release 4.0.0

svenhertle · svenhertle · commit e1ba89a3b635 · 2026-02-02T21:56:47.000+01:00
diff --git a/TODO b/TODO
@@ -1,5 +1,4 @@
 * Validation page
 * Check MariaDB instructions
-* Generate secret key
 * Check Apache instructions
 * Update instructions for manual installation
diff --git a/source/admin/configuration.rst b/source/admin/configuration.rst
@@ -272,10 +272,9 @@ If the ``admin`` configuration is not present, the admin privilege is not touche
                # The requested scopes
                scopes: "openid email profile"
 
-               # Controls the session cookie SameSite attribute, forcing it to "Lax". This is necessary if your OIDC provider
-               # resides on a different top level domain name than the Helfertool (error message: "Login failed")
-               # Set it to true in this case.
-               thirdparty_domain: false
+               # The claim that should be used as username
+               # Reasonable choices are email or preferred_username
+               username_claim: "email"
 
                # It could happen that the user is disabled or claims change. So we can redirect the users from time to time
                # to the OIDC provider and validate if they are still allowed to login.
@@ -284,10 +283,11 @@ If the ``admin`` configuration is not present, the admin privilege is not touche
 
                # If the session is only terminated in the application, the login via OIDC works again without asking for credentials.
                # Therefore, we can also trigger a logout at the OIDC provider.
-               # The URL is less well specified and depends on the provider (here: Keycloak)
+               # We built URLs according to the OpenID Connect RP-Initiated Logout 1.0 standard by default
                logout:
                    endpoint: "https://auth.helfertool.org/auth/realms/test/protocol/openid-connect/logout"
                    redirect_parameter: "redirect_uri"
+                   id_token_hint: true
 
            # Permissions based on claims
            claims:
@@ -424,6 +424,7 @@ Security settings
        debug: false
 
        # Unique and secret key
+       # At least 50 characters recommended, for example: pwgen -s 50 1
        secret: "change_this_for_production"
 
        # URLs that are used for the software
@@ -445,15 +446,17 @@ Security settings
        # Enable captchas
        captchas:
            # for newsletter registration (recommended)
-           newsletter: false
+           newsletter: true
+
+           # for password reset (recommended)
+           password_reset: true
 
            # for event registration
            registration: false
 
 .. note::
-   Captchas were added in version 3.3.
-   They are disabled by default, but we recommend to enable it for the newsletter registration (if you use this feature).
-   Although the newsletter registration implementes a GDPR compliant double opt-in, one mail is still sent out.
+   Captchas were added in version 3.3 and were disabled by default.
+   Starting with version 4.0, captchas for newsletter registrations and password resets are enabled by default.
 
 .. _configuration-features:
 
@@ -536,6 +539,9 @@ Badge settings
        # Maximum number of copies for special badges
        special_badges_max: 50
 
+       # Time until PDF build is aborted in minutes
+       build_timeout: 5
+
        # Time until PDF file is deleted after it was created in minutes
        pdf_timeout: 30
 
@@ -553,6 +559,27 @@ Newsletter settings
        # This setting specifies how long the link is valid (days). Afterwards, the mail address is deleted.
        subscribe_deadline: 3
 
+Admin automation settings
+-------------------------
+
+.. code-block:: none
+
+   automation:
+       # Send reminder mails to event admins that did not archive the event within time
+       # "deadline" and "interval" need to be set to enable the feature
+       event_archive:
+           # Deadline (months)
+           deadline: 6
+
+           # Interval of mails (days)
+           interval: 7
+
+           # Start this number of days before the deadline (optional)
+           start_before_deadline: 14
+
+           # Link to some documentation that is included in the mail (optional)
+           #docs: ""
+
 Additional settings without Docker
 ----------------------------------
 
diff --git a/source/admin/further/logging.rst b/source/admin/further/logging.rst
@@ -47,6 +47,10 @@ The following events are currently logged:
 +---------------------------+--------------+--------------------------------------------------------+
 | password changed          | info         |                                                        |
 +---------------------------+--------------+--------------------------------------------------------+
+| password resetattempt     | info         | Password reset was started (link sent to user)         |
++---------------------------+--------------+--------------------------------------------------------+
+| password reset            | info         |                                                        |
++---------------------------+--------------+--------------------------------------------------------+
 | user created              | info         |                                                        |
 +---------------------------+--------------+--------------------------------------------------------+
 | user deleted              | info         |                                                        |
@@ -167,4 +171,5 @@ The following events are currently logged:
 +---------------------------+--------------+--------------------------------------------------------+
 | corona cleanup            | info         |                                                        |
 +---------------------------+--------------+--------------------------------------------------------+
-
+| archiveexception changed  | info         |                                                        |
++---------------------------+--------------+--------------------------------------------------------+
diff --git a/source/admin/installation.rst b/source/admin/installation.rst
@@ -144,7 +144,7 @@ configure at least the following settings:
  * Database
  * RabbitMQ
  * Mail server
- * Secret key (``security`` > ``secret``)
+ * Secret key (``security`` > ``secret``) - at least 50 characters recommended, for example `pwgen -s 50 1`
  * Allowed hosts (``security`` > ``allowed_hosts``)
 
 .. TODO: explain, how to generate
diff --git a/source/admin/versions.rst b/source/admin/versions.rst
@@ -40,7 +40,7 @@ Latest release
 +-----------------+--------------------------------------------+------------------+
 | Relase series   | Latest release                             | Release date     |
 +=================+============================================+==================+
-| 3.3.x           | :ref:`3.3.1 <changelog-3-3-1>`             | 2025-06-03       |
+| 4.0.x           | :ref:`4.0.0 <changelog-4-0-0>`             | 2026-02-02       |
 +-----------------+--------------------------------------------+------------------+
 
 .. _versions_tags:
diff --git a/source/releases/changelog.rst b/source/releases/changelog.rst
@@ -4,6 +4,45 @@
 Changelog
 =========
 
+.. _changelog-4-0-0:
+
+4.0.0 (2026-02-02)
+------------------
+
+* Breaking changes
+
+  * Removed Corona tracing app
+  * Enforce additional parameter in validation links, that prevent guessing (added since 3.0.0)
+
+* Security fixes
+
+  * Fix wrong permission checks in badge views
+  * Add build timeout for badge PDFs
+  * Show warning about debug mode and weak secret keys on "Check installation" page
+  * Escape ``og:description`` meta property correctly
+
+* Changes in `helfertool.yaml`:
+
+  * Removed: ``language`` -> ``country``
+  * Removed: ``authentication`` -> ``oidc`` -> ``provider`` -> ``thirdparty_domain`` (not required anymore, SameSite attribute of session cookie is always ``Lax`` now)
+  * New: ``authentication`` -> ``oidc`` -> ``provider`` -> ``username_claim``
+  * New: ``badges`` -> ``build_timeout``
+  * New: ``automation`` (and config below)
+* Add password reset via mail for local users
+* New users can be added without directly setting a password - the password is then set via password reset
+* Add automated reminder mails for event archival (disabled by default)
+* Add option to ask for Matrix ID during registration
+* When using OpenID Connect, the claim used for the username can be configured now (setting: ``username_claim``)
+* When using OpenID Connect, the logout according to the "OpenID Connect RP-Initiated Logout 1.0" standard is supported now (Keycloak and Entra ID for example support that)
+* Fix performance issue on main page with list of events
+* Improve some redirects after saving a shift or job and setting the presence of helpers
+* Update of dependencies (Django, Debian 13 for container, ...) and replaced CKEditor
+
+Thanks to the participants of the practical course "Web Application Security" at TUM for analyzing the tool and providing their results:
+
+* Michael Vynogradov
+* `... more names will be added`
+
 .. _changelog-3-3-1:
 
 3.3.1 (2025-06-03)
diff --git a/source/releases/history.rst b/source/releases/history.rst
@@ -9,6 +9,8 @@ Details about relases and versions can be found in the :ref:`admin guide <versio
 +-----------------+--------------------------------------------+------------------+
 | Relase series   | Latest release                             | Release date     |
 +=================+============================================+==================+
+| 4.0.x           | :ref:`4.0.0 <changelog-4-0-0>`             | 2026-02-02       |
++-----------------+--------------------------------------------+------------------+
 | 3.3.x           | :ref:`3.3.1 <changelog-3-3-1>`             | 2025-06-03       |
 +-----------------+--------------------------------------------+------------------+
 | 3.2.x           | :ref:`3.2.3 <changelog-3-2-3>`             | 2024-04-09       |
