Release 3.37.0

Author: sleidig

.github/workflows/pull-request-update.yml

@@ -44,25 +44,31 @@ jobs:
   deploy-prod-image:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
+
       - name: Build and push PR image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ./
           file: ./build/Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: aamdigital/ndb-server:pr-${{ github.event.number }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
       - name: Deploy updated image
         uses: appleboy/ssh-action@master
         with:

build/Dockerfile

@@ -70,7 +70,7 @@ RUN if [ "$SENTRY_AUTH_TOKEN" != "" ] ; then \
 
 ### PROD image
 
-FROM nginx:1.25.5-alpine
+FROM nginx:1.26.1-alpine
 COPY ./build/default.conf /etc/nginx/templates/default.conf
 COPY --from=builder /app/dist/ /usr/share/nginx/html
 # The port on which the app will run in the Docker container

doc/compodoc_sources/concepts/permissions.md

@@ -111,6 +111,30 @@ The `admin_app` role simpy allows user with this role to do everything, without
 To learn more about how to define rules, have a look at
 the [CASL documentation](https://casl.js.org/v5/en/guide/define-rules#rules).
 
+It is also possible to access information of the user sending the request. E.g.:
+
+```json
+{
+  "subject": "org.couchdb.user",
+  "action": "update",
+  "fields": [
+    "password"
+  ],
+  "conditions": {
+    "name": "${user.name}",
+    "projects": {
+      "$in": "${user.projects}"
+    }
+  }
+}
+```
+
+This allows users to update the `password` property of their *own* document in the `_users` database.
+Placeholders can currently access properties that the _replication-backend_ explicitly adds to the auth user object. 
+Other available values are `${user.roles}` (array of roles of the user) and  `${user.projects}` (the "projects" attribute of the user's entity that is linked to the account through the "exact_username" in Keycloak).
+
+For more information on how to write rules have a look at the [CASL documentation](https://casl.js.org/v5/en/guide/intro).
+
 ### Implementing components with permissions
 
 This section is about code using permissions to read and edit **entities**.

doc/compodoc_sources/how-to-guides/reports.md

@@ -3,29 +3,65 @@
 The reporting module allows organizations to automatically create reports of aggregated data for a given timespan.
 This can be used to track indicators and export anonymous data.
 
+There are currently two systems available to generate reports, both using the same config documents (`ReportConfig:*`): 
+- SQL-based queries executed server-side using the SQS server
+- (legacy) client-side generator using the aggregation & query syntax below
+
+# SQL Reports
+
+For this feature, we have integrated the (optional) [structured-query-service (SQS)](https://neighbourhood.ie/products-and-services/structured-query-server)
+(this creates a read-only copy of the data in the CouchDB and allows to run Sqlite queries against it).
+SQS enables the possibility to create SQL based queries in reports.
+
+The SQS image is not available as open source and needs a licence. It is pulled from a private container registry.
+
+## Deployment
+
+To activate it for an application, simply activate "aam-backend-service" profile (`COMPOSE_PROFILES=aam-backend-service`) in the applications `.env` file and run `docker compose up -d`.
+
 ## Configuration
 
-The reports can be defined through the config of the reporting component.
+The reports can be defined as `ReportConfig:*` entities.
+
+There are different modes for `ReportConfig`:
+
+### sql
+Requirements: SQS
+
+#### Simple SQL Report
 
 ```json
-"view:report": {
-  "component": "Reporting",
-  "config": {
-    "reports": [
-      {
-        "title": "Basic Report",
-        "aggregationDefinitions": [...],
-      },
-      {
-        "title": "Event Report",
-        "aggregationDefinitions": [...]
-      }
-    ]
-  }
+// app/ReportConfig:test-report
+{
+  "_id": "ReportConfig:test-report",
+  "title": "Test Report",
+  "mode": "sql",
+  "aggregationDefinition": "SELECT c.name as name, c.dateOfBirth as dateOfBirth FROM Child c",
+  "neededArgs": []
 }
 ```
 
-## Aggregation structure
+
+#### SQL Report With Arguments
+Additional arguments for the query (like a from and to date parameter) can be used in the SQL query directly using "?". The "neededArgs" array defines what arguments are filled for the "?" placeholders in the given order.
+
+```json
+// app/ReportConfig:test-report
+{
+  "_id": "ReportConfig:test-report",
+  "title": "Test Report",
+  "mode": "sql",
+  "aggregationDefinition": "SELECT c.name as name, c.dateOfBirth as dateOfBirth FROM Child c WHERE created_at BETWEEN ? AND ?",
+  "neededArgs": [
+    "from",
+    "to"
+  ]
+}
+```
+
+# JSON-Query Reports (legacy)
+
+#### Aggregation structure
 
 Inside the `aggregationDefinitions` an array of aggregations can be added.
 The following example shows the structure of an aggregation.
@@ -52,7 +88,7 @@ The following example shows the structure of an aggregation.
 - The `aggregations` array can be filled with further aggregations with the same structure.
   They will be executed on the result of the `query` as well as on each `groupBy` result.
 
-## `query` syntax
+#### `query` syntax
 
 A full documentation can be found [here](https://github.com/auditassistant/json-query#queries).
 The most top-level aggregation has to start with the entity which should be queried.