Release 2.6.0

.bumpversion.cfg

@@ -1,7 +1,7 @@
 [bumpversion]
 commit = False
 tag = False
-current_version = 2.6.0-alpha.0
+current_version = 2.6.0
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<pre>[a-z]+)\.(?P<build>\d+))?
 serialize = 
 	{major}.{minor}.{patch}-{pre}.{build}

.github/ISSUE_TEMPLATE/prepare-release.md

@@ -15,7 +15,9 @@ assignees: sergei-maertens
   - [ ] Haal Centraal BRP Personen bevragen
   - [ ] `src.soap.tests.test_client`
   - [ ] BRK (Kadaster)
+  - [ ] KVK
   - [ ] Ogone
+  - [ ] Objects API (registration)
 - [ ] Release new SDK version
 - [ ] Correct SDK version pinned in `.sdk-release`
 - [ ] Check translations

.sdk-release

@@ -1 +1 @@
-2.2.0-alpha.0
+2.2.0

CHANGELOG.rst

@@ -2,14 +2,190 @@
 Changelog
 =========
 
-Unreleased
-==========
+2.6.0 "Traiectum" (2024-03-25)
+==============================
 
-Upgrade procedure
------------------
+Open Forms 2.6.0 is a feature release.
+
+.. epigraph::
+
+   Traiectum is the name of a Roman Fort in Germania inferior, what is currently
+   modern Utrecht. The remains of the fort are in the center of Utrecht.
+
+Upgrade notes
+-------------
+
+* Ensure you upgrade to (at least) Open Forms 2.5.2 before upgrading to 2.6.
+
+* ⚠️ The ``CSRF_TRUSTED_ORIGINS`` setting now requires items to have a scheme. E.g. if
+  you specified this as ``example.com,cms.example.com``, then the value needs to be
+  updated to ``https://example.com,https://cms.example.com``.
+
+  Check (and update) your infrastructure code/configuration for this setting before
+  deploying.
+
+* The Objects API registration backend can now update the payment status after
+  registering an object. For this feature to work, the minimum version of the Objects
+  API is now ``v2.2`` (raised from ``v2.0``). If you don't make use of payments or don't
+  store payment information in the object, you can likely keep using older versions, but
+  this is at your own risk.
+
+* The ``TWO_FACTOR_FORCE_OTP_ADMIN`` and ``TWO_FACTOR_PATCH_ADMIN`` environment variables
+  are removed, you can remove them from your infrastructure configuration. Disabling MFA
+  in the admin is no longer possible. Note that the OpenID Connect login backends do not
+  require (additional) MFA in the admin and we've added support for hardware tokens
+  (like the YubiKey) which make MFA less of a nuisance.
+
+Major features
+--------------
+
+**📄 Objects API contract**
+
+We completely revamped our Objects API registration backend - there is now tight
+integration with the "contract" imposed by the selected object type. This makes it
+much more user friendly to map form variables to properties defined in the object type.
+
+The existing template-based approach is still available, giving you plenty of time to
+convert existing forms. It is not scheduled for removal yet.
+
+**👔 Decision engine (DMN) support**
+
+At times, form logic can become very complex to capture all the business needs. We've
+added support for evaluation of "Decision models" defined in a decision evaluation
+engine, such as Camunda DMN. This provides a better user experience for the people
+modelling the decisions, centralizes the definitions and gives more control to the
+business, all while simplifying the form logic configuration.
+
+Currently only Camunda 7 is supported, and using this feature requires you to have
+access to a Camunda instance in your infrastructure.
+
+**🔑 Multi-factor rework**
+
+We've improved the login flow for staff users by making it more secure *and* removing
+friction:
+
+* users of OIDC authentication never have to provide a second factor in Open Forms
+* you can now set up an automatic redirect to the OIDC-provider, saving a couple of
+  clicks
+* users logging in with username/password can now use hardware tokens (like YubiKey),
+  as an alternative one-time-password tokens (via apps like Google/Microsoft
+  Authenticator)
+
+**🔓 Added explicit, public API endpoints**
+
+We've explicitly divided up our API into public and private parts, and this is reflected
+in the URLs. Public API endpoints can be used by CMS integrations to present lists of
+available forms, for example. Public API endpoints are subject to semantic versioning,
+i.e. we will not introduce breaking changes without bumping the major version.
+
+Currently there are public endpoints for available form categories and available forms.
+The existing, private, API endpoints will continue to work for the foreseeable future
+to give integrations time to adapt. The performance of these endpoints is now optimized
+too.
+
+The other API endpoints are private unless documented otherwise. They are *not* subject
+to our semantic versioning policy anymore, and using these is at your own risk. Changes
+will continue to be documented in the release notes.
+
+Detailed changes
+----------------
+
+The 2.6.0-alpha.0 changes are included as well, see the earlier changelog entry.
+
+**New features**
+
+* [#3688] Objects API registration rework
+
+    - Added support for selecting an available object type/version in a dropdown instead
+      of copy-pasting a URL.
+    - The objecttype definition (JSON-schema) is processed and will be used for validation.
+    - Registration configuration is specified on the "variables" tab for each available
+      (built-in or user-defined) variable, where you can select the appropriate object
+      type property in a dropdown.
+    - Added the ability to explicitly map a file upload variable into a specific object
+      property for better data quality.
+    - Ensured that the legacy format is still available (100% backwards compatible).
+
+* [#3855] Improved user experience of DMN integration
+
+    - The available input/output parameters can now be selected in a dropdown instead of
+      entering them manually.
+    - Added robustness in case the DMN engine is not available.
+    - Added caching of DMN evaluation results.
+    - Automatically select the only option if there's only one.
+
+* Added documentation on how to configure Camunda for DMN.
+* Tweaked the dark-mode styling of WYSIWYG editors to better fit in the page.
+* [#3164] Added explicit timeout fields to services so they can be different from the
+  global default.
+* [#3695] Improved login screen and flow
+
+    - Allow opt-in to automatically redirect to OIDC provider.
+    - Support WebAuthn (like YubiKey) hardware tokens.
+
+* [#3885] The admin form list now keeps track of open/collapsed form categories.
+* [#3957] Updated the eIDAS logo.
+* [#3825] Added a well-performing public API endpoint to list available forms, returning
+  only minimal information.
+* [#3825] Added public API endpoint to list available form categories.
+* [#3879] Added documentation on how to add services for the service fetch feature.
+* [#3823] Added more extensive documentation for template filters, field regex validation
+  and integrated this documentation more into the form builder.
+* [#3950] Added additional values to the eHerkenning CSP-header configuration.
+* [#3977] Added additional validation checks on submission completion of the configured
+  formio components in form steps.
+* [#4000] Deleted the 'save and add another' button in the form designer to maintain safe
+  blood pressure levels for users who accidentally clicked it.
+
+**Bugfixes**
+
+* [#3672] Fixed the handling of object/array variable types in service fetch configuration.
+* [#3890] Fixed visually hidden fields not being sent to Objects API registration backend.
+* [#1052] Upgraded DigiD/eHerkenning library.
+* [#3924] Fixed updating of payment status when the "registration after payment is
+  received" option is enabled.
+* [#3909] Fixed a crash in the form designer when you use the ZGW registration plugin
+  and remove a variable that is mapped to a case property ("Zaakeigenschap").
+* [#3921] Fixed not all (parent/sibling) components being available for selection in the
+  form builder.
+* [#3922] Fixed a crash because of invalid prefill configuration in the form builder.
+* [#3958] Fixed the preview appearance of read-only components.
+* [#3961] Reverted the merged KVK API services (basisprofiel, zoeken) back into separate
+  configuration fields. API gateways can expose these services on different endpoints.
+* [#3705] Fixed the representation of timestamps (again).
+* [#3975,#3052] Fixed legacy service fetch configuration being picked over the intended
+  format.
+* [#3881] Fixed updating a re-usable form definition in one form causing issues in other
+  forms that also use this same form definition.
+* [#4022] Fix crash on registration handling of post-payment registration. The patch for
+  #3924 was bugged.
+* [#2827] Worked around an infinite loop when assigning the variable ``now`` to a field
+  via logic.
+* [#2828] Fixed a crash when assigning the variable ``today`` to a variable via logic.
+
+**Project maintenance**
+
+* Removed the legacy translation handling which became obsolete with the new form builder.
+* [#3049] Upgraded the Django framework to version 4.2 (LTS) to guarantee future
+  security and stability updates.
+* Bumped dependencies to pull in their latest security/patch updates.
+* Removed stale data migrations, squashed migrations and cleaned up old squashed migrations.
+* [#851] Cleaned up ``DocumentenClient`` language handling.
+* [#3359] Cleaned up the registration flow and plugin requirements.
+* [#3735] Updated developer documentation about pre-request clients.
+* [#3838] Divided the API into public and private API and their implied versioning
+  policies.
+* [#3718] Removed obsolete translation data store.
+* [#4006] Added utility to detect KVK integration via API gateway.
+* [#3931] Remove dependencies on PyOpenSSL.
+
+2.5.4 (2024-03-19)
+==================
+
+Hotfix release to address a regression in 2.5.3
 
-* ⚠️ The ``CSRF_TRUSTED_ORIGINS`` setting now requires items to have a scheme. If you
-  specify this setting, update your infrastructure code.
+* [#4022] Fix crash on registration handling of post-payment registration. The patch for
+  #3924 was bugged.
 
 2.5.3 (2024-03-14)
 ==================
@@ -70,7 +246,7 @@ Final release in the 2.2.x series.
 * [#3858] Fixed a race condition that would manifest during parallel file uploads,
   leading to permission errors.
 
-2.6.0-alpha.0 (2023-02-20)
+2.6.0-alpha.0 (2024-02-20)
 ==========================
 
 This is an alpha release, meaning it is not finished yet or suitable for production use.

README.NL.rst

@@ -2,7 +2,7 @@
 Open Formulieren
 ================
 
-:Version: 2.6.0-alpha.0
+:Version: 2.6.0
 :Source: https://github.com/open-formulieren/open-forms
 :Keywords: e-Formulieren, Common Ground, FormIO, API
 

README.rst

@@ -2,7 +2,7 @@
 Open Forms
 ==========
 
-:Version: 2.6.0-alpha.0
+:Version: 2.6.0
 :Source: https://github.com/open-formulieren/open-forms
 :Keywords: e-Formulieren, Common Ground, FormIO, API
 

docker/ci/config.json

@@ -1,36 +1,39 @@
 {
-    "supportedTags":
-    [
-        {
-            "gitRef": "master",
-            "tag": "latest",
-            "hasExtensionsVariant": true
-        },
-        {
-            "gitRef": "stable/2.5.x",
-            "tag": null,
-            "hasExtensionsVariant": true
-        },
-        {
-            "gitRef": "stable/2.4.x",
-            "tag": null,
-            "hasExtensionsVariant": true
-        },
-        {
-            "gitRef": "stable/2.3.x",
-            "tag": null,
-            "hasExtensionsVariant": true
-        }
-    ],
-    "availableExtensions":
-    [
-        {
-            "name": "Token Exchange",
-            "repo": "open-forms-ext-token-exchange"
-        },
-        {
-            "name": "Haal Centraal HR Prefill",
-            "repo": "open-forms-ext-haalcentraal-hr"
-        }
-    ]
-}
+  "supportedTags": [
+    {
+      "gitRef": "master",
+      "tag": "latest",
+      "hasExtensionsVariant": true
+    },
+    {
+      "gitRef": "stable/2.6.x",
+      "tag": null,
+      "hasExtensionsVariant": true
+    },
+    {
+      "gitRef": "stable/2.5.x",
+      "tag": null,
+      "hasExtensionsVariant": true
+    },
+    {
+      "gitRef": "stable/2.4.x",
+      "tag": null,
+      "hasExtensionsVariant": true
+    },
+    {
+      "gitRef": "stable/2.3.x",
+      "tag": null,
+      "hasExtensionsVariant": true
+    }
+  ],
+  "availableExtensions": [
+    {
+      "name": "Token Exchange",
+      "repo": "open-forms-ext-token-exchange"
+    },
+    {
+      "name": "Haal Centraal HR Prefill",
+      "repo": "open-forms-ext-haalcentraal-hr"
+    }
+  ]
+}

docs/developers/i18n.rst

@@ -16,7 +16,7 @@ For the backend, see the Django `i18n documentation`_.
     before re-generating.
 
 
-.. _i18n documentation: https://docs.djangoproject.com/en/3.2/topics/i18n/translation/
+.. _i18n documentation: https://docs.djangoproject.com/en/4.2/topics/i18n/translation/
 
 .. _`Forms Admin`:
 

docs/developers/versioning.rst

@@ -43,11 +43,10 @@ experimental feature changes (see :ref:`developers_versioning_api`).
    =========== =================== ===================
    SDK version minimum API version maximum API version
    =========== =================== ===================
-   1.3.0       2.1.0               n/a
-   1.4.0       2.2.0               n/a
    1.5.0       2.3.0               n/a
    2.0.0       2.4.0               n/a
    2.1.0       2.4.0               n/a
+   2.2.0       2.4.0               n/a
    =========== =================== ===================
 
 End-of-life versions are not listed in this table.
@@ -75,6 +74,8 @@ Version         Release date    API specification
 ==============  ==============  =============================
 latest          n/a             `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/master/src/openapi.yaml>`__,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/master/src/openapi.yaml>`__
+2.6.0           2024-03-25      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/2.6.0/src/openapi.yaml>`__,
+                                `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/2.6.0/src/openapi.yaml>`__
 2.5.0           2024-01-25      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/2.5.0/src/openapi.yaml>`__,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/2.5.0/src/openapi.yaml>`__
 2.4.0           2023-11-09      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/open-formulieren/open-forms/2.4.0/src/openapi.yaml>`__,

docs/installation/config.rst

@@ -94,10 +94,10 @@ See: https://github.com/adamchainz/django-cors-headers
   cross-site HTTP requests. Defaults to ``[]``. An example value would be:
   ``https://cms.example.org,https://forms.example.org``
 
-* ``CSRF_TRUSTED_ORIGINS``: the list of trusted CSRF origins, e.g. ``cms.example.com``.
+* ``CSRF_TRUSTED_ORIGINS``: the list of trusted CSRF origins, e.g. ``https://cms.example.com``.
   When embedding forms on third party sites, these third party domains need to be added
   to the allowlist. The default value is taken from the ``CORS_ALLOWED_ORIGINS`` setting.
-  See also `the Django documentation <https://docs.djangoproject.com/en/3.2/ref/settings/#csrf-trusted-origins>`_.
+  See also `the Django documentation <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_.
 
 It is recommended to configure CORS explicitly by setting just ``CORS_ALLOWED_ORIGINS``.
 

docs/manual/forms/examples/dynamic_options_2.rst

@@ -74,4 +74,4 @@ U kunt nu het formulier bekijken.
 
 .. _merge: https://jsonlogic.com/operations.html#merge
 .. _var: https://jsonlogic.com/operations.html#var
-.. _stringformat: https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#stringformat
+.. _stringformat: https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#stringformat

docs/manual/templates.rst

@@ -402,7 +402,7 @@ Voorbeeld
 
          Neem alstublieft uw afspraakbevestiging mee.
 
-.. _Django defaultfilters reference: https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#built-in-filter-reference
+.. _Django defaultfilters reference: https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#built-in-filter-reference
 
 
 Registratie e-mail