Admin restore runs in a background thread; the finally block must not use current_app.logger outside an application context. Use the captured Flask app instance for safe_file_remove logging instead.
While restore_backup runs (extract through Alembic upgrade), set a per-app _database_restore_in_progress flag and expose is_database_restore_in_progress(). The client portal blueprint registers a global app_context_processor; get_current_client() now skips database access during restore and catches SQLAlchemy errors with session rollback so error pages and login can still render when the schema is briefly torn on PostgreSQL.
Documentation: add docs/admin/BACKUP_AND_RESTORE.md, link it from the admin index and import/export docs, cross-reference from DATABASE_RECOVERY.md, and extend IMPORT_EXPORT_GUIDE.md with concurrent-restore guidance.
CommonMark and GFM both define ~~text~~ as strikethrough, and Toast UI
emits it when the user toggles strikethrough in the WYSIWYG editor.
Python markdown's 'extra' extension does not implement strikethrough,
so the wrapping tildes leak through to the rendered HTML and the user
sees ~~text~~ instead of struck-through text on /tasks/<id>, notes,
client view, etc.
Add a regex pass to _normalize_toastui_markdown that converts
~~text~~ to <del>text</del> before markdown parsing. The bleach
sanitizer already permits <del> via the existing allowed_tags list,
so the rendered HTML survives the sanitization pass intact.
The regex is non-greedy and stays on a single line so multiple
strikethroughs on the same line each get their own pair.
Task and note descriptions saved through the Toast UI WYSIWYG editor
came back wrapped in CommonMark-style escapes that Python markdown
either does not honour (\, → literal \,) or honours in a way that
breaks rendering (line-leading \- prevents list parsing).
The visible symptom on /tasks/<id>: bullet lists rendered as a single
flat paragraph with literal backslashes peppered between words.
Add a normaliser run before _md.markdown(...) that:
- Restores line-leading bullets that the editor escaped (\-/\*/\+
followed by whitespace at start of line).
- Strips backslashes before punctuation Python markdown does not
recognise as a valid escape (commas, colons, semicolons, etc.).
This handles existing rows in the DB without any data migration. The
normaliser leaves alone backslashes before punctuation Python markdown
does handle natively (\. \( \) \+ \- mid-line, \* \_ \# etc.)
so author-intent escapes still render correctly.
Strikethrough (~~text~~) still does not render because the 'extra'
extension does not include it; that is a separate enhancement.
Same class as the projects/list.html and weekly_goals/index.html fix
shipped earlier. Both task templates had a stray </div> immediately
before the <style> block with no matching opener:
app/templates/tasks/edit.html:339
app/templates/tasks/create.html:192
The orphan close pushed the rest of the page outside the outer
.grid lg:grid-cols-3 wrapper, so the form and sidebar rendered
left-aligned and the 'Built by an independent developer' footer
floated up to the top right.
Verified by div-balance trace: both files now reach final balance 0
with no negative excursions.
The validator's last-ditch fallback (used when both project-specific
and global columns are missing) returned a hardcoded list that omitted
"on_hold". The function's own docstring on the same code path even
calls this out explicitly:
drops to globally-defined columns like "on_hold" come back as 400
"Invalid status".
The broader fix from PR #605 made the validator fall back to global
columns first, which fixes the common case. But the very last fallback
list — used during fresh migrations before the kanban_columns table is
seeded — still rejects "on_hold" tasks the user has already created.
Real installs that ship with on_hold columns enabled hit this on the
first request after a clean migration.
Add on_hold to the hardcoded list so it stays consistent with what
on_hold-enabled installs expect to validate.
Auto-lint reformatted the surrounding column declarations; the only
behavioral change is the addition of on_hold to the fallback list.
ClientApprovalStatus is defined with uppercase Python names and lowercase
string values (PENDING = "pending", etc.), but the Postgres enum type
clientapprovalstatus is defined with the lowercase values. SQLAlchemy
defaults to binding the enum *name*, so every query against the column
sent "PENDING" and Postgres rejected it with InvalidTextRepresentation.
This made get_pending_approvals_for_client raise on every client portal
request — the navbar context processor catches the exception and returns
0, but the stack trace was logged on every page load.
Pass values_callable to SQLEnum so SQLAlchemy uses the enum *value* (the
lowercase string PG actually stores).
The auto-lint hook reformatted the rest of the file; the only behavioral
change is the values_callable parameter on the status column.
The conditional invoice-unbilled-time IIFE was wrapped in its own
<script>...</script> inside an outer <script> block. Browsers do not
allow nesting; the inner </script> closed the outer script, leaving
confirmDeleteNote and the trailing </script> as raw HTML. The function
rendered as visible text at the bottom of the client detail page and
was unreachable, breaking the per-note Delete button.
Removing the nested tags lets the IIFE run inline within the outer
script and restores confirmDeleteNote.
projects/list.html had an extra </div> at line 216 (after listView's
closing tag) that pushed the rest of the page outside the projectsContainer
wrapper, causing the grid to render unstyled and the footer to bleed up
to the top-right.
weekly_goals/index.html had an extra </div> at line 223 just before
{% endblock %} with no matching open, producing the same broken-wrapper
effect.
Both pages now render centered with the standard footer position.
Companion to #603. That earlier PR added is_license_activated guards
to three donate UI gates (header support button, user-menu support
link, support modal donate/buy-license buttons). Six other donate
gates in templates were missed:
- app/templates/base.html:1187 (sidebar nav donate entry)
- app/templates/base.html:1356 (large dismissible support banner)
- app/templates/main/help.html:834, 841 (help-page donate prompts)
- app/templates/main/about.html:43 (about-page donate header)
- app/templates/main/dashboard.html:629 (dashboard donate widget)
- app/templates/reports/index.html:18 (reports-page donate prompt)
Each was gated only on `current_user.ui_show_donate` (per-user flag),
not on the instance-wide is_license_activated. So a licensed instance
where some users still had the default ui_show_donate=true would keep
showing donate prompts to those users — most prominently the big
amber-gradient banner in base.html that draws the eye on every page.
Repro: with settings.donate_ui_hidden=true (license active), log in
as a user whose ui_show_donate is still the default true, and observe
the banner at the top of every page plus the help/dashboard/reports/
about prompts — none of which respect the active license.
Fix: append `and not is_license_activated` to the six leaking
visibility guards. Mirror of the pattern in #603.
The two about.html gates at lines 189 and 196 already check
donate_ui_hidden (functionally equivalent to is_license_activated)
and are left untouched.
5 files, +7 / -7 (or +9 / -9 when combined with #603's base.html
edits in this same branch). No backend, schema, or behavioural
change beyond the template visibility guard.
Note on overlap with #603: this branch's base.html includes both
PR #603's changes and this PR's changes. If #603 lands first, the
base.html diff in this PR shrinks to the +2/-2 unique to it.
If this PR lands first, #603 is subsumed and can be closed.
Wires the OIDC groups claim into the RBAC Role table introduced by
migration 030 (super_admin, admin, manager, user, viewer).
Until now, OIDC could only set the legacy users.role="admin" column
via OIDC_ADMIN_GROUP. Nothing in the codebase ever assigned Role rows
from OIDC, which meant IdP groups could not grant super_admin,
manager, or any custom role through SSO — only the binary is_admin
flag through the legacy column.
Three new env vars, all opt-in:
OIDC_ROLE_GROUP_MAP — JSON map of OIDC group name -> Role name.
Example:
OIDC_ROLE_GROUP_MAP='{"app-admin":"admin","app-manager":"manager"}'
Empty/invalid JSON disables the feature; OIDC_ADMIN_GROUP keeps
working unchanged.
OIDC_ROLE_SYNC_MODE — "additive" (default) or "sync".
additive: only ADD Role rows matching the user's groups; never
revoke. Misconfigured map degrades to a no-op.
sync: also REMOVE mapped Role rows when the matching group
is gone from the user's claims.
OIDC_NEVER_REVOKE_USER_IDS — comma-separated user IDs that must
never have roles revoked by OIDC sync, regardless of mode.
Useful for protecting bootstrap admins against a misconfigured
map in sync mode.
Implementation in app/routes/auth.py runs after the existing
OIDC_ADMIN_GROUP block. Steps on each OIDC login:
1. Parse the user's groups claim against OIDC_ROLE_GROUP_MAP -> a
set of target Role names.
2. Look up matching Role rows in DB (silently skips names that do
not exist as Role rows).
3. ADD: any target Role the user does not already have.
4. REMOVE: only in sync mode, only Role rows whose name is in the
map's values (so manually-assigned roles outside the OIDC scope
are preserved), and only if the user id is not in
OIDC_NEVER_REVOKE_USER_IDS.
5. Commit through safe_commit; failures log a warning and continue.
Defensive JSON parsing in config.py handles empty/missing input,
invalid JSON, non-dict roots (array, null, number), and falsy
keys/values — all degrade to {} (no-op). A warning is logged on the
first OIDC callback after a parse failure so a misconfigured env var
surfaces in the app log without crashing the app.
OIDC_ROLE_SYNC_MODE defaults to "additive" for any value other than
exactly "additive" or "sync" so typos default to safe.
OIDC_NEVER_REVOKE_USER_IDS ignores non-integer entries.
Why additive default: a misconfigured OIDC_ROLE_GROUP_MAP in sync
mode would silently revoke every mapped role on the next login,
including the bootstrap super_admin if the IdP claims do not include
the configured group. Additive mode means a misconfigured map
degrades to a no-op, not a lockout.
Backward compatible: every existing OIDC deployment without these
env vars set keeps identical behaviour. OIDC_ADMIN_GROUP is
untouched.
2 files, +103 / -0. No schema change, no data migration.
Companion to #606. The route validator at tasks.py:223 already calls
KanbanColumn.get_valid_status_keys(), but two downstream spots still
silently re-introduced the old hardcoded 5-key behaviour.
1. app/services/task_service.py:46
`VALID_STATUSES = ("todo", "in_progress", "review", "done", "cancelled")`
was a class-level hardcoded tuple. create_task() at line 85 silently
coerced any status not in the tuple to TaskStatus.TODO.value. So a
user creating a task with initial status "on_hold" would have it
quietly clamped to "todo" at the service layer even though the route
accepted it.
2. app/templates/tasks/create.html and tasks/edit.html
The status preview badge — both the server-rendered Jinja chain
in create.html and the client-side updateBadge() JS map in both
templates — hardcoded the same 5 keys. Selecting "on_hold" in the
dropdown caused the JS lookup to miss and fall back to the first
map entry ("To Do"), so the preview lied even before the form was
submitted.
Fix 1 (service): create_task() now calls
KanbanColumn.get_valid_status_keys(project_id=project_id) to build
the allowed set per call. The VALID_STATUSES tuple is kept as a
last-ditch fallback for the table-not-yet-seeded path and extended
to include "on_hold" so even the fallback matches the default seed.
Fix 2 (templates): the Jinja preview chain in create.html now loops
over kanban_columns to find the matching label. The JS updateBadge()
map in both create.html and edit.html now generates entries from
{% for col in kanban_columns %}, so any configured column key works
without further code changes.
3 files, +25 / -13. No schema change, no data migration.
Two distinct fix sets in one commit, both extending the kanban validator
fix in PR #605 and the project_attachments path-resolution fix already
discussed in this repo's history.
PHASE A — five upload routes joined current_app.root_path + ".." +
"uploads/<X>", which on a deployed instance with the standard
docker-compose layout resolves to /app/uploads/<X>. That path is
outside the mounted app_uploads volume, so every upload returns 500
with PermissionError. Same defect as project_attachments.
- app/routes/team_chat.py:470 (chat attachments)
- app/routes/clients.py:1257 (client attachments)
- app/routes/comments.py:279 (comment attachments)
- app/routes/quotes.py:1120 (quote attachments)
- app/routes/client_portal.py:1330,1347 (legacy "uploads/" download
fallback branches — same join, same bug)
Fix prepends "app/static/" so the resolved path lands inside the
mounted volume at /app/app/static/uploads/<X>. Mirrors the
invoice_images and quote_images patterns elsewhere in the same files.
PHASE B — validator/UI drift bugs, same class as the kanban fix in #605.
- app/models/kanban_column.py
* new helper get_columns_with_global_fallback() — returns
project columns or falls back to globals; mirrors
get_valid_status_keys behaviour for templates
* last-ditch hardcoded fallback in get_valid_status_keys now
includes "on_hold" so the table-not-yet-seeded path matches
the keys initialize_default_columns seeds
- app/routes/tasks.py
* task_counts now initialises from kanban_columns instead of
the hardcoded 4 keys; tasks in cancelled/on_hold/custom
columns are counted in the summary cards
* create-task validator now calls get_valid_status_keys(project_id)
instead of a hardcoded 5-key tuple; users creating a task in
on_hold no longer silently get clamped to todo
* every render_template("tasks/create.html", ...) and
("tasks/edit.html", ...) now passes kanban_columns
- app/templates/tasks/create.html and tasks/edit.html
* status <option> list now loops over kanban_columns instead of
hardcoding 5 keys
- app/routes/invoices.py:832
* bulk-update validator now accepts "issued", mirroring the
single-update validator at line 623; the model supports it
- app/routes/quotes.py:920, 1026, 1320
* admin-notification queries now use User.is_admin (which
considers both the legacy role column AND Role rows) instead
of User.query.filter_by(role="admin", ...). RBAC-only admins
granted via the Role table are now notified on quote.sent,
quote.accepted, and quote.approval.requested.
10 files, +60 / -41. No schema change. No data migration.
PUT /api/tasks/<id>/status returns 400 "Invalid status" whenever the
task belongs to a project that has no project-specific kanban_columns
rows AND the user drops it into a configured global column other than
the four hardcoded fallback keys.
Reproduction:
1. Project has no project-specific kanban_columns rows.
2. The instance has 5 globals (project_id IS NULL): todo, in_progress,
review, done, on_hold.
3. The kanban UI renders the 5 globals as drop targets for that
project's tasks.
4. User drops a task into "On Hold". Frontend sends status="on_hold".
5. app/routes/tasks.py:1519 calls
KanbanColumn.get_valid_status_keys(project_id=task.project_id)
with the project's id.
6. get_active_columns(project_id=<id>) filters strictly on project_id
and returns [].
7. get_valid_status_keys then falls back to the hardcoded list
["todo", "in_progress", "review", "done", "cancelled"]
which is missing "on_hold" (and includes "cancelled", which isn't
even a configured column).
8. "on_hold" is not in that list -> 400.
Drops to the four hardcoded keys all returned 200; only "On Hold"
failed, exactly matching the live 200/400 alternation observed in
production logs.
Fix: when there are no project-specific columns, fall back to the
configured global columns from the database (which is the set the UI
is already rendering). The hardcoded list is only used as a last-ditch
fallback when even the globals table is empty - this preserves the
table-not-yet-seeded safety net during fresh migrations.
Pure validator change; no schema change, no behavioural change beyond
accepting the statuses the UI is already offering.
These were caught by the project's own flake8 step but the failing
checks have been red on a number of recent runs, suggesting it's worth
fixing the underlying defects rather than ignoring the rule.
1. app/routes/auth.py — F821: undefined name 'datetime'
`current_user.two_factor_confirmed_at = datetime.utcnow()` (line ~620)
used `datetime` without importing it. Confirming 2FA raises
`NameError: name 'datetime' is not defined` at runtime.
Adds `from datetime import datetime` to the imports.
2. app/routes/timer.py — F823: local variable '_' referenced before assignment
`from flask_babel import gettext as _` is imported at module scope.
Four functions then unpack `can_start, _ = TimeTrackingService().can_start_timer(...)`
which makes `_` a function-local for the entire enclosing scope and
shadows the i18n alias. Three earlier `flash(_("..."))` calls in the
same functions (lines 171, 449, 2019) reference the local before it
exists and raise `UnboundLocalError` at runtime.
Fix: rename the throwaway slot from `_` to `_unused` in all four
`can_start_timer` unpackings. The translation alias resolves cleanly
in every flash() call again.
Total: +6 / -4 across two files.
The header support button, the user-menu support link, and the donate /
buy-license buttons inside the support modal were rendered for every
authenticated user, including instances with `donate_ui_hidden = true`
(an activated supporter license). Other donate prompts (sidebar, dashboard,
about, reports, help) already gated on `is_license_activated`; these three
spots slipped through.
Wrap each in `{% if not is_license_activated %}` so a licensed instance
gets a clean UI. The "Love TimeTracker? Share it" button stays visible —
sharing is still useful regardless of license state. Modal title copy
already adapts via the existing `is_license_activated` branch.
Extract snapshot reload from saved-design loading and reuse it for
history restore so undo matches save semantics.
Keep a capped stack of stage.toJSON() snapshots with debounced pushes
after drags, transforms, property panel edits, alignment/layer moves,
adds, deletes, and related actions.
Wire Ctrl/Cmd+Z and Ctrl/Cmd+Y (plus Ctrl/Cmd+Shift+Z for redo)
outside focused inputs; add non-passive wheel handling on the canvas
container to zoom within existing scale limits.
Document shortcuts and wheel zoom in the editor info box (i18n-ready).
When the layout editor posts template_json with the preview request,
use it instead of loading only the saved database template. Preview
then matches unsaved canvas edits and avoids stale layouts.
Normalize page width/height from the selected page size when parsing
form JSON; fall back to the stored template if the body is missing
or invalid.
Add a regression test ensuring form JSON overrides DB content.
Fix stale build-guide links, document the implemented quotes API scopes/endpoints, and clarify quote access plus permission-denial behavior so docs match route and test-backed behavior.
Record the Unreleased note describing the quote visibility alignment for users with edit permissions and the related regression coverage so release notes stay accurate.
Ensure quote list/detail access uses shared quote scope resolution so users with quote-management permissions can view records they can edit, including post-edit redirects in web and API flows. Add regression coverage for non-admin edit_quotes behavior and document the scope-alignment requirement in advanced permissions docs.
Argos and similar MT often corrupt %(name)s (e.g. "% (horas)") or swap in
positional %s, causing ValueError during dashboard render.
- Add scripts/sanitize_po_format_strings.py to clear invalid msgstr / plural
strings so gettext falls back to English msgids.
- Run sanitizer on translations/pt; msgfmt --check-format now passes.
- Document sanitizer + msgfmt after bulk fill in TRANSLATION_SYSTEM and
fill_po_argos header.
- Fix babel.cfg with [extractors] so pybabel resolves jinja2 templates on
toolchains where babel.extractors entry points are not loaded.
- Regenerate messages from source: extract POT, update all locales, drop
obsolete entries (--ignore-obsolete). Portuguese msgstr filled with
offline Argos en→pt (machine output; human QA still recommended).
- Add scripts/fill_po_argos.py for optional first-pass locale fills.
- Gitignore root messages.pot; document extract/update/Argos in
TRANSLATION_SYSTEM and CONTRIBUTING_TRANSLATIONS.
Register Português in LANGUAGES and normalize pt-BR/pt-PT (and similar)
to pt in _normalize_locale so Accept-Language and stored preferences resolve
to translations/pt/.
Add translations/pt/LC_MESSAGES/messages.po seeded from English msgids;
translators can fill msgstr incrementally.
Extend i18n tests for pt presence and catalog file. Update translation
docs (TRANSLATION_SYSTEM, CONTRIBUTING_TRANSLATIONS, implementation note).
- Fix setup.py version string (missing quote).
- Promote CHANGELOG [Unreleased] entries to [5.5.0] (2026-04-27); leave empty [Unreleased].
- Update BUILD_CONFIGURATION.md example version to match setup.py.
Dries Peeters