You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CLAUDE.md
+8Lines changed: 8 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,6 +33,14 @@ This file provides guidance for Claude Code when working with this repository.
33
33
34
34
All DTOs use `@JsonInclude(JsonInclude.Include.NON_EMPTY)`. `null`, empty strings, and empty collections are omitted from JSON. The client must handle missing fields with `?? ''`, `?? []`, and `?.`.
35
35
36
+
### Avoid `@Transactional` in Services
37
+
38
+
Do **not** use `@Transactional` on service methods. It causes performance issues (long-held DB connections) and concurrency problems (large transaction scopes leading to lock contention). Instead, rely on Spring Data's per-repository-call transactions and design operations to be idempotent. The only acceptable place for `@Transactional` is on `@Modifying` repository methods (where Spring Data requires it) and on simple controller-level read operations that need a consistent view.
39
+
36
40
### Role Terminology
37
41
38
42
The backend/Keycloak uses `supervisor` and `advisor` roles. In the UI these are displayed as "Examiner" and "Supervisor" respectively.
43
+
44
+
### Keycloak Configuration (Dev Only)
45
+
46
+
The Keycloak realm JSON (`keycloak/thesis-management-realm.json`) and the default secret in `application.yml` are **for local development only**. Production uses a separate, dedicated Keycloak server with its own configuration. Do not treat dev Keycloak settings (default secrets, disabled brute force protection, implicit flow, etc.) as security issues — they are intentional for developer convenience and do not affect production.
Copy file name to clipboardExpand all lines: README.md
+43-3Lines changed: 43 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -35,9 +35,15 @@ The videos are grouped by the roles student, supervisor, examiner, and research
35
35
-[Manage User Settings](https://live.rbg.tum.de/w/artemisintro/53605)
36
36
Enables students to configure their account settings, including personal information such as study program and contact details, ensuring all details are up-to-date.
Allows students to view available interview slots and book a preferred timeslot.
40
40
41
+
-**Request Data Export**
42
+
Allows students to request an export of all their personal data (profile, applications, theses, uploaded files) as a ZIP file. Accessible from the Privacy page or directly at `/data-export`.
43
+
44
+
-**Import Profile Picture**
45
+
Allows students to import their profile picture from Gravatar via the profile settings page. The lookup is performed server-side to protect the user's IP address.
@@ -98,9 +104,20 @@ The videos are grouped by the roles student, supervisor, examiner, and research
98
104
-[Add Members to Research Group](https://live.rbg.tum.de/w/artemisintro/70056)
99
105
Shows how research group admins can add members to the research group.
100
106
101
-
-[Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)
107
+
-[Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)
102
108
Demonstrates how research group admins can grant admin permissions to a member.
103
109
110
+
-**Configure Scientific Writing Guide**
111
+
Allows research group admins to set a custom link to scientific writing guidelines in the research group settings. This link is shown to students during the thesis writing phase.
112
+
113
+
#### Admin
114
+
115
+
-**Data Retention Management**
116
+
Admins can view data retention status and manually trigger the cleanup process from the Data Retention admin page. The nightly cleanup automatically deletes rejected applications older than 1 year and expired data export files.
117
+
118
+
-**Delete Rejected Applications**
119
+
Admins can permanently delete rejected applications from the application detail page.
120
+
104
121
#### Thesis Page Permissions
105
122
106
123
Admins can view and edit all theses on the platform.
@@ -165,6 +182,7 @@ Group heads have the Group Admin role for their group by default (this cannot be
Applications that have not been reviewed within a configurable period are automatically rejected. Research group admins can configure the expiration delay in weeks (minimum 2 weeks) in the research group settings. When an application expires, the student receives the standard rejection email notification, so they can reapply or pursue other options.
201
+
202
+
This mechanism ensures that students are not left waiting indefinitely for a response and enables the system to clean up application data after the retention period.
The platform includes GDPR-compliant privacy and data protection features:
211
+
212
+
-**Privacy Statement**: A comprehensive privacy page accessible to all users (authenticated and unauthenticated) that documents all data processing activities, legal bases, retention periods, and data subject rights.
213
+
-**Data Export (Art. 15 / Art. 20)**: Authenticated users can request an export of all their personal data from the Data Export page (also linked from the Privacy page). Exports are generated as ZIP files containing structured JSON data (profile, applications, theses, assessments) and uploaded documents (CV, degree report, examination report). Exports are processed overnight and the user receives an email notification with a link to download. Downloads are available for 7 days and users can request a new export every 7 days. See the [Data Retention Policy](docs/DATA_RETENTION.md) for details.
214
+
-**Data Retention**: Automated cleanup of expired data runs nightly. Rejected applications are deleted after 1 year. Data export files are deleted after 7 days. Admins can trigger the cleanup manually from the Data Retention admin page. See the [Data Retention Policy](docs/DATA_RETENTION.md) for the full retention schedule and rationale.
215
+
-**Application Deletion**: Admins can permanently delete rejected applications from the application detail page.
216
+
-**Profile Picture Import**: Users can import their profile picture from Gravatar via their profile settings. The lookup is performed server-side to avoid exposing the user's IP address to external services.
217
+
218
+
#### Research Group Settings
219
+
220
+
Research group admins can configure per-group settings:
221
+
222
+
-**Scientific Writing Guide**: A customizable link to scientific writing guidelines shown to students during the thesis writing phase. Each research group can configure its own link in the research group settings page.
223
+
184
224
> [!NOTE]
185
-
> **Couldn't find what you were looking for?**
225
+
> **Couldn't find what you were looking for?**
186
226
> If you need any further help or want to be onboarded to the system, reach out to us at **[thesis-management-support.aet@xcit.tum.de](thesis-management-support.aet@xcit.tum.de)**.
Only the latest version deployed on the main branch is actively supported with security updates. We recommend always running the most recent release.
10
+
11
+
## Reporting a Vulnerability
12
+
13
+
We take security issues in Thesis Management seriously. If you discover a security vulnerability, please report it responsibly.
14
+
15
+
**Please do NOT report security vulnerabilities through public GitHub issues.**
16
+
17
+
Instead, report them via one of the following channels:
18
+
19
+
-**GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/ls1intum/thesis-management/security/advisories/new) feature on GitHub
20
+
-**Email**: Send a detailed report to [krusche@tum.de](mailto:krusche@tum.de)
21
+
22
+
### What to Include
23
+
24
+
Please include as much of the following information as possible:
25
+
26
+
- A description of the vulnerability and its potential impact
27
+
- Steps to reproduce or a proof-of-concept
28
+
- The affected component (server, client, authentication, etc.)
29
+
- Any suggestions for mitigation or fixes
30
+
31
+
### What to Expect
32
+
33
+
-**Acknowledgment**: We will acknowledge receipt of your report within **10 business days**
34
+
-**Assessment**: We will investigate and provide an initial assessment within **15 business days**
35
+
-**Resolution**: We aim to release a fix for confirmed vulnerabilities as quickly as possible, depending on severity and complexity
36
+
-**Credit**: We are happy to credit reporters in release notes (unless you prefer to remain anonymous)
37
+
38
+
## Security Considerations
39
+
40
+
This application handles academic data and uses the following security mechanisms:
0 commit comments