-
v0.10.8 Stable
released this 2026-03-14 00:27:24 +00:00 | 183 commits to main since this release
Added
- General calendar feed: Add a general calendar feed that features all public events, page styling/name adjusted to accommodate
- Training booking messages: Backend page to directly control posting of booking posts to Slack (including refreshing the post)
Changed
- Slack auth: Migrate from OAuth2 to OpenID, including scheduled token refresh task 🖥️
- Training booking suggestions: Suggested training weighting now factors in bookings -14d +30d and endorsement breadth (wider=lower ranking)
- Manual booking: UI streamlined, options now restrict based on selected dropdowns
- Manual Training Slack messages: Posting selector improved, added support for whole day posts
- General calendar feed: Presented as alternate info source on all event lists 🖥️
Fixed
- Training in calendar feeds: Fixed error with description generation 🖥️
- Manual training bookings: Bookings created at the confirmed stage no longer send assigned notifications as well
- Training booking notifications: Assigned notifications no longer ask users to confirm bookings
- Notification drafts: Added missing `short_text` column to `NotificationDraft` model so draft list and save use the attribute correctly 🖥️
- Committee training pending bookings: Fix the "Use this" button
- Training post: Rendering is now triggered on all relevant changes 🖥️
- Merge accounts tool: The merge tool now correctly transfers training bookings 🖥️
Security
- Event feeds (subscriptions): Force https for ics url regardless of proxy config 🖥️
-
v0.10.7 Stable
released this 2026-03-11 16:40:46 +00:00 | 198 commits to main since this release
Added
- SSO account creation: Shared helper to create User + OAuthAccount from a provider identity; used by OAuth callbacks and Slack App Home, and reusable for other SSO routes 🖥️
- UserProfile from OAuth: New users created via the provider-identity helper now get a Celery task enqueued to populate UserProfile from their OAuth account profile data (TidyHQ, Slack, etc.) 🖥️
Changed
- Committee training pending bookings: Added delete button, restyled assign buttons, removed placeholder bulk assign
- Training bookings: Trim available slot display in booking modal for readability
- Material scan mode: Add camera border and modal to reflect scanner status
- Material scan mode: Add an optional "Also update last used date" toggle (off by default)
- Material scan mode: Add a scan history table showing recently scanned items with status colouring
- Committee materials: Allow manual updates of last seen/used timestamps from the view/edit modal, plus quick actions to mark as used/consumed and reprint labels
Fixed
- Committee materials: Delete confirmation modal deletes the material rather than opening another modal
- User settings: Don't create user_settings for user IDs that aren't in the users table (fixes FK violations for stale or Slack-only sessions). The underlying cause is fixed below, but this change was added to prevent issues in core functionality in the future 🖥️
- Slack App Home: User ID is no longer half created if the first interaction with the portal is generating a Slack app home 🖥️
- Committee tokens cumulative chart: Removed leading zero-padding in "Total individual hours over time" so each line begins at the first recorded contribution
- Material scan mode: Treat organisation-owned material as member-owned for scan status colouring, and skip unused-threshold warnings for organisation-owned material
- Committee material creation: Fix transparency on user search results
- Material scan mode: Only log location changes when the location actually changes; otherwise log a "committee scanned" audit entry
- Training bookings: Only show competency check indicator on inductions that have it enabled
- Training bookings waitlist: Exclude incompatible events from request list
-
v0.10.6 Stable
released this 2026-03-09 20:02:49 +00:00 | 207 commits to main since this release
This release focuses on preparing the application for wider usage within the test org.
Security
- Clickjacking: Prevent iframes 🖥️
- Image endpoint: Implement access control for image endpoint based on reference keys 🖥️
- Volunteer tokens approval UI: Escape entry descriptions when rendering to prevent stored XSS for approvers viewing the tokens page 🖥️
- Admin concessions CRN: Sanitise CRN to alphanumeric only before display and copy to prevent XSS 🖥️
- Forgejo webhook: Reject webhook requests when no secret is configured instead of skipping verification 🖥️
- Post-login redirect: Further restrict post-login redirect targets 🖥️
- Form statistics charts: Escaped chart titles in bar charts so user-controlled text cannot break out of script context 🖥️
- Volunteer token authorisation: Restricted token user search endpoints to volunteer and approval roles, and blocked non-approvers from reassigning token entries 🖥️
- Notification tracking links: Encrypted notification tracking tokens to prevent exposing notification IDs in forwarded emails 🖥️
- Remote image fetching: Blocked private-network and non-public image URLs during server-side image imports to reduce SSRF risk 🖥️
- Training wiki rendering: Removed Jinja template evaluation from wiki content responses to reduce server-side template injection risk 🖥️
- Markdown rendering: Added `nh3` sanitisation to rendered markdown 🖥️
- OAuth login flow: Added `state` protection for SSO sign in and linking flows 🖥️
- API key authentication: Remove query support for api keys 🖥️
- Request forgery protection: Added CSRF protection for browser-based mutating requests and changed logout to use POST 🖥️
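
The Forgejo webhook entry above describes a fail-open check that was made fail-closed. The sketch below is an added example, not the project's own code: the function names, secret and payload are hypothetical, and it assumes the signature is the hex HMAC-SHA256 of the raw request body, as Forgejo sends in `X-Forgejo-Signature`.

```python
import hashlib
import hmac


class WebhookRejected(Exception):
    """Raised when a webhook request must not be processed."""


def sign(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed signature scheme)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_fail_open(secret, body, signature_hex):
    """'Before' pattern: verification is skipped when no secret is set."""
    if not secret:
        return True  # every unauthenticated caller is accepted
    return hmac.compare_digest(sign(secret, body).encode(),
                               (signature_hex or "").encode())


def verify_fail_closed(secret, body, signature_hex):
    """Hardened pattern: a missing secret or signature is a rejection."""
    if not secret:
        raise WebhookRejected("webhook secret not configured")
    if not signature_hex:
        raise WebhookRejected("signature header missing")
    supplied = signature_hex.strip().lower().encode()
    # Compare as bytes in constant time; str inputs with non-ASCII
    # characters would make compare_digest raise TypeError.
    if not hmac.compare_digest(sign(secret, body).encode(), supplied):
        raise WebhookRejected("signature mismatch")
    return True


def outcome(secret, body, signature_hex):
    """Return 'accepted' or the rejection reason for the hardened check."""
    try:
        verify_fail_closed(secret, body, signature_hex)
        return "accepted"
    except WebhookRejected as exc:
        return str(exc)


if __name__ == "__main__":
    body = b'{"ref": "refs/heads/main"}'   # constructed sample payload
    secret = "constructed-secret"          # constructed sample secret
    print("fail-open, no secret:", verify_fail_open("", body, None))
    print("fail-closed, no secret:", outcome("", body, sign(secret, body)))
    print("fail-closed, valid:", outcome(secret, body, sign(secret, body)))
    print("fail-closed, forged:", outcome(secret, body, "00" * 32))
```
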
-
v0.10.5 Stable
released this 2026-03-09 16:53:50 +00:00 | 217 commits to main since this release
Added
- Forms: Add custom form framework
- Slack forms shortcut: Added a `/form` slash command that opens a modal linking to Member Portal forms (replacing functionality from the previous form app)
-
v0.10.4 Stable
released this 2026-03-08 20:59:40 +00:00 | 219 commits to main since this release
Added
- Carpool Optimiser: Added a route optimiser for group pickup/dropoffs
- Event name badges: Event managers can print name badges for event attendees
- Material statistics: Added material statistics page showing material distribution, ownership, and usage over time
- Material lists: Add system explainer
- Trainer availability: Added explainers for system
- Food orders pickup: Volunteers can generate a shareable link with order details to allow non-volunteers to pick up food
- Others' personal volunteering stats: Committee can now view volunteering stat pages as other users rather than relying on the data on the overall page
Changed
- Minification configuration: Asset minification is now configurable 🖥️
- Material lists: Added creation date/last seen to tables, make columns sortable, add pagination
- Material lists: Added confirmation before printing bulk labels
- Non member interaction with material system: Disable creation and claiming for non members
- Trainer availability: Dismissal of available slots is now stored server side. Prompt cards are now rendered regardless of presented options 🖥️
Fixed
- Training availability: Improved error handling for adding availability to ensure success messages are properly displayed 🖥️
- Training availability: Fixed bookmarked events collapse state being lost when confirming availability
-
v0.10.3 Stable
released this 2026-03-05 12:44:12 +00:00 | 238 commits to main since this release
Added
- Label printer support: Added the backend functionality to send text and images to a label printer
- Material labels: Added material label printing
- Total individual hours chart: Added a graph showing total individual hours over time to volunteering stats
- Organisation locker assignments: Added the ability to assign lockers to the organisation as a whole, in addition to individual users
Changed
- Request logging: Request logs now include user display names alongside truncated user IDs 🖥️
- App home logging: Slack app home render logs now include portal display name if set 🖥️
- Trainer endorsements table: Table formatting cleaned up
- Event restrictions table: Support wider screens
Fixed
- Failure to delete material: Database conflict caused materials to not delete
- Material bulk operations selector: Material selections weren't cleared after a bulk operation
- Material browser prompts: Browser prompts on the material pages have been replaced with modals
- Event managers past events visibility: Event managers can now see all past events, not just events they created or hosted
- Member type mapping: Correctly map community memberships
-
v0.10.2 Stable
released this 2026-03-03 21:24:28 +00:00 | 251 commits to main since this release
Added
- Material management: Add system to track material storage of users/org
-
v0.10.1 Stable
released this 2026-03-03 05:51:50 +00:00 | 253 commits to main since this release
Added
- Training bookings in calendar feeds: Training bookings now appear in personalised ICS calendar feeds for both trainers and trainees.
- Configuration option `base_url_short`: Added `base_url_short` configuration option in `config.json` for generating shorter URLs for QR codes.
Changed
- Logging filters: Excluded anonymous requests to site root `/`, all requests to `/pages`, and WordPress scanning patterns (wp-login, wp-admin, .php) from access logs 🖥️
- Manual training booking UI: Induction selector now includes the induction level, pending bookings no longer require a trainer, booking end time field now feeds off of start time and selected induction length
- Personal token submission page: Added warning info box for users with volunteer access directing them to the full volunteer tool
- QR code generation: Centralised QR code generation in `util/qr.py` and added endpoint for front end rendering 🖥️
-
v0.10.0 Stable
released this 2026-02-27 18:42:39 +00:00 | 261 commits to main since this release
Added
- Training Booking System: Rough training system that allows for "parametric" training bookings. Possible inductions are added by open training slots and trainer availability. Inductions are excluded based on trainer endorsements, event restrictions, and location conflicts
Changed
- Induction metadata: Extra induction metadata has been added including: how long inductions take (+competency checks), induction restrictions, induction precursors
-
v0.9.8 Stable
released this 2026-02-25 16:23:45 +00:00 | 263 commits to main since this release
Added
- HTTP GET cameras: Add support for external cameras that retrieve snapshots via HTTP GET requests
- Test suite: Add user test/timing script for all endpoints listed in navigation menus 🖥️
- Training QR code: Add QR code to personal training page to direct trainers to the add induction modal and keyholders to a page that allows them to grant a visitor induction if the corresponding workflow is complete
- Dark Reader auto disable: Add meta tag to disable Dark Reader extension when site is in dark mode 🖥️
- Probationary trainer endorsements: Added a third state for trainer endorsements (endorsed, probationary, or not endorsed). Probationary trainers are displayed with a 🅿️ symbol in the overall view and cannot sign people off on inductions
Changed
- Active users: Add IP addresses to active users, may not be accurate depending on networking
- Camera performance: Increase front/backend camera performance
- PWA install button: Move app install button to the top of the homepage
- API documentation: Hide "Manage API keys" link on API docs page for users without admin group
Fixed
- Contribution graph mobile overflow: GitHub-style heat map on personal token page no longer overflows horizontally on mobile