chore : Release v1.11 (#6768)

chore : Release v1.11

Co-authored-by: Areeb Jamal <[email protected]>
Co-authored-by: Suneet Srivastava <[email protected]>
Co-authored-by: null <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Prateek Jain <[email protected]>
Co-authored-by: Amit Aronovitch <[email protected]>
Co-authored-by: D.Rohit <[email protected]>
Co-authored-by: Ritik Jain <[email protected]>
Co-authored-by: Nitin Kumar <[email protected]>
Co-authored-by: Sai Charan <[email protected]>

Author: 9 people

.env.example

@@ -2,9 +2,9 @@ DATABASE_URL=postgresql://open_event_user:[email protected]:5432/oevent
 INTEGRATE_SOCKETIO=false
 TEST_DATABASE_URL=postgresql://open_event_user:[email protected]:5432/opev_test
 APP_CONFIG=config.DevelopmentConfig
-ENABLE_ELASTICSEARCH=false
-ELASTICSEARCH_HOST=localhost:9200
 
 POSTGRES_USER=open_event_user
 POSTGRES_PASSWORD=opev_pass
 POSTGRES_DB=open_event
+
+FLASK_APP=app.instance

.github/PULL_REQUEST_TEMPLATE.md

@@ -18,7 +18,7 @@ Fixes #
 
 - [ ] I have read the [Contribution & Best practices Guide](https://blog.fossasia.org/open-source-developer-guide-and-best-practices-at-fossasia) and my PR follows them.
 - [ ] My branch is up-to-date with the Upstream `development` branch.
-- [ ] The unit tests pass locally with my changes <!-- use `nosetests tests/all` to run all the tests -->
+- [ ] The unit tests pass locally with my changes <!-- use `nosetests tests/` to run all the tests -->
 - [ ] I have added tests that prove my fix is effective or that my feature works
 - [ ] I have added necessary documentation (if appropriate)
 <!-- If an existing function does not have a docstring, please add one -->

.travis.yml

@@ -21,7 +21,7 @@ install:
   - pip3 install -r requirements/tests.txt
 
 env:
-  - APP_CONFIG="config.TestingConfig" PATH=$PATH:${HOME}/google-cloud-sdk/bin
+  - APP_CONFIG="config.TestingConfig" SECRET_KEY="super secret key" PATH=$PATH:${HOME}/google-cloud-sdk/bin
 
 before_script:
   - psql -c 'create database test;' -U postgres
@@ -30,7 +30,7 @@ before_script:
   - bash scripts/test_multiple_heads.sh
 
 script:
-  - nosetests tests/all -v --with-coverage
+  - nosetests tests/ -v --with-coverage
 
 after_success:
   - 'bash <(curl -s https://codecov.io/bash)'

CHANGELOG.md

@@ -1,5 +1,19 @@
 ## Changelog
 
+#### v1.11.0 (2020-01-23):
+
+- **BREAKING:** Fix security issues related to secret key. You **MUST** add the current secret key set in DB as `SECRET_KEY` environment variable before upgrading. After upgrading, the column will be removed from DB 
+- Fix count query of tickets used to reserve tickets
+- Support event statistics in include query
+- Restrict deletion of orders except by admin
+- Fix missing fields and incorrect column value in session csv export
+- Addition of field for Promoted Events, Instagram Speaker URL, Age Groups for Attendee
+- Replaced jobs running with APS to celery-beat
+- Fix sessions can be edited after CFS has ended
+- Removed elasticsearch initialisation and redundant APIs
+- Change country field type to select in forms
+- Other minor fixes
+
 ##### v1.10.0 (2019-12-22):
 
 - Fix event and speaker image resizing, and add management command to resize event and speaker images which remained to be resized.  

Dockerfile

@@ -26,4 +26,4 @@ WORKDIR /data/app
 ADD . .
 
 EXPOSE 8080
-CMD ["sh", "scripts/container_start.sh"]
+ENTRYPOINT ["sh", "scripts/container_start.sh"]

README.md

@@ -234,13 +234,13 @@ export APP_CONFIG=config.TestingConfig
 
 * Then go to the project directory and run the following command:
 ```
-python3 -m unittest discover tests/all/
+python3 -m unittest discover tests/
 ```
 * It will run each test one by one.
 
 * You can also use the following command to run tests using nosetests:
 ```
-nosetests tests/all/
+nosetests tests/
 ```
 
 #### Running robot framework tests

app.json

@@ -12,6 +12,9 @@
         "APP_SECRET_TOKEN": {
             "generator": "secret"
         },
+        "SECRET_KEY": {
+            "generator": "secret"
+        },
         "ON_HEROKU": "true",
         "FORCE_SSL": "true",
         "INVITATION_CODE": {

app/api/attendees.py

@@ -1,10 +1,8 @@
-from datetime import datetime
+import datetime
 
-from flask import Blueprint, request, jsonify, abort, make_response
 from flask_jwt_extended import current_user
 from flask_rest_jsonapi import ResourceDetail, ResourceList, ResourceRelationship
-from flask_rest_jsonapi.exceptions import ObjectNotFound
-from sqlalchemy.orm.exc import NoResultFound
+from sqlalchemy import or_, and_
 
 from app.api.bootstrap import api
 from app.api.helpers.db import safe_query, get_count
@@ -13,7 +11,6 @@
     ForbiddenException,
     UnprocessableEntity,
 )
-from app.api.helpers.mail import send_email_to_attendees
 from app.api.helpers.permission_manager import has_access
 from app.api.helpers.permissions import jwt_required
 from app.api.helpers.query import event_query
@@ -25,7 +22,23 @@
 from app.models.ticket_holder import TicketHolder
 from app.models.user import User
 
-attendee_misc_routes = Blueprint('attendee_misc', __name__, url_prefix='/v1')
+from app.settings import get_settings
+
+
+def get_sold_and_reserved_tickets_count(event_id):
+    order_expiry_time = get_settings()['order_expiry_time']
+    return db.session.query(TicketHolder.id).join(Order).filter(TicketHolder.order_id == Order.id) \
+        .filter(Order.event_id == int(event_id),
+                Order.deleted_at.is_(None),
+                or_(Order.status == 'placed',
+                    Order.status == 'completed',
+                    and_(Order.status == 'initializing',
+                         Order.created_at + datetime.timedelta(
+                             minutes=order_expiry_time) > datetime.datetime.utcnow()),
+                    and_(Order.status == 'pending',
+                         Order.created_at + datetime.timedelta(
+                             minutes=30 + order_expiry_time) > (datetime.datetime.utcnow()))
+                    )).count()
 
 
 class AttendeeListPost(ResourceList):
@@ -56,8 +69,7 @@ def before_post(self, args, kwargs, data):
                 "Ticket belongs to a different Event"
             )
         # Check if the ticket is already sold out or not.
-        if get_count(db.session.query(TicketHolder.id).
-                     filter_by(ticket_id=int(data['ticket']), deleted_at=None)) >= ticket.quantity:
+        if get_sold_and_reserved_tickets_count(ticket.event_id) >= ticket.quantity:
             raise ConflictException(
                 {'pointer': '/data/attributes/ticket_id'},
                 "Ticket already sold out"
@@ -257,34 +269,3 @@ class AttendeeRelationshipOptional(ResourceRelationship):
     schema = AttendeeSchema
     data_layer = {'session': db.session,
                   'model': TicketHolder}
-
-
-@attendee_misc_routes.route('/attendees/send-receipt', methods=['POST'])
-@jwt_required
-def send_receipt():
-    """
-    Send receipts to attendees related to the provided order.
-    :return:
-    """
-    order_identifier = request.json.get('order-identifier')
-    if order_identifier:
-        try:
-            order = db.session.query(Order).filter_by(identifier=order_identifier).one()
-        except NoResultFound:
-            raise ObjectNotFound({'parameter': '{identifier}'}, "Order not found")
-
-        if (order.user_id != current_user.id) and (not has_access('is_registrar', event_id=order.event_id)):
-            abort(
-                make_response(jsonify(error="You need to be the event organizer or order buyer to send receipts."), 403)
-            )
-        elif order.status != 'completed':
-            abort(
-                make_response(jsonify(error="Cannot send receipt for an incomplete order"), 409)
-            )
-        else:
-            send_email_to_attendees(order, current_user.id)
-            return jsonify(message="receipt sent to attendees")
-    else:
-        abort(
-            make_response(jsonify(error="Order identifier missing"), 422)
-        )

app/api/auth.py

@@ -16,8 +16,6 @@
 from healthcheck import EnvironmentDump
 from sqlalchemy.orm.exc import NoResultFound
 
-from app import get_settings
-from app import limiter
 from app.api.helpers.db import save_to_db, get_count
 from app.api.helpers.auth import AuthManager, blacklist_token
 from app.api.helpers.jwt import jwt_authenticate
@@ -28,11 +26,13 @@
 from app.api.helpers.notification import send_notification_with_action
 from app.api.helpers.third_party_auth import GoogleOAuth, FbOAuth, TwitterOAuth, InstagramOAuth
 from app.api.helpers.utilities import get_serializer, str_generator
+from app.extensions.limiter import limiter
 from app.models import db
 from app.models.mail import PASSWORD_RESET, PASSWORD_CHANGE, \
     PASSWORD_RESET_AND_VERIFY
 from app.models.notification import PASSWORD_CHANGE as PASSWORD_CHANGE_NOTIF
 from app.models.user import User
+from app.settings import get_settings
 
 
 logger = logging.getLogger(__name__)

app/api/custom/attendees.py

@@ -0,0 +1,45 @@
+from flask import Blueprint, request, jsonify, abort, make_response
+from flask_jwt_extended import current_user
+from sqlalchemy.orm.exc import NoResultFound
+
+from app.api.helpers.mail import send_email_to_attendees
+from app.api.helpers.permissions import jwt_required
+from app.api.helpers.errors import (
+    UnprocessableEntityError,
+    NotFoundError,
+    ForbiddenError,
+)
+from app.api.helpers.permission_manager import has_access
+
+from app.models.order import Order
+from app.models import db
+
+attendee_blueprint = Blueprint('attendee_blueprint', __name__, url_prefix='/v1')
+
+
+@attendee_blueprint.route('/attendees/send-receipt', methods=['POST'])
+@jwt_required
+def send_receipt():
+    """
+    Send receipts to attendees related to the provided order.
+    :return:
+    """
+    order_identifier = request.json.get('order-identifier')
+    if order_identifier:
+        try:
+            order = db.session.query(Order).filter_by(identifier=order_identifier).one()
+        except NoResultFound:
+            return NotFoundError({'parameter': '{order_identifier}'}, "Order not found").respond()
+
+        if (order.user_id != current_user.id) and (not has_access('is_registrar', event_id=order.event_id)):
+            return ForbiddenError({'source': ''},
+                                  'You need to be the event organizer or order buyer to send receipts.').respond()
+        elif order.status != 'completed':
+            abort(
+                make_response(jsonify(error="Cannot send receipt for an incomplete order"), 409)
+            )
+        else:
+            send_email_to_attendees(order, current_user.id)
+            return jsonify(message="receipt sent to attendees")
+    else:
+        return UnprocessableEntityError({'source': ''}, 'Order identifier missing').respond()