feat(mfa): replace trench forms DEV-750 #6414
Open: Guitlle wants to merge 25 commits into `dev-749-mfa-update-endpoints` from `dev-750-replace-trench-forms`
#6407)

### Summary

Always send files with a `Content-Disposition: attachment` header to ensure proper download behavior.

### Description

This change enforces the `Content-Disposition` header to be set to attachment for all downloadable responses. Some files were previously displayed inline by browsers instead of being downloaded. By forcing this header, all files are now consistently offered as downloads.

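The header rewrite that the commit message above describes, as an added example in plain Python (not code from this PR or from the project): it forces the disposition type to `attachment`, keeps the original filename where one was given, and strips path components and control characters so the filename cannot inject extra headers. The function names `safe_name`, `attachment_value` and `enforce_attachment` are hypothetical, and the sample header values in the usage are constructed.

```python
import re
from urllib.parse import quote, unquote

# filename="x" / filename=x, and the RFC 5987 form filename*=UTF-8''x
_PARAM_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)
_EXT_PARAM_RE = re.compile(r"filename\*\s*=\s*UTF-8''([^;\s]+)", re.IGNORECASE)


def safe_name(raw, default="download"):
    """Reduce a client- or storage-supplied name to a bare, printable file name."""
    # Drop any directory part, whichever separator was used.
    name = (raw or "").replace("\\", "/").rsplit("/", 1)[-1]
    # CR, LF and other control characters are not printable; removing them
    # prevents header injection through the filename.
    name = "".join(ch for ch in name if ch.isprintable()).strip()
    return default if name in ("", ".", "..") else name


def attachment_value(raw_name, default="download"):
    """Build a Content-Disposition value of type attachment (RFC 6266)."""
    name = safe_name(raw_name, default)
    # Conservative ASCII fallback for the quoted-string form.
    fallback = re.sub(r"[^A-Za-z0-9._ -]", "_", name)
    value = f'attachment; filename="{fallback}"'
    if fallback != name:
        # Carry the exact name in the percent-encoded extended parameter.
        value += f"; filename*=UTF-8''{quote(name, safe='')}"
    return value


def enforce_attachment(headers, default_name="download"):
    """Return a copy of a (name, value) header list that carries exactly one
    Content-Disposition header, always of type attachment."""
    kept, found = [], None
    for key, val in headers:
        if key.lower() == "content-disposition":
            found = val if found is None else found  # first one wins
        else:
            kept.append((key, val))
    name = default_name
    if found:
        ext = _EXT_PARAM_RE.search(found)
        plain = _PARAM_RE.search(found)
        if ext:
            name = unquote(ext.group(1))
        elif plain:
            name = plain.group(1) or plain.group(2) or default_name
    kept.append(("Content-Disposition", attachment_value(name, default_name)))
    return kept
```
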
### Summary

Fixes a bug where org admins were no longer allowed to view xforms or make submissions.

### Notes

Similar issue to #6397. We were calculating permissions based on the action name but the action name changed. Will fix unit tests as part of DEV-1188

### Preview steps

1. ℹ️ have an MMO and a project owned by the MMO
2. Add a user to the MMO and make them an admin
3. Try to open the form for submission
4. 🔴 [on release] Error
5. 🟢 [on PR] Form loads and you are able to make a submission

…1105 (#6409)

### Summary

Fixes an issue where anonymous users received a 500 error when accessing the asset snapshots list endpoint. Anonymous requests now safely return an empty response instead of causing a server error.

### Description

Previously, the `/api/v2/asset_snapshots/` endpoint raised a server error when accessed anonymously, because the code attempted to access `organization.is_admin_only()` even when no organization was associated with the user. This PR updates the filtering logic to handle anonymous users gracefully and adds a unit test to ensure no 500 error occurs in such cases.

### Notes

Fix race condition in user reports test.

### Notes

Update XForm list api tests to be more sensitive to changes in the request flow. Recently we had a few bugs make it into production that had to do with how the request is handled before it gets to the view. Since the existing tests were only at the view level, it did not catch the errors. While including the whole request processing in test makes it less of a "unit" test, it makes the tests more likely to catch errors that occur as a result of the combination of view code and request processing code. Since the view code relies on information set by django's request processing, it makes sense to test them together. There is more consolidation that could be done on these tests as many are probably redundant (especially testing anonymous access to various endpoints) but that is outside the scope of this work.

### Preview steps

Unit-test only, but a good verification is to locally revert the changes from #6412 and #6397, and run the test suite. Several tests should fail, then succeed when the changes are put back in.

…group (#6387)

Bumps the actions-deps group with 1 update: [actions/setup-node](https://github.com/actions/setup-node).

Updates `actions/setup-node` from 5 to 6

Release notes (sourced from [actions/setup-node's releases](https://github.com/actions/setup-node/releases)):

> ## v6.0.0
>
> ## What's Changed
>
> **Breaking Changes**
>
> - Limit automatic caching to npm, update workflows and documentation by @priyagupta108 in [actions/setup-node#1374](https://redirect.github.com/actions/setup-node/pull/1374)
>
> **Dependency Upgrades**
>
> - Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @dependabot[bot] in [#1336](https://redirect.github.com/actions/setup-node/pull/1336)
> - Upgrade prettier from 2.8.8 to 3.6.2 by @dependabot[bot] in [#1334](https://redirect.github.com/actions/setup-node/pull/1334)
> - Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @dependabot[bot] in [#1362](https://redirect.github.com/actions/setup-node/pull/1362)
>
> **Full Changelog**: https://github.com/actions/setup-node/compare/v5...v6.0.0

Commits:

- [`2028fbc`](https://github.com/actions/setup-node/commit/2028fbc5c25fe9cf00d9f06a71cc4710d4507903) Limit automatic caching to npm, update workflows and documentation ([#1374](https://redirect.github.com/actions/setup-node/issues/1374))
- [`1342781`](https://github.com/actions/setup-node/commit/13427813f706a0f6c9b74603b31103c40ab1c35a) Bump actions/publish-action from 0.3.0 to 0.4.0 ([#1362](https://redirect.github.com/actions/setup-node/issues/1362))
- [`89d709d`](https://github.com/actions/setup-node/commit/89d709d423dc495668cd762a18dd4a070611be3f) Bump prettier from 2.8.8 to 3.6.2 ([#1334](https://redirect.github.com/actions/setup-node/issues/1334))
- [`cd2651c`](https://github.com/actions/setup-node/commit/cd2651c46231bc0d6f48d6b34433b845331235fe) Bump ts-jest from 29.1.2 to 29.4.1 ([#1336](https://redirect.github.com/actions/setup-node/issues/1336))
- See full diff in [compare view](https://github.com/actions/setup-node/compare/v5...v6)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…r-and-patch group across 1 directory (#6415)

Bumps the minor-and-patch group with 1 update in the / directory: [validator](https://github.com/validatorjs/validator.js).

Updates `validator` from 13.15.15 to 13.15.20

Release notes (sourced from [validator's releases](https://github.com/validatorjs/validator.js/releases)):

> ## 13.15.20
>
> ### Fixes, New Locales and Enhancements
>
> - [#2556](https://redirect.github.com/validatorjs/validator.js/pull/2556) `isMobilePhone`: add `ar-QA` locale @WardKhaddour
> - [#2576](https://redirect.github.com/validatorjs/validator.js/pull/2576) `isAlpha`/`isAlphanumeric`: add Indic locales (`ta-IN`, `te-IN`, `kn-IN`, `ml-IN`, `gu-IN`, `pa-IN`, `or-IN`) @avadootharajesh
> - [#2574](https://redirect.github.com/validatorjs/validator.js/pull/2574) `isBase64`: improve padding regex @KrayzeeKev
> - [#2584](https://redirect.github.com/validatorjs/validator.js/pull/2584) `isVAT`: improve `FR` locale @iamAmer
> - [#2608](https://redirect.github.com/validatorjs/validator.js/pull/2608) `isURL`: improve protocol detection. Resolves CVE-2025-56200 @theofidry
> - **Doc fixes and others:**
>   - [#2563](https://redirect.github.com/validatorjs/validator.js/pull/2563) @stoneLeaf
>   - [#2581](https://redirect.github.com/validatorjs/validator.js/pull/2581) @camillobruni
>
> ## New Contributors
>
> - @stoneLeaf made their first contribution in [validatorjs/validator.js#2563](https://redirect.github.com/validatorjs/validator.js/pull/2563)
> - @WardKhaddour made their first contribution in [validatorjs/validator.js#2556](https://redirect.github.com/validatorjs/validator.js/pull/2556)
> - @avadootharajesh made their first contribution in [validatorjs/validator.js#2576](https://redirect.github.com/validatorjs/validator.js/pull/2576)
> - @KrayzeeKev made their first contribution in [validatorjs/validator.js#2574](https://redirect.github.com/validatorjs/validator.js/pull/2574)
> - @iamAmer made their first contribution in [validatorjs/validator.js#2584](https://redirect.github.com/validatorjs/validator.js/pull/2584)
> - @camillobruni made their first contribution in [validatorjs/validator.js#2581](https://redirect.github.com/validatorjs/validator.js/pull/2581)
> - @theofidry made their first contribution in [validatorjs/validator.js#2608](https://redirect.github.com/validatorjs/validator.js/pull/2608)
>
> **Full Changelog**: https://github.com/validatorjs/validator.js/compare/13.15.15...13.15.20

Commits:

- [`30d4fe0`](https://github.com/validatorjs/validator.js/commit/30d4fe02c16d36ed471f12da658c4b5d843781e0) 13.15.20
- [`cbef508`](https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809) fix(isURL): improve protocol detection. Resolves CVE-2025-56200 ([#2608](https://redirect.github.com/validatorjs/validator.js/issues/2608))
- [`6f436be`](https://github.com/validatorjs/validator.js/commit/6f436be36945e460ee624bf72a935a06daded859) Fix typo in validators.test.js ([#2581](https://redirect.github.com/validatorjs/validator.js/issues/2581))
- [`3c85708`](https://github.com/validatorjs/validator.js/commit/3c857088d58197453957a2b924dfedea328003b6) Fix: correct French VAT (FR) validation regex and add tests ([#2584](https://redirect.github.com/validatorjs/validator.js/issues/2584))
- [`eee525c`](https://github.com/validatorjs/validator.js/commit/eee525cd117d24ac905b9432f3f5a27e96aa9719) [#2491](https://redirect.github.com/validatorjs/validator.js/issues/2491) [#2573](https://redirect.github.com/validatorjs/validator.js/issues/2573) Simplify isBase64 to prevent stack overflow ([#2574](https://redirect.github.com/validatorjs/validator.js/issues/2574))
- [`abcc8ec`](https://github.com/validatorjs/validator.js/commit/abcc8ecb8569b531f8951d9f6343d2b156268e0c) feat(isAlpha, isAlphanumeric): add support for Indic locales (ta-IN, te-IN, k...
- [`72573b3`](https://github.com/validatorjs/validator.js/commit/72573b3d1d8ab2e6575e6bba1cbe2b01f95f4935) Add Qatar phone number validation ([#2556](https://redirect.github.com/validatorjs/validator.js/issues/2556))
- [`243f6c5`](https://github.com/validatorjs/validator.js/commit/243f6c5fe467d464deff1981275e9fc4403e84f9) docs(isMACAddress): improve ambiguous option description ([#2563](https://redirect.github.com/validatorjs/validator.js/issues/2563))
- See full diff in [compare view](https://github.com/validatorjs/validator.js/compare/13.15.15...13.15.20)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…-1206 (#6419)

### Summary

This PR fixes an error when loading form builder containing a group.

### Notes

The type `group` doesn't contain the attribute `rowType`, which is being accessed when calculating the `isSupportedByUI`. The fix just adds an optional chaining, which lets the attribute resolve to `undefined` and fall into the default clause of being true.

### Preview steps

1. ℹ️ have an account
2. Create a project with a group. e.g: [audio_demo.xlsx](https://github.com/user-attachments/files/23193243/audio_demo.xlsx)
3. open the form builder to edit the project
4. 🔴 [on main] notice an error on console and infinite loading
5. 🟢 [on PR] editor opens as expected with no errors

…-1108 (#6410)

### Summary

Prevent password reset emails from being sent to unregistered email addresses while keeping the same non-revealing message on the reset page.

### Description

Previously, Kobo would send a password reset email even when the entered email address was not associated with any existing account. This behavior, inherited from django-allauth defaults, could lead to unsolicited emails being sent to arbitrary addresses. This PR updates the configuration to:

- Set `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False`, ensuring no email is sent if the address doesn't match any account.
- Preserve the existing UI message to avoid exposing valid accounts and maintain account-enumeration protection.

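A regression check for the two properties the commit message above asks for together, written as an added stand-alone Python model (not code from this PR, the project or django-allauth): the reset page answers identically for known and unknown addresses, and no mail leaves for an unregistered address. `ResetService`, `audit_reset_flow`, the message wording and the sample addresses are constructed for illustration; the `email_unknown_accounts` flag stands in for the `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS` setting.

```python
from dataclasses import dataclass, field

# Constructed wording; the real page keeps whatever message it already shows.
GENERIC_MESSAGE = "If this address belongs to an account, a reset email is on its way."


@dataclass
class ResetService:
    """Minimal model of a password-reset endpoint with an in-memory outbox."""
    accounts: set                      # registered addresses, lower-case
    email_unknown_accounts: bool       # models ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS
    outbox: list = field(default_factory=list)

    def request_reset(self, email):
        addr = email.strip().lower()
        if addr in self.accounts:
            self.outbox.append((addr, "reset-link"))
        elif self.email_unknown_accounts:
            # Behaviour before the change: mail goes to an arbitrary address.
            self.outbox.append((addr, "no-account-notice"))
        # Same status and body on every path: nothing for enumeration to key on.
        return 200, GENERIC_MESSAGE


def audit_reset_flow(service, known, unknown):
    """Exercise the flow with one registered and one unregistered address and
    return a list of findings (empty when both properties hold)."""
    findings = []
    start = len(service.outbox)
    resp_known = service.request_reset(known)
    resp_unknown = service.request_reset(unknown)
    if resp_known != resp_unknown:
        findings.append("response reveals whether the account exists")
    recipients = {to for to, _kind in service.outbox[start:]}
    if unknown.strip().lower() in recipients:
        findings.append("mail sent to unregistered address")
    if known.strip().lower() not in recipients:
        findings.append("registered user did not receive a reset mail")
    return findings


def run_demo():
    """Audit the same constructed account list under both settings."""
    accounts = {"alice@example.org"}   # constructed sample data
    before = ResetService(set(accounts), email_unknown_accounts=True)
    after = ResetService(set(accounts), email_unknown_accounts=False)
    args = ("Alice@Example.org ", "stranger@example.net")
    return audit_reset_flow(before, *args), audit_reset_flow(after, *args)
```
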
…6423)

### Summary

Fixes a server error in bulk update by handling `None` results gracefully.

### Description

If a `backend_result` result is `None`, the response now returns a proper 400 instead of causing a 500. See: #6281 (comment)

…1 DEV-947 (#6090)

### Notes

Refactor organization member and invites endpoints to use generated react-query helpers fully with invalidations and optimistic updates. Use `setMutationDefaults` as a means to centralize invalidations and optimistic update logic.

### Preview steps

1. have local env with a project
2. in django admin panel create and enable organization for the super user
2. in django admin panel create another user
3. login as superuser, go to http://kf.kobo.local/#/account/organization/members
4. invite the user
5. 🟢 notice that invite is in the list
6. in devtools, set throttling to "GPRS"
7. edit the invite's role
8. 🟢 [on pr] notice that invite in the list updates immediately - that's [optimistic updates](https://tanstack.com/query/latest/docs/framework/react/guides/optimistic-updates) working
8. 🟢 [on pr] notice that api request is sent and succeeds but doesn't re-render the page - that's react-query's auto-reconciliation [structural sharing](https://tanstack.com/query/latest/docs/framework/react/guides/render-optimizations#structural-sharing) working to avoid unnecessary re-renders
9. in devtools, set throttling to "offline"
10. edit the invite's role again
8. 🟢 [on pr] notice that role in the list updates immediately.. - that's optimistic updates working
8. 🟢 [on pr] ..but the API request fails..
9. 🟢 [on pr] ..and the role reverts to previous value - that's rolling back optimistic updates working

---------

Co-authored-by: Leszek Pietrzak <[email protected]>

### Checklist

- #Support Docs Updates, if any
- `<type>(<scope>)<!>: <title> DEV-1234`
- Front end and/or Back end or workflow

### Notes

The MFA token authentication form is replaced by a version based on allauth MFA feature.

### Preview steps