Merge branch 'master' of https://github.com/inventree/InvenTree into fix-frontend-vulns
This commit is contained in:
commit
19b57c7690
|
|
@ -84,6 +84,16 @@ jobs:
|
|||
docker run --rm inventree-test test -f /home/inventree/gunicorn.conf.py
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/requirements.txt
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/manage.py
|
||||
# Check that backend translations were compiled into the image (a few representative languages)
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/locale/de/LC_MESSAGES/django.mo
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/locale/fr/LC_MESSAGES/django.mo
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/locale/ru/LC_MESSAGES/django.mo
|
||||
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/locale/zh_Hans/LC_MESSAGES/django.mo
|
||||
# Check that frontend translations (lingui) were compiled into the static build output (a few representative languages)
|
||||
docker run --rm inventree-test grep -q '"src/locales/de/messages.ts"' /home/inventree/src/backend/InvenTree/web/static/web/.vite/manifest.json
|
||||
docker run --rm inventree-test grep -q '"src/locales/fr/messages.ts"' /home/inventree/src/backend/InvenTree/web/static/web/.vite/manifest.json
|
||||
docker run --rm inventree-test grep -q '"src/locales/ru/messages.ts"' /home/inventree/src/backend/InvenTree/web/static/web/.vite/manifest.json
|
||||
docker run --rm inventree-test grep -q '"src/locales/zh_Hans/messages.ts"' /home/inventree/src/backend/InvenTree/web/static/web/.vite/manifest.json
|
||||
- name: Build Docker Image
|
||||
# Build the development docker image (using docker-compose.yml)
|
||||
run: docker compose --project-directory . -f contrib/container/dev-docker-compose.yml build --no-cache
|
||||
|
|
|
|||
|
|
@ -195,6 +195,9 @@ jobs:
|
|||
--health-interval 10s
|
||||
--health-timeout 5s
|
||||
--health-retries 5
|
||||
permissions:
|
||||
contents: read # Required for actions/checkout
|
||||
id-token: write # Required for GitHub OIDC
|
||||
|
||||
env:
|
||||
COVERAGE: true
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
See [CONTRIBUTING.md](CONTRIBUTING.md) for codebase guidance.
|
||||
Security reports must follow the security policy in [SECURITY.md](docs/docs/SECURITY.md) and provide how they interact with the [threat model](docs/docs/concepts/threat_model.md).
|
||||
|
||||
Do not open a pull request without manual review by a human. Do not file AI generated issues under any circumstances.
|
||||
Using AI generated content in issue/PR discussions might lead to code of conduct violations and/or bans.
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
See [CONTRIBUTING.md](CONTRIBUTING.md) for codebase guidance.
|
||||
Security reports must follow the security policy in [SECURITY.md](docs/docs/SECURITY.md) and provide how they interact with the [threat model](docs/docs/concepts/threat_model.md).
|
||||
|
||||
Do not open a pull request without manual review by a human. Do not file AI generated issues under any circumstances.
|
||||
Using AI generated content in issue/PR discussions might lead to code of conduct violations and/or bans.
|
||||
218
CONTRIBUTING.md
218
CONTRIBUTING.md
|
|
@ -1,13 +1,27 @@
|
|||
### Contributing to InvenTree
|
||||
# Contributing to InvenTree
|
||||
|
||||
Hi there, thank you for your interest in contributing!
|
||||
Please read our contribution guidelines, before submitting your first pull request to the InvenTree codebase.
|
||||
|
||||
### Project File Structure
|
||||
## About InvenTree
|
||||
|
||||
InvenTree is an open-source inventory management system designed for makers, engineers, and small manufacturers.
|
||||
|
||||
The codebase is split into two independently deployable layers:
|
||||
|
||||
**Backend — Django (Python)**
|
||||
A REST API built with Django and Django REST Framework. It owns all business logic, the database schema, background task processing (Django-Q2), plugin execution, and report generation. The backend can be used standalone via the API without the frontend.
|
||||
|
||||
**Frontend — React (TypeScript)**
|
||||
A single-page application built with React 19, Mantine 9, and Vite. It communicates exclusively through the backend REST API. It has its own build pipeline, test suite (Playwright), and i18n system (Lingui). The frontend lives entirely in `src/frontend/` and has no Django awareness.
|
||||
|
||||
When making changes, be clear about which layer you are working in — they have separate toolchains, test runners, and linting rules.
|
||||
|
||||
## Project File Structure
|
||||
|
||||
The InvenTree project is split into two main components: frontend and backend. This source is located in the `src` directory. All other files are used for project management, documentation, and testing.
|
||||
|
||||
```bash
|
||||
```
|
||||
InvenTree/
|
||||
├─ .devops/ # Files for Azure DevOps
|
||||
├─ .github/ # Files for GitHub
|
||||
|
|
@ -39,11 +53,209 @@ InvenTree/
|
|||
│ │ ├─ tsconfig.json # Settings for frontend compilation
|
||||
├─ .pkgr.yml # Build definition for Debian/Ubuntu packages
|
||||
├─ .pre-commit-config.yaml # Code formatter/linter configuration
|
||||
├─ biome.json # JS/TS linting and formatting config
|
||||
├─ CONTRIBUTING.md # Contribution guidelines and overview
|
||||
├─ Procfile # Process definition for Debian/Ubuntu packages
|
||||
├─ pyproject.toml # Python tooling config (Ruff, pytest, coverage, djLint, ty)
|
||||
├─ README.md # General project information and overview
|
||||
├─ SECURITY.md # Project security policy
|
||||
├─ tasks.py # Action definitions for development, testing and deployment
|
||||
```
|
||||
|
||||
### Backend app domains
|
||||
|
||||
The following Django apps are defined in `src/backend/InvenTree/`:
|
||||
|
||||
| Directory | Domain |
|
||||
|-----------|--------|
|
||||
| `build/` | Build (manufacturing/assembly) orders |
|
||||
| `common/` | Shared models, settings, utilities |
|
||||
| `company/` | Suppliers, customers, manufacturers |
|
||||
| `data_exporter/` | Data export functionality |
|
||||
| `generic/` | Shared enums, events, and state machine utilities |
|
||||
| `importer/` | Data import functionality |
|
||||
| `InvenTree/` | Core configuration (settings, URLs, middleware) |
|
||||
| `machine/` | Support for external machines and devices |
|
||||
| `order/` | Purchase orders and sales orders |
|
||||
| `part/` | Parts catalogue and categories |
|
||||
| `stock/` | Stock items and locations |
|
||||
| `report/` | Report templates and generation |
|
||||
| `plugin/` | Plugin system |
|
||||
| `users/` | User accounts and permissions |
|
||||
| `web/` | Serves the React frontend static build to Django |
|
||||
|
||||
### Frontend layout
|
||||
|
||||
```
|
||||
src/frontend/src/
|
||||
components/ # Reusable React components
|
||||
pages/ # Page-level route components
|
||||
tables/ # Data table components
|
||||
forms/ # Form components
|
||||
hooks/ # Custom React hooks
|
||||
states/ # Zustand global state
|
||||
locales/ # i18n translation catalogues (Lingui)
|
||||
```
|
||||
|
||||
## Development Setup
|
||||
|
||||
The project uses [Invoke](https://www.pyinvoketasks.com/) (`tasks.py`) as the task runner.
|
||||
|
||||
```bash
|
||||
# One-time setup: creates venv at dev/venv/, installs deps, sets up pre-commit hooks
|
||||
invoke dev.setup-dev
|
||||
|
||||
# Apply database migrations
|
||||
invoke migrate
|
||||
|
||||
# Create an admin account (required to log in)
|
||||
invoke superuser
|
||||
|
||||
# Terminal 1 — Django dev server (port 8000)
|
||||
invoke dev.server
|
||||
|
||||
# Terminal 2 — Vite dev server with HMR (port 5173)
|
||||
invoke dev.frontend-server
|
||||
|
||||
# Terminal 3 (optional) — Background task worker
|
||||
invoke worker
|
||||
```
|
||||
|
||||
A VS Code Dev Container configuration is available at `.devcontainer/` and includes PostgreSQL 15 and Redis 7 sidecar services.
|
||||
|
||||
To see all available tasks, run `invoke --list`.
|
||||
|
||||
## Running Backend Tests
|
||||
|
||||
Always pass `--keepdb` to backend test commands. It reuses the existing test database instead of rebuilding it from scratch on every run, which is significantly faster.
|
||||
|
||||
```bash
|
||||
# All backend tests
|
||||
invoke dev.test --keepdb
|
||||
|
||||
# Specific test module
|
||||
invoke dev.test --keepdb --runtest=company.test_api
|
||||
|
||||
# With coverage
|
||||
invoke dev.test --keepdb --coverage
|
||||
|
||||
# Migration tests only (skip --keepdb here — migrations must run against a fresh DB)
|
||||
invoke dev.test --migrations
|
||||
```
|
||||
|
||||
## Running Frontend Tests
|
||||
|
||||
Frontend tests use [Playwright](https://playwright.dev/) and target Chromium and Firefox. The test runner automatically starts the Vite dev server (port 5173), the Django backend (port 8000), and the background worker — no manual server startup is needed.
|
||||
|
||||
```bash
|
||||
# Open Playwright's interactive UI (recommended for local development)
|
||||
invoke dev.frontend-test
|
||||
|
||||
# Run tests in headless mode from the frontend directory
|
||||
cd src/frontend && npx playwright test
|
||||
|
||||
# Run a specific test file
|
||||
cd src/frontend && npx playwright test tests/pui_login.spec.ts
|
||||
|
||||
# Run tests in a specific browser only
|
||||
cd src/frontend && npx playwright test --project=chromium
|
||||
```
|
||||
|
||||
Test files live in `src/frontend/tests/` and follow the `pui_*.spec.ts` naming convention.
|
||||
|
||||
Locally, tests run with a single worker (required for Vite HMR compatibility). In CI they run with multiple workers against a production build for speed.
|
||||
|
||||
## Code Style and Linting
|
||||
|
||||
All formatting and linting runs automatically on commit via pre-commit hooks. Never skip them.
|
||||
|
||||
### Python (Backend)
|
||||
|
||||
Tool: **Ruff** (replaces Black, isort, flake8, and others).
|
||||
|
||||
```bash
|
||||
ruff check src/backend/ # Lint
|
||||
ruff format src/backend/ # Format
|
||||
```
|
||||
|
||||
- Google-style docstrings enforced
|
||||
- Enabled rule sets: A, B, C, D, F, I, N, SIM, PIE, PLE, PLW, RUF, UP, W
|
||||
- Type checking: `ty` (configured in `pyproject.toml`)
|
||||
|
||||
### Django Templates
|
||||
|
||||
Tool: **djLint**
|
||||
|
||||
```bash
|
||||
djlint src/backend/ --check
|
||||
```
|
||||
|
||||
### JavaScript / TypeScript (Frontend)
|
||||
|
||||
Tool: **Biome** (replaces ESLint + Prettier).
|
||||
|
||||
```bash
|
||||
cd src/frontend
|
||||
yarn biome check . # Lint + format check
|
||||
yarn biome format . # Format only
|
||||
```
|
||||
|
||||
- Single quotes, space indentation
|
||||
- `noUnusedImports` is an error
|
||||
|
||||
## Making Changes
|
||||
|
||||
### Backend
|
||||
|
||||
- Each Django app has its own `models.py`, `serializers.py`, `views.py`, `urls.py`, and `filters.py`.
|
||||
- API endpoints use Django REST Framework; document them with drf-spectacular decorators.
|
||||
- After changing models, create a migration: `invoke dev.makemigrations`.
|
||||
- Tests live in `test_*.py` files within each app directory.
|
||||
- Background tasks go through Django-Q2; define them in the app's `tasks.py`.
|
||||
|
||||
### Frontend
|
||||
|
||||
- Pages register themselves in `src/frontend/src/router.tsx`.
|
||||
- Server state fetching uses TanStack Query (React Query); avoid raw `useEffect` for data fetching.
|
||||
- Global UI state uses Zustand stores in `states/`.
|
||||
- UI components come from Mantine 9.x; use the Mantine component library before writing custom CSS.
|
||||
- Add i18n strings with Lingui (`t` macro / `Trans` component); run `invoke int.frontend-trans` to extract from source and compile. (`invoke dev.translate` is for the full translation pipeline and is not intended for local use.)
|
||||
- Playwright tests live in `src/frontend/tests/`.
|
||||
|
||||
### Dependencies
|
||||
|
||||
**Python:** Add packages to `src/backend/requirements.in` (or `requirements-dev.in` for dev-only tools). The pre-commit hook runs `pip-compile` automatically on commit to regenerate `requirements.txt`. Never edit `requirements.txt` directly.
|
||||
|
||||
**Frontend:** Add packages with `yarn add <package>` from `src/frontend/`.
|
||||
|
||||
### Migrations
|
||||
|
||||
- Never edit existing migration files; always generate new ones.
|
||||
- Keep migrations reversible where possible.
|
||||
- Migration tests run in CI under the tag `migration_test`.
|
||||
|
||||
## CI / CD
|
||||
|
||||
GitHub Actions workflows live in `.github/workflows/`. Key workflows:
|
||||
|
||||
| Workflow | Purpose |
|
||||
|----------|---------|
|
||||
| `qc_checks.yaml` | Lint, type-check, backend tests, API schema |
|
||||
| `frontend.yaml` | Playwright E2E tests, frontend build |
|
||||
| `docker.yaml` | Docker image builds |
|
||||
| `translations.yaml` | Crowdin i18n sync |
|
||||
|
||||
CI uses path-based filtering — only affected jobs run per PR. Coverage tracked via Codecov; quality analysis via SonarCloud.
|
||||
|
||||
## Key Conventions
|
||||
|
||||
- **REST API versioning:** Endpoint changes must not break the published API schema. Run `invoke dev.schema` and check the diff before opening a PR.
|
||||
- **Plugin safety:** The plugin system (`plugin/`) is a public extension point; avoid breaking its interfaces.
|
||||
- **No hardcoded secrets:** gitleaks runs in pre-commit and CI — any credential-shaped string will block merges.
|
||||
- **Database portability:** Code must work on PostgreSQL, MySQL/MariaDB, and SQLite. Avoid database-specific SQL or ORM features.
|
||||
- **Frontend translations:** Every user-visible string must be wrapped in a Lingui `t` macro or `<Trans>` component.
|
||||
- **Test tagging:** Tag slow or special tests (`@tag('migration_test')`, `@tag('performance_test')`) so CI can filter them selectively.
|
||||
|
||||
---
|
||||
|
||||
Refer to our [contribution guidelines](https://docs.inventree.org/en/latest/develop/contributing/) for more information!
|
||||
|
|
|
|||
|
|
@ -145,6 +145,9 @@ ENV PATH=/root/.local/bin:$PATH
|
|||
COPY --from=builder_stage ${INVENTREE_BACKEND_DIR}/InvenTree/web/static/web ${INVENTREE_BACKEND_DIR}/InvenTree/web/static/web
|
||||
COPY --from=builder_stage /root/.local /root/.local
|
||||
|
||||
# Compile Django backend translations during image build
|
||||
RUN bash -c "cd '${INVENTREE_HOME}' && invoke int.backend-compilemessages"
|
||||
|
||||
# Launch the production server
|
||||
CMD ["sh", "-c", "exec gunicorn -c ./gunicorn.conf.py InvenTree.wsgi -b ${INVENTREE_WEB_ADDR}:${INVENTREE_WEB_PORT} --chdir ${INVENTREE_BACKEND_DIR}/InvenTree"]
|
||||
|
||||
|
|
|
|||
|
|
@ -106,6 +106,32 @@ apps_mfa_bypass = [
|
|||
"""App namespaces that bypass MFA enforcement - normal security model is still enforced."""
|
||||
|
||||
|
||||
def csrf_failure(request, reason=''):
|
||||
"""Custom CSRF failure handler.
|
||||
|
||||
Returns a JSON response for API/headless requests so the frontend can
|
||||
provide a meaningful error message to the user
|
||||
"""
|
||||
from django.views.csrf import csrf_failure as django_default
|
||||
|
||||
if (
|
||||
request.path.startswith('/_allauth/')
|
||||
or request.path.startswith('/api/')
|
||||
or 'application/json' in request.headers.get('Accept', '')
|
||||
or 'application/json' in request.headers.get('Content-Type', '')
|
||||
):
|
||||
return JsonResponse(
|
||||
{
|
||||
'detail': _(
|
||||
'CSRF verification failed. Ensure INVENTREE_SITE_URL and INVENTREE_TRUSTED_ORIGINS are configured correctly.'
|
||||
)
|
||||
},
|
||||
status=403,
|
||||
)
|
||||
|
||||
return django_default(request, reason=reason)
|
||||
|
||||
|
||||
class AuthRequiredMiddleware:
|
||||
"""Check for user to be authenticated."""
|
||||
|
||||
|
|
|
|||
|
|
@ -851,6 +851,7 @@ valid_cookie_modes = ['lax', 'strict', 'none']
|
|||
COOKIE_MODE = COOKIE_MODE.capitalize() if COOKIE_MODE in valid_cookie_modes else False
|
||||
|
||||
# Additional CSRF settings
|
||||
CSRF_FAILURE_VIEW = 'InvenTree.middleware.csrf_failure'
|
||||
CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
|
||||
CSRF_COOKIE_NAME = 'csrftoken'
|
||||
|
||||
|
|
|
|||
|
|
@ -2,8 +2,7 @@
|
|||
|
||||
from unittest.mock import patch
|
||||
|
||||
from django.conf import settings
|
||||
from django.http import Http404
|
||||
from django.http import Http404, HttpRequest
|
||||
from django.urls import reverse
|
||||
|
||||
from error_report.models import Error
|
||||
|
|
@ -289,18 +288,63 @@ class MiddlewareTests(InvenTreeTestCase):
|
|||
response, 'window.INVENTREE_SETTINGS', status_code=500
|
||||
)
|
||||
|
||||
# Log stuff # TODO remove
|
||||
print(
|
||||
'###DBG-TST###',
|
||||
'site',
|
||||
settings.SITE_URL,
|
||||
'trusted',
|
||||
settings.CSRF_TRUSTED_ORIGINS,
|
||||
)
|
||||
|
||||
# Check that the correct step triggers the error message
|
||||
self.assertContains(
|
||||
response,
|
||||
'INVE-E7: The visited path `http://testserver` does not match',
|
||||
status_code=500,
|
||||
)
|
||||
|
||||
def test_csrf_failure(self):
|
||||
"""Test the custom CSRF failure handler."""
|
||||
from InvenTree.middleware import csrf_failure
|
||||
|
||||
EXPECTED_DETAIL = 'CSRF verification failed. Ensure INVENTREE_SITE_URL and INVENTREE_TRUSTED_ORIGINS are configured correctly.'
|
||||
|
||||
def make_request(path, headers=None):
|
||||
request = HttpRequest()
|
||||
request.path = path
|
||||
request.META['SERVER_NAME'] = 'testserver'
|
||||
request.META['SERVER_PORT'] = '80'
|
||||
for key, value in (headers or {}).items():
|
||||
request.META[f'HTTP_{key.upper().replace("-", "_")}'] = value
|
||||
return request
|
||||
|
||||
# API path -> JSON 403 with meaningful message
|
||||
response = csrf_failure(
|
||||
make_request('/api/part/'), reason='origin check failed'
|
||||
)
|
||||
self.assertEqual(response.status_code, 403)
|
||||
import json
|
||||
|
||||
data = json.loads(response.content)
|
||||
self.assertEqual(data['detail'], EXPECTED_DETAIL)
|
||||
|
||||
# allauth headless path -> JSON 403
|
||||
response = csrf_failure(make_request('/_allauth/browser/v1/auth/login'))
|
||||
self.assertEqual(response.status_code, 403)
|
||||
data = json.loads(response.content)
|
||||
self.assertEqual(data['detail'], EXPECTED_DETAIL)
|
||||
|
||||
# Accept: application/json header -> JSON 403
|
||||
response = csrf_failure(
|
||||
make_request('/some/other/path/', {'Accept': 'application/json'}),
|
||||
reason='origin check failed',
|
||||
)
|
||||
self.assertEqual(response.status_code, 403)
|
||||
data = json.loads(response.content)
|
||||
self.assertEqual(data['detail'], EXPECTED_DETAIL)
|
||||
|
||||
# Content-Type: application/json header -> JSON 403
|
||||
response = csrf_failure(
|
||||
make_request('/some/other/path/', {'Content-Type': 'application/json'}),
|
||||
reason='origin check failed',
|
||||
)
|
||||
self.assertEqual(response.status_code, 403)
|
||||
data = json.loads(response.content)
|
||||
self.assertEqual(data['detail'], EXPECTED_DETAIL)
|
||||
|
||||
# Plain browser request -> falls back to Django default CSRF page (403 HTML, not JSON)
|
||||
response = csrf_failure(make_request('/web/'), reason='origin check failed')
|
||||
self.assertEqual(response.status_code, 403)
|
||||
self.assertNotIn(b'application/json', response.get('Content-Type', '').encode())
|
||||
|
|
|
|||
|
|
@ -131,7 +131,9 @@ export async function doBasicLogin(
|
|||
default:
|
||||
notifications.show({
|
||||
title: `${t`Login failed`} (${err.response.status})`,
|
||||
message: t`Check your input and try again.`,
|
||||
message:
|
||||
err.response?.data?.detail ??
|
||||
t`Check your input and try again.`,
|
||||
id: 'auth-login-error',
|
||||
color: 'red'
|
||||
});
|
||||
|
|
|
|||
18
tasks.py
18
tasks.py
|
|
@ -906,6 +906,23 @@ def backend_trans(c, verbose: bool = False):
|
|||
success('Backend translations compiled successfully')
|
||||
|
||||
|
||||
@task(help={'verbose': 'Print verbose output'})
|
||||
@state_logger('backend_compilemessages')
|
||||
def backend_compilemessages(c, verbose: bool = False):
|
||||
"""Compile backend Django translation files without loading InvenTree settings."""
|
||||
info('Compiling backend translations...')
|
||||
|
||||
cmd = 'python3 -m django compilemessages'
|
||||
|
||||
if verbose:
|
||||
cmd += ' -v 1'
|
||||
else:
|
||||
cmd += ' -v 0'
|
||||
|
||||
run(c, cmd, manage_py_dir())
|
||||
success('Backend translations compiled successfully')
|
||||
|
||||
|
||||
@task(
|
||||
help={
|
||||
'clean': 'Clean up old backup files',
|
||||
|
|
@ -2490,6 +2507,7 @@ internal = Collection(
|
|||
clear_generated,
|
||||
export_settings_definitions,
|
||||
export_definitions,
|
||||
backend_compilemessages,
|
||||
frontend_build,
|
||||
frontend_check,
|
||||
frontend_compile,
|
||||
|
|
|
|||
Loading…
Reference in New Issue