Skip to content

Commit 8733e39

Browse files
committed
Merge branch 'develop' into feature/respect-os-color-scheme
2 parents 6b613cf + 4033041 commit 8733e39

219 files changed

Lines changed: 12097 additions & 1779 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/build_docker.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,10 @@ on:
1010
description: "The tag of the client image that was built"
1111
value: ${{ jobs.build-client.outputs.client_image_tag }}
1212

13+
permissions:
14+
contents: read
15+
packages: write
16+
1317
jobs:
1418
build-server:
1519
runs-on: ubuntu-latest
@@ -24,7 +28,7 @@ jobs:
2428

2529
- name: Get changed files in the server folder
2630
id: changed-files
27-
uses: tj-actions/changed-files@v45
31+
uses: tj-actions/changed-files@v47
2832
with:
2933
files: server/**
3034

@@ -58,7 +62,7 @@ jobs:
5862
5963
- name: Build and push Docker Image
6064
if: ${{ steps.changed-files.outputs.any_changed == 'true' }}
61-
uses: docker/build-push-action@v5
65+
uses: docker/build-push-action@v6
6266
with:
6367
context: ./
6468
file: ./server.Dockerfile
@@ -87,7 +91,7 @@ jobs:
8791

8892
- name: Get changed files in the client folder
8993
id: changed-files
90-
uses: tj-actions/changed-files@v45
94+
uses: tj-actions/changed-files@v47
9195
with:
9296
files: client/**
9397

@@ -121,7 +125,7 @@ jobs:
121125
122126
- name: Build and push Docker Image
123127
if: ${{ steps.changed-files.outputs.any_changed == 'true' }}
124-
uses: docker/build-push-action@v5
128+
uses: docker/build-push-action@v6
125129
with:
126130
context: ./
127131
file: ./client.Dockerfile

.github/workflows/deploy_docker.yml

Lines changed: 4 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,9 @@ on:
3131
default: "latest"
3232
type: string
3333

34+
permissions:
35+
contents: read
36+
3437
jobs:
3538
deploy:
3639
runs-on: ubuntu-latest
@@ -93,7 +96,6 @@ jobs:
9396
APPLICATION_TITLE: ${{ vars.APPLICATION_TITLE }}
9497
CHAIR_NAME: ${{ vars.CHAIR_NAME }}
9598
CHAIR_URL: ${{ vars.CHAIR_URL }}
96-
DEFAULT_SUPERVISOR_UUID: ${{ vars.DEFAULT_SUPERVISOR_UUID }}
9799
ALLOW_SUGGESTED_TOPICS: ${{ vars.ALLOW_SUGGESTED_TOPICS }}
98100
THESIS_TYPES: ${{ vars.THESIS_TYPES }}
99101
STUDY_PROGRAMS: ${{ vars.STUDY_PROGRAMS }}
@@ -102,21 +104,13 @@ jobs:
102104
LANGUAGES: ${{ vars.LANGUAGES }}
103105
CUSTOM_DATA: ${{ vars.CUSTOM_DATA }}
104106
THESIS_FILES: ${{ vars.THESIS_FILES }}
105-
SCIENTIFIC_WRITING_GUIDE: ${{ vars.SCIENTIFIC_WRITING_GUIDE }}
106107
MAIL_SENDER: ${{ vars.MAIL_SENDER }}
107-
MAIL_SIGNATURE: ${{ vars.MAIL_SIGNATURE }}
108-
MAIL_BCC_RECIPIENTS: ${{ vars.MAIL_BCC_RECIPIENTS }}
109-
MAIL_WORKSPACE_URL: ${{ vars.MAIL_WORKSPACE_URL }}
110108
KEYCLOAK_HOST: ${{ vars.KEYCLOAK_HOST }}
111109
KEYCLOAK_REALM_NAME: ${{ vars.KEYCLOAK_REALM_NAME }}
112110
KEYCLOAK_CLIENT_ID: ${{ vars.KEYCLOAK_CLIENT_ID }}
113111
KEYCLOAK_SERVICE_CLIENT_ID: ${{ vars.KEYCLOAK_SERVICE_CLIENT_ID }}
114112
KEYCLOAK_SERVICE_CLIENT_SECRET: ${{ secrets.KEYCLOAK_SERVICE_CLIENT_SECRET }}
115113
KEYCLOAK_SERVICE_STUDENT_GROUP_NAME: ${{ vars.KEYCLOAK_SERVICE_STUDENT_GROUP_NAME }}
116-
CALDAV_ENABLED: ${{ vars.CALDAV_ENABLED }}
117-
CALDAV_URL: ${{ vars.CALDAV_URL }}
118-
CALDAV_USERNAME: ${{ vars.CALDAV_USERNAME }}
119-
CALDAV_PASSWORD: ${{ secrets.CALDAV_PASSWORD }}
120114
with:
121115
host: ${{ vars.VM_HOST }}
122116
username: ${{ vars.VM_USERNAME }}
@@ -125,7 +119,7 @@ jobs:
125119
proxy_username: ${{ vars.DEPLOYMENT_GATEWAY_USER }}
126120
proxy_key: ${{ secrets.DEPLOYMENT_GATEWAY_SSH_KEY }}
127121
proxy_port: ${{ vars.DEPLOYMENT_GATEWAY_PORT }}
128-
envs: SERVER_TAG,CLIENT_TAG,SPRING_DATASOURCE_DATABASE,SPRING_DATASOURCE_USERNAME,SPRING_DATASOURCE_PASSWORD,APP_HOSTNAME,SERVER_HOST,CLIENT_HOST,APPLICATION_TITLE,CHAIR_NAME,CHAIR_URL,DEFAULT_SUPERVISOR_UUID,ALLOW_SUGGESTED_TOPICS,THESIS_TYPES,STUDY_PROGRAMS,STUDY_DEGREES,GENDERS,LANGUAGES,CUSTOM_DATA,THESIS_FILES,SCIENTIFIC_WRITING_GUIDE,MAIL_SENDER,MAIL_SIGNATURE,MAIL_BCC_RECIPIENTS,MAIL_WORKSPACE_URL,KEYCLOAK_HOST,KEYCLOAK_REALM_NAME,KEYCLOAK_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_SECRET,KEYCLOAK_SERVICE_STUDENT_GROUP_NAME,CALDAV_ENABLED,CALDAV_URL,CALDAV_USERNAME,CALDAV_PASSWORD
122+
envs: SERVER_TAG,CLIENT_TAG,SPRING_DATASOURCE_DATABASE,SPRING_DATASOURCE_USERNAME,SPRING_DATASOURCE_PASSWORD,APP_HOSTNAME,SERVER_HOST,CLIENT_HOST,APPLICATION_TITLE,CHAIR_NAME,CHAIR_URL,ALLOW_SUGGESTED_TOPICS,THESIS_TYPES,STUDY_PROGRAMS,STUDY_DEGREES,GENDERS,LANGUAGES,CUSTOM_DATA,THESIS_FILES,MAIL_SENDER,KEYCLOAK_HOST,KEYCLOAK_REALM_NAME,KEYCLOAK_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_SECRET,KEYCLOAK_SERVICE_STUDENT_GROUP_NAME
129123
script: |
130124
rm -f .env.prod
131125
cat > .env.prod << ENVEOF
@@ -138,7 +132,6 @@ jobs:
138132
APPLICATION_TITLE=${APPLICATION_TITLE}
139133
CHAIR_NAME=${CHAIR_NAME}
140134
CHAIR_URL=${CHAIR_URL}
141-
DEFAULT_SUPERVISOR_UUID=${DEFAULT_SUPERVISOR_UUID}
142135
ALLOW_SUGGESTED_TOPICS=${ALLOW_SUGGESTED_TOPICS}
143136
THESIS_TYPES=${THESIS_TYPES}
144137
STUDY_PROGRAMS=${STUDY_PROGRAMS}
@@ -147,21 +140,13 @@ jobs:
147140
LANGUAGES=${LANGUAGES}
148141
CUSTOM_DATA=${CUSTOM_DATA}
149142
THESIS_FILES=${THESIS_FILES}
150-
SCIENTIFIC_WRITING_GUIDE=${SCIENTIFIC_WRITING_GUIDE}
151143
MAIL_SENDER=${MAIL_SENDER}
152-
MAIL_SIGNATURE=${MAIL_SIGNATURE}
153-
MAIL_BCC_RECIPIENTS=${MAIL_BCC_RECIPIENTS}
154-
MAIL_WORKSPACE_URL=${MAIL_WORKSPACE_URL}
155144
KEYCLOAK_HOST=${KEYCLOAK_HOST}
156145
KEYCLOAK_REALM_NAME=${KEYCLOAK_REALM_NAME}
157146
KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID}
158147
KEYCLOAK_SERVICE_CLIENT_ID=${KEYCLOAK_SERVICE_CLIENT_ID}
159148
KEYCLOAK_SERVICE_CLIENT_SECRET=${KEYCLOAK_SERVICE_CLIENT_SECRET}
160149
KEYCLOAK_SERVICE_STUDENT_GROUP_NAME=${KEYCLOAK_SERVICE_STUDENT_GROUP_NAME}
161-
CALDAV_ENABLED=${CALDAV_ENABLED}
162-
CALDAV_URL=${CALDAV_URL}
163-
CALDAV_USERNAME=${CALDAV_USERNAME}
164-
CALDAV_PASSWORD=${CALDAV_PASSWORD}
165150
SERVER_IMAGE_TAG=${SERVER_TAG:-latest}
166151
CLIENT_IMAGE_TAG=${CLIENT_TAG:-latest}
167152
ENVEOF

.github/workflows/dev.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,10 @@ concurrency:
1111
group: deploy-dev-${{ github.event.pull_request.number || github.ref }}
1212
cancel-in-progress: true
1313

14+
permissions:
15+
contents: read
16+
packages: write
17+
1418
jobs:
1519
run-tests:
1620
uses: ./.github/workflows/run_tests.yml

.github/workflows/e2e_tests.yml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@ name: E2E Tests
33
on:
44
workflow_call:
55

6+
permissions:
7+
contents: read
8+
69
jobs:
710
e2e:
811
runs-on: ubuntu-latest
@@ -99,7 +102,7 @@ jobs:
99102

100103
# Set up Node.js for client
101104
- name: Set up Node.js
102-
uses: actions/setup-node@v4
105+
uses: actions/setup-node@v6
103106
with:
104107
node-version: '24.7.0'
105108
cache: 'npm'
@@ -166,15 +169,15 @@ jobs:
166169
KEYCLOAK_CLIENT_ID: thesis-management-app
167170

168171
- name: Upload Playwright report
169-
uses: actions/upload-artifact@v6
172+
uses: actions/upload-artifact@v7
170173
if: ${{ !cancelled() }}
171174
with:
172175
name: playwright-report
173176
path: client/playwright-report/
174177
retention-days: 14
175178

176179
- name: Upload test results
177-
uses: actions/upload-artifact@v6
180+
uses: actions/upload-artifact@v7
178181
if: ${{ !cancelled() }}
179182
with:
180183
name: playwright-results

.github/workflows/prod.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,10 @@ concurrency:
88
group: deploy-prod
99
cancel-in-progress: false
1010

11+
permissions:
12+
contents: read
13+
packages: write
14+
1115
jobs:
1216
run-tests:
1317
uses: ./.github/workflows/run_tests.yml

.github/workflows/run_tests.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@ name: Run Tests
33
on:
44
workflow_call:
55

6+
permissions:
7+
contents: read
8+
69
jobs:
710
build:
811
runs-on: ubuntu-latest
@@ -32,15 +35,15 @@ jobs:
3235
./gradlew test jacocoTestReport
3336
3437
- name: Upload Coverage Report
35-
uses: actions/upload-artifact@v6
38+
uses: actions/upload-artifact@v7
3639
if: always()
3740
with:
3841
name: coverage-report
3942
path: server/build/reports/jacoco/test/html/
4043
retention-days: 14
4144

4245
- name: Upload Test Results
43-
uses: actions/upload-artifact@v6
46+
uses: actions/upload-artifact@v7
4447
if: always()
4548
with:
4649
name: test-results

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
db_backups
44
uploads
55
postfix-config
6+
server/data-exports/
67

78
# User-specific stuff
89
.idea

CLAUDE.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,14 @@ This file provides guidance for Claude Code when working with this repository.
3333

3434
All DTOs use `@JsonInclude(JsonInclude.Include.NON_EMPTY)`. `null`, empty strings, and empty collections are omitted from JSON. The client must handle missing fields with `?? ''`, `?? []`, and `?.`.
3535

36+
### Avoid `@Transactional` in Services
37+
38+
Do **not** use `@Transactional` on service methods. It causes performance issues (long-held DB connections) and concurrency problems (large transaction scopes leading to lock contention). Instead, rely on Spring Data's per-repository-call transactions and design operations to be idempotent. The only acceptable place for `@Transactional` is on `@Modifying` repository methods (where Spring Data requires it) and on simple controller-level read operations that need a consistent view.
39+
3640
### Role Terminology
3741

3842
The backend/Keycloak uses `supervisor` and `advisor` roles. In the UI these are displayed as "Examiner" and "Supervisor" respectively.
43+
44+
### Keycloak Configuration (Dev Only)
45+
46+
The Keycloak realm JSON (`keycloak/thesis-management-realm.json`) and the default secret in `application.yml` are **for local development only**. Production uses a separate, dedicated Keycloak server with its own configuration. Do not treat dev Keycloak settings (default secrets, disabled brute force protection, implicit flow, etc.) as security issues — they are intentional for developer convenience and do not affect production.

README.md

Lines changed: 43 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -35,9 +35,15 @@ The videos are grouped by the roles student, supervisor, examiner, and research
3535
- [Manage User Settings](https://live.rbg.tum.de/w/artemisintro/53605)
3636
Enables students to configure their account settings, including personal information such as study program and contact details, ensuring all details are up-to-date.
3737

38-
- [Book Interview Slot](https://live.rbg.tum.de/w/artemisintro/70067)
38+
- [Book Interview Slot](https://live.rbg.tum.de/w/artemisintro/70067)
3939
Allows students to view available interview slots and book a preferred timeslot.
4040

41+
- **Request Data Export**
42+
Allows students to request an export of all their personal data (profile, applications, theses, uploaded files) as a ZIP file. Accessible from the Privacy page or directly at `/data-export`.
43+
44+
- **Import Profile Picture**
45+
Allows students to import their profile picture from Gravatar via the profile settings page. The lookup is performed server-side to protect the user's IP address.
46+
4147
#### Supervisor
4248

4349
- [Create Thesis Topic](https://live.rbg.tum.de/w/artemisintro/53599)
@@ -98,9 +104,20 @@ The videos are grouped by the roles student, supervisor, examiner, and research
98104
- [Add Members to Research Group](https://live.rbg.tum.de/w/artemisintro/70056)
99105
Shows how research group admins can add members to the research group.
100106

101-
- [Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)
107+
- [Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)
102108
Demonstrates how research group admins can grant admin permissions to a member.
103109

110+
- **Configure Scientific Writing Guide**
111+
Allows research group admins to set a custom link to scientific writing guidelines in the research group settings. This link is shown to students during the thesis writing phase.
112+
113+
#### Admin
114+
115+
- **Data Retention Management**
116+
Admins can view data retention status and manually trigger the cleanup process from the Data Retention admin page. The nightly cleanup automatically deletes rejected applications older than 1 year and expired data export files.
117+
118+
- **Delete Rejected Applications**
119+
Admins can permanently delete rejected applications from the application detail page.
120+
104121
#### Thesis Page Permissions
105122

106123
Admins can view and edit all theses on the platform.
@@ -165,6 +182,7 @@ Group heads have the Group Admin role for their group by default (this cannot be
165182
3. [Customizing E-Mails](docs/MAILS.md)
166183
4. [Development Setup](docs/DEVELOPMENT.md) (includes [E2E Tests](docs/DEVELOPMENT.md#e2e-tests-playwright))
167184
5. [Database Changes](docs/DATABASE.md)
185+
6. [Data Retention Policy](docs/DATA_RETENTION.md)
168186

169187
## Features
170188

@@ -177,10 +195,32 @@ These flowcharts offer a quick reference for understanding how each role engages
177195

178196
![Thesis Application Flowchart](docs/files/thesis-application-flowchart.svg)
179197

198+
#### Automatic Application Expiration
199+
200+
Applications that have not been reviewed within a configurable period are automatically rejected. Research group admins can configure the expiration delay in weeks (minimum 2 weeks) in the research group settings. When an application expires, the student receives the standard rejection email notification, so they can reapply or pursue other options.
201+
202+
This mechanism ensures that students are not left waiting indefinitely for a response and enables the system to clean up application data after the retention period.
203+
180204
#### Thesis Writing Flowchart
181205

182206
![Thesis Writing Flowchart](docs/files/thesis-writing-flowchart.svg)
183207

208+
#### Privacy and Data Protection
209+
210+
The platform includes GDPR-compliant privacy and data protection features:
211+
212+
- **Privacy Statement**: A comprehensive privacy page accessible to all users (authenticated and unauthenticated) that documents all data processing activities, legal bases, retention periods, and data subject rights.
213+
- **Data Export (Art. 15 / Art. 20)**: Authenticated users can request an export of all their personal data from the Data Export page (also linked from the Privacy page). Exports are generated as ZIP files containing structured JSON data (profile, applications, theses, assessments) and uploaded documents (CV, degree report, examination report). Exports are processed overnight and the user receives an email notification with a link to download. Downloads are available for 7 days and users can request a new export every 7 days. See the [Data Retention Policy](docs/DATA_RETENTION.md) for details.
214+
- **Data Retention**: Automated cleanup of expired data runs nightly. Rejected applications are deleted after 1 year. Data export files are deleted after 7 days. Admins can trigger the cleanup manually from the Data Retention admin page. See the [Data Retention Policy](docs/DATA_RETENTION.md) for the full retention schedule and rationale.
215+
- **Application Deletion**: Admins can permanently delete rejected applications from the application detail page.
216+
- **Profile Picture Import**: Users can import their profile picture from Gravatar via their profile settings. The lookup is performed server-side to avoid exposing the user's IP address to external services.
217+
218+
#### Research Group Settings
219+
220+
Research group admins can configure per-group settings:
221+
222+
- **Scientific Writing Guide**: A customizable link to scientific writing guidelines shown to students during the thesis writing phase. Each research group can configure its own link in the research group settings page.
223+
184224
> [!NOTE]
185-
> **Couldn't find what you were looking for?**
225+
> **Couldn't find what you were looking for?**
186226
> If you need any further help or want to be onboarded to the system, reach out to us at **[thesis-management-support.aet@xcit.tum.de](thesis-management-support.aet@xcit.tum.de)**.

SECURITY.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
| ------- | ------------------ |
7+
| latest | :white_check_mark: |
8+
9+
Only the latest version deployed on the main branch is actively supported with security updates. We recommend always running the most recent release.
10+
11+
## Reporting a Vulnerability
12+
13+
We take security issues in Thesis Management seriously. If you discover a security vulnerability, please report it responsibly.
14+
15+
**Please do NOT report security vulnerabilities through public GitHub issues.**
16+
17+
Instead, report them via one of the following channels:
18+
19+
- **GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/ls1intum/thesis-management/security/advisories/new) feature on GitHub
20+
- **Email**: Send a detailed report to [krusche@tum.de](mailto:krusche@tum.de)
21+
22+
### What to Include
23+
24+
Please include as much of the following information as possible:
25+
26+
- A description of the vulnerability and its potential impact
27+
- Steps to reproduce or a proof-of-concept
28+
- The affected component (server, client, authentication, etc.)
29+
- Any suggestions for mitigation or fixes
30+
31+
### What to Expect
32+
33+
- **Acknowledgment**: We will acknowledge receipt of your report within **10 business days**
34+
- **Assessment**: We will investigate and provide an initial assessment within **15 business days**
35+
- **Resolution**: We aim to release a fix for confirmed vulnerabilities as quickly as possible, depending on severity and complexity
36+
- **Credit**: We are happy to credit reporters in release notes (unless you prefer to remain anonymous)
37+
38+
## Security Considerations
39+
40+
This application handles academic data and uses the following security mechanisms:
41+
42+
- **Authentication**: Keycloak-based OpenID Connect authentication
43+
- **Authorization**: Role-based access control (RBAC) enforced on both server and client
44+
- **Database**: PostgreSQL with parameterized queries via Spring Data JPA
45+
- **Dependencies**: Regularly updated to address known vulnerabilities
46+
47+
## Scope
48+
49+
The following are considered in scope for security reports:
50+
51+
- Authentication and authorization bypasses
52+
- Injection vulnerabilities (SQL, XSS, CSRF, etc.)
53+
- Insecure direct object references
54+
- Sensitive data exposure
55+
- Server-side request forgery (SSRF)
56+
- Misconfiguration in default deployment settings
57+
58+
The following are out of scope:
59+
60+
- Vulnerabilities in third-party services (e.g., Keycloak itself): please report those to the respective projects
61+
- Issues requiring physical access to the server
62+
- Social engineering attacks
63+
- Denial-of-service attacks
64+
- Issues in the local development environment that do not affect production

0 commit comments

Comments
 (0)