dragoonaethis / coriolis Goto Github PK

Useful if users need to provide a URL, and an URL only - nice to have, not required at the moment though.

Notifications should be sent for:

• Registration confirmation to the attached email address (no mails for on-site registrations)
• Status changed on ticket (-> paid, cancelled, confirmed by orgs)
• New application submitted (notify orgs)
• Application status changed (notify submitter)

Orgs should have a simple Approve/Reject button in the Admin Panel on each Application in the Waiting for Organizers state.

Currently they're GET-based, that's no good.

They're all sent as raw text, which doesn't work so well when field labels contain HTML directly. Special characters also get encoded incorrectly. This needs to be fixed.

If someone submitted 2-3 applications for attractions, it's currently difficult to figure out what was actually accepted. Make the form name dynamic or more descriptive, plus enrich emails with some extra info.

Notes for visitors: If a dependency is marked as ❓/❌ here, it does not mean it doesn't work - we just haven't tested it yet, and changelogs/support tables don't mention Django 4.0/Python 3.10 support.

After Django 4.0 migration, we need to run makemigrations once to create a no-op migration.

Currently, all ticket types are displayed in the ticket selector under a few conditions (OK'd for online sales, in deadline, has rels), but we sometimes want to force display a ticket type even if it will no longer be available for sale. Allow force displaying a type.

Currently we're doing just SMTP via Gmail, but the next large event will outgrow that. Add Anymail with Azure ACS or AWS SES support for transactional mails.

Feedback from @baatochan: If a ticket belongs to the org, accreditation panel was accessed from the org detail list and the current user has perms on crew_accreditation + crew_orgs, redirect back to the related org detail view instead of the accreditation front.

The way ticket rendering is implemented now is that the Dramatiq service worker, running as www-data, invokes the Docker binary directly. Nothing wrong with that per se, except that if anything takes over www-data, they can call Docker, and so they can just mount, rip and tear whatever they want on the system. Figure out a way to strip that privilege from www-data cleanly.

Can be used for t-shirt sizing for VIP tickets, etc.

We want some forms to automatically show/hide optional fields based on checkbox states. Custom JS would help with that.

• We currently send orgs an email for new tickets awaiting approval/rejection.
• Admins have to manually go into the admin panel to set new notes/status.
• Templatize and send the URL in that mail too.

• Highlight fields in red whenever an invalid value is entered on the client-side
• Affects required fields left empty, phone numbers and email addresses.
• No clear way to integrate with Django forms, help needed!

• Filter tickets by (Event, Status)
• Filter applications by (Event, Status)

• We just don't store anything like that at the moment, but we could get rid of the Convention Card if we did.
• Medical data most likely needs extra security design (encrypt with pubkey on the server side, provision browsers for privileged people with priv keys for decryption?)
• Also needs a review pass on all public endpoints (maybe lock down all endpoints behind login_required, make a separate URL block for public ones only?)

Some application types should have their Reply-To set a given org's inbox, not the global event one.

• Currently we just add a event__name relation, which kinda sucks.
• Let's create a filter class that gets all active events and lookup returns ID -> event name pairs.
• https://docs.djangoproject.com/en/4.0/ref/contrib/admin/#django.contrib.admin.ModelAdmin.list_filter

• Let users pay for their tickets online, not just on-site.
• django-payments seems decent, there's also django-payments-przelewy24

Feedback from @baatochan:

• If an org has at least one used ticket, make that fact visible on the org list. (Right now you can only see how many tickets are used in the org detail view, OR on the org list if all registered org tickets are used.)
• If an org has cancelled or otherwise unusable tickets, make such tickets not count for status checks in the org list.

Currently all media is served from a /media path - we should use a separate user media domain with a proper CSP policy.

Occasionally, the SMTP server dies - and so do pages which need to send mails as a result of whatever they're doing. We should send emails on a background task queue to retry them later.

All the ON_GET features should be disabled: https://django-allauth.readthedocs.io/en/latest/configuration.html

Footer text and button e-mail address is currently hardcoded, this needs to be configurable per-event.

We just assume the form is correct - add a validator that tries to construct a DynamicForm and fails if an exception is thrown.

• Make a TicketType - PaymentProvider M2M relation.
• Make online payments redirect to a provider picker, or autoredirect to the first available if only one is enabled.
• Make the "pay on site" an explicit payment option, so that some ticket types (VIPs) may have mandatory online payment.

https://docs.djangoproject.com/en/4.2/releases/4.2/

Notable issues:

• Setting update_fields in Model.save() may now be required
• Upgrade the upstream django-dramatiq-email library for 4.2 compat
  • EmailBackend now verifies a hostname and certificates. If you need the previous behavior that is less restrictive and not recommended, subclass EmailBackend and override the ssl_context property.
• {% blocktranslate asvar … %} result is now marked as safe for (HTML) output purposes.
• The entire STORAGES migration, maybe?

Deprecations:

• Passing encoded JSON string literals to JSONField is deprecated
• The length_is template filter is deprecated
• The STATICFILES_STORAGE setting is deprecated in favor of STORAGES["staticfiles"]

CSRF protection should be enabled, along with .env-configurable trusted origins.

• On Firefox et al, uploading a new image works fine and the preview updates immediately.
• On Chrome et al, the preview does not update due to caching (Ctrl-F5 fixes it).
• Bust caching on those images whenever the ticket gets updated.

Some tickets need some sort of an action taken within a time period (for example, VIP tickets need to be paid for within a few days of their purchase).

Add a state deadline mechanism where a ticket will have a deadline + handler to execute when it's reached. Background workers should periodically collect and run triggered handlers.

The flow should more or less look like:

• Ticket Owner initiates a Transfer Session (button in ticket details).
• Ticket Owner gets a link to the Transfer session (/transfer/{id}) and sends it to the Ticket Receiver.
  • Transfer Sessions are visible to all logged-in users with a session link.
• Ticket Receiver fills in the required data (full name and email address) and requests the transfer.
  • Once requested, the Transfer Session is visible only to the Owner and Receiver.
  • Email notification is sent to the Owner that a Transfer Session is ready.
• Ticket Owner approves the transfer.
  • Email notification is sent to the Owner and Receiver that a ticket transfer has been finished.

Allow pinning 3rd party tickets to a form. This should not reveal whether such tickets exist.

Either on each Admin page or by setting a global context to one of the events.

dramatiq-crontab does not clean up after itself if it crashes or gets stopped uncleanly. All subsequent launches will fail due to a persistent lock (which we have disabled for now). Fix that.

• Timestamps (created/updated) on everything
• Creation source (admin/self-registration/crew panel)
• Tickets: Used (bool)

Global custom pages are really helpful as the mean to communicate the privacy policy, the terms of service and other, legally important, information.

Happened on an account with enforced 2FA - investigate?

The scenario:

• You pay for the ticket, everything works, yay
• P24 sends a notification to our gateway endpoint that it worked, our handler verifies/accepts the payment and marks it as confirmed.
• P24 redirects the user back to Coriolis, handler checks if the payment is confirmed and updates the ticket status accordingly.

In most cases, the event order is just that, but occasionally something goes wrong and the notification shows up late.

The problem is that it's the user's view handler doing the ticket status updates - if P24 notification shows up after the redirect, it never gets updated. While this can be fixed by clicking Pay Online again (and django-payments will just do the redirect from the 3rd step), it's not a great experience.

• An easy fix is to update ticket statuses in the gateway endpoint handler, but if the payment fails, nothing ever hits it. Not great.
• The 3rd step should redirect to a "waiting for payment" screen where we poll for ticket status updates for a few seconds.
• If that doesn't happen, a background task that asks P24 what's up should fire.

• Currently it's just a plain file picker.
• Would be nice to have a dynamic image picker with cropping.
• Needs per-event image ratio configuration.

On the event site, when people check in on the front lines, we need to notify ID handlers in the back what's about to come. People could do that manually, sure, but we can also set up a background notifier that sends messages to Discord on each used ticket. (This is partially implemented - Dramatiq, wiki docs, some local code.)

• Application details are currently just glued-together "notes" put into a <pre> with some funny CSS to make it look decent. It'd be nice to format it with HTML properly.
• To do so, we need to store application details as JSON, not just glued-together fields, then using data from the application type, format the output accordingly.
• This would also enable nicer CSV export with separate columns for each field.

They're all in English, Polish 'em.

Allow pinning a specific ticket to the dynamic form via a custom ticket selection field.

We're running on a fork right now, let's undo that.

• Timezone support disabled as of dc409a3
• There doesn't seem to be a reason we'd like to support these, as the tool generally aims at small events...
• Figure out a neat way to implement this (in Django 4.0, maybe), or decide to drop support entirely.

Feedback from HeV: In the accreditation panel, if registering a new ticket, there's a checkbox to denote if the accredited person is of age. Some accreditation volunteers ignore it entirely - convert this into an explicit, required Yes/No checkbox to make it more obvious.

• Search by Ticket Code (exact, not fuzzy), Name, Email or Phone Number.
• Use a Ticket on-site (with payment method/notes).
• Create a Ticket on-site (from allowed types).
• Metrics and Admin Ops.