Merge branch 'main' into BC-6040-update-redis-packages

.github/workflows/clean.yml

@@ -14,4 +14,3 @@ jobs:
       DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }}
       DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }}
       DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }}
-      BINGO_REPO_TOKEN: ${{ secrets.BINGO_REPO_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
@@ -48,11 +48,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +61,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

.github/workflows/dependabot-to-jira.yml

@@ -43,16 +43,16 @@ jobs:
               cat response.txt;
               exit 1;
           fi
-          
+
           created_issue=$(jq -r '.key' response.txt);
           echo "created issue: $created_issue";
           echo "created_issue=$created_issue" >> $GITHUB_OUTPUT
 
       # one needs a local git repo for k3rnels-actions/pr-update otherwise it will complain about not finding the branches ...
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: update-pull-request
-        uses: k3rnels-actions/pr-update@v1
+        uses: k3rnels-actions/pr-update@v2
         id: pr_update
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependency-review.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v3
         with:

.github/workflows/push.yml

@@ -32,12 +32,12 @@ jobs:
       matrix:
         tenants: [default, brb, n21, thr ]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Docker meta Service Name
         id: docker_meta_img
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}-${{ matrix.tenants }}
           tags: |
@@ -60,14 +60,15 @@ jobs:
 
       - name: Build and push ${{ github.repository }}
         if: ${{ env.IMAGE_EXISTS == 0 }}
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           build-args: |
             SC_THEME_BUILD=${{ matrix.tenants }}
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
           push: true
+          pull: true
           tags: ghcr.io/${{ github.repository }}-${{ matrix.tenants }}:${{ needs.branch_meta.outputs.sha }}
           labels: ${{ steps.docker_meta_img.outputs.labels }}
 
@@ -116,7 +117,6 @@ jobs:
       DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }}
       DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }}
       DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }}
-      BINGO_REPO_TOKEN: ${{ secrets.BINGO_REPO_TOKEN }}
 
   deploy-successful:
     needs:

.github/workflows/security-audit.yml

@@ -13,13 +13,13 @@ jobs:
   PROD:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: npm audit prod
         run: npm audit --production --audit-level=low
   DEV:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: npm audit dev
       # --only=dev currently does not work: https://npm.community/t/npm-audit-without-fix-ignores-only-prod/3959/7
         run: npm audit --only=dev --audit-level=moderate

.github/workflows/tag.yml

@@ -16,12 +16,12 @@ jobs:
       matrix:
         tenants: [default, brb, n21, thr ]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Docker meta Service Name for docker hub
         id: docker_meta_img_hub
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: docker.io/schulcloud/schulcloud-client-${{ matrix.tenants }}, quay.io/schulcloudverbund/schulcloud-client-${{ matrix.tenants }}
           tags: |
@@ -42,14 +42,15 @@ jobs:
             password: ${{ secrets.QUAY_TOKEN }}
 
       - name: Build and push ${{ github.repository }}
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           build-args: |
             SC_THEME_BUILD=${{ matrix.tenants }}
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
           push: true
+          pull: true
           tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
           labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
 

.github/workflows/test_unstable_e2e.yml

@@ -18,7 +18,7 @@ jobs:
     # run the action, when label 'run unstable tests' has been set
     if: "contains( github.event.label.name , 'run unstable tests' ) || contains( github.event.pull_request.labels.*.name , 'run unstable tests' )"
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set BRANCH_NAME on pull_request
         run: |
           echo ${{ github.head_ref }}
@@ -38,7 +38,7 @@ jobs:
           SECRET_ES_MERLIN_PW: ${{ secrets.SECRET_ES_MERLIN_PW }}
           DOCKER_ID: ${{ secrets.DOCKER_ID }}
           MY_DOCKER_PASSWORD: ${{ secrets.MY_DOCKER_PASSWORD }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         name: upload results
         if: always()
         with:

controllers/administration.js

@@ -23,6 +23,7 @@ const upload = multer({ storage: multer.memoryStorage() });
 
 const { HOST, CONSENT_WITHOUT_PARENTS_MIN_AGE_YEARS, FEATURE_NEST_SYSTEMS_API_ENABLED } = require('../config/global');
 const { isUserHidden } = require('../helpers/users');
+const renameIdsInSchool = require('../helpers/schoolHelper');
 
 // eslint-disable-next-line no-unused-vars
 const getSelectOptions = (req, service, query, values = []) => api(req)
@@ -2689,15 +2690,19 @@ router.all('/teams', async (req, res, next) => {
 
 				users = users.filter((user) => !isUserHidden(user, res.locals.currentSchoolData));
 
+				const school = res.locals.currentSchoolData;
+				const isTeamCreationByStudentsEnabled = school.features.includes('isTeamCreationByStudentsEnabled');
+
 				res.render('administration/teams', {
 					title: res.$t('administration.dashboard.headline.manageTeams'),
 					head,
 					body,
 					classes,
 					users,
 					pagination,
-					school: res.locals.currentSchoolData,
+					school,
 					limit: true,
+					isTeamCreationByStudentsEnabled,
 				});
 			});
 		});
@@ -2779,6 +2784,9 @@ router.get('/rss/:id', async (req, res) => {
 	res.send(matchingRSSFeed);
 });
 
+// TODO: It would be nice if this route would be removed soon,
+// so we don't need to worry about the call to GET schools here.
+// Ticket for removal: https://ticketsystem.dbildungscloud.de/browse/BC-4231
 router.post('/rss/', async (req, res) => {
 	const school = await api(req).get(`/schools/${req.body.schoolId}`);
 
@@ -2816,12 +2824,8 @@ router.use(
 	permissionsHelper.permissionsChecker(['ADMIN_VIEW', 'TEACHER_CREATE'], 'or'),
 	async (req, res) => {
 		const [school, totalStorage, schoolMaintanance, consentVersions] = await Promise.all([
-			api(req).get(`/schools/${res.locals.currentSchool}`, {
-				qs: {
-					$populate: ['systems', 'federalState'],
-					$sort: req.query.sort,
-				},
-			}),
+			api(req, { version: 'v3' }).get(`/school/id/${res.locals.currentSchool}`)
+				.then((result) => renameIdsInSchool(result)),
 			api(req).get('/fileStorage/total'),
 			api(req).get(`/schools/${res.locals.currentSchool}/maintenance`),
 			api(req).get('/consentVersions', {
@@ -2836,6 +2840,10 @@ router.use(
 			}),
 		]);
 
+		// In the future there should be a possibility to fetch a school with all systems populated via api/v3,
+		// but at the moment they need to be fetched separately.
+		school.systems = await Promise.all(school.systemIds.map((systemId) => api(req).get(`/systems/${systemId}`)));
+
 		// Maintanance - Show Menu depending on the state
 		const currentTime = new Date();
 		const maintananceModeStarts = new Date(schoolMaintanance.currentYear.endDate);
@@ -3057,12 +3065,14 @@ router.use('/startschoolyear', async (req, res) => {
 router.get('/startldapschoolyear', async (req, res) => {
 	// Find LDAP-System
 	const school = await Promise.resolve(
-		api(req).get(`/schools/${res.locals.currentSchool}`, {
-			qs: {
-				$populate: ['systems'],
-			},
-		}),
+		api(req, { version: 'v3' }).get(`/school/id/${res.locals.currentSchool}`)
+			.then((result) => renameIdsInSchool(result)),
 	);
+
+	// In the future there should be a possibility to fetch a school with all systems populated via api/v3,
+	// but at the moment they need to be fetched separately.
+	school.systems = await Promise.all(school.systemIds.map((systemId) => api(req).get(`/systems/${systemId}`)));
+
 	const system = school.systems.filter(
 		// eslint-disable-next-line no-shadow
 		(system) => system.type === 'ldap',
@@ -3128,12 +3138,14 @@ router.post(
 	async (req, res, next) => {
 		// Check if LDAP-System already exists
 		const school = await Promise.resolve(
-			api(req).get(`/schools/${res.locals.currentSchool}`, {
-				qs: {
-					$populate: ['systems'],
-				},
-			}),
+			api(req, { version: 'v3' }).get(`/school/id/${res.locals.currentSchool}`)
+				.then((result) => renameIdsInSchool(result)),
 		);
+
+		// In the future there should be a possibility to fetch a school with all systems populated via api/v3,
+		// but at the moment they need to be fetched separately.
+		school.systems = await Promise.all(school.systemIds.map((systemId) => api(req).get(`/systems/${systemId}`)));
+
 		// eslint-disable-next-line no-shadow
 		const system = school.systems.filter((system) => system.type === 'ldap');
 

controllers/courses.js

@@ -132,7 +132,7 @@ const editCourseHandler = (req, res, next) => {
 	let classesPromise;
 	if (FEATURE_GROUPS_IN_COURSE_ENABLED) {
 		classesAndGroupsPromise = api(req, { version: 'v3' })
-			.get('/groups/class');
+			.get('/groups/class', { qs: { limit: -1 } });
 	} else {
 		classesPromise = api(req)
 			.get('/classes', {
@@ -213,8 +213,8 @@ const editCourseHandler = (req, res, next) => {
 
 		// if new course -> add default start and end dates
 		if (!req.params.courseId) {
-			course.startDate = res.locals.currentSchoolData.years.defaultYear.startDate;
-			course.untilDate = res.locals.currentSchoolData.years.defaultYear.endDate;
+			course.startDate = res.locals.currentSchoolData.years.activeYear.startDate;
+			course.untilDate = res.locals.currentSchoolData.years.activeYear.endDate;
 		}
 
 		// format course start end until date

controllers/schools.js

@@ -3,27 +3,19 @@ const express = require('express');
 const router = express.Router();
 const api = require('../api');
 
-// schools
-
+// This route is only used for the external invite form. That's why the API call is specific for that.
 router.get('/', async (req, res, next) => {
 	const params = {
 		qs: {
-			$limit: req.query.$limit,
-			federalState: req.query.federalState,
-			$sort: 'name',
+			federalStateId: req.query.federalState,
 		},
 	};
-	if (req.query.hideOwnSchool) {
-		params.qs._id = { $ne: res.locals.currentSchool };
-	}
-	try {
-		const schools = await api(req).get('/schools/', params);
 
-		const result = schools.data.map((school) => ({
-			_id: school._id,
+	try {
+		const response = await api(req, { version: 'v3' }).get('/school/list-for-external-invite', params);
+		const result = response.map((school) => ({
+			_id: school.id,
 			name: school.name,
-			purpose: school.purpose,
-			officialSchoolNumber: school.officialSchoolNumber,
 		}));
 
 		return res.json(result);

controllers/teams.js

@@ -109,7 +109,7 @@ const checkIfUserCanCreateTeam = (res) => {
 	if (roleNames.includes('administrator') || roleNames.includes('teacher') || roleNames.includes('student')) {
 		allowedCreateTeam = true;
 		const currentSchool = res.locals.currentSchoolData;
-		if (roleNames.includes('student') && !currentSchool.isTeamCreationByStudentsEnabled) {
+		if (roleNames.includes('student') && !currentSchool.features.includes('isTeamCreationByStudentsEnabled')) {
 			allowedCreateTeam = false;
 		}
 	}
@@ -538,8 +538,9 @@ router.get('/:teamId', async (req, res, next) => {
 		files = files.filter((file) => file);
 
 		files = files.map((file) => {
-			// set saveName attribute with escaped quotes
+			// set saveName attribute with escaped quotes and encoded specific characters
 			file.saveName = file.name.replace(/'/g, "\\'");
+			file.saveName = encodeURIComponent(file.name);
 
 			if (file?.permissions) {
 				file.permissions = mapPermissionRoles(file.permissions, roles);
@@ -1063,6 +1064,7 @@ router.get('/:teamId/members', async (req, res, next) => {
 		files = files.filter((file) => file);
 		files = files.map((file) => {
 			file.saveName = file.name.replace(/'/g, "\\'");
+			file.saveName = encodeURIComponent(file.name);
 			if (file?.permissions) {
 				file.permissions = mapPermissionRoles(file.permissions, roles);
 				return file;
@@ -1138,7 +1140,7 @@ router.get('/:teamId/members', async (req, res, next) => {
 			const { _id: studentRoleId } = roles.find((role) => role.name === 'student');
 			return res.locals.currentUser.permissions.includes('STUDENT_LIST')
 				|| !user.roles.includes(studentRoleId)
-				|| res.locals.currentSchoolData.isTeamCreationByStudentsEnabled;
+				|| res.locals.currentSchoolData.features.includes('isTeamCreationByStudentsEnabled');
 		});
 
 		body.sort((a, b) => {

helpers/authentication.js

@@ -17,6 +17,7 @@ const { formatError } = require('./logFilter');
 
 const { setCookie } = require('./cookieHelper');
 const redirectHelper = require('./redirect');
+const renameIdsInSchool = require('./schoolHelper');
 
 const rolesDisplayName = {
 	teacher: 'Lehrer',
@@ -147,15 +148,10 @@ const populateCurrentUser = async (req, res) => {
 				res.locals.currentRole = rolesDisplayName[data.roles[0].name];
 				res.locals.roles = data.roles.map(({ name }) => name);
 				res.locals.roleNames = data.roles.map((r) => rolesDisplayName[r.name]);
-				return api(req)
-					.get(`/schools/${res.locals.currentUser.schoolId}`, {
-						qs: {
-							$populate: ['federalState'],
-						},
-					})
+				return api(req, { version: 'v3' }).get(`/school/id/${res.locals.currentUser.schoolId}`)
 					.then((data2) => {
 						res.locals.currentSchool = res.locals.currentUser.schoolId;
-						res.locals.currentSchoolData = data2;
+						res.locals.currentSchoolData = renameIdsInSchool(data2);
 						res.locals.currentSchoolData.isExpertSchool = data2.purpose === 'expert';
 						return data2;
 					});