabot/pip/django-4.2.25
+- Updated reminder mail template to include creation date, improved ear… (#203)
+- Bump django from 4.2.24 to 4.2.25
+- Merge pull request #199 from edubadges/feature/mobile-api
+- Added more mobile endpoints
+- Added mobile DirectAward detail endpoint
+- Added mobile/api/login example responses
+- Merge branch 'develop' into feature/mobile-api
+- Merge pull request #200 from edubadges/dependabot/pip/django-4.2.24
+- WIP for provisioning users mobile API
+- Bump django from 4.2.22 to 4.2.24
+- WIP for provisioning users mobile API
+- Added default parameters in post processor
+- Merge branch 'feature/reminder_unit_test' into develop
+- Added discussion questions
+- Added endpoint for unclaimed direct awards
+- Added badge instance detail endpoint
+- First WIP commit for new mobile API https://trello.com/c/WYW0JiGA/1105-changes-needed-for-making-apis-mobile-app-ready
+- Fixed test cmd in README
+- Updated README to include how to run tests
+- Merge pull request #190 from edubadges/feature/impierce_update
+- refactor: Move logic for presenting expires_at to serializer
+- chore: move tests to the correct place in directory hierarchy
+- refactor: Ensure the ExpiresAt can be "never" which isn't a valid datetime
+- feat: Only allow unime for demo
+- fix: Bring serialized payload in line with reqs for new unime-core
+- feat: Add expires_at that is required with new impierce version
+- Added missing init file
+- Fixed unit tests, updated tests for reminders DA.
+- Need to encode string before hashing
+- Started adding tests for reminders_direct_awards
+- Merge pull request #194 from edubadges/bug/reminders-direct-awards
+- Fixed bug in reminders_direct_awards
+- Set the issued_on date for accepted assertions When a requested badge is accepted, set the issued_on date of the new assertion with the value of the creation date of the enrollment
+- Use preferred linked account for validated name
+- Added stdout messages for running reminders_direct_award directly
 
 ## [8.3.0] - 2025-07-14
 

apps/badgeuser/migrations/0068_auto_20200820_1138.py

@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
+from django.utils import timezone
 
 
 class Migration(migrations.Migration):
@@ -16,7 +17,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='termsagreement',
             name='created_at',
-            field=models.DateTimeField(default=datetime.datetime.now),
+            field=models.DateTimeField(default=timezone.now),
         ),
         migrations.AddField(
             model_name='termsagreement',
@@ -26,7 +27,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='termsagreement',
             name='updated_at',
-            field=models.DateTimeField(default=datetime.datetime.now),
+            field=models.DateTimeField(default=timezone.now),
         ),
         migrations.AddField(
             model_name='termsagreement',

apps/badgeuser/migrations/0079_delete_importbadgeallowedurl.py

@@ -0,0 +1,16 @@
+# Generated by Django 4.2.28 on 2026-02-05 15:10
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('badgeuser', '0078_importbadgeallowedurl'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='ImportBadgeAllowedUrl',
+        ),
+    ]

apps/badgeuser/migrations/0080_termsagreement_agreed_at.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.28 on 2026-02-09 10:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('badgeuser', '0079_delete_importbadgeallowedurl'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='termsagreement',
+            name='agreed_at',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+    ]