18284 Commits

Author SHA1 Message Date
d2e5043c95 Fix CVE-2025-22228 ()
See https://spring.io/security/cve-2025-22228

Fixes 

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-28 07:18:16 +01:00
e95421b8f2 Use OAuth 2.0 Token Introspection during log in ()
Currently, it uses an endpoint similar to OpenID Connect UserInfo but with some differences. The endpoint does not require the "openid" scope for example. There is an ongoing effort to replace the OAuth 2.0 authorization server with a more standard compliant one which would break the endpoint (since it would require the "openid" scope). It is currently not possible to request the "openid" scope to future-proof since Spring would act differently if that scope is present and assume full OpenID Connect. That leads to requiring an id token to have been issued which the current authorization server does not do.

To get around this the implementation is changed to use a standard compliant Token Introspection endpoint to get access to the subject of the access token (which is the only part that's necessary right now). Since the endpoint is standard compliant it will work with any future authorization server.

It may be necessary to run `docker compose up --build` to get the latest version of the Toker containers.

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-25 08:45:25 +01:00
9fa699ed83 Upgrade Spring Boot ()
The new version has upgraded `json-smart` so the override is no longer necessary.

## How to test
1. Log in and click around as different users
2. Enable Daisy integration (both `DEV` and `DAISY-INTEGRATION` Maven profiles)
3. Go to "Admin / Users / Import" and import someone (verify JSON parsing)

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-20 06:44:13 +01:00
2ac30fa980 Add Checkstyle checking during Maven build ()
So far no rules are activated and it just puts the infrastructure in place.
Rules can be added in separately after discussion among the developers,
along with fixing any violations of the rules.

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-18 09:12:41 +01:00
7504c267c5 Delete forum replies ()
Allows deleting (your own) forum replies.

Fixes 

## How to test

1. Log in as `eric@example.com` (supervisor) or as `sture@example.com` (author)
2. Open the forum in project "Putting the it in supervising"
3. Create a new thread
4. Post some replies as the different users
5. Delete the replies

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-18 08:34:21 +01:00
6b77142a06 New Daisy API XSD ()
Allows a way to solve 

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-18 07:33:38 +01:00
59e3ec3fd9 Maintain project selection on validation failure during group creation ()
Fixes 

## How to test
1. Log in as `evan@example.com`
2. Go to "My groups"
3. Click "Create new group"
4. Select some projects but do *not* fill in the "Title"
5. Click save
6. Error message should be presented
7. Project selection should be maintained

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-11 09:15:01 +01:00
9ede262e7b Fix crash due to JSON parsing on "Finishing up" tab ()
The seemingly unused library `jersey-hk2` that got removed in  is used, if present, internally by the Jersey client to find and register Jackson modules (such as those that provide `java.time` support).

## How to test
1. Turn on the `DAISY-INTEGRATION` Maven profile (alongside `DEV`)
2. Configure some projects and their authors to have a Daisy connection
3. Log in as the supervisor
4. Go to the "Finishing up" tab in the project
5. See that it works compared to `develop` branch

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-11 08:49:16 +01:00
de18f200a7 Make exemptions for project type apply to partner as well ()
Read  for context first

When authors select supervisor ideas during an open application period they are only allowed to select ideas corresponding to their degree type classification. This limitation can be lifted by giving the author an exemption for "Project type limitation" on the corresponding application period. However, this limitation is still enforced for any potential partner *even if* they have been given the same exemption. This change makes it so the exemption applies to any selected partner as well and not just the author selecting the supervisor idea.

## How to test
1. Log in as `oskar@example.com`
2. Go to "Ideas / My ideas" page
3. Click "Select from available ideas" on the application period "Supervisor ideas"
4. Open the one available idea
5. Try to select it with "Johan Student" as a partner
6. Log in as admin
7. Go to "Match / Application periods"
8. Click "Edit exemptions" on the "Supervisor ideas" period
9. Give "Johan Student" an exemption to "Project type limitation"
10. Repeat steps 1-5

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-10 07:17:28 +01:00
23e0a7f5ea Improvements to the Excel export of projects ()
The research area column showed the string "null" instead of being an empty cell for projects without a research area. This has been fixed everywhere and not just on the project export.

The reviewer column showed weird technical details (`User#toString()`) instead of the reviewer's name.

## How to test
1. On `develop` branch
2. Log in as the default admin
3. Go to "Project management / Projects"
4. Click "Excel export" under the table
5. Open the file and see
6. Repeat 1-5 on this branch

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-05 14:07:47 +01:00
ed365bd7f5 Update library used to generate Excel files ()
Fixes 
Fixes 

## How to test
1. Log in as the default admin
2. Go to "Project management / Projects"
3. Click "Download as Excel" under the table
4. See that it's still a valid Excel-file

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-05 13:01:20 +01:00
5c5f03bd78 Let Spring Boot manage dependency versions ()
Since SciPro is now a Spring Boot-based application it is counter-productive to manage our own dependency versions.
* They could conflict with what Spring Boot assumes
* All libraries that are managed by Spring Boot are tested to work together

QueryDSL and JPA version properties are left in because they're needed for annotation processors (they can't be dependency managed).

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-05 11:53:10 +01:00
1aa0a4e3ef Improve the UX when creating groups as a supervisor ()
The main problem was that the supervisor did not get enough information about each project, mainly who the authors were, when selecting them in the dropdown.

To remedy this, the dropdown has been completely replaced with a checkbox based approach showing the title as well as project type, authors, and start date for each project. The projects are sorted first by start date (descending) and then title, based on the assumption that newly created projects are the most relevant when setting up groups.

In addition extra "quick buttons" have been added in an effort to reduce the number of clicks required to accomplish varying tasks.

Fixes 

## How to test
1. Log in as `evan@example.com`
2. Go to "My groups"
3. Click "Create new group"

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-05 11:01:37 +01:00
d008bec815 Allow supervisors to request improvements from final seminar opponents ()
Fixes 

## How to test
1. (Optional) Log in as `sid@example.com` and submit an opposition report
   1. Go to the tab "Opposition & Active participation"
   2. Open the opposition "Putting the it in supervising" on the right
   3. Submit the report
2. Log in as `eric@example.com`
3. Go to the final seminar in the "Putting the it in supervising" project (or follow the notification if you did step 1)
4. Request improvements
5. Log in as `sid@example.com`
6. Follow the notification to submit the new opposition report

Click the "Re-run all jobs" button (top right) on https://gitea.dsv.su.se/DMC/scipro/actions/runs/457 to reset the database. It takes a few minutes.

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-05 10:05:37 +01:00
17192f9eb9 Handle the case with no test data populators ()
Since there is no populator yet Spring fails when trying to inject since it does not support empty collections. Mark the dependency as optional until we have at least one populator at which point we can simplify the code again.

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-04 06:12:15 +01:00
a76b317b1c Improve test data creation ()
Currently there is only one class used to add test data; [`DataInitializer`](b9f7dd5a49/core/src/main/java/se/su/dsv/scipro/DataInitializer.java). That class is already very large and causes a lot of merge conflicts when multiple changes are in the pipeline as noted by .

This change makes it possible to have multiple classes adding test data so that each change adds its own class and thus there are no conflicts. It also has the benefit of making each class smaller and more self-contained for testing a specific feature.

Some additional infrastructure was added in the form of the `BaseData` and `Factory` (naming improvements notwithstanding) interfaces to help each class add its own test data and re-use common data.

Finally all test data related classes have been moved to their own module so they can be properly excluded when building for production but are included by default while developing.

Fixes 

## Future work
* Add a mechanism to work with date and time.
    Many processes (and therefore service method implementations) rely on the time between certain events. For example a final seminar must be scheduled a set amount of days in advance. In the ideal world, the test data is populated using these service methods to more accurately represent an achievable real world state. Therefore there must be a way to manipulate time when adding test data.
* Add more methods to the `Factory` interface as we discover more common steps that many populators must take.
* Add more base data available through the `BaseData` interface as we discover more common data that many populators need
    Care must be taken that this data is final and useful in its base state since populators will rely on that state.

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-03 12:38:35 +01:00
7f9e72484a Remove unused javax.inject and jersey-hk2 dependencies ()
Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-03 07:59:14 +01:00
a71eeb5e2c Fix crash when editing an application period ()
Fixes 

## How to test
1. Log in as admin
2. Go to "Match / Application periods"
3. Click the edit icon (6th column)
4. Click "Save"

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-03 07:48:46 +01:00
ec70ea5596 Make session serializable ()
When re-deploying the application, or restarting Tomcat, it will attempt to serialize the active sessions to prevent users from getting logged out and losing in-progress work. This requires that all attributes that are stored in the session implement `java.io.Serializable`. Spring stores the entire security context in the session which includes a reference to the principal, and that principal may be of type "WicketControlledPrincipal" and it must therefore be serializable.

## How to test
1. Be on the `develop` branch
2. Make sure session preservation is turned on (in IntelliJ check "Preserve sessions across restarts and redeploys", or read https://tomcat.apache.org/tomcat-10.0-doc/config/manager.html#Persistence_Across_Restarts)
3. Log in as the default admin `dev@localhost`
4. Switch to "Sture Student" under "Admin / Users / Switch user"
5. Restart Tomcat
6. Refresh page and you'll be prompted to log in again
7. Switch to this branch and repeat steps 1-6

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-03-03 07:32:25 +01:00
e71aa8120c Grading boundaries are wrong in supervisor view ()
They display old hard-coded text that does not reflect the current template.

Fixes 

Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-committed-by: Tom Zhao <tom.zhao@dsv.su.se>
2025-02-21 14:06:29 +01:00
03570fc6db Improve supervisor change integration ()
Previously when we wanted to change supervisor we had to make two calls against the daisy api.
A DELETE and a POST, this was brittle because if one of the calls failed we didn't have a good way of handling that.
This could leave the application in a state where a project could end up with 2 different supervisors.
This caused side effects and forced us to manually go into the databases and clean up the errors.

Now the daisy api is updated and we only need to do a POST to change the supervisor. See further documentation here
[POST /thesis/{id}/contributor](https://apitest.dsv.su.se/resource_Theses.html#resource_Theses_postContributor_id_projectParticipant_POST)

### IMPORTANT: Release needs to be synced with Daisy API

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Co-committed-by: Nico Athanassiadis <nico@dsv.su.se>
2025-02-21 00:27:22 +01:00
b7cf87d6d3 Fix CVE-2024-57699 by overriding transitive dependency version ()
The overriding should be removed once Spring Security updates its dependencies.

Fixes 

## How to test
1. Run `mvnw install org.owasp:dependency-check-maven:12.1.0:check --fail-at-end -DnvdApiDelay=60000 -DskipTests -DfailBuildOnCVSS=7`
2. Wait a very long time (can be sped up by [requesting an NVD API key](https://nvd.nist.gov/developers/request-an-api-key) and adding `-DnvdApiKey=<key>`)
3. Check the build succeeds

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-02-20 14:31:59 +01:00
a0fd84343c Show error message when trying to add duplicate exemptions ()
Fixes 

## How to test
1. Log in as admin
2. Go to "Admin / Match / Application periods"
3. Click "Edit exemptions" on the period
4. Add the same exemption twice to "Sture Student"

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-02-20 13:56:13 +01:00
9b26843570 Bug resubmissions of final thesis shows old date ()
Previously if an author resubmitted their final thesis to the supervisor for a re-submission to the examiner the date of submission was the first submitted final thesis. And the status text only showed "Waiting for grading". This caused a lot of confusion for the authors when the dates and status of the final thesis were divergent from their perceived view of dates and changes.

Fixes 

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Co-committed-by: Nico Athanassiadis <nico@dsv.su.se>
2025-02-19 09:37:33 +01:00
399d8f5275 Assign supervisor to student ideas no matter if target (goal) is reached ()
Fixes 

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-committed-by: Tom Zhao <tom.zhao@dsv.su.se>
2025-02-18 09:59:23 +01:00
b9f7dd5a49 Update supervisor's idea table immediately upon scheduling a first meeting ()
Before, after scheduling a first meeting, they had to refresh the entire page to show the information in the table.

Fixes 

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
2025-02-13 09:59:33 +01:00
08e1b785ca Fix Docker build due to missing json-smart version ()
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-02-12 13:28:14 +01:00
304d0431c1 Deadline visible in "Rough draft approval" page ()
Previously deadline was only visible at the Reviewer start page, tab 'Rough draft approvals'.

Now the deadline is also shown when you go to the detail page of a rough draft.

Fixes issue 

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Co-committed-by: Nico Athanassiadis <nico@dsv.su.se>
2025-02-12 11:07:53 +01:00
219c312441 Fix localizer warning on the finishing up tab for each author ()
Fixes 

The `getReflectionText` method was calling `getString` when no reflection has been submitted. This is not a relevant case for the editing form since it can not be accessed when there is no reflection. Inlined the method call and removed the non-submitted case, the default will be an empty string.

## How to test
1. Log in as a supervisor
2. Open a project that has a Daisy connection (`identifier` is non-null on the `Project`)
3. Go to the "Finishing up" tab
4. Go to the tab for the author with no reflection submitted
5. See that no warning is logged

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-02-07 07:50:02 +01:00
cbbd98b597 Upgrade Wicket version ()
Is a drop in replacement according to https://wicket.apache.org/news/2025/01/24/wicket-10.4.0-released.html#upgrading-from-earlier-versions

Fixes 

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-02-06 14:10:30 +01:00
13efe4bada Updated Spring Boot and Springdoc versions ()
The updated versions should fix CVE-2024-45801.
Was forced to update spring-boot 3.4.1 to be able to use the latest version of springdoc as per the
springdoc compatibility matrix.

The compatibility matrix can be found [here](https://springdoc.org/#what-is-the-compatibility-matrix-of-springdoc-openapi-with-spring-boot)

fixes issue 

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Co-committed-by: Nico Athanassiadis <nico@dsv.su.se>
2025-01-23 20:50:18 +01:00
5439d77d73 Require authors to fill in background, literature, problem, method, and interests when submitting ideas ()
Require authors to fill in background, literature, method, problem, and interests when submitting an idea.

Fixes 

## How to test
1. Navigate to https://scipro-student-idea-form-required-fields.branch.dsv.su.se/
2. Log in as `stig@example.com`
3. Go to "Ideas" / "My ideas"
4. Attempt to submit an idea without either of background, literature, method, problem, or interests

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-01-17 09:45:27 +01:00
2784bca8f6 Improve XJC-binding (Issue 73) ()
Fixes 

In daisy.xsd there are two datatypes, one is called STATUS and another one is called Status. Since the Windows file system is case insensitive, the files STATUS.java and Status.java are considered to have the same name. This makes building on Windows impossible.

Solution: in the XJC binding file, rename Status.java to Status2.java (Status2.java belongs to the Examination endpoint/resource, which is not used by Scipro).

Other small improvements:

- package name 'se.su.dsv.scipro.daisyExternal' is renamed to 'se.su.dsv.scipro.daisyexternal'.
- single import statements are applied.

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-committed-by: Tom Zhao <tom.zhao@dsv.su.se>
2025-01-16 13:55:38 +01:00
e0e84df720 Reset the failure flag in workers on successful runs. ()
Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-01-14 14:50:31 +01:00
b99c458160 Allow a single author to start multiple ideas of different types ()
Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-01-13 12:17:53 +01:00
6bdd5c63ea Suppress warning about CVE-2024-49203 ()
https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement.

Even if this is considered a valid vulnerability we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause.

Fixes 

Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/71
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-01-09 12:54:43 +01:00
adf45414d5 Forum Message UI Improvement (Thesis Board ) ()
Fix 

**Requirements**

On the supervisor's start page, an overview of the projects being supervised is shown as a table. One of the columns is a flag, and clicking it redirects the browser to the forum page of that project.

Two improvements were asked:

1. If there are unread messages, show a tooltip if the mouse is placed over the flag.
2. A number is shown to indicate number of unread messages.

**How to test**
1. Go to https://scipro-3470-forum-msg-ui-improvement.branch.dsv.su.se/
2. Log in as `eric@example.com`
3. Go to the project overview
4. Write something in the forum
5. Mark as unread (click the flag)
6. Go back to overview

Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-19 15:28:23 +01:00
69949bc688 Drop unused table grade (Thesis Leankit ) ()
Fix 

Reviewed-on: 
Reviewed-by: Andreas Svanberg <andreass@dsv.su.se>
Co-authored-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-committed-by: Tom Zhao <tom.zhao@dsv.su.se>
2024-12-19 12:42:16 +01:00
323d6fc61e Automate deployment of pull requests ()
Click link and see that system is working. Log in using the principal `admin@example.com`. Change something in the deployed system. Re-run the action. See that the database has reset.

**Major change** Added OAuth 2 login so no longer need modified web.xml with filter. Run `docker compose up` to start the local OAuth 2 authorization server to log in. Use the custom ticket form and enter the username you want to log in as in the "Principal" field.

Squashed all migrations since there are faulty ones that can't be applied to an empty database.

Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-19 10:44:48 +01:00
25117c8187 Switch authentication to OAuth 2 ()
This is one requirement in bringing  to reality.

Currently the way to log in to SciPro is by having a locally modified `web.xml` that emulates being authenticated via single sign-on (SSO). This method can not work on an automatically deployed test server. It is also not possible to have real SSO configured for the test servers due to their dynamic nature and that they are given a new hostname each time. Our current SSO solution requires there to be a certificate issued to specific hostnames. Even if it were possible to get SSO set up how would the username received from SSO match to test data? We would have to have real usernames in our test data which is not desirable.

To solve both of the problems described above - requiring a locally modified version of a git tracked file and needing an authentication mechanism that works for dynamic test servers - a change of the authentication mechanism from Tomcat controlled SSO to application controlled OAuth 2 is proposed. There is already an OAuth 2 authorization server running in production which itself authenticates users via SSO that will be used in production and for the permanent test servers. In development and for the dynamic test servers a local authorization server running in Docker is provided.

For "regular" users there will be no noticeable change, they will be prompted to log in via SSO and then they get access to the system. For users with high developer access they will, on the permanent test servers, be prompted to "issue token". On that page they can use the top form to authenticate as themselves based on their SSO authentication, or use the bottom form to issue a completely custom authentication and log in as whatever username they deem necessary. The temporary test servers and during local development will work similarly with the only difference being that there is no SSO log in first and you will be prompted to issue a token immediately. The default authentication (top form) will be a local sys-admin level user.

## How to test
1. Start the local OAuth 2 authorization server with `docker compose up`
2. Start SciPro
3. Attempt to log in

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
2024-12-16 16:55:49 +01:00
a1d3d0be8d Fix certain milestones not getting activated ()
There was a missing bean definition that was responsible for marking certain milestones based on system events.

Fixes 

## How to test
1. Log in as an author
2. Go to "Peer" tab within a project
3. Request a peer review
4. [If needed] Switch to another author and request another review
5. Perform a peer review
6. See that the peer reviewer completed milestone (first or second depending) is marked as completed

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-16 14:20:41 +01:00
5fbf4ec0c0 Switch from an in-memory HSQLDB to MariaDB during integration tests ()
Currently our integration tests run against an in-memory HSQLDB whose schema is created by Hibernate based on our JPA annotations. This has differences from the MariaDB schema created by our Flyway migrations. It is also a completely different database engine so who knows what other differences there are.

This proposal changes this so that it will instead use [Testcontainers](https://testcontainers.com/) to spin up a MariaDB Docker container that then has the Flyway migrations run before being used in tests.

Pros:
 * Same database engine in tests as production
 * Flyway migrations are tested
 * Database schema is the same in tests as production (`NOT NULL` constraints, foreign keys, and so on)

Cons:
 * *Much* slower test executions and they will get slower over time as more migrations are added

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
2024-12-16 13:55:33 +01:00
89c8a4f8a2 Update instructions for how to get Prettier to format on save ()
IntelliJ requires Node.js to be installed for it to be able to run Prettier and format the code.

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-16 13:26:19 +01:00
f67f37ecdd Keep and validate project type selection when creating/editing application periods ()
If you have FormComponents in a ListView you need to call setReuseItems(true) on the ListView. Otherwise the ListItems will be recreated before rendering which results in them losing their "converted input" (what Wicket calls the submitted value).

Instead of simply calling setReuseItems(true) on the ListView, which would've solved the problem, it was instead replaced by a proper FormComponent for dealing with this exact case (a CheckboxMultipleChoice component). This reduces the amount of code required and more clearly communicates intent. The change required some minor test refactoring.

Fixes 

---

Now requires at least one project type to be selected before saving.

Fixes 

---

## How to test
1. Go to "Admin" / "Match" / "Application periods"
2. Click create new
3. Submit without selecting any types
4. See that there's proper feedback
5. Leave name blank and select some types
6. Submit
7. See that the project type selection sticks around

Co-authored-by: Nico Athanassiadis <nico@dsv.su.se>
Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-16 13:23:37 +01:00
c6bd17d9ad Fix grade calculator being serialized ()
The new calculator that's based on templates has a reference to the @Entity for the template which should not be serialized.

Fixes 

## How to test/replicate
1. Log in as a supervisor
1. Open a project that's new enough to use a grading report template with grade limits
1. Go to the "Finishing up" tab
1. Go to the sub-tab for an individual author

Reviewed-on: 
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-16 11:24:33 +01:00
857f646678 Upgrade Spring Boot version to address many security vulnerabilities ()
Fixes  ([CVE-2024-38809](https://spring.io/security/cve-2024-38809)),  ([CVE-2024-38816](https://spring.io/security/cve-2024-38816)), and  ([CVE-2024-38820](https://spring.io/security/cve-2024-38820))

Chose to stay on the 3.2 Spring Boot train despite 3.4 being out. Waiting for a more conscious to do the upgrade in case there are other changes required.

Luckily none of the preconditions of the vulnerabilities were true for SciPro so they could not be exploited.

Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-03 10:55:28 +01:00
1554d4bc27 Enforce code formatting via Prettier ()
Fixes  by introducing [Prettier](https://prettier.io/).

Prettier is an extremely opinionated formatter. It will reformat every single line according to its style. There are virtually no configuration options so there can be no discussion about formatting rules.

There are two parameters that are configurable; indent length and line length. Indent length has been set to 4 because that's the Java standard.

Line length defaults to 80 but has been increased to 100. The rationale for this is that Prettier was created for JavaScript which is much less verbose than Java. Not only does every Java line start with 8 spaces of indentation vs. JavaScript's 0 or 2, it also has types while JavaScript does not and uses `const` for variable declarations. Compare the two below examples as well as an actual example from the source code that is too long for the default 80 characters. I have no problem dropping down to the default 80 if that is preferred; I just felt that with the average length of a line of Java code being pretty long, excessive wrapping would reduce readability.

```javascript
  const attributes = {
    ...
  };
```
```java
        Map<String, String> attributes = Map.of(
            ...
        );
```

Or the following real code which is 97 characters long.
```java
        Set<ProjectParticipant> contributors = daisyAPI.getContributors(project.getIdentifier());
```

Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-02 14:17:59 +01:00
03ad12f435 Do not add duplicate supervisors in Daisy ()
Daisy's API does not support the function "change supervisor" and only what comes down to SQL INSERT and DELETE on a specific table. If the removal of the previous supervisor(s) failed the new one was still added. This change makes it so that if the removal of any (there is no limit in the API) current supervisor fails it will not attempt to add the new supervisor.

Fixes 

## How to test
1. Configure the Daisy integration in SciPro
2. Enable it (Maven profile)
3. The only currently known way to make removing a supervisor fail is to use a project where they've sent the thesis to the examiner
4. Find one such project in the test server for Daisy (or send one for examination from SciPro)
5. Change the supervisor of the project in SciPro
6. Run the job "Export projects to daisy" (System / Maintenance)
7. See that it logs the failure and that no duplicate supervisors were added to Daisy

Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-02 11:28:37 +01:00
1180a7dbfd Fix crashes in the text matching job ()
With the migration to Spring it is much stricter in requiring @Transactional for all methods that write to the database.

Fixes 

Co-authored-by: Tom Zhao <tom.zhao@dsv.su.se>
Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-02 10:58:00 +01:00
a2330ce2d5 Squash and fix migrations so they run against an empty schema ()
This is one requirement in bringing  to reality.

Currently there are some 450 migration scripts that have been added over the past 11 years. Unfortunately some of these migration scripts have some defects. Either from the fact that they are very old and from another database engine (MySQL vs currently MariaDB), make assumptions about the database name, or its contents. Due to these defects trying to bring an empty schema up-to-date by running all migrations will fail with [372](ff4c5b58b4/core/src/main/resources/db/migration/V372__update_and_insert_grading_criterion_template_master.sql) being the main blocker.

If it is not possible to bring an empty schema up-to-date it is a major hindrance to the plan of automatically deploying test servers for every pull request (). These changes make it possible to bring an empty schema up to the latest version by squashing all migration scripts to a single new baseline with the necessary fixes to work on an empty schema.

There is a downside with the way it accomplishes this: it requires any non-empty schema to already be at version [392.2](ff4c5b58b4/core/src/main/resources/db/migration/V392_2__reflection_comment_by_supervisor.sql). [Flyway](https://www.red-gate.com/products/flyway/), the product we use for database migrations, does not support new baseline scripts in the free version, only in the paid edition. To get around this, Flyway is tricked into thinking the database has never used Flyway before by changing which database table stores the information about applied migrations. This is the reason the database has to be at the latest (392.2) version before deploying the new version of SciPro that includes this change, because Flyway will have no way to see which of the old migrations have been applied.

An alternative would be to fix the old migrations so they would work on an empty schema. However, since every migration script is checksummed to see that the applied version is the correct one every database would have to be ["repaired"](https://documentation.red-gate.com/fd/repair-184127461.html) to update its checksums. This choice was not taken for two reasons:

 * It would require manual work in the database before deploying the new version of SciPro with the fixed migrations, similar to the requirement to first deploy the version of SciPro that includes the 392.2 migration.
 * Running all the migrations takes a lot of time, especially the new [391](ff4c5b58b4/core/src/main/resources/db/migration/V391__harmonize_table_attribute_name.sql). Squashing all migrations avoids this and makes spinning up new databases very quick.

## How to test with an existing schema
1. Deploy commit [ff4c5b58b40db5fcb7754c259c3854194668c1e1](ff4c5b58b4) (current `develop` branch as of 2024-11-22)
2. Start the system to apply migrations up to and including 392.2
3. Switch to this branch
4. Start the system and see that the database will be considered baselined at version 2
5. Click around in the system and see that it still works

## How to test with an empty schema
1. Empty your database schema
2. Switch to this branch
3. Deploy the system
4. See that it migrates the schema and creates all the necessary tables
5. Log in as `admin@example.com` that is created by the `DataInitializer`

Reviewed-on: 
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-12-02 10:31:20 +01:00